Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 1126 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Connect to other end of IPSEC connection by SSL remote access users

apijnappels

I'm afraid this question has already been asked but I couldn't find it for XG. I did find it multiple times for UTM but that unfortunately doesn't bring me to a solution.

I have to sites, A and B interconnected by a IPSEC VPN connection. Traffic is flowing as expected and everything works fine.

Connected to site A I have SSL VPN remote access clients that can communicate to site A without problem. So far everything is fine.

Now I want to allow remote SSL clients from site A to communicate to site B and it has to be done with a SNAT rule since the other side doesn't want to add the SSL subnet to the tunnel. So basically the remote SSL traffic should be source natted to a site A's local address before being sent to site B.

I made a drawing of the situation:

I made the following firewall rule:

The corresponding NAT rule is the following:

The Translated source (SNAT) address is 172.16.16.250 which is inside the LAN-network of site A.
The SSL VPN Network is: 10.81.234.0/24

VPN config looks like this:

I can "see" the traffic on the XG en it seems that it is being sent to the correct location (however it uses Port2 as Out interface where I expect it should be ipsec0 so this might be the real problem....

The upper line works and is traffic from the SSL client to the network at Site A. The lower line doesn't get a reply back (it uses Port2 to send the packet out and might need to be ipsec0 interface).

I must be miissing something most likely how to make sure the traffic from the remote access vpn client uses ipsec0 as outgoing interface instead of Port2, but I can't seem to find how to configure this.

Can anyone help me on this one?



This thread was automatically locked due to age.
Parents
  • FormerMember
    +1 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    It seems you are missing VPN to VPN firewall rule on firewall A. 

    When SSL remote VPN users connect to firewall A, the source zone would be VPN, and if the SSL VPN users need to connect to firewall B, which is connected to firewall A over IPSec site to site, then the destination zone would be VPN. 

    I would also suggest you remove "Any" and add an appropriate zone in the firewall rule VPN to Any zone.

    Check out the following KBA for more info: Allow Remote Access SSL VPN Traffic Over an Existing IPsec Tunnel without Modifying the IPsec Tunnel in Sophos XG Firewall.

    Thanks,

  • 0 in reply to FormerMember

    Hi H_Patel,

    Seems I needed to add the ipsec_route from the console, which is the last step of the KBA. After doing this my remote access client can access the resources at site B.

    However..... Now the XG firewall itself cannot access the resources anymore behind the VPN-tunnel. I noticed this because my remote worker couldn't authenticate anymore and the XG couldn't reach the AD server anymore which is located at Site B.

    There are multiple networks inside the tunnel between site A and B, when I don't create the ipsec_route for the subnet where the AD-server is, the VPN user can still be authenticated (and the firewall can ping the AD server), but the SSL user cannot (because the ipsec_route is missing).

    While the local computers at site A can still access all resources at site B both with or without the ipsec_route, the firewall cannot access them with this rule, the SSL client cannot access them without....  

    Is this something that can also be solved somehow?

  • FormerMember
    0 FormerMember in reply to apijnappels

    Hi ,

    Did you add the system route for all the remote networks of the firewall B that are part of the IPsec tunnel? 

    The other options would be adding the SSL VPN network to the IPsec tunnel, check out the following KBA:

    Sophos XG Firewall: How to configure access for SSL VPN remote users over an IPsec VPN

    Thanks,

  • 0 in reply to FormerMember

    Hi

    Thank you for your quick response.

    Yes I did add routes for all the subnets and once those routes are created that subnet is reachable by the remote SSL user (but as I said at the exact moment I add the route, XG itself cannot access the remote net anymore Disappointed)

    For the moment it's not possible to include the SSL clients into the tunnel because of restrictions on site B. Seems I have to either try to convince the admin of site B to also include the SSL VPN subnet in the tunnel or have to live with the fact that it's either the XG or the SSL users that can use resources on Site B. As a workaround I can add ipsec_routes for separate hosts or smaller subnets of the original subnet so at least some of the servers are reachable from the remote users.

    This was so easy with UTM but looks more challenging with XG unfortunately.

  • FormerMember
    0 FormerMember in reply to apijnappels

    Hi ,

    Can you share packet capture on the destination IP address that you are trying access with IPsec system routes are added? 

    Check out the following KBA on how to run packet capture form GUI: 

    Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI.

    Thanks,

  • 0 in reply to FormerMember

    Hi

    That give some interesting information, see the screenshot I took from the packet capture with a ping command from the commandline in XG:

    The first one shows the Port1 IP-address of XG (172.16.16.16) and is shown when there is no ipsec_route set. After setting the ipsec_route to the destination network the source address of the UTM is no longer it's Port1 address, but changes to 169.254.234.5 address. Not sure where that comes from, but it's definately not an ip-address (or range) that I have configured anywhere.

  • FormerMember
    +1 FormerMember in reply to apijnappels

    Hi ,

    System generated traffic is not routed via IPsec tunnel by default. If you ping the remote host from the firewall itself, it will not work without the system route.

    Check out the following KBA for more info: Sophos XG Firewall: How to Route Sophos Firewall Initiated Traffic Through an IPSec VPN tunnel.

    Thanks,

  • 0 in reply to FormerMember

    Hi

    That did the trick, thanks a lot for your quick responses! Now all devices can reach all destinations that they need.

    Is there a specific reason that these routes (ipsec_route and set advanced-firewall sys-traffic-nat) have to be set in the console? Is there any way to even see those somewhere in the GUI?

    I'm quite familiar with routing principles and especially in how SG handles them, but this is completely different and I'm trying to get to a "Ah, I see" moment...

  • FormerMember
    0 FormerMember in reply to apijnappels

    Hi ,

    Thank you for the update! I'm happy to help! 

    Unfortunately, there is no option to add or view system/kernel routes from the GUI as of now but from the console. 

    Thanks,

  • 0 in reply to apijnappels

    BTW: Resolving such deployments with Route based VPN, this will be easy to manage via GUI, as you could use NAT. 

    SG uses Policy based as well and the NAT option there was deployed later in the firmware with some tricks (you have to tick the "Please use IPsec"). 

    As everything moves to Route based, this is a good moment to reflect and use Route based as much as possible. 

Reply
  • 0 in reply to apijnappels

    BTW: Resolving such deployments with Route based VPN, this will be easy to manage via GUI, as you could use NAT. 

    SG uses Policy based as well and the NAT option there was deployed later in the firmware with some tricks (you have to tick the "Please use IPsec"). 

    As everything moves to Route based, this is a good moment to reflect and use Route based as much as possible. 

Children
No Data