Can't get SSL VPN to pass traffic

Hi,

I have read plenty of community posts and KBs but just can't seem to get my head around getting SSL VPN to work correctly for my network.

I have created a new SSL VPN (Remote Access) Rule:

  • Name: Remote Access
  • Description: Remote Access
  • Policy Members: Open Group
  • Use as Default Gateway: On (have tried both on and off)
  • Permitted network resources: "Home", which is my internal network 192.168.1.0/24

VPN Settings:

  • Protocol: TCP
  • SSL Server Cert: ApplianceCertificate
  • IPv4 Lease Range: 10.81.234.5-55
  • Subnet: /24
  • IPv4 DNS: 8.8.8.8 / 4.2.2.2

The username I am trying is part of the "Open Group".

Under firewall I have created 2 network rules:

Rule 1:

  • Name: LAN to VPN
  • Source Zones: LAN
  • Source Networks and Devices: Any
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: Any
  • Identity --> Match Known Users
  • Users or Groups: Open Group
  • All other settings are unchecked / none

Rule 2:

  • Name: VPN to LAN
  • Source Zones: WAN
  • Source Networks and Devices: Any
  • Destination Zones: LAN
  • Destination Networks: Home (192.168.1.0/24)
  • Services: Any
  • Identity --> Match Known Users
  • Users or Groups: Open Group
  • All other settings are unchecked / none

I can connect fine, but no traffic is passed, logged, or captured within the firewall.

Any assistance is greatly appreciated.

Thanks in advance.

  • Daniel,

    On rule 1 change the source to VPN and destination zone to LAN. On rule 2 change the source to VPN and destination to WAN zone.

    Thanks

  • Hi Luk,

    Thanks for the help, here is how they look now:

    I am still not getting any access.

  • Daniel,

    Remove Home from destination network and uncheck match known users.

  • Thank you, that worked, I can now ping internally which is great; however, my new problem is that I can't access the web via VPN.

    When I ping 8.8.8.8 I get a request timed out, and if I ping DNS names such as www.google.com, it can't resolve.

    Are you able to assist me please?

  • Did you remove the Home network from VPN to WAN?

  • Yes I did, plus I moved the firewall rules above a clientless rule as it appeared to be hitting that rule rather than the VPN rule.

    Thanks

  • Hi,

    Could you please show us the output of the command "route print" in CMD after successfully connecting via SSL VPN.

  • Hi Aditya, here it is:

    Microsoft Windows [Version 10.0.15063]
    (c) 2017 Microsoft Corporation. All rights reserved.

    C:\Users\mit>route print
    ===========================================================================
    Interface List
     11...00 ff e6 8b 45 71 ......Sophos SSL VPN Adapter
     10...d8 cb 8a 88 2c 5f ......Intel(R) Ethernet Connection I217-LM
      4...b8 86 87 7e 28 a6 ......Realtek RTL8723BE Wireless LAN 802.11n PCI-E NIC
      5...ba 86 87 7e 28 a6 ......Microsoft Wi-Fi Direct Virtual Adapter
      9...00 ff da 43 0d d4 ......Kaspersky Security Data Escort Adapter
      7...b8 86 87 7e 51 aa ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination          Netmask         Gateway       Interface  Metric
                0.0.0.0          0.0.0.0  172.20.146.254   172.20.146.26      25
                0.0.0.0        128.0.0.0     10.81.234.5     10.81.234.6     257
            10.81.234.0    255.255.255.0         On-link     10.81.234.6     257
            10.81.234.6  255.255.255.255         On-link     10.81.234.6     257
          10.81.234.255  255.255.255.255         On-link     10.81.234.6     257
              127.0.0.0        255.0.0.0         On-link       127.0.0.1     331
              127.0.0.1  255.255.255.255         On-link       127.0.0.1     331
        127.255.255.255  255.255.255.255         On-link       127.0.0.1     331
              128.0.0.0        128.0.0.0     10.81.234.5     10.81.234.6     257
           172.20.146.0    255.255.255.0         On-link   172.20.146.26     281
          172.20.146.26  255.255.255.255         On-link   172.20.146.26     281
         172.20.146.255  255.255.255.255         On-link   172.20.146.26     281
          MY IP ADDRESS  255.255.255.255  172.20.146.254   172.20.146.26     281
              224.0.0.0        240.0.0.0         On-link       127.0.0.1     331
              224.0.0.0        240.0.0.0         On-link     10.81.234.6     257
              224.0.0.0        240.0.0.0         On-link   172.20.146.26     281
        255.255.255.255  255.255.255.255         On-link       127.0.0.1     331
        255.255.255.255  255.255.255.255         On-link     10.81.234.6     257
        255.255.255.255  255.255.255.255         On-link   172.20.146.26     281
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    331 ::1/128                  On-link
     11    291 fe80::/64                On-link
     10    281 fe80::/64                On-link
     11    291 fe80::7d7e:cca6:52f8:e004/128
                                        On-link
     10    281 fe80::b44c:3b3a:b35:ddc0/128
                                        On-link
      1    331 ff00::/8                 On-link
     11    291 ff00::/8                 On-link
     10    281 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
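
    The table above can be read mechanically rather than by eye. The following Python is an added example, not from the thread or from Sophos: it parses the IPv4 rows re-typed from the post (a constructed sample, with the redacted and host/broadcast rows dropped), reports which gateway and interface Windows would pick for a destination (longest prefix, then lowest metric), and checks for the 0.0.0.0/1 plus 128.0.0.0/1 pair that the "use as default gateway" option installs. Against this table both 8.8.8.8 and the 192.168.1.0/24 LAN resolve to the tunnel, so the client is already pushing that traffic into the VPN and the remaining fault is on the firewall side.

```python
import ipaddress
import re

# Constructed sample: IPv4 "Active Routes" rows re-typed from the route print
# output posted above. The redacted "MY IP ADDRESS" row and the /32 host and
# broadcast rows are omitted; they do not change the answers below.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   172.20.146.254   172.20.146.26     25
          0.0.0.0        128.0.0.0      10.81.234.5     10.81.234.6    257
      10.81.234.0    255.255.255.0          On-link     10.81.234.6    257
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
        128.0.0.0        128.0.0.0      10.81.234.5     10.81.234.6    257
     172.20.146.0    255.255.255.0          On-link   172.20.146.26    281
        224.0.0.0        240.0.0.0          On-link       127.0.0.1    331
        224.0.0.0        240.0.0.0          On-link     10.81.234.6    257
"""

# dest  netmask  gateway  interface  metric  (gateway may be the word On-link)
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) from route print rows."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or anything that is not an IPv4 row
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Pick the route Windows would use: longest prefix first, then lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    _, gw, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return gw, iface

def tunnel_is_default(routes, vpn_iface):
    """True when both /1 halves of the default route (the pattern the
    'use as default gateway' option installs) point at the VPN adapter."""
    halves = {str(r[0]) for r in routes if r[0].prefixlen == 1 and r[2] == vpn_iface}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}
```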

  • Daniel,

    On the VPN Profile, make sure "use default gateway" is turned on.

    Also make sure that every time you change the SSL Profile on XG, you download the new SSL VPN configuration from the user portal and install it on the Windows client.

    Thanks

  • Thanks, gateway is turned on, still no DNS / www traffic; I can ping internal hosts but nothing external.

    I didn't know I had to download a new config with every change! That is really silly in my opinion.

    I will give that a go and see if it resolves the issue.

  • Hi Daniel,

    Had the same problem as you; it was not hitting the second rule, so I changed the first rule so the destination included LAN and WAN.

  • Thank you, that helped resolve the issue.

    Cheers
