
Site2Site Tunnel with overlapping Network AND SSL VPN User

Hi all,

We are moving from one department to another.

Therefore a Site2Site tunnel with overlapping networks is planned

(using that howto: https://support.sophos.com/support/s/article/KB-000035848?language=en_US)

for the duration (about 3 months). 172.20.0.0/16

Old department Sophos SG <-> new department Sophos XG.

Because of the pandemic situation it is also important that all SSL VPN users have permanent access to the network.

And that's my problem: until now I have only been able to get one of the two running, not both together.

When the XG has a local interface with 172.20.0.0 in place, all traffic from the connected VPN client is directed to that local interface and not (also) through the tunnel.

With that local interface turned off, SSL VPN clients can access all needed destinations through the tunnel behind the remote SG.

Anybody out there with ideas on how to handle this?

Best from Berlin, Gernot



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Could you please provide the network diagram as well as the configured firewall rules and VPN configuration details? 

    Are you trying to allow Remote Access SSL VPN traffic over an existing IPsec tunnel? 

    Thanks,

  • Here it is:

    Works from 10.234.0.x (SSL-VPN) to old department:
    Site2Site tunnel: old department (172.20.20.0/24) <-> SG 172.20.20.1 (internal)
                    <-> Internet <->
                                XG 172.20.21.1 (internal_temp) <-> new department (172.20.21.0/24)
                                XG SSL VPN 10.234.0.x/24 (XG) <-> VPN client

    Works NOT from 10.234.0.x (SSL-VPN) to old department:
    Site2Site tunnel: old department (172.20.20.0/24) <-> SG 172.20.20.1 (internal)
                    <-> Internet <->
                                XG 172.20.20.1 (internal) <-> new department (172.20.20.0/24)
                                XG 172.20.21.1 (internal_temp) <-> new department (172.20.21.0/24)
                                XG SSL VPN 10.234.0.x/24 (XG) <-> VPN client

    VPN settings: allowed SSL VPN to internal and internal_temp
    Existing FW rule allows SSL VPN to network 172.20.20.0

    Traffic from SSL VPN to old Dep. works ONLY when the XG interface carrying the same NW as old Dep. is disabled.
    Nothing more!
    Turn NW interface off: FW log shows traffic VPN to Site2Site VPN.
    Turn NW interface on: FW shows that traffic goes ONLY to the local adapter (and no longer to the Site2Site interface)

    Thanks for help!

    I am afraid I got the answer myself in

    https://community.sophos.com/xg-firewall/f/discussions/124040/site2site-tunnel-with-overlapping-ip-ranges-part-2

    I need to reach the other side using the machines' NAT addresses, not the real ones, because Site2Site traffic needs to be NATted for that.
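Added example (not part of the thread, and not Sophos code): a small route-lookup model of the XG side that reproduces what the diagram above shows and why the NAT conclusion in the last post follows. A destination inside 172.20.20.0/24 matches both the connected "internal" interface and the tunnel's remote selector with the same prefix length, and a connected route wins that tie, so the SSL VPN client's traffic never reaches the IPsec policy while "internal" is up. Once the tunnel carries a translated range for the old department (172.21.20.0/24 is an assumed value here, not from the thread), SSL VPN clients address the remote machines by their NAT addresses, the only route for that range is the tunnel, and the local interface no longer competes. The 1:1 host-preserving translation is the usual form of an overlapping-subnet NAT and is included so the mapping can be checked end to end; interface and tunnel names are the thread's, the selection rule is a simplification of a real routing table.

```python
"""Model of the XG routing decision for the overlapping-subnet case.
Example code added to this thread; values marked 'assumed' are not from it."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # "connected:<interface>" or "ipsec:<tunnel>"


# Ranges from the thread, plus one assumed NAT range for the old department.
OLD_DEPT_REAL = ipaddress.IPv4Network("172.20.20.0/24")   # old department, real
OLD_DEPT_NAT = ipaddress.IPv4Network("172.21.20.0/24")    # assumed NAT range
NEW_DEPT_TEMP = ipaddress.IPv4Network("172.20.21.0/24")   # internal_temp
SSLVPN_POOL = ipaddress.IPv4Network("10.234.0.0/24")      # SSL VPN clients


def lookup(routes, dst):
    """Longest-prefix match. On an equal-length tie the connected route
    (a local interface) wins over the IPsec policy, which is the behaviour
    the poster observes when 'internal' is switched on."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.prefix.prefixlen, r.via.startswith("connected:")))


def xg_routes(internal_up, tunnel_uses_nat_range):
    """Routes present on the XG. 'internal_up' mirrors the interface the poster
    toggles; 'tunnel_uses_nat_range' selects whether the site-to-site tunnel's
    remote selector is the real old-department range or the NAT range."""
    routes = [
        Route(NEW_DEPT_TEMP, "connected:internal_temp"),
        Route(SSLVPN_POOL, "connected:sslvpn"),
    ]
    if internal_up:
        routes.append(Route(OLD_DEPT_REAL, "connected:internal"))
    remote = OLD_DEPT_NAT if tunnel_uses_nat_range else OLD_DEPT_REAL
    routes.append(Route(remote, "ipsec:site2site"))
    return routes


def path_for(dst, internal_up, tunnel_uses_nat_range):
    """Where a packet from an SSL VPN client to 'dst' is forwarded."""
    r = lookup(xg_routes(internal_up, tunnel_uses_nat_range), dst)
    return r.via if r else "no route"


def translate(addr, src_net, dst_net):
    """1:1 network translation: keep the host part, swap the network part.
    This is what the far end (the SG) applies to the NAT range."""
    a = ipaddress.IPv4Address(addr)
    if a not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("address outside source network or mask mismatch")
    offset = int(a) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))


if __name__ == "__main__":
    # The poster's two observations, then the NAT-addressed alternative.
    print("internal up,   real range:", path_for("172.20.20.50", True, False))
    print("internal down, real range:", path_for("172.20.20.50", False, False))
    print("internal up,   NAT range: ", path_for("172.21.20.50", True, True))
    # What the SG turns the NAT destination into on arrival.
    print("SG de-NAT:", translate("172.21.20.50", OLD_DEPT_NAT, OLD_DEPT_REAL))
```

Run it as-is to see the three cases side by side; the first line is the failing setup from the diagram, the second is the workaround of disabling "internal", and the third is the NAT-addressed path that works with "internal" still up. The firewall rule that currently allows SSL VPN to 172.20.20.0 would need to allow the NAT range instead, since that is the destination the clients will now use.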