- Updated for the redesign of the web interface
Initial position
- A network at location A is connected to a network at location B via an IPSec site-to-site connection
- There is an SSL VPN connection from a Roadwarrior to the network at location B
Goal:
- The internal network at location A should be reachable for the Roadwarrior through its SSL VPN connection to location B
Configuration:
- Location A: internal network 192.168.218.0/24
- Location B: internal network 192.168.219.0/24
- Roadwarrior: SSL VPN connection to location B, transfer network 10.10.10.0/24
Set up IPSec site-to-site connection
A guide to configure an IPSec site-to-site connection is available in this wiki.
Set up SSL-VPN connection
A guide to configure an SSL VPN connection for roadwarriors can be found in this wiki.
Adjust the configuration
Edit SSL-VPN connection
Location B
Adjust the SSL VPN Roadwarrior connection via the button of the connection in use, General tab.
Configuration with adjustment of the IPSec connection
The Roadwarrior's transfer network must be entered on both UTMs in phase 2 of the IPSec connection; a selector that exists on only one side will not be negotiated.
Configure this via the button of the connection in use, Subnets tab.
Adjusting the IPSec connection
Internal target network that the Roadwarrior should be able to access
Location A
This rule is not required if the IPSec connection was allowed via implicit rules.
However, this is usually not recommended, since the implicit rules open the ports used for IPSec connections on all interfaces.
Create the packet filter rule in the corresponding tab.
Packet filter rule location A
Location A
Display of the packet filter rule in the overview
Create a network object at location B
Location B
Create a network object for the target network via the corresponding button.
Packet filter rule location B
Location B
Source | SSL-VPN-RW-Network | Network object of the Roadwarrior network
Target | IPSec target | Network that should be accessed
Service | xyz | Desired service or service group
Save the rule with the Save and close button.
Display of the packet filter rule in the overview
Configuration with HideNat rule
If there is no access to the configuration at location A, a rule with HideNat can be used instead. This replaces entering the SSL VPN remote network in phase 2 of the IPSec connection: the Roadwarrior's traffic leaves UTM B with a source address from location B's network, so the existing phase 2 selectors already cover it.
Since source IP addresses are rewritten in this process, it can cause problems with protocols that carry addresses in their payload, such as VoIP or FTP.
Create a network object at location B
Location B
Create a network object for the target network via the corresponding button.
Packet filter rule location B
Location B
Save the rule with the Save and close button.
Display of the packet filter rule in the overview
# | Source | Target | Service | NAT | Action | Active
7 | SSL-VPN-RW-Network | IPSec target | Desired service or service group | HN | Accept | On
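The following is an added example, not Securepoint code and not part of the original wiki page. It is a simplified model that shows why both approaches on this page work and what fails in between: the phase 2 variant needs the transfer network 10.10.10.0/24 as a selector on both UTMs, while the HideNat variant rewrites the Roadwarrior's source address to an address of location B so the unchanged selectors already match. The networks are taken from the scenario above; the UTM B internal address 192.168.219.1 used as the HideNat source is an assumption, and IKE negotiation itself is not modelled, only the selector checks and the NAT rewrite.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example: simplified model of the phase-2 selector checks and the
# HideNat rewrite described on this page. Not Securepoint code.

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (local network, remote network) of one UTM

# Networks from the page's scenario
NET_A = ipaddress.ip_network("192.168.218.0/24")  # internal network, location A
NET_B = ipaddress.ip_network("192.168.219.0/24")  # internal network, location B
NET_RW = ipaddress.ip_network("10.10.10.0/24")    # SSL VPN transfer network
# Assumed (constructed) internal address of UTM B, used as the HideNat source
UTM_B_INTERNAL_IP = ipaddress.ip_address("192.168.219.1")


def phase2_selectors(rw_on_a: bool, rw_on_b: bool) -> Dict[str, List[Selector]]:
    """Phase-2 selectors of both UTMs. Each UTM lists its own side as 'local'
    and the peer's side as 'remote'; the flags say whether the transfer
    network 10.10.10.0/24 was added on that UTM (the page requires both)."""
    b_side = [NET_B] + ([NET_RW] if rw_on_b else [])
    a_view_of_b = [NET_B] + ([NET_RW] if rw_on_a else [])
    return {
        "A": [(NET_A, remote) for remote in a_view_of_b],
        "B": [(local, NET_A) for local in b_side],
    }


def match_outbound(selectors: List[Selector], src, dst) -> Optional[Selector]:
    """Selector under which a UTM would encrypt src -> dst, if any."""
    for local, remote in selectors:
        if src in local and dst in remote:
            return (local, remote)
    return None


def match_inbound(selectors: List[Selector], src, dst) -> Optional[Selector]:
    """Selector under which a UTM accepts decrypted traffic src -> dst:
    the source must lie in 'remote' and the destination in 'local'."""
    for local, remote in selectors:
        if src in remote and dst in local:
            return (local, remote)
    return None


def roadwarrior_to_a(src: str, dst: str, rw_on_a: bool, rw_on_b: bool,
                     hidenat: bool) -> str:
    """Outcome of a Roadwarrior packet src -> dst sent via location B:
    'dropped_at_B', 'rejected_at_A' or 'delivered'."""
    sel = phase2_selectors(rw_on_a, rw_on_b)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # HideNat on UTM B rewrites the source to UTM B's own address before the
    # packet reaches the IPSec policy, so the existing B -> A selector applies.
    tunnel_src = UTM_B_INTERNAL_IP if hidenat else s
    if match_outbound(sel["B"], tunnel_src, d) is None:
        return "dropped_at_B"
    if match_inbound(sel["A"], tunnel_src, d) is None:
        return "rejected_at_A"
    return "delivered"


# (rw_on_a, rw_on_b, hidenat) for the configurations discussed on the page
SCENARIOS = {
    "transfer network in phase 2 on neither UTM": (False, False, False),
    "transfer network in phase 2 on B only": (False, True, False),
    "transfer network in phase 2 on both UTMs": (True, True, False),
    "HideNat rule on B, phase 2 unchanged": (False, False, True),
}

if __name__ == "__main__":
    for name, (rw_a, rw_b, hn) in SCENARIOS.items():
        result = roadwarrior_to_a("10.10.10.5", "192.168.218.10", rw_a, rw_b, hn)
        print(f"{name}: {result}")
```

The "B only" scenario is the one worth noting: UTM B happily encrypts the packet, but UTM A has no selector that covers 10.10.10.0/24 and discards it, which is why the page insists on entering the transfer network on both UTMs. With HideNat the packet arrives at A as ordinary traffic from 192.168.219.0/24, so location A needs no change, at the cost of the address rewrite that breaks address-carrying protocols such as FTP and VoIP.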