Unable to get SSL VPN to pass traffic

Hi

I have experience of setting up site-to-site SSL VPNs, which work well, but appear to be coming unstuck when trying to set up a client VPN which will act as the gateway for all traffic.

I have added basic firewall rules to allow traffic between the VPN zone and the WAN/LAN, in the same way you would for site-to-site traffic. I can see the rules being hit in the logs and allowing DNS traffic between VPN and WAN, but the DNS request isn't successful. The NAT rule it is hitting is the default out-of-the-box MASQ NAT rule, which does also work.

Under the SSL VPN policy I have the internal LAN subnet and the WAN IP, but I suspect this isn't really required when using the XG as the default gateway for all traffic. As such, I can see the route being correctly added on the client when the VPN connects (0.0.0.0 128.0.0.0 ...).

What I am struggling with is how to diagnose this issue any further, as the logs are proving to be utterly useless: nothing is showing as blocked/dropped by the firewall.

Another issue I am seeing is that I can't ping any of the XG IP addresses when connected via the VPN, including the standard gateway IP address.

I am not sure if it's applicable in this circumstance, but the drop-packet-capture CLI command is often useful to see what's being dropped.

I think you're saying that you can capture packets and see a DNS request coming in from a remote SSL VPN client and being routed to the WAN, and then a DNS answer coming back in from the WAN, but that it's getting dropped before being routed back to the VPN client. Is that correct?

It might be helpful to see, with whatever censorship you're comfortable with, the SSL VPN configuration and firewall rules.

Just to be clear, I have been unable to get the Sophos to be the DNS server for my SSL VPN clients. I have to specify something like 8.8.8.8 for them. (I was initially confused that this might result in the remote clients bypassing the VPN, so I needed to have them use the Sophos as DNS server, but this was incorrect: 8.8.8.8 still goes through the tunnel, as with all other WAN traffic.)