Site to site VPN (SSL) with default gateway?

Hi Alex,

Depends on where you've configured the SSL Connection.  Either put "Internet IPv4" into 'Local Networks' in the main office or into 'Remote Networks' in the branch and then reload the new client in the other site.  Using "Any" should work, but, in my experience, using it can cause problems.

Cheers - Bob

Hi BAlfson,
thank you for your answer!

What do you mean by "then reload the new client in the other site"? Just switching off the branch office connection and turn back on? Or create a new connection with the downloaded .apc file? I ask, because it is not working with putting "Internet IPv4" into 'Local Networks' in the main office.

The connection was made long time ago, so I don't remember what I did exactly, but as long as I'm not a professional, I think I just configured the server/headquarter connection and downloaded the configuration .apc and installed it in the branch office UTM.

Is above also correct for a IPsec VPN connection (2x UTM with IPsec VPN and BO should use HQ's GW)?

Thanks a lot,
Alex

Yes, Alex, "create a new connection with the downloaded .apc file" and it sounds like you did that.  Please insert a picture of the Edit of the Server definition.

Cheers - Bob

So, the new SSL connection can be established, but no traffic is possible, neither to resources on HQ network nor internet access. What else do I miss?

If you downloaded the "configuration for remote tunnel endpoint" and installed it in your home UTM, I don't see why this won't work.  How about a picture of the Edit of the home 'Client' Connection...

Cheers - Bob

Not too much to see here. This is the freshly imported file from HQ.
Maybe a firewall rule?
Better chance with IPsec?

UPDATE: now I established an IPsec connection also. It seems to be more performant, so may be I should move from SSL to IPsec site2site anyway. Would the procedure be the same for IPsec to use the HQ UTM as default gateway (not to forget, both UTM's are behind an ISP's router)?

ATM I don't have physical access to the HQ UTM, I'm currently connected through a OpenVPN client on my notebook over UTM's SSL Remote Access. So I need to be very careful with dis-/enabling firewall rules etc., because I don't want to kick me out of the UTM's.

Not too much to see here. This is the freshly imported file from HQ.
Maybe a firewall rule?
Better chance with IPsec?

UPDATE: now I established an IPsec connection also. It seems to be more performant, so may be I should move from SSL to IPsec site2site anyway. Would the procedure be the same for IPsec to use the HQ UTM as default gateway (not to forget, both UTM's are behind an ISP's router)?

ATM I don't have physical access to the HQ UTM, I'm currently connected through a OpenVPN client on my notebook over UTM's SSL Remote Access. So I need to be very careful with dis-/enabling firewall rules etc., because I don't want to kick me out of the UTM's.

Hello,

did you just change from a single place / single device setup in your to homeoffice to this setup with a firewall?

How do you handle the network "behind" the Sophos UTM firewall in your ISP-router?

If you did not configure the network, then your tunnel would get established, because the router "sees" the UTM, BUT: none of the devices behind that UTM will get routed anywhere.

I think this is your problem.

Thank you for your reply!

Please remember, I have a working Site2Site SSL connection (and in the meantime a working IPsec connection, also). Everything is fine with both connections so I think ISP-Router... should be ok.

What I didn't achive, yet, is to force the BO-UTM to use the HQ-UTM as DefaultGateway. If I put "InternetIPv4" in the local- network of HQ-UTM VPN connection, the tunnel gets established, but no more traffic is possible.

Best regards, Alex

Just to clarify: normal access to the internet from Homeoffice devices behind the firewall is working?

Or is it only the webproxy, that's working for the clients behind the UTM?

Yes, Alex, I much prefer IPsec site-to-site over the SSL VPN.

Cheers - Bob

Yes, everything is working since a long time. BO can access internet, BO can access resources in HQ, everything is fine.

Ok, so let's switch to IPsec

The first picture shows the working IPsec connection from BO to HQ. BO can access (its own) internet, BO can access resources in HQ. 1.) is the BO public IP from ISP, 2.) public IP from HQ.
If I use another VPN ID the connection will die.

Now I add "Internet IPv4" to "Local networks" in HQ IPsec connection (HQ is "respond only" since it is my VPN "Server" with a fixed public IP)

Now, the IPsec connection is broken, BO cannot access (its own) internet nor access resources on HQ network, anymore.
Any ideas? Is the VPN ID the problem, since it it used twice?

0.0.0.0/0 looks more like "Any" than "Internet IPv4."  How about pictures of the Edits of the IPsec Connection and Remote Gateway for BO and HQ?

Cheers - Bob

"Internet IPv4" is actually configured as "0.0.0.0/0" and is bound to "External (WAN)". This was done by Sophos first installation assistant, I think.
Pictures follow :-)

Branch Office, IPsec Gateway

Branch Office, IPsec Conn

Branch Office, IPsec Local RSA

Branch Office, IPsec Advanced

Headquarter, IPsec Gateway

Headquarter, IPsec Connection

Headquarter, IPsec Local RSA Key

Headquarter, IPsec Advanced