Sophos XG Firewall: How to configure access for SSL VPN remote users over an IPsec VPN : Manage Service Desk

Overview

This article describes how to configure SSL VPN remote users to have access over a site-to-site IPsec VPN.

The following sections are covered:

⦁ Scenario

⦁ Pre-requisites

⦁ What to do

⦁ Related information

Applies to the following Sophos products and versions

Sophos Firewall

Scenario

Allow SSL VPN remote users to access a remote site via a site-to-site IPsec VPN tunnel.

Pre-requisites

This article requires that an SSL VPN remote access and an IPsec VPN tunnel between two sites are already configured and established. Please see the following articles to configure these requirements.

What to do

In order to provide access for SSL VPN remote users to a remote site via a site-to-site IPsec VPN tunnel, it is necessary to configure the networks that will be accessed in both the SSL VPN Remote Access and the site-to-site IPsec VPN tunnel connections. In the example scenario, the following networks should be included in the configuration.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Site 1 Networks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Site-to-Site IPsec VPN Tunnel Local Subnet Site 1 LAN (192.10.10.0/24)

VPN Pool (10.81.234.0/24)

Remote Subnet

Site 2 LAN (192.20.20.0/24)

-----------------------------------------------------------------------------------------------------------------------------------------

SSL VPN Remote Access Permitted Network Resources

Site 1 LAN (192.10.10.0/24)

Site 2 LAN (192.20.20.0/24)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Site 2 Networks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Site-to-Site IPsec VPN Tunnel Local Subnet

Site 2 LAN (192.20.20.0/24)

Remote Subnet

Site 1 LAN (192.10.10.0/24)

VPN Pool (10.81.234.0/24)

------------------------------------------------------------------------------------------------------------------------------------------

Firewall rules

For ease of configuration, a LAN-VPN and VPN-LAN rule combined into one firewall rule can be configured in both Site 1 and Site 2.

Note: The firewall configuration above will allow traffic to flow between the LAN to VPN, VPN to LAN and VPN to VPN zones. However, this can also be configured separately.

Result

Once the required networks and firewall rules are configured, SSL VPN Remote Access users should be able to access Site 2's network.

A trace route from the SSL VPN Remote Access user to a host on Site 2.

Sophos XG Firewall: How to configure access for SSL VPN remote users over an IPsec VPN Print

Related Articles