
Use Remote Access SSL VPN to reach 4 different internal networks

Hello,

We converted the configuration from UTM 135 to XGS 136 and we have one problem with Remote Access SSL VPN and sNAT.

With the UTM we have a C2S SSL VPN for home office users to the main office (1).

The main office has 3 additional S2S connections to other locations (networks) (2-4).

Users can also reach these networks (2-4) through this C2S VPN by using sNAT pointed to the internal FW IP.

The traffic is transferred by sNAT to the other three networks 2-4.

This works fine with the UTM but we can't get it to work with the XGS.

Please see below the configuration we have done.

In the connection list we can see that ping uses the rule, but we get no ping or connection to the networks 2-4.



  • Hi Peter,

    Thank you for reaching out to Sophos Community.

    Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue?

    Can you also check the Log viewer/packet capture to determine what has happened to the packet?

    Also, if possible, kindly share the screenshot.

  • Hi Erick,

    I have seen many videos, documentation,... but nothing that shows the scenario with sub networks behind the main office. Only for the UTM can I find some descriptions. Some additional information: the S2S VPNs from the main office to the 3 sub offices are new but use the same configuration as before with the UTM. 13 is the correct sNAT rule and 17 the correct firewall rule, so it looks like the rules are used for the connection.

    Just some information about a test from a sub office: I can ping from sub to main office from the SG135 but don't get traceroute information. This works from sub to sub office.

    best regards Peter

  • Hi Erick,

    No, the client can connect to the main office and reach the resources at the main office. But he isn't able to use the resources (networks) of the sub offices which are connected via IPsec. There is no manual on how to configure this! The way I showed worked at the SG135,...but not at the XG. I wonder why this normal use case is not documented.

    But the good news is I solved the problem by setting separate routes in console mode.

    console> system ipsec_route add net 10.182.0.0/255.255.0.0 tunnelname MainOffice2SubOffice1  (this is the name of your IPsec tunnel at the S2S VPN)

    I think that is very important additional information for all configurations with sub networks.

    best regards Peter
