Jump to:navigation, search
Wiki

Reach IPSec site-to-site targets with a SSL VPN

From Securepoint Wiki


















































































SSL-RW durch IPSec-S2S.png
Network sketch Initial position
De.png
En.png
Fr.png









Using an SSL VPN Roadwarrior to Access a Network Behind an IPSec Site-to-Site Connection

Last adaptation to the version: 12.6.0

New:
  • Updated to Redesign of the webinterface
Last updated: 
    02.2025
    • Example adapted to Best Practice (graphic, locations, IP addresses)
notempty
This article refers to a Resellerpreview


Initial position

  • A network at location A is connected to a network at location B via an IPSec site-to-site connection
  • There is an SSL VPN connection from a Roadwarrior to the network at location B

Goal:

  • The internal network at location A should be accessible for the roadwarrior via the SSL VPN connection to location B


Configuration:

  • Location A:
    Internal network: 192.168.174.0/24
  • location B:
    Internal network: 192.168.175.0/24
  • Roadwarrior:
    SSL VPN connection to location B
    Transfer network IP: 192.168.192.0/24


Set up IPSec site-to-site connection

A guide to configure an IPSec site-to-site connection is available in this wiki.


Set up SSL-VPN connection

A guide to configure an SSL VPN connection for roadwarriors can be found in this wiki.

Adjust the configuration

Edit SSL-VPN connection

Location B Customize the SSL VPN Roadwarrior connection under VPN SSL-VPN  Button of the used connection, General tab.

Caption Value Description Edit SSL-VPN connection UTMuser@firewall.name.fqdnVPNSSL-VPN UTM v14.0.1 SSL-VPN zu IPSec Servernetzwerke-en.pngAdd server networks
Share server networks: »192.168.175.0/24»192.168.174.0/24 In this example, the internal network of location B (192.168.175.0/24) has already been released by the SSL VPN connection.
Additionally', the internal target network at location A, which is to be accessed by the Roadwarrior, must now be released.
Save and close
 Accept specifications with the Save button
Restart SSL VPN connection with the
Restart
button.
  • The SSL VPN connection on the Roadwarrior must be terminated and reestablished once to push the new server network


    • Configuration with adjustment of the IPSec connection

    The Roadwarrior's transfer network must be entered on both UTMs' in phase 2 of the IPSec connection.
    Configuration under → VPN →IPSec Button Phase 2 of the connection used, tab Subnets, button AddIPSec Connection


    Adjusting the IPSec connection
    Location A
    Caption Value Description Add sub net UTMuser@firewall.name.fqdnVPNIPSec UTM v14.0.1 SSL-VPN zu IPSec Phase2 Subnetz-hinzufuegenA-en.pngAdd subnet in phase 2 / location A Edit phase 2 UTMuser@firewall.name.fqdnVPNIPsec UTM v14.0.1 SSL-VPN zu IPSec Phase2 SubnetzeA-en.pngCompleted subnets in phase 2 / location A

    Local Network: 192.168.174.0/24 The local target network must be entered as Local network at location A
    Remote network: 192.168.192.0/24 The transfer network of the Roadwarrior (here 192.168.192.0/24) must be entered as remote network at location A
    Add subnets with

    Apply changes of phase 2 also with the button

    Restart IPSec connection with the button
    Restart
    Location B
    Caption Value Description Add sub net UTMuser@firewall.name.fqdnVPNIPSec UTM v14.0.1 SSL-VPN zu IPSec Phase2 Subnetz-hinzufuegen-en.pngAdd subnet in phase 2 / location B
    Edit phase 2 UTMuser@firewall.name.fqdnVPNIPsec UTM v14.0.1 SSL-VPN zu IPSec Phase2 Subnetze-en.pngCompleted subnets in phase 2 / location B
    Local Network: 192.168.192.0/24 The transfer network of the Roadwarrior (here 192.168.192.0/24) must be entered at location B as Local network
    Remote network: 192.168.174.0/24 The internal target network (in location A) must be entered at location B as a remote network
    Add subnets with

    Apply changes of phase 2 also with the button

    Restart IPSec connection with the button
    Restart


    Internal target network that the Roadwarrior should be able to access

    Location A This rule is not required if the IPSec connection was allowed via implicit rules.
    However, this is usually not recommended, since implicit rules allow the ports used for IPSec connections to all interfaces.
    Create packet filter rule in Firewall Network objects  Button Add object tab.

    Caption Value Description Add network objects UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v14.0.1 SSL-VPN zu IPSec Netzwerkobjekt StandortA-en.png
    Name SSL-VPN-RW-Network name freely selectable
    Type: VPN-network Even if it is only a single roadwarrior, a tunnel net IP is used for the connection. Therefore, the type Network must be selected here.
    Address: 192.168.192.0/24 The net IP of the SSL-VPN Transfer network from location B
    Zone: vpn-ipsec The zone corresponds to the IPSec connection
    Groups:     If necessary, the network object can be added to a group
    Save and close
    		 Save and add network object with this button
    Caption Value Description Add network objects UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v14.0.1 SSL-VPN zu IPSec Netzwerkobjekt IPSec Ziel StandortA-en.png
    Name: IPSec target name freely selectable
    Type: VPN network
    Address: 192.168.175.0/24 The net IP of the internal target network to be accessed
    Zone: vpn-ipsec The zone corresponds to the IPSec connection
    Groups:     If necessary, the network object can be added to a group
    Save and close
    		 Save and add network object with this button


    Packet filter rule location A

    Location A

    Quelle Vpn-network.svg SSL-VPN-RW-Network Network object of the Roadwarrior network
    Target Network.svg internal-network Internal target network that the Roadwarrior should be able to access
    Service Service-group.svg xyz Desired service or service group


    Display of the packet filter rule in the overview

    # Quelle Target Service NAT Action Active
    Already existing rule that enables the establishment of the IPSec tunnel
    		 Dragndrop.png 4 World.svg internet Interface.svg external-interface Service-group.svg ipsec Accept On
    Existing rule that allows the local network to access the IPSec network
    		 Dragndrop.png 5 Network.svg internal-network Vpn-network.svg IPSec-Network Service-group.svg Desired service or service group HNE Accept On
    Existing rule that allows the IPSec network to access the local network
    		 Dragndrop.png 6 Vpn-network.svg IPSec Network Network.svg internal-network Service-group.svg Desired service or service group Accept On
    New rule that allows the roadwarrior to access the internal network via the SSL VPN network object Dragndrop.png 7 Vpn-network.svg SSL-VPN-RW-Network Network.svg internal-network Service-group.svg Desired service or service group Accept On
  • The rule is not applied until the
    Update rules
    button is pressed!


    • Create a network object at location B

    Location B Create a network object for the target network under Firewall Network Objects  Button Add Object

    Caption Value Description Add network objects UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v14.0.1 SSL-VPN zu IPSec Netzwerkobjekt IPSec Ziel StandortB-en.png
    Name: IPSec target name freely selectable
    Type: VPN network
    Address: 192.168.174.0/24 The net IP of the internal target network to be accessed
    Zone: vpn-ipsec The zone corresponds to the IPSec connection
    Groups:     If necessary, the network object can be added to a group
    Save and close
    		 Save and add network object with this button


    Packet filter rule location B

    Location B

    Quelle Vpn-network.svg SSL-VPN-RW-Network Network object of the Roadwarrior network
    Target Vpn-network.svg IPSec target Network that should be accessed
    Service Service-group.svg xyz Desired service or service group
    Save the rule with the
    Save and close
    button.


    Display of the packet filter rule in the overview

    # Quelle Target Service NAT Action Active
    Already existing rule that enables the establishment of the IPSec tunnel
    		 Dragndrop.png 4 World.svg internet Interface.svg external-interface Service-group.svg ipsec Accept On
    Existing rule that allows the local network to access the IPSec network
    		 Dragndrop.png 5 Network.svg internal-network Vpn-network.svg IPSec-Network Service-group.svg Desired service or service group HNE Accept On
    Existing rule that allows the IPSec network to access the local network
    		 Dragndrop.png 6 Vpn-network.svg IPSec Network Network.svg internal-network Service-group.svg Desired service or service group Accept On
    New rule that allows the roadwarrior to access the IPSec target network Dragndrop.png 7 Vpn-network.svg SSL-VPN-RW-Network Network.svg IPSec target Service-group.svg Desired service or service group Accept On
  • The rule is not applied until the
    Update rules
    button is pressed!


    • Configuration with HideNat rule

    If there is no access to the configuration at location A, a rule with HideNat can also be applied. This then replaces the transfer of the network IP of the SSL VPN remote network in phase 2 of the IPSec connection.

    notempty
    Since IP addresses are exchanged in this process, this can lead to problems with VoIP or FTP, for example.


    Create a network object at location B

    Location B Create a network object for the target network under Firewall Network Objects  Button Add Object

    Caption Value Description Add network objects UTMuser@firewall.name.fqdnFirewallNetwork objects UTM v14.0.1 SSL-VPN zu IPSec HideNat Netzwerkobjekt-en.png
    Name: IPSec target name freely selectable
    Type: Network (address) Important: The SSL VPN connection does not realize that this is another VPN connection.
    Therefore, no VPN network should be selected here!
    Address: 192.168.174.0/24 The net IP of the internal target network to be accessed
    Zone: external external
    Groups:     If necessary, the network object can be added to a group
    Save and close
    		 Save and add network object with this button


    Packet filter rule location B

    Location B

    Quelle Vpn-network.svg SSL-VPN-RW-Network Network object of the Roadwarrior network
    Target Host.svg IPSec target Network that should be accessed
    Service Service-group.svg xyz Desired service or service group
    NAT
     Type:    		 Hidenat The addresses must be translated from the Roadwarrior network to the target network
    NAT
     Network object    		 Interface.svg internal-interface
  • The SSL VPN network is treated like an internal network at this point!
    • Save the rule with the
    Save and close
    button.


    Display of the packet filter rule in the overview

    # Quelle Target Service NAT Action Active
    Dragndrop.png 7 Vpn-network.svg SSL-VPN-RW-Network Host.svg IPSec target Service-group.svg Desired service or service group HN Accept On
  • The rule is not applied until the
    Update rules
    button is pressed!
    • Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/VPN/SSL_VPN_zu_IPSec-Ziel&oldid=94557"