Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1663 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN and policy routing

amster
Hello,

We have a problem with the mix of policy routing and SSL VPN remote access.

We don't use Failover or uplink balancing. 
In the case we test, the range 10.20.0.0/24 should only access internet through the router 192.168.20.200. So the policy routing we create is

Route Type: Gateway route
Source Interface: Lan 2 (10.20.0.254)
Source Network: 10.20.0.0/24
Service: Any
Destination Network: any
Gateway: Router 2 (192.168.20.200)

In the firewall settings, we add this rule

Masquerading: 
Lan2 --> Wan2 (10.20.0.254)

FW rules:

Lan2 --> any --> 0.0.0.0/0 with Wan2 interface


Eveything works fine until we try an ssl vpn access from internet through router 1. 

Tcpdump on tun0:

12:42:48.265920 IP 10.242.2.6 > 10.20.0.2: ICMP echo request, id 31531, seq 989, length 64
12:42:49.273975 IP 10.242.2.6 > 10.20.0.2: ICMP echo request, id 31531, seq 990, length 64
12:42:50.281965 IP 10.242.2.6 > 10.20.0.2: ICMP echo request, id 31531, seq 991, length 64
12:42:51.289946 IP 10.242.2.6 > 10.20.0.2: ICMP echo request, id 31531, seq 992, length 64

Tcpdump on eth3 (10.20.0.254):

12:42:10.970066 IP 10.242.2.6 > 10.20.0.2: ICMP echo request, id 31531, seq 952, length 64
12:42:10.970283 IP 10.20.0.2 > 10.242.2.6: ICMP echo reply, id 31531, seq 952, length 64
..

The default gateway for the client 10.20.0.2 is 10.20.0.254 

Do you have some advice ?

Thanks


This thread was automatically locked due to age.
  • 0
    Of course, if we suspend the policy routing, the VPN is working, but no more access to  internet through 192.168.20.200.
  • 0
    Hi, amster, and welcome to the User BB!

    Please [Go Advanced] below and attach a picture of the Edit of the SSL VPN definition.  Also, explain what problem you're having and what you see that leads you to the conclusion it's not working as you expected.

    Also, explain why you aren't using Uplink Balancing as this offers the easiest solution, especially if you're using Web Filtering.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi, amster, and welcome to the User BB!

    Please [Go Advanced] below and attach a picture of the Edit of the SSL VPN definition.  Also, explain what problem you're having and what you see that leads you to the conclusion it's not working as you expected.

    Also, explain why you aren't using Uplink Balancing as this offers the easiest solution, especially if you're using Web Filtering.

    Cheers - Bob


    Thank you. That's what I have done. The Uplink balancing way resolve my problem. 

    bye?
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML