How to fix issue with remote users behind SSL Site-to-Site VPN being unable to access the Internet using XG as gateway

Hi all,

I have been experiencing an issue where remote hosts routed via Sophos XG (located behind an SSL Site-to-Site VPN) are unable to access the Internet, and I have been trying to fix this for quite a while. I have had no issues allowing Internet access to SSL Remote Access VPN users; instead I have only been experiencing this with Site-to-Site connections.

The remote users' outgoing traffic was never leaving the tun0 interface on XG, and neither NAT nor routing nor firewalling was the actual problem. I had even tried Reflexive NAT rules to work around this issue. I had been seeing firewall log entries stating that these SSL VPN connections were running into Security Policy 0, which was not much helpful information to me. So after a while I got back to the root of the problem which I had suspected in the first place, and that is the Local and Remote network definitions of the SSL VPN tunnel on XG.

As it appears, it is not possible to allow "Any" as a local network for the SSL Site-to-Site VPN configuration, so any outgoing connections are filtered. It is also not possible to add an "IP Host" definition that has a network of 0.0.0.0/0 (cannot use unspecified address). I attempted to be tricky and set up an IP range of 0.0.0.1-255.255.255.254; however, this will also fail because an IP range cannot be selected (it's invisible) for Local networks.

Finally I found the workaround to fix this incredible headache. I had to add an IP Host group. Then add an IP range of 0.0.0.1-255.255.255.254 to this IP Host group. Magically, IP Host groups are allowed to be added to local networks. Problem solved.

Since this problem was pretty hard to find and work around, I thought I would a) let you guys know in case you run into the same problem, b) ask for a discussion on whether my way of doing this is actually the correct way to allow access to Any for an SSL Site-to-Site VPN, and c) if yes, I would like someone to submit this as a bug. Should I have been doing this wrong and the solution was much easier than I thought, please update me and others who will be running into the same issue.

Thanks for your attention, and thank you Sophos/Cyberoam for a fantastic and rock-solid product which I will happily recommend to enterprise contacts.

Best regards
Marc
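As an added example (not from the post or from Sophos), a small Python helper that expands the range used in the workaround above into its equivalent CIDR prefixes and checks which of them a remote peer's routing table actually sends into the tunnel; the tunnel-route list is a constructed sample, and how XG represents the range internally is not assumed.

```python
import ipaddress

# Range from the workaround in the post (the IP range placed inside the IP Host group).
WORKAROUND_RANGE = ("0.0.0.1", "255.255.255.254")


def range_to_prefixes(first, last):
    """Expand an IPv4 range into the minimal list of CIDR prefixes covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def covers(prefixes, host):
    """True if the destination host falls inside any of the prefixes."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in p for p in prefixes)


def missing_from_tunnel(prefixes, tunnel_routes):
    """Return the prefixes that no tunnel route covers.

    tunnel_routes: CIDR strings for the routes a remote peer sends via the
    tunnel interface (read from its routing table by other means). A prefix
    counts as covered when some tunnel route equals or contains it.
    """
    table = [ipaddress.IPv4Network(r) for r in tunnel_routes]
    return [p for p in prefixes if not any(p.subnet_of(t) for t in table)]


if __name__ == "__main__":
    prefixes = range_to_prefixes(*WORKAROUND_RANGE)
    print(f"{len(prefixes)} prefixes, e.g. {prefixes[0]} ... {prefixes[-1]}")
    # Constructed sample: a peer whose only tunnel route is the far-side LAN.
    sample_tunnel_routes = ["192.0.2.0/24"]
    gaps = missing_from_tunnel(prefixes, sample_tunnel_routes)
    print(f"{len(gaps)} prefixes of the range are not routed into the tunnel")
```

Note that the range deliberately excludes 0.0.0.0 and 255.255.255.255, so it is not literally 0.0.0.0/0; a peer whose routing table carries only a default route elsewhere will still send Internet traffic to its own gateway.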



  • Hello Marc,

    I'm facing the same problem of routing Internet traffic from the client site to the server site. I tried your idea and added the host group,

    but the client site still uses its own gateway, not the server site's gateway.

    Can you explain more about the rules you created or any other configuration you did?

    Many thanks in advance; your support is appreciated.

    Best regards