Overview


This article describes how to configure SSL VPN remote users to have access over a site-to-site IPsec VPN.


The following sections are covered:


⦁    Scenario

⦁    Pre-requisites

⦁    What to do

⦁    Related information


Applies to the following Sophos products and versions


Sophos Firewall


Scenario


Allow SSL VPN remote users to access a remote site via a site-to-site IPsec VPN tunnel.



Pre-requisites


This article assumes that SSL VPN remote access and a site-to-site IPsec VPN tunnel between the two sites are already configured and established. Please see the following articles to configure these requirements.


What to do


To give SSL VPN remote users access to a remote site via a site-to-site IPsec VPN tunnel, the networks to be reached must be configured in both the SSL VPN Remote Access settings and the site-to-site IPsec VPN tunnel connection at each site. In particular, the SSL VPN pool must be carried inside the IPsec tunnel, and the remote site's LAN must be pushed to the SSL VPN clients. In the example scenario, the following networks should be included in the configuration.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Site 1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Connection                      Setting                        Networks
------------------------------------------------------------------------------
Site-to-Site IPsec VPN Tunnel   Local Subnet                   Site 1 LAN (192.10.10.0/24)
                                                               VPN Pool (10.81.234.0/24)
                                Remote Subnet                  Site 2 LAN (192.20.20.0/24)
------------------------------------------------------------------------------
SSL VPN Remote Access           Permitted Network Resources    Site 1 LAN (192.10.10.0/24)
                                                               Site 2 LAN (192.20.20.0/24)
------------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Site 2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Connection                      Setting                        Networks
------------------------------------------------------------------------------
Site-to-Site IPsec VPN Tunnel   Local Subnet                   Site 2 LAN (192.20.20.0/24)
                                Remote Subnet                  Site 1 LAN (192.10.10.0/24)
                                                               VPN Pool (10.81.234.0/24)
------------------------------------------------------------------------------
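As an added illustration (not part of the article and not a Sophos tool), the following Python checker encodes the subnet requirements from the tables above and reports which setting is missing for a given SSL VPN client address and destination. The configuration dictionaries are constructed for this example; the BAD_CONFIG case shows the tunnel selectors without the VPN pool.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration mirroring the article's scenario (not
# exported from a Sophos Firewall): the SSL VPN pool must be in the Site 1
# tunnel's local subnets and the Site 2 tunnel's remote subnets, and the
# Site 2 LAN must be an SSL VPN permitted network resource.
VPN_POOL = ip_network("10.81.234.0/24")
SITE1_LAN = ip_network("192.10.10.0/24")
SITE2_LAN = ip_network("192.20.20.0/24")

GOOD_CONFIG = {
    "site1_tunnel": {"local": [SITE1_LAN, VPN_POOL], "remote": [SITE2_LAN]},
    "site2_tunnel": {"local": [SITE2_LAN], "remote": [SITE1_LAN, VPN_POOL]},
    "sslvpn_permitted": [SITE1_LAN, SITE2_LAN],
}

# The common mistake: the tunnel selectors only carry the two LANs.
BAD_CONFIG = {
    "site1_tunnel": {"local": [SITE1_LAN], "remote": [SITE2_LAN]},
    "site2_tunnel": {"local": [SITE2_LAN], "remote": [SITE1_LAN]},
    "sslvpn_permitted": [SITE1_LAN, SITE2_LAN],
}

def covered(addr, nets):
    """True if addr falls inside any network in nets."""
    return any(addr in n for n in nets)

def check_flow(cfg, src, dst):
    """List the configuration gaps that stop a packet from SSL VPN client src
    reaching dst over the site-to-site tunnel; [] means every hop selects it."""
    src, dst = ip_address(src), ip_address(dst)
    s1, s2 = cfg["site1_tunnel"], cfg["site2_tunnel"]
    checks = [
        (src in VPN_POOL, "source is not an SSL VPN pool address"),
        (covered(dst, cfg["sslvpn_permitted"]), "dst not in SSL VPN permitted network resources"),
        (covered(src, s1["local"]), "Site 1 tunnel local subnet does not include src"),
        (covered(dst, s1["remote"]), "Site 1 tunnel remote subnet does not include dst"),
        (covered(src, s2["remote"]), "Site 2 tunnel remote subnet does not include src"),
        (covered(dst, s2["local"]), "Site 2 tunnel local subnet does not include dst"),
    ]
    return [reason for ok, reason in checks if not ok]

def selectors_mirrored(cfg):
    """True if Site 1's local/remote subnets are Site 2's remote/local subnets,
    which is the pairing the tables above show."""
    s1, s2 = cfg["site1_tunnel"], cfg["site2_tunnel"]
    return set(s1["local"]) == set(s2["remote"]) and set(s1["remote"]) == set(s2["local"])
```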


Firewall rules


For ease of configuration, a single firewall rule that combines the LAN-VPN and VPN-LAN directions can be created on both Site 1 and Site 2.



Note: The firewall rule described above allows traffic to flow from the LAN zone to the VPN zone, from the VPN zone to the LAN zone, and from the VPN zone to the VPN zone. These directions can also be configured as separate rules.


Result


Once the required networks and firewall rules are configured, SSL VPN Remote Access users should be able to reach hosts on Site 2's LAN through the site-to-site tunnel.


A trace route from the SSL VPN Remote Access user to a host on Site 2.