Using an SSL VPN Roadwarrior to Access a Network Behind an IPSec Site-to-Site Connection
Last adaptation to the version: 12.6.0
New:
  • Updated to the redesign of the web interface
This article refers to a Resellerpreview

04.2022

Initial position

  • A network at location A is connected to a network at location B via an IPSec site-to-site connection
  • There is an SSL VPN connection from a Roadwarrior to the network at location B

Goal:

  • The internal network at location A should be accessible for the roadwarrior via the SSL VPN connection to location B


Configuration:

  • Location A:
    Internal network: 192.168.218.0/24
  • Location B:
    Internal network: 192.168.219.0/24
  • Roadwarrior:
    SSL VPN connection to location B
    Transfer network IP: 10.10.10.0/24

Set up IPSec site-to-site connection

A guide to configure an IPSec site-to-site connection is available in this wiki.

Set up SSL-VPN connection

A guide to configure an SSL VPN connection for roadwarriors can be found in this wiki.


Adjust the configuration

Edit SSL-VPN connection

Location B
Edit the SSL VPN roadwarrior connection under VPN → SSL-VPN, button of the connection in use, General tab.

Edit SSL-VPN connection (screenshot: Add server networks)
Share server networks: 192.168.219.0/24, 192.168.218.0/24. In this example, the internal network of location B (192.168.219.0/24) has already been released via the SSL VPN connection. Additionally, the internal target network at location A, which the roadwarrior is to access, must now be released.
Save and close: Accept the settings with the Save button.
Restart the SSL VPN connection with the Restart button.
  • The SSL VPN connection on the roadwarrior must be terminated and reestablished once so that the new server network is pushed to the client.


  • Configuration with adjustment of the IPSec connection

    The roadwarrior's transfer network must be entered in phase 2 of the IPSec connection on both UTMs.
    Configuration under VPN → IPSec, button Phase 2 of the connection in use, tab Subnets, button Add (screenshot: IPSec Connection).

    Adjusting the IPSec connection
    Location A
    (screenshots: Add subnet in phase 2 / location A; Completed subnets in phase 2 / location A)

    Local network: 192.168.218.0/24 The local target network must be entered as Local network at location A.
    Remote network: 10.10.10.0/24 The transfer network of the roadwarrior (here 10.10.10.0/24) must be entered as Remote network at location A.
    Add the subnet with the corresponding button.
    Apply the changes to phase 2 with the corresponding button.
    Restart the IPSec connection with the Restart button.


    Location B
    (screenshots: Add subnet in phase 2 / location B; Completed subnets in phase 2 / location B)

    Local network: 10.10.10.0/24 The transfer network of the roadwarrior (here 10.10.10.0/24) must be entered as Local network at location B.
    Remote network: 192.168.218.0/24 The internal target network (at location A) must be entered as Remote network at location B.
    Add the subnet with the corresponding button.
    Apply the changes to phase 2 with the corresponding button.
    Restart the IPSec connection with the Restart button.


    Internal target network that the roadwarrior should be able to access

    Location A
    This rule is not required if the IPSec connection was allowed via implicit rules.
    However, this is usually not recommended, since implicit rules open the ports used for IPSec connections on all interfaces.
    Create the network objects for the packet filter rule under Firewall → Network objects, button Add object.

    (screenshot: Network object for the roadwarrior network at location A)
    Name: SSL-VPN-RW-Network Name freely selectable.
    Type: VPN network Even if it is only a single roadwarrior, a tunnel network IP is used for the connection. Therefore, the type Network must be selected here.
    Address: 10.10.10.0/24 The network IP of the SSL VPN transfer network at location B.
    Zone: vpn-ipsec The zone corresponds to the IPSec connection.
    Groups: If necessary, the network object can be added to a group.
    Save and close: Save and add the network object with this button.

    (screenshot: Network object for the IPSec target at location A)
    Name: IPSec target Name freely selectable.
    Type: VPN network
    Address: 192.168.219.0/24 The network IP of the internal target network to be accessed.
    Zone: vpn-ipsec The zone corresponds to the IPSec connection.
    Groups: If necessary, the network object can be added to a group.
    Save and close: Save and add the network object with this button.


    Packet filter rule location A

    Location A

    Source: SSL-VPN-RW-Network (VPN network) Network object of the roadwarrior network.
    Target: internal-network (network) Internal target network that the roadwarrior should be able to access.
    Service: xyz (service group) Desired service or service group.


    Display of the packet filter rule in the overview

    # | Source | Target | Service | NAT | Action | Active
    4 | internet | external-interface | ipsec | | Accept | On
        Already existing rule that enables the establishment of the IPSec tunnel.
    5 | internal-network | IPSec-Network | Desired service or service group | HNE | Accept | On
        Existing rule that allows the local network to access the IPSec network.
    6 | IPSec Network | internal-network | Desired service or service group | | Accept | On
        Existing rule that allows the IPSec network to access the local network.
    7 | SSL-VPN-RW-Network | internal-network | Desired service or service group | | Accept | On
        New rule that allows the roadwarrior to access the internal network via the SSL VPN network object.
    Rules 4 to 6 are not required if the IPSec connection was allowed via implicit rules. However, this is usually not recommended, since implicit rules open the ports used for IPSec connections on all interfaces.
  • The rule is not applied until the Update rules button is pressed!



  • Create a network object at location B

    Location B
    Create a network object for the target network under Firewall → Network objects, button Add object.

    (screenshot: Network object for the IPSec target at location B)
    Name: IPSec target Name freely selectable.
    Type: VPN network
    Address: 192.168.218.0/24 The network IP of the internal target network to be accessed.
    Zone: vpn-ipsec The zone corresponds to the IPSec connection.
    Groups: If necessary, the network object can be added to a group.
    Save and close: Save and add the network object with this button.


    Packet filter rule location B

    Location B

    Source: SSL-VPN-RW-Network (VPN network) Network object of the roadwarrior network.
    Target: IPSec target (VPN network) Network that should be accessed.
    Service: xyz (service group) Desired service or service group.

    Save the rule with the Save and close button.


    Display of the packet filter rule in the overview

    # | Source | Target | Service | NAT | Action | Active
    4 | internet | external-interface | ipsec | | Accept | On
        Already existing rule that enables the establishment of the IPSec tunnel.
    5 | internal-network | IPSec-Network | Desired service or service group | HNE | Accept | On
        Existing rule that allows the local network to access the IPSec network.
    6 | IPSec Network | internal-network | Desired service or service group | | Accept | On
        Existing rule that allows the IPSec network to access the local network.
    7 | SSL-VPN-RW-Network | IPSec target | Desired service or service group | | Accept | On
        New rule that allows the roadwarrior to access the IPSec target network.
    Rules 4 to 6 are not required if the IPSec connection was allowed via implicit rules. However, this is usually not recommended, since implicit rules open the ports used for IPSec connections on all interfaces.
  • The rule is not applied until the Update rules button is pressed!




  • Configuration with HideNat rule

    If there is no access to the configuration at location A, a rule with HideNat can be used instead. It replaces entering the SSL VPN transfer network in phase 2 of the IPSec connection: traffic from the roadwarrior leaves location B with the address of location B's internal interface, which the existing phase 2 subnets already cover.

    Since source addresses are rewritten in this process, protocols that carry IP addresses in their payload, such as VoIP or FTP, may not work.

    Create a network object at location B

    Location B
    Create a network object for the target network under Firewall → Network objects, button Add object.

    (screenshot: Network object for the HideNat configuration)
    Name: IPSec target Name freely selectable.
    Type: Network (address) Important: the SSL VPN connection does not recognise that this is another VPN connection. Therefore, no VPN network must be selected here!
    Address: 192.168.218.0/24 The network IP of the internal target network to be accessed.
    Zone: external
    Groups: If necessary, the network object can be added to a group.
    Save and close: Save and add the network object with this button.


    Packet filter rule location B

    Location B

    Source: SSL-VPN-RW-Network (VPN network) Network object of the roadwarrior network.
    Target: IPSec target Network that should be accessed.
    Service: xyz (service group) Desired service or service group.
    NAT, Type: HideNat The addresses must be translated from the roadwarrior network to the target network.
    NAT, Network object: internal-interface
  • The SSL VPN network is treated like an internal network at this point!
  • Save the rule with the Save and close button.


    Display of the packet filter rule in the overview

    # | Source | Target | Service | NAT | Action | Active
    7 | SSL-VPN-RW-Network | IPSec target | Desired service or service group | HN | Accept | On
  • The rule is not applied until the Update rules button is pressed!
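The following added example (not part of the wiki article or the UTM software) models why roadwarrior traffic from 10.10.10.0/24 is dropped by the unchanged tunnel, why adding the transfer network to phase 2 on both UTMs fixes it, and why the HideNat variant works with the original phase 2 subnets while hiding the roadwarrior's address from location A. The host addresses 10.10.10.5 and 192.168.218.20 and location B's internal interface address 192.168.219.1 are constructed for the example.

```python
"""Phase-2 selector check for the article's two variants. Constructed model:
addresses are the article's, host and interface addresses are assumed."""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


# Phase-2 selectors as (local, remote) pairs from each UTM's point of view.
PHASE2_A = [(net("192.168.218.0/24"), net("192.168.219.0/24"))]
PHASE2_B = [(net("192.168.219.0/24"), net("192.168.218.0/24"))]
# Variant 1 from the article: roadwarrior transfer network added at both ends.
PHASE2_A_ADJUSTED = PHASE2_A + [(net("192.168.218.0/24"), net("10.10.10.0/24"))]
PHASE2_B_ADJUSTED = PHASE2_B + [(net("10.10.10.0/24"), net("192.168.218.0/24"))]


def covered(selectors, local_ip, remote_ip):
    """True if some phase-2 selector covers the local -> remote pair."""
    return any(local_ip in loc and remote_ip in rem for loc, rem in selectors)


def roadwarrior_path(src, dst, phase2_b, phase2_a, hidenat_src=None):
    """Trace a roadwarrior packet src -> dst. It enters the tunnel at B (src is
    B's local side) and is decrypted at A (dst is A's local side). The reply
    dst -> src is matched by the same selectors, so one check covers both.
    hidenat_src: address B rewrites the source to (variant 2, HideNat)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if hidenat_src is not None:
        s = ipaddress.ip_address(hidenat_src)  # HideNat is applied before IPSec
    ok_b = covered(phase2_b, s, d)  # B: is there an SA to put the packet in?
    ok_a = covered(phase2_a, d, s)  # A: does a selector accept it on arrival?
    return {"seen_by_a": str(s), "tunnelled": ok_b and ok_a}


def article_scenarios():
    rw, host_a = "10.10.10.5", "192.168.218.20"  # constructed host addresses
    return {
        "unchanged": roadwarrior_path(rw, host_a, PHASE2_B, PHASE2_A)["tunnelled"],
        "phase2_adjusted": roadwarrior_path(
            rw, host_a, PHASE2_B_ADJUSTED, PHASE2_A_ADJUSTED)["tunnelled"],
        # Assumed internal-interface address of the UTM at location B.
        "hidenat": roadwarrior_path(
            rw, host_a, PHASE2_B, PHASE2_A, hidenat_src="192.168.219.1")["tunnelled"],
    }


if __name__ == "__main__":
    for name, ok in article_scenarios().items():
        print(f"{name:16s}", "reaches 192.168.218.20" if ok else "dropped: no selector")
```

In the HideNat case location A only ever sees 192.168.219.1 as the source, which is why protocols embedding addresses in their payload (VoIP, FTP) can break, exactly as the article warns.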