SSL Remote Clients through SSL site 2 site connection

Hey,
I have a problem with my VPN infrastructure.
I have a main site where all remote clients connect via SSL VPN and a side office which also connects via SSL site 2 site.
All works great but... :)
my remote access clients can't ping/connect to hosts at the side office. Local users at the main site can connect to the side office and the other way around; that works.

I read some threads and I think I should change the site 2 site connection to IPsec, but I can't. Both sides are behind NATed routers and IPsec does not work.

So how can I implement my SSL VPN? SSL clients should connect via the SSL site 2 site tunnel...

regards


  • You will need to change both the site-to-site connections addresses and the local addresses for the remote VPN clients. But the real problem may be that both SSL site-to-site and SSL remote access use the same IP-pool and hence the same subnet.
    If this is not the issue then you need to change the following:

    Remote Access VPN:
    In local networks add the side office's subnet

    Site-to-site VPN:
    In local networks add the VPN SSL pool subnet and re-download and apply the config on the side office to make the change known to the side office.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • It is possible to make IPsec work behind NATting routers, but it is tricky.  In addition to apijnappel's prescriptions, you might want to look at the 'ICMP' tab of 'Firewall' as it's not clear from your description that anyone can ping anyone.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
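
The two changes prescribed in the first reply, together with its pool-overlap check, modelled as a route check. This is an added example, not part of the thread and not Sophos code; all subnets are constructed sample values and `check` is a hypothetical helper.

```python
import ipaddress as ip

# Constructed sample addressing (assumptions, not values from the thread).
MAIN_LAN = ip.ip_network("192.168.10.0/24")   # main site LAN
SIDE_LAN = ip.ip_network("192.168.20.0/24")   # side office LAN
RA_POOL = ip.ip_network("10.242.2.0/24")      # SSL remote access pool
S2S_POOL = ip.ip_network("10.242.3.0/24")     # SSL site-to-site pool


def check(ra_pool, s2s_pool, ra_local_nets, s2s_local_nets, side_lan):
    """Return a list of findings; an empty list means remote access
    clients have a route to the side office and replies can come back."""
    findings = []
    # 1. Remote access and site-to-site must not share an address pool.
    if ra_pool.overlaps(s2s_pool):
        findings.append("pool-overlap")
    # 2. Forward path: the remote access "Local networks" list must
    #    cover the side office subnet so clients route it into the VPN.
    if not any(side_lan.subnet_of(n) for n in ra_local_nets):
        findings.append("client-missing-route-to-side-office")
    # 3. Return path: the site-to-site "Local networks" list must cover
    #    the remote access pool so the side office routes replies back
    #    through the tunnel (after its config is re-downloaded).
    if not any(ra_pool.subnet_of(n) for n in s2s_local_nets):
        findings.append("side-office-missing-route-to-client-pool")
    return findings


def before_fix():
    # Both services only announce the main site LAN.
    return check(RA_POOL, S2S_POOL, [MAIN_LAN], [MAIN_LAN], SIDE_LAN)


def after_fix():
    # Side office subnet added to remote access, pool added to site-to-site.
    return check(RA_POOL, S2S_POOL, [MAIN_LAN, SIDE_LAN],
                 [MAIN_LAN, RA_POOL], SIDE_LAN)


if __name__ == "__main__":
    print("before:", before_fix())
    print("after: ", after_fix())
```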