https://support.sophos.com/support/s/article/KB-000037043?language=en_US



Overview

This article contains the steps to allow Remote Access SSL VPN traffic over an existing IPsec tunnel without modifying the IPsec tunnel.

Applies to the following Sophos products and versions:
Sophos Firewall

Allowing the remote access SSL VPN traffic

In this scenario, it is assumed that the SSL VPN profile is already created to access the local network of the Sophos Firewall. Follow the steps in Sophos Firewall: Configure SSL VPN remote access.

The following configurations are required on the Sophos Firewall at the local site, that is, the firewall to which the SSL VPN client connects:

Edit the SSL VPN (remote access) policy

  1. Go to VPN > SSL VPN (remote access).
  2. Edit the existing SSL VPN remote access policy and add the IPsec remote network in Permitted network resources.
  3. Click Apply.

Create an IP network object for the SSL VPN remote access IPv4 lease range

To find out the current IPv4 lease range for SSL VPN (remote access):
  1. Go to Configure > VPN.
  2. Click Show VPN settings.
  3. Look for the IPv4 lease range.
     In this example, the current IPv4 lease range is 10.81.234.5 - 10.81.234.55.
  4. Create a network object for the IPv4 lease range on System > Host and services > IP host.
  5. Click Save.

Add a firewall rule

  1. Go to Rules and policies > Firewall rules > Add firewall rule > New firewall rule.
  2. Configure the settings as shown below:

     Parameter                     Value
     Source zones                  VPN
     Source networks and devices   SSL VPN remote access IPv4 lease range
     Destination zones             VPN
     Destination networks          IPsec Remote network
     Services                      ANY

  3. Click Create linked NAT rule.
  4. In the Translated source (SNAT) field, click the drop-down and click Create new > IP address and create an entry for the local LAN interface IP.

  5. Click Save.
  6. Review the linked NAT rule and click Save.
  7. Click Save to save the firewall rule.

Add an IPsec route

  1. Access the Sophos Firewall CLI of the Head Office via SSH.
  2. On the menu, select option 4 for Device Console.
  3. Add the IPsec route using the below command:

    console> system ipsec_route add net 10.x.x.x/255.x.x.x tunnelname <name of the IPsec tunnel>

    For example: console> system ipsec_route add net 10.1.10.0/255.255.255.0 tunnelname To_Branch_Office

    Note: 10.1.10.0 is just an example. Use the subnet of the actual remote network advertised on the IPsec site-to-site tunnel.
  4. To check if the IPsec route was successfully added, type the below command:

    console> system ipsec_route show
    tunnelname host/network netmask
        To_Branch_Office   10.1.10.0        255.255.255.0
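The following Python helper is an added example and is not part of the Sophos article or a Sophos tool. It ties the steps above together offline: it derives the smallest network that covers the SSL VPN IPv4 lease range (an assumption; the article only asks for a network object covering the lease range), checks that the lease range does not overlap the IPsec remote network (overlap would make the firewall rule and the route ambiguous), builds the ipsec_route command with the dotted netmask the CLI expects from a CIDR prefix, and parses the constructed sample output of "system ipsec_route show" to confirm the route is present. The tunnel name and addresses are the article's own examples.

```python
import ipaddress

# Constructed sample, copied in shape from the article's "system ipsec_route show" output.
SHOW_OUTPUT = """\
tunnelname host/network netmask
    To_Branch_Office   10.1.10.0        255.255.255.0
"""


def covering_network(first_ip: str, last_ip: str) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix that contains every address in the lease range.

    Assumption: the IP host object for the lease range is modelled as one
    prefix; 10.81.234.5 - 10.81.234.55 yields 10.81.234.0/26.
    """
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    if last < first:
        raise ValueError("lease range end precedes its start")
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()  # widen by one bit until the last address fits
    return net


def lease_overlaps_remote(first_ip: str, last_ip: str, remote_net: str) -> bool:
    """True when the SSL VPN lease range collides with the IPsec remote network."""
    return covering_network(first_ip, last_ip).overlaps(
        ipaddress.IPv4Network(remote_net, strict=True)
    )


def ipsec_route_command(remote_net: str, tunnel_name: str) -> str:
    """Render the Device Console command; the CLI takes a dotted netmask, not a /prefix."""
    net = ipaddress.IPv4Network(remote_net, strict=True)  # reject host bits set
    return (
        f"system ipsec_route add net {net.network_address}/{net.netmask} "
        f"tunnelname {tunnel_name}"
    )


def parse_ipsec_route_show(text: str):
    """Parse 'system ipsec_route show' output into (tunnel name, network) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "tunnelname":
            continue  # skip header and blank/garbled lines
        name, host, mask = parts
        routes.append((name, ipaddress.IPv4Network(f"{host}/{mask}", strict=False)))
    return routes


def route_present(text: str, remote_net: str, tunnel_name: str) -> bool:
    """Verification step 4: is the expected route bound to the expected tunnel?"""
    target = ipaddress.IPv4Network(remote_net, strict=True)
    return any(
        name == tunnel_name and net == target
        for name, net in parse_ipsec_route_show(text)
    )


if __name__ == "__main__":
    lease = covering_network("10.81.234.5", "10.81.234.55")
    print("IP host object for lease range:", lease)
    print("overlaps remote network:",
          lease_overlaps_remote("10.81.234.5", "10.81.234.55", "10.1.10.0/24"))
    print(ipsec_route_command("10.1.10.0/24", "To_Branch_Office"))
    print("route present:", route_present(SHOW_OUTPUT, "10.1.10.0/24", "To_Branch_Office"))
```

Run it with the real output of "system ipsec_route show" pasted into SHOW_OUTPUT to confirm the route before testing the SSL VPN client against the remote network; a missing or mis-bound route is the usual reason the firewall rule and SNAT alone do not carry the traffic.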

Related information
Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key


Previous Article ID: 127761