Hi all,
I have a HQ site and a branch site.
- There's a policy-based IPsec site2site connection established between the sites.
- Branch site has an SSLVPN (OpenVPN 10.81.255.0/24) server running and is used as the default gateway.
- Branch site also has an internal vlan88 (192.168.88.0/24) network.
Network diagram:
HQ IPSec configurations:
Branch IPSec configurations:
Branch SSLVPN Profile
With the above configurations, I am able to redirect all OpenVPN and vlan88 internet-bound traffic into the IPsec site2site tunnel to HQ's ISP gateway. I followed this guide https://support.sophos.com/support/s/article/KB-000035798?language=en_US and everything works like a charm:
My current goal is to change my IPsec from policy-based to route-based and achieve the same results so I can utilize SD-WAN at the branch site. However, route-based IPsec combined with SD-WAN only works for vlan88 and does not work for OpenVPN traffic.
Here's my SD-WAN, gateway and route-based IPSec configurations:
HQ
Branch
Packet capture reveals that SSLVPN traffic is being denied:
I know that SSL_VPN violation means the destination is not specified under the SSLVPN profile's permitted network resources. I think it's very interesting that policy-based IPsec completely ignores the SSLVPN permitted resources entries.
My question is: can I redirect SSLVPN's internet-bound traffic into a route-based IPsec site2site tunnel?
Thanks!
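To make the SSL_VPN violation in the capture above concrete, here is a small model of the "permitted network resources" check that an SSL VPN profile applies to client traffic. This is an added example, not code from the original post and not Sophos's implementation: it is a generic longest-prefix match over a list of permitted networks. The 10.81.255.0/24 client range and 192.168.88.0/24 (vlan88) come from the post; the HQ LAN 10.0.0.0/24 and the internet destination 93.184.216.34 are assumed sample values.

```python
import ipaddress

# Constructed model of an SSL VPN profile's "permitted network resources" list.
# A packet from a VPN client is only forwarded if its destination falls inside
# one of these networks; otherwise it is logged as an SSL_VPN violation.
# This is an illustrative model, not Sophos's code.
PERMITTED_LAN_ONLY = [
    "192.168.88.0/24",   # branch vlan88 (from the post)
    "10.0.0.0/24",       # assumed HQ LAN (hypothetical value)
]

# Same list with a default route entry added, so internet-bound client traffic
# is also permitted and can then be steered into the site-to-site tunnel.
PERMITTED_WITH_DEFAULT = PERMITTED_LAN_ONLY + ["0.0.0.0/0"]


def check_destination(permitted, dst):
    """Return (allowed, matched_network) for destination address dst.

    The most specific (longest prefix) permitted network wins, which is why
    a 0.0.0.0/0 entry does not shadow narrower LAN entries.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net_str in permitted:
        net = ipaddress.ip_network(net_str, strict=False)
        if dst_ip.version != net.version or dst_ip not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return (best is not None, str(best) if best is not None else None)


def classify_flows(permitted, flows):
    """Tag each (src, dst) client flow as forwarded or as an SSL_VPN violation."""
    results = []
    for src, dst in flows:
        allowed, matched = check_destination(permitted, dst)
        verdict = "forwarded" if allowed else "SSL_VPN violation"
        results.append((src, dst, verdict, matched))
    return results


# Constructed sample flows: an SSL VPN client talking to a vlan88 host and to
# an internet host (93.184.216.34 is an assumed sample address).
SAMPLE_FLOWS = [
    ("10.81.255.6", "192.168.88.20"),
    ("10.81.255.6", "93.184.216.34"),
]

if __name__ == "__main__":
    for label, permitted in (("LAN only", PERMITTED_LAN_ONLY),
                             ("with 0.0.0.0/0", PERMITTED_WITH_DEFAULT)):
        print(f"--- permitted resources: {label}")
        for src, dst, verdict, matched in classify_flows(permitted, SAMPLE_FLOWS):
            print(f"{src} -> {dst}: {verdict} (matched {matched})")
```

With only LAN entries the internet-bound flow is rejected before any SD-WAN or route-based decision is made; adding 0.0.0.0/0 to the permitted resources lets it pass, while the vlan88 flow still matches the more specific 192.168.88.0/24 entry.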