This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XGS remote VPN to remote network

Good morning,

I would appreciate some help to find a soution to reach a remote BO network throught a remote connection to HO Firewall. Here's some details of the setup:

HO XGS107w with 192.168.3.0/24 network and BO XGS87w with 192.168.2.0/24 network with an SSL site to site VPN already configured.

An additional remote SSLVPN ( subnet 10.81.234.0/24) has been configured to HO.

The question is the following:

I need to reach BO 192.168.2.0/24 network throught the remote VPN established on HO FW.

I've added VPN subnet to "Local networks" in the VPN server configuration.

Rule HO: Accept any service going to VPN zone to remote network BO, when in LAN or VPN zones, and coming from from any network.

Rule FO: Accept any service goint to LAN BO when in VPN zone and coming from LAN HO and REMOTE VPN SUBNET (10.81.234.0/24)

I'm currently able to ping 192.168.2.0/24 BO network when remotly connected to HO, but I can't actually reach hosts throught browser.

It's possible to configure a setup like this or would be better make a second VPN remote connection to connect directly to the BO FW?

I hope I was clear enough.

Thank you in advance

Federico

This thread was automatically locked due to age.

Parents

0 Vivek Jagad over 2 years ago

Hello Federico Piu ,

Thank you for reaching out to the community, have you created a VPN to VPN rule on HO ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Federico Piu over 2 years ago in reply to Vivek Jagad

Hello Vivek,

I've not mentioned that in the remote VPN config, "use as dafault gw" is flagged.

here's the VPN to VPN rule:
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Federico Piu

well if you want your ssl vpn users to have internet via FW, in that scenario you can toggle on the "use as default gw" option and if that is turned on, you'll also need a FW rule VPN to WAN !!

Can you enable the Log Firewall traffic option in the FW rule, and then perform a packet capture - https://support.sophos.com/support/s/article/KB-000035761?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Federico Piu over 2 years ago in reply to Vivek Jagad

Here's trace from HO

and BO

Host 192.168.2.147 used for testin purpose is a Gigaset IP Dect and actually have an http web server
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Federico Piu

This rule id 12 on HO , can you show us a screenshot ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Federico Piu over 2 years ago in reply to Vivek Jagad
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Federico Piu

This is rule no 2 and not rule no 12, kindly share again Federico Piu

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Federico Piu over 2 years ago in reply to Vivek Jagad

Sorry, I got confused. Network Remoto Alghero 2 (192.168.2.0/24)
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Federico Piu

Can you create a separate rules as such LAN TO VPN and VPN to LAN on the Top and mention the source/destination network as any.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vivek Jagad over 2 years ago in reply to Federico Piu

Can you create a separate rules as such LAN TO VPN and VPN to LAN on the Top and mention the source/destination network as any.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Federico Piu over 2 years ago in reply to Vivek Jagad

Hello, sorry for late reply.

In the meanwhile, I made a lot of tries and I found a funcional configuration.

The only problem is that has worked since last week, and now isnt' working anymore. I'm attaching you all the screen of configuration, logs and pcaps.t

HO_Master_FW Configuration

BO_Slave_FW Configuration

HO Pcap with error and

Logs with established conenctions highlited

Why it worked untill today? Any suggestion?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Federico Piu over 2 years ago in reply to Federico Piu

From HO Fw I can't ping BO network, but from BO I can ping HO network. I think that the config above is correct, because it was working.
Cancel
Vote Up 0 Vote Down

Cancel

Sophos XGS remote VPN to remote network

Submitted a Tech Support Case lately from the Support Portal?