
SSL VPN Remote Access working, "use as default gateway not"

Hi. I have SSL VPN working with remote access users. I can remote to any of the machines listed in Tunnel Access - Permitted Network Resources; however, I cannot use my XG Firewall as a gateway. Whenever this setting is turned on, remote clients cannot access the internet.

I have made sure the #Port1 and #Port2 (LAN/WAN) were added to Tunnel Access > Permitted Network Resources and that my firewall rule is allowing Source Zone: VPN -> Destination Zone: LAN/WAN/Any.

I am hoping to use my XG Firewall as a gateway for http/s internet requests when working remotely.

Thanks!

  • Does anyone have SSL VPN working on remote clients if you use your internal network as the gateway? I have fiddled with my rules for hours and read through the admin guide; however, nothing is working. Everything is working but this... this should be easy.
  • This has been working for me, using the internal network as the gateway. If you followed the guide for configuring the VPN, then my guess is that the trouble lies somewhere with the firewall policies.

    Did you add the VPN network to a default policy that does IP Masquerading? In order to use the network as a gateway, it will need to masquerade the VPN user IPs in order to route their traffic.
  • Hi. Thanks for the reply. Yes, I have verified both.

    I can access resources on my LAN from the VPN; it just seems like the default gateway settings are not working. I looked at the logs on my OpenVPN client; does any of this seem to be of concern?

    2016-01-04 18:04:44 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    2016-01-04 18:04:44 Session is ACTIVE
    2016-01-04 18:04:44 EVENT: GET_CONFIG
    2016-01-04 18:04:44 Sending PUSH_REQUEST to server...
    2016-01-04 18:04:45 OPTIONS:
    0 [route-gateway] [192.168.3.105]
    1 [ping] [45]
    2 [ping-restart] [180]
    3 [redirect-gateway] [def1]
    4 [topology] [subnet]
    5 [route] [remote_host] [255.255.255.255] [net_gateway]
    6 [dhcp-option] [DNS] [192.168.0.1]
    7 [dhcp-option] [DOMAIN] [{example.com}]
    8 [ifconfig] [192.168.3.106] [255.255.255.0]

    2016-01-04 18:04:45 LZO-ASYM init swap=0 asym=1
    2016-01-04 18:04:45 Comp-stub init swap=0
    2016-01-04 18:04:45 EVENT: ASSIGN_IP
    2016-01-04 18:04:45 Error parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument
    2016-01-04 18:04:45 Connected via tun
    2016-01-04 18:04:45 EVENT: CONNECTED {user@example.com}:8443 ({WAN_IP}) via /UDPv4 on tun/192.168.3.106/
    2016-01-04 18:04:45 SetStatus Connected
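
As an added diagnostic example (not code from the thread or from Sophos), the script below parses the OPTIONS block that an OpenVPN client prints after PUSH_REQUEST, like the one quoted above, and reports whether `redirect-gateway` was actually pushed, whether any pushed route relies on placeholder tokens such as `remote_host` that the client must resolve itself (the token this client failed to parse), and whether a DNS server was pushed. The sample log is constructed in the same format, with placeholder addresses.

```python
import re

# Constructed sample in the format of the OpenVPN client log quoted above;
# the addresses are placeholders, not a real deployment.
SAMPLE_LOG = """\
2016-01-04 18:04:45 OPTIONS:
0 [route-gateway] [192.168.3.105]
1 [ping] [45]
2 [ping-restart] [180]
3 [redirect-gateway] [def1]
4 [topology] [subnet]
5 [route] [remote_host] [255.255.255.255] [net_gateway]
6 [dhcp-option] [DNS] [192.168.0.1]
7 [dhcp-option] [DOMAIN] [example.com]
8 [ifconfig] [192.168.3.106] [255.255.255.0]
"""

OPTION_LINE = re.compile(r"^\d+\s+((?:\[[^\]]*\]\s*)+)$")
# Placeholders a server may push instead of literal addresses; the client has
# to substitute them, and the log in this thread shows one client failing to.
SYMBOLIC = {"remote_host", "net_gateway", "vpn_gateway"}


def parse_push_options(log_text):
    """Turn the 'N [opt] [arg] ...' lines into lists like ['route', 'remote_host', ...]."""
    options = []
    for line in log_text.splitlines():
        m = OPTION_LINE.match(line.strip())
        if m:
            options.append(re.findall(r"\[([^\]]*)\]", m.group(1)))
    return options


def diagnose(options):
    """Return findings about what the pushed options ask of the client."""
    findings = []
    redirect = next((o for o in options if o[0] == "redirect-gateway"), None)
    if redirect:
        findings.append("redirect-gateway %s pushed: all traffic should use the tunnel, "
                        "so no internet access points at the server side (VPN->WAN rule, "
                        "masquerading)" % " ".join(redirect[1:]))
    else:
        findings.append("no redirect-gateway pushed: the default gateway setting never reached the client")
    for o in options:
        symbolic = [t for t in o[1:] if t in SYMBOLIC]
        if o[0] == "route" and symbolic:
            findings.append("route '%s' relies on %s, which the client must resolve itself; "
                            "a parse error means the route is skipped" % (" ".join(o[1:]), "/".join(symbolic)))
    if not any(o[:2] == ["dhcp-option", "DNS"] for o in options):
        findings.append("no DNS server pushed: name resolution will break once the tunnel is the default route")
    return findings
```

Run `diagnose(parse_push_options(text))` on the OPTIONS block copied from a client log; if it reports that `redirect-gateway` was pushed and the client still has no internet, the remaining suspects are the firewall rule and masquerading for VPN-to-WAN traffic rather than the client.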

  • Getting closer. Upon capturing packets I see this:
    Violation Local_ACL where the source IP is my VPN client. It must be one of my rules! Digging further...
  • Turns out this setting isn't working on my Mac or my iPhone. It works perfectly on Windows 10. Any ideas? Has anyone tried this using the OpenVPN client on iOS and TunnelBlick on OSX?
  • I've used TunnelBlick on OSX successfully, with multiple users. I have not tried any iOS clients.
  • With the default gateway setting turned on?
  • Anyone find a solution?

    I have the same issue, even with the VPN on iOS or the Sophos SSL VPN client.

  • Khaled, it's not clear if you and Timothy were having the same problem, so it's difficult to say whether there is a solution.

    In Timothy's case, I'm still not sure what the issue was. The claim was that everything was working fine in Windows 10 but not on OS X with the default gateway setting turned on, but he also indicated seeing a policy violation in his packet capture which would suggest that the firewall wasn't routing the VPN traffic. He didn't specify whether Windows 10 was honoring the default gateway setting and exclusively routing traffic through the firewall or whether it was using the local gateway. I have multiple users connecting to the XG Firewall through the latest version of Tunnelblick on OS X and with the default gateway setting turned on, and everything has worked fine since the beginning. I have not tested it with any iOS VPN, so I don't know if the iOS client specifically has problems that OS X clients do not.

  • My issue is the same now: clients on Windows 7 or 10 can access the VPN network and the internet without any issue, but those who access via iOS are able to access the VPN network while the internet is not working. Any idea?