Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 4117 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Tunnel all traffic over SSL Site to Site

jdale
I have a Site to Site VPN created and I can reach both internal networks perfectly.

Is there a way to have all the network traffic from the local network to be tunnelled to the remote network and out the internet there.

Basically a full tunnel.

I know in IPSec you can just add the ANY in the connection properties but the SSL VPN doesn't seem to work like that.

Thanks


This thread was automatically locked due to age.
  • 0
    It works the same for both types of VPN, but, for SSL, the change is made only on one side and then the other side is reloaded with the new configuration.  Add "Internet" to 'Local networks' in the remote Astaro, and then import the new configuration file into your local Astaro.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    PMFJI (old thread, I know), but on a related matter:

    Bob, any thoughts about this with a non-Astaro/UTM on the opposite side?

    Consider the following:

    Local LAN: 192.168.112.66/30

    ASG: SSL VPN



    DD-WRT OpenVPN

    Remote LAN: ***.***.***.***/24

    The object is to route *all* traffic from 192.168.112.66/30 through the DD-WRT box on the far side.

    Astaro SSL S2S config:

    Local networks: 192.168.112.66/30
    Remote networks: 0.0.0.0/0, ***.***.***.***/24

    OpenVPN config on far side:


    client
    dev tun
    proto tcp
    keepalive 10 60
    hand-window 30
    port 5443
    remote myASG-FQDN
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /tmp/openvpncl/ca.crt
    cert /tmp/openvpncl/client.crt
    key /tmp/openvpncl/client.key
    cipher AES-128-CBC
    auth MD5
    comp-lzo
    route-delay 4
    verb 3
    reneg-sec 0
    I'm not seeing my internet-bound traffic hitting the tunnel IP at all, nor am I seeing the appropriate routing getting pushed to the client from the ASG. A traceroute from the single machine on the affected subnet to a machine on the remote (non-ASG) side shows traffic going from the ASG internal IP to the tunnel IP and finally to the destination, but I get only timeouts tracing out to the internet.

    It appears as though ASG (8.306) is simply ignoring the "Internet IPv4" network added to the remote networks list, and is just dropping the traffic. This can also be seen in the firewall log, which shows dropped packets. Something else intercepting my outbound traffic, do you think? (If I add an explicit fw rule to allow outbound traffic from the affected subnet, it is no longer dropped, but not routed through the SSL VPN, either.)

    TIA
  • 0
    Hey Lewis,

    There's a thread that discusses translating between ovpn and the Astaro formats. I haven't done this with a non-Astaro OpenVPN. 

    Cheers - Bob

    Sorry for any short responses!  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Thanks, Bob. I'll track down that thread and have a look-see.

    Cheers
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?