This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site2Site SSL VPN showing connected but no communication

hai,

i have 3 location A, B and C
at location A and B
ISP>>Juniper >>Sophos>>LAN

here Public IP on Juniper Interface and all ports are forwarded to Sophos external IP and due to some reason could not establish IPSEC tunnel so we done Site2Site SSL VPN (Location A as server and Location B as client)

now site2site SSL VPN from location A (server) to Location C (client)
location C has 4G modem which does not support bridge mode so i forward port ssl port 443 to External IP of Sophos UTM its showing connected but there is no communication from UTM to UTM at both site.

at HO which is act as server there is no entry at routing table of UTM for client network.

firewall rule and masquerading rule dont help..

any help...

This thread was automatically locked due to age.

Parents

0 apijnappels over 10 years ago

I'm not sure I can help you with this, I don't have too much experience with the SSL site2site connections and most of all I don't know if you can have two sites connect to the same UTM server site. For this I hope someone else with more experience with SSL site2site will answer your question.

What I do see however is that you're using 190.0.0.0/16 at one of your sites as LAN. This will most likely work, but it's not a RFC-1918 private IP-range. If you do have the opportunity it would be much better if you change this to 172.16.0.0/12 range (or 192.168.0.0/16 but I would choose the first for business environments).

For the dynamic public IP you have at the 4G site, you could perhaps also use IPSEC but you would need te setup a Respond only IPSEC connection since the public IP is dynamically assigned. Certain providers do have dynamic IP's but it appears that you may keep your assigned IP-address for months (or even years). In such a case you could use this address in the setup and pretend it's a fixed address. However when the address does change in the future, your VPN-tunnel will drop and you will have to adjust this again.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 apijnappels over 10 years ago

I'm not sure I can help you with this, I don't have too much experience with the SSL site2site connections and most of all I don't know if you can have two sites connect to the same UTM server site. For this I hope someone else with more experience with SSL site2site will answer your question.

What I do see however is that you're using 190.0.0.0/16 at one of your sites as LAN. This will most likely work, but it's not a RFC-1918 private IP-range. If you do have the opportunity it would be much better if you change this to 172.16.0.0/12 range (or 192.168.0.0/16 but I would choose the first for business environments).

For the dynamic public IP you have at the 4G site, you could perhaps also use IPSEC but you would need te setup a Respond only IPSEC connection since the public IP is dynamically assigned. Certain providers do have dynamic IP's but it appears that you may keep your assigned IP-address for months (or even years). In such a case you could use this address in the setup and pretend it's a fixed address. However when the address does change in the future, your VPN-tunnel will drop and you will have to adjust this again.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data