End to Site to Site or: How to?

Hello everyone,

I am planning to do a classic scenario, however, the FAQ and KBs don't help me at all.

My idea is this:

My Laptop --- VPN (L2TP) ---- my UTM ====== IPSec ==== my friend's UTM ----- his network
Seems easy, but what configurations do I have to do? What firewall rules, what NAT masking?

I appreciate your suggestions.


Regards


ZeroEnna


  • Your UTM would need to offer the local IP range as well as the L2TP IP range as local networks and connect to your friend's IP range as remote network.
    On your friend's UTM this needs to be the other way around (local/remote switched).

    However, if you have the default IP range for L2TP VPN on both sites, then both UTMs have this range as a local range and therefore might not send this traffic into the tunnel. You could try to change this range on one UTM and see what happens.

    Also you could try to use SNAT on your UTM, where you change the source address of your L2TP traffic to be coming from your UTM's local LAN for the destination of your friend's network.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • With your SNAT Approach, I can finally ping the remote network's clients.
    However, it seems that no DNS resolution is possible once I connect to my Network via L2TP.

    Any ideas?
  • Instead of using the IP address pool you could configure a DHCP scope on a DHCP server (maybe it's even possible on the UTM, but I'm not sure since there's no real interface connected to L2TP traffic). In DHCP you can add DHCP options for DNS servers and domain suffix if needed.

  • This KB article addresses your issue: How to allow remote access users to reach another site via a Site-to-Site Tunnel

    With L2TP, you shouldn't need anything other than to be sure you two have different Internal and "VPN Pool (L2TP)" subnets and then to add the appropriate Firewall rule on each side.

    Whenever someone uses a SNAT in this situation, I suspect that there's been a violation of what I call Rule #3:

    Never create a Host/Network definition bound to a specific interface.
    Always leave all definitions with 'Interface: >'.

    DNS for Remote Access is configured in 'Remote Access >> Advanced'

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
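The two replies above make the same argument from different angles: the first explains why a shared L2TP pool keeps return traffic out of the tunnel and why SNAT works around it, Bob's says the clean fix is simply distinct Internal and "VPN Pool (L2TP)" subnets plus the pool offered as a local/remote network. The following is an added example (not code from the thread and not Sophos UTM code) that models both UTMs as lists of IPsec traffic selectors and walks a packet from the L2TP client to the friend's LAN and back. All addresses are constructed for the example; 10.242.3.0/24 stands in for whatever default L2TP pool both UTMs share and is not taken from the page.

```python
"""Traffic-selector model of the L2TP -> site-to-site scenario in this thread.

Added example (not Sophos UTM code). All addresses are constructed; the pool
10.242.3.0/24 is a placeholder for the shared default, not a value from the page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Utm:
    name: str
    lan: str                 # internal network behind this UTM
    l2tp_pool: str           # "VPN Pool (L2TP)" handed out to road warriors
    ipsec_local: list[str]   # local networks offered in the IPsec connection
    ipsec_remote: list[str]  # remote networks accepted in the IPsec connection

    def local_nets(self):
        # Ranges this UTM regards as its own; with a shared default pool the
        # same L2TP range shows up in BOTH UTMs' lists (the first reply's point).
        return [ipaddress.ip_network(self.lan), ipaddress.ip_network(self.l2tp_pool)]

    def selectors(self):
        # Every local x remote pair becomes one IPsec traffic selector.
        return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
                for l in self.ipsec_local for r in self.ipsec_remote]


def next_hop(utm, src, dst):
    """'local' if dst is one of the UTM's own ranges, 'tunnel' if a selector
    covers src->dst, otherwise 'drop'. Local wins, modelling the reply's
    'has this range as a local range and therefore might not send it into the tunnel'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(d in n for n in utm.local_nets()):
        return "local"
    if any(s in l and d in r for l, r in utm.selectors()):
        return "tunnel"
    return "drop"


def round_trip(me, friend, client, target):
    """(my outbound hop, friend's return hop) for client -> target.
    A ping only succeeds when both are 'tunnel'."""
    return next_hop(me, client, target), next_hop(friend, target, client)


def design_problems(me, friend):
    """The checks Bob's reply implies: no overlapping subnets between the sites,
    and the L2TP pool offered as local on my side and accepted as remote on his."""
    problems = []
    for a in me.local_nets():
        for b in friend.local_nets():
            if a.overlaps(b):
                problems.append(f"{me.name} {a} overlaps {friend.name} {b}")
    pool = ipaddress.ip_network(me.l2tp_pool)
    if not any(pool.subnet_of(ipaddress.ip_network(l)) for l in me.ipsec_local):
        problems.append(f"{me.name}: pool {pool} is not offered as an IPsec local network")
    if not any(pool.subnet_of(ipaddress.ip_network(r)) for r in friend.ipsec_remote):
        problems.append(f"{friend.name}: pool {pool} is not accepted as an IPsec remote network")
    return problems


def snat_source(me, src, dst, nat_ip):
    """The SNAT workaround from the first reply: an L2TP client talking to the
    friend's network leaves with a source address from my LAN (nat_ip), so the
    packet fits the existing LAN<->remote selector without offering the pool."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_pool = s in ipaddress.ip_network(me.l2tp_pool)
    to_friend = any(d in ipaddress.ip_network(r) for r in me.ipsec_remote)
    return nat_ip if in_pool and to_friend else src


# --- constructed scenarios ---------------------------------------------------

def scenario_same_pool():
    """Both UTMs keep the same default L2TP pool; the pool is offered/accepted."""
    me = Utm("myUTM", "192.168.1.0/24", "10.242.3.0/24",
             ["192.168.1.0/24", "10.242.3.0/24"], ["192.168.2.0/24"])
    friend = Utm("friendUTM", "192.168.2.0/24", "10.242.3.0/24",
                 ["192.168.2.0/24"], ["192.168.1.0/24", "10.242.3.0/24"])
    return me, friend


def scenario_distinct_pools():
    """As above, but the friend moved his L2TP pool to 10.242.4.0/24."""
    me, friend = scenario_same_pool()
    friend.l2tp_pool = "10.242.4.0/24"
    return me, friend


def scenario_snat():
    """Neither side touches the IPsec networks; the pool is hidden behind SNAT."""
    me = Utm("myUTM", "192.168.1.0/24", "10.242.3.0/24",
             ["192.168.1.0/24"], ["192.168.2.0/24"])
    friend = Utm("friendUTM", "192.168.2.0/24", "10.242.3.0/24",
                 ["192.168.2.0/24"], ["192.168.1.0/24"])
    return me, friend


if __name__ == "__main__":
    for build in (scenario_same_pool, scenario_distinct_pools, scenario_snat):
        me, friend = build()
        print(build.__name__, round_trip(me, friend, "10.242.3.2", "192.168.2.10"),
              design_problems(me, friend))
    me, friend = scenario_snat()
    natted = snat_source(me, "10.242.3.2", "192.168.2.10", "192.168.1.1")
    print("after SNAT:", natted, round_trip(me, friend, natted, "192.168.2.10"))
```

Running it shows the three states discussed in the thread: with a shared pool the outbound packet enters the tunnel but the friend's UTM treats the reply as local (pings time out), with distinct pools both hops are "tunnel" and `design_problems` is empty, and with SNAT the client is seen on the far side as 192.168.1.1 so the existing LAN-to-LAN selectors carry it both ways. The model only covers selector matching; the firewall rules Bob mentions still have to allow the traffic on each side.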
  • Hello everyone,

    everything is working just fine now!
    Thank you very much!