UTM 9 ipsec remote access vpn. Can access remote LAN, but no Internet.

Hello all, recently installed Sophos. I needed to replace my aging ASA 5505 at home due to some limitations with the base license and the hardware cap of 100 Mbps interfaces. I tried a few VM-based firewalls, but think I would like to settle on Sophos.

I have most things working the way I want, except for remote access vpn. I was finally able to make a connection and I can access LAN resources fine, but I have no Internet while doing so. I seem unable to access my regular DNS server. If I do an nslookup from the command line specifying the utm as a resolver, it works fine. But I don't see how to assign that to vpn client sessions. I do have the ipsec vpn pool allowed to use the utm as a resolver, so it's not that. I don't see anything being dropped in the firewall log and the ipsec log looks pretty clean as well. 

Is there a way to do split tunneling or something so that I use the IPsec tunnel only for remote LAN traffic and continue to use my local resources and web gateway? That was how things worked with my ASA, and I would not like to be locked into connecting only to the remote LAN for everything. I use this VPN session primarily from work. I have a large ESX lab in which I run virtual routers, LTM appliances, etc., that I use on a daily basis. If I am cut off from accessing the corporate network while using the Sophos IPsec VPN, then that's pretty much a deal breaker. So, I really hope that is not the case.

Thank you!

  • I should also add that the tunnel only seems to work if I put "Any" for local networks allowed. So, it's almost as if it is forcing me to configure a full tunnel, but then not providing web access. Which is not what I want anyway; I want a split tunnel, but that does not seem to work. Below is my IPsec connection setup:

  • Hi Don,

    You point out your problem yourself: if "any" is in the local network definition of the tunnel, then a default route will be set to the tunnel on the client.

    It's necessary to only set your needed networks there, so that only routes to these networks are set on the client through the tunnel.

    Config seems OK. Do you have the needed firewall rules set up?

    If you configure split tunneling and then connect with the client, what routes are then set up on the client? (cmd / netstat -r or route print on Windows machines)

    Just to test, you can set up an SSL VPN for yourself with split tunneling and try it with this client.

    I use SSL VPN for all my home-office workers; it runs fine and you don't need an IPsec client.
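The route check suggested above, done against saved `route print` output, as an added example that is not part of this thread (the addresses, metrics and the tunnel adapter address 10.242.2.10 are constructed sample values):

```python
"""Split- or full-tunnel check for a VPN client, from `route print` output."""
import ipaddress
import re

# One IPv4 row of `route print`: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

TUNNEL_IP = "10.242.2.10"  # constructed: the pool address the VPN adapter received

# Constructed sample of a client that connected with "Any" as local network:
# the tunnel adapter carries the remote LAN and a default route with a low metric.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.1         10.0.0.25     25
          0.0.0.0          0.0.0.0      On-link       10.242.2.10      1
         10.0.0.0    255.255.255.0      On-link         10.0.0.25    281
      192.168.1.0    255.255.255.0      On-link       10.242.2.10      1
"""
# Same client once only the remote LAN is listed as local network for the tunnel:
# the default route over the tunnel adapter is gone.
SPLIT_TUNNEL = "\n".join(
    l for l in FULL_TUNNEL.splitlines()
    if not (l.strip().startswith("0.0.0.0") and "On-link" in l))

def parse_route_print(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            rows.append((net, gw, iface, int(metric)))
    return rows

def egress_interface(rows, dst):
    """Interface that wins for dst: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in rows if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]))[2] if hits else None

def tunnel_networks(rows, tunnel_ip=TUNNEL_IP):
    """Destinations the client pushes into the tunnel (ideally the remote LAN only)."""
    return sorted(str(r[0]) for r in rows if r[2] == tunnel_ip)

def tunnel_mode(rows, tunnel_ip=TUNNEL_IP):
    """'full' if an ordinary Internet address (TEST-NET-3 here) would use the tunnel."""
    return "full" if egress_interface(rows, "203.0.113.1") == tunnel_ip else "split"
```

Paste the real `route print` output in place of the sample to see which destinations (for example the office DNS server) would leave through the tunnel adapter instead of the local network.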

  • Thank you for the reply. I installed the Shrew Soft client at work this morning (I was testing last night using a hosted Windows server VPS at OHV), and I only specified the remote LAN in the Shrew Soft client. It worked... for about ten minutes. Then it disconnected and will not connect again.

    I understand that putting "any" in the local network definition creates a full tunnel, but it will not work at all unless I specify "any". I do have the vpnpool added to my "outbound all" firewall rule.

    I'll have to fiddle around with it some more. If I can't get back in, however, it will have to wait until this evening, as I will have no access to the UTM at home.

  • It seems that either the UTM at home crashed, or my service provider is suffering a local outage. My wife texted me that the internet is down at home. At least I know it wasn't just my VPN client :) On the other hand, if it is just the UTM that crashed, that will suck. The wife will not be happy... might have to put the ASA back in place.

  • This is slightly off topic, but my wife had to reboot the cable modem and then things came back online. I hope my messing around with VPN connections didn't somehow mess up the external interface of the UTM. I'll look at the logs...

  • Well, it turns out that it is something to do with the VPN traffic that is crashing my internet. I can't see what is happening remotely, but the internet came back up after my wife rebooted the cable modem. I connected with the Shrew Soft client again and then (exactly like earlier), as soon as I try to RDP to a machine in my remote LAN, the internet went down again. Very weird.

  • Wow, this is really weird. I got the split tunnel thing worked out and the tunnel behaves the way that I would want it to.

    But... I now have these weird internet crashes whenever I try to RDP to a specific machine in my remote LAN from my office. I connected from my Windows VPS using the Shrew Soft client and was able to RDP to everything that I wanted to with no issues. I then connected from my desk, using the same Shrew Soft client and settings, and everything was great until I tried to RDP to that specific machine, and boom, the internet crashes. This is the third time that I can repeat this on demand by trying to RDP to my laptop at home from my PC at work.

    I'm not even sure where to begin to look at something like this. This seems très bizarre.

    Does anyone have any thoughts? Should I start a different thread perhaps?

  • Hi, Don, and welcome to the UTM Community!

    When you had a Full tunnel, you probably couldn't get out on the Internet because of the third item in #3.1 in Rulz.  If that wasn't it #1 probably would have shown you the problem.

    If you've gotten the Shrewsoft client to work, I think there are a lot of folks here that would like to see your configuration on the client and in the UTM.  I got it to work almost five years ago as a test, but it was a real pain as I recall.  Once I started using the SSL VPN on my iPhone and laptop, I never set up anything else for any of my clients.

    One of our unwritten rules here is "one topic per thread" so that it's easier for people to find existing answers.  Accordingly, please ask this new question in a new thread - TIA.

    Cheers - Bob

  • Hi, thanks for the reply. I've abandoned IPsec in favor of SSL, but I basically just followed the guide below to connect the Shrewsoft client:

    www.virtualizationhowto.com/.../