Using an SSL VPN Roadwarrior to Access a Network Behind an IPSec Site-to-Site Connection
Last adaptation: 04.2022
New:
Addition of the rules needed for the IPSec connection without implicit rules
Layout adjustment of the port filter rules
This article refers to a reseller preview
Initial position
A network at location A is connected to a network at location B via an IPSec site-to-site connection.
A roadwarrior has an SSL VPN connection to the network at location B.
Goal:
The internal network at location A should be reachable for the roadwarrior via its SSL VPN connection to location B. Traffic from the roadwarrior arrives at location B with a source address from the SSL VPN transfer network, so that network must either be included in phase 2 of the site-to-site connection on both UTMs or be hidden behind a location B address with HideNat (both variants are described below).
Configuration:
Location A: internal network 192.168.218.0/24
Location B: internal network 192.168.219.0/24
Roadwarrior: SSL VPN connection to location B, transfer network 10.10.10.0/24
Set up IPSec site-to-site connection
A guide to configure an IPSec site-to-site connection is available in this wiki.
Set up SSL-VPN connection
A guide to configure an SSL VPN connection for roadwarriors can be found in this wiki.
Adjust the configuration
Edit SSL-VPN connection
Location B: Edit the SSL VPN roadwarrior connection under → VPN → SSL-VPN, edit button of the connection used, tab General.
Share server networks: 192.168.219.0/24, 192.168.218.0/24
  In this example the internal network of location B (192.168.219.0/24) is already released through the SSL VPN connection. Additionally, the internal target network at location A (192.168.218.0/24), which the roadwarrior is to reach, must now be released as well; the server pushes it to the client as a route through the tunnel.
Save: Accept the settings with the Save button.
Restart: Restart the SSL VPN connection with the Restart button.
The SSL VPN connection on the roadwarrior must be disconnected and re-established once so that the new server network is pushed to the client.
Configuration with adjustment of the IPSec connection
The roadwarrior's transfer network must be entered in phase 2 of the IPSec connection on both UTMs. Configuration under → VPN → IPSec, phase 2 button of the connection used, tab Subnets, button Add.
Adjusting the IPSec connection
Location A
Add subnet in phase 2 / location A
Local network: 192.168.218.0/24
  The local target network at location A must be entered as the local network.
Remote network: 10.10.10.0/24
  The transfer network of the roadwarrior (here 10.10.10.0/24) must be entered as the remote network at location A.
Add the subnet with Save. Apply the changes to phase 2 with the Save button as well, then restart the IPSec connection with the Restart button.
Location B
Add subnet in phase 2 / location B
Local network: 10.10.10.0/24
  The transfer network of the roadwarrior (here 10.10.10.0/24) must be entered as the local network at location B.
Remote network: 192.168.218.0/24
  The internal target network (at location A) must be entered as the remote network at location B.
Add the subnet with Save. Apply the changes to phase 2 with the Save button as well, then restart the IPSec connection with the Restart button.
The two new entries must mirror each other exactly (the local network at one location is the remote network at the other); a pair that exists on only one side is not negotiated, and the roadwarrior traffic is then not sent through the tunnel.
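The phase 2 adjustment on both UTMs can be checked with the following model of the traffic selectors. This is an added example written for this article, not code from the article or from the Securepoint UTM; the networks are those used above, and the host addresses 10.10.10.5 and 192.168.218.20 are constructed for the check.

```python
# Added example (not Securepoint code): model the IPsec phase-2 traffic
# selectors of both UTMs from this article and check whether a roadwarrior
# flow is covered before and after the adjustment. Networks come from the
# article; the host addresses used in the checks are constructed.
from ipaddress import ip_address, ip_network

NET_A = ip_network("192.168.218.0/24")   # internal network, location A
NET_B = ip_network("192.168.219.0/24")   # internal network, location B
NET_RW = ip_network("10.10.10.0/24")     # SSL VPN transfer network (roadwarrior)

# Phase-2 subnets as (local, remote) pairs, as configured on each UTM.
PHASE2_A_BEFORE = [(NET_A, NET_B)]
PHASE2_B_BEFORE = [(NET_B, NET_A)]
PHASE2_A_AFTER = PHASE2_A_BEFORE + [(NET_A, NET_RW)]   # added at location A
PHASE2_B_AFTER = PHASE2_B_BEFORE + [(NET_RW, NET_A)]   # added at location B


def selector_matches(phase2, src, dst):
    """True if one (local, remote) pair on this UTM covers an outbound src->dst flow."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in local and dst in remote for local, remote in phase2)


def mirrored(phase2_x, phase2_y):
    """Phase-2 pairs must mirror each other: every (local, remote) on one side
    must appear as (remote, local) on the other, otherwise the SA for that
    pair is not negotiated."""
    return {(l, r) for l, r in phase2_x} == {(r, l) for l, r in phase2_y}


def tunnel_ok(phase2_b, phase2_a, src, dst):
    """A flow entering the tunnel at B (src behind B, dst behind A) needs a
    matching outbound selector at B and a matching inbound selector at A;
    the reply travels through the same pair in reverse."""
    return (selector_matches(phase2_b, src, dst)
            and selector_matches(phase2_a, dst, src)
            and mirrored(phase2_a, phase2_b))


if __name__ == "__main__":
    rw, target = "10.10.10.5", "192.168.218.20"   # constructed hosts
    print("before:", tunnel_ok(PHASE2_B_BEFORE, PHASE2_A_BEFORE, rw, target))  # False
    print("after: ", tunnel_ok(PHASE2_B_AFTER, PHASE2_A_AFTER, rw, target))    # True
    # Adjusting only location B leaves the selectors asymmetric.
    print("only B:", tunnel_ok(PHASE2_B_AFTER, PHASE2_A_BEFORE, rw, target))   # False
```

The third case is the one that is easy to produce in practice when only one side of the site-to-site connection is administered: the new pair is present at location B, but location A still knows only the original subnet pair, so the flow fails even though phase 1 and the original phase 2 are up.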
Create network objects at location A
Location A: The network objects and the port filter rule below are not required if the IPSec connection was allowed via implicit rules. However, this is usually not recommended, since the implicit rules open the ports used for IPSec connections on all interfaces rather than only on the external interface.
Create the network object in → Firewall → Portfilter, tab Network objects, button Add object.
Name: SSL-VPN-RW-Network
  Name freely selectable.
Type: VPN network
  Even if there is only a single roadwarrior, the connection uses an address from the tunnel network; therefore the type network must be selected here, not a single host.
Address: 10.10.10.0/24
  The network address of the SSL VPN transfer network at location B.
Zone: vpn-ipsec
  The zone corresponds to the IPSec connection, through which this traffic arrives at location A.
Groups:
  If necessary, the network object can be added to a group.
Save and close
  Save and add the network object with this button.
Name: IPSec target
  Name freely selectable.
Type: VPN network
Address: 192.168.219.0/24
  The network address of the internal network at location B, i.e. the remote network of the site-to-site connection as seen from location A.
Zone: vpn-ipsec
  The zone corresponds to the IPSec connection.
Groups:
  If necessary, the network object can be added to a group.
Save and close
  Save and add the network object with this button.
Port filter rule location A
Location A: Create the port filter rule in → Firewall → Portfilter, tab Portfilter, button Add rule.
Source: SSL-VPN-RW-Network
  Network object of the roadwarrior network.
Target: internal-network
  Internal target network that the roadwarrior should be able to access.
Service: xyz
  Desired service or service group. Restrict this to the services the roadwarrior actually needs instead of allowing everything.
Save the rule with the Add and close button.
Display of the port filter rules in the overview
# | Source | Target | Service | NAT | Action | Active
4 | internet | external-interface | ipsec | | Accept | On
5 | internal-network | IPSec-Network | desired service or service group | HNE | Accept | On
6 | IPSec-Network | internal-network | desired service or service group | | Accept | On
7 | SSL-VPN-RW-Network | internal-network | desired service or service group | | Accept | On
Rule 4 already exists and allows the IPSec tunnel to be established. Rule 5 already exists and allows the local network to access the IPSec network; HNE (HideNat exclude) keeps the internal source addresses untranslated so that they match phase 2. Rule 6 already exists and allows the IPSec network to access the local network. Rules 4 to 6 are not required if the IPSec connection was allowed via implicit rules, which is usually not recommended since the implicit rules open the ports used for IPSec connections on all interfaces.
Rule 7 is the new rule that allows the roadwarrior to access the internal network via the SSL VPN network object. Rule 6 does not cover this traffic, because the roadwarrior's source addresses lie in 10.10.10.0/24 and not in the IPSec network object.
The rules are not applied until the Update rules button is pressed!
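Why the roadwarrior traffic needs its own network object in the vpn-ipsec zone at location A can be seen with a small first-match model of the port filter. This is an added example for this article, not Securepoint's rule engine or any code from the article; object names, zones, addresses and rule numbers follow the text, while the host addresses, the services "any" and "ssh" and the zone name "other-zone" are constructed.

```python
# Added example, not Securepoint code: a simplified first-match model of the
# location-A port filter from this article. A network object matches on
# address and on the zone the packet arrives in. Object names, zones,
# addresses and rule numbers follow the article; the host addresses, the
# services "any"/"ssh" and the zone name "other-zone" are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class NetObject:
    name: str
    network: IPv4Network
    zone: str

    def contains(self, addr, zone):
        """Address and zone must both match, as for a UTM network object."""
        return zone == self.zone and ip_address(addr) in self.network


@dataclass(frozen=True)
class Rule:
    number: int
    source: NetObject
    target: NetObject
    service: str          # service (group) name; "any" matches every service
    action: str = "Accept"

    def matches(self, src, src_zone, dst, dst_zone, service):
        return (self.source.contains(src, src_zone)
                and self.target.contains(dst, dst_zone)
                and self.service in ("any", service))


# Network objects at location A: the two existing ones and the new one.
INTERNAL = NetObject("internal-network", ip_network("192.168.218.0/24"), "internal")
IPSEC_NET = NetObject("IPSec-Network", ip_network("192.168.219.0/24"), "vpn-ipsec")
SSLVPN_RW = NetObject("SSL-VPN-RW-Network", ip_network("10.10.10.0/24"), "vpn-ipsec")

RULES_EXISTING = [
    Rule(5, INTERNAL, IPSEC_NET, "any"),    # local network -> IPSec network
    Rule(6, IPSEC_NET, INTERNAL, "any"),    # IPSec network -> local network
]
# Rule 7 from the article, restricted to a single service (least privilege).
RULES_WITH_RW = RULES_EXISTING + [Rule(7, SSLVPN_RW, INTERNAL, "ssh")]


def evaluate(rules, src, src_zone, dst, dst_zone, service):
    """First matching rule wins; no match means the packet is dropped."""
    for rule in rules:
        if rule.matches(src, src_zone, dst, dst_zone, service):
            return rule.action, rule.number
    return "Drop", None


if __name__ == "__main__":
    rw_flow = ("10.10.10.5", "vpn-ipsec", "192.168.218.20", "internal", "ssh")
    print(evaluate(RULES_EXISTING, *rw_flow))   # ('Drop', None): rule 6 covers only 192.168.219.0/24
    print(evaluate(RULES_WITH_RW, *rw_flow))    # ('Accept', 7)
    # Same addresses, but arriving in another zone: no match either.
    print(evaluate(RULES_WITH_RW, "10.10.10.5", "other-zone",
                   "192.168.218.20", "internal", "ssh"))   # ('Drop', None)
```

The second and third calls show the two conditions the new object has to satisfy: the address range 10.10.10.0/24 and the zone vpn-ipsec, because the roadwarrior's packets reach location A through the IPSec tunnel, not through the SSL VPN.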
Create a network object at location B
Location B: Create a network object for the target network under → Firewall → Portfilter, tab Network objects, button Add object.
Name: IPSec target
  Name freely selectable.
Type: VPN network
Address: 192.168.218.0/24
  The network address of the internal target network at location A that is to be accessed.
Zone: vpn-ipsec
  The zone corresponds to the IPSec connection.
Groups:
  If necessary, the network object can be added to a group.
Save and close
  Save and add the network object with this button.
Port filter rule location B
Location B: Create the port filter rule in → Firewall → Portfilter, tab Portfilter, button Add rule.
Source: SSL-VPN-RW-Network
  Network object of the roadwarrior network.
Target: IPSec target
  Network that should be accessed.
Service: xyz
  Desired service or service group. Restrict this to the services the roadwarrior actually needs instead of allowing everything.
Save the rule with the Add and close button.
Display of the port filter rules in the overview
# | Source | Target | Service | NAT | Action | Active
4 | internet | external-interface | ipsec | | Accept | On
5 | internal-network | IPSec-Network | desired service or service group | HNE | Accept | On
6 | IPSec-Network | internal-network | desired service or service group | | Accept | On
7 | SSL-VPN-RW-Network | IPSec target | desired service or service group | | Accept | On
Rule 4 already exists and allows the IPSec tunnel to be established. Rule 5 already exists and allows the local network to access the IPSec network; HNE (HideNat exclude) keeps the internal source addresses untranslated so that they match phase 2. Rule 6 already exists and allows the IPSec network to access the local network. Rules 4 to 6 are not required if the IPSec connection was allowed via implicit rules, which is usually not recommended since the implicit rules open the ports used for IPSec connections on all interfaces.
Rule 7 is the new rule that allows the roadwarrior to access the IPSec target network. No NAT is set on it, because the roadwarrior's transfer network was added to phase 2 and its addresses therefore traverse the tunnel untranslated.
The rules are not applied until the Update rules button is pressed!
Configuration with HideNat rule
If there is no access to the configuration at location A, a rule with HideNat can be used at location B instead. The roadwarrior's source addresses are then translated to the address of the internal interface of UTM B, which lies in 192.168.219.0/24 and is therefore already covered by the existing phase 2 of the IPSec connection; entering the SSL VPN transfer network in phase 2 is no longer necessary.
Since the source addresses are rewritten, protocols that carry IP addresses inside their payload (for example VoIP/SIP or FTP) can break, because the embedded address is still the untranslated roadwarrior address. In addition, all roadwarriors appear at location A under one address, so its logs no longer distinguish between them.
Create a network object at location B
Location B: Create a network object for the target network under → Firewall → Portfilter, tab Network objects, button Add object.
Name: IPSec target
  Name freely selectable.
Type: Network (address)
  Important: The SSL VPN connection does not recognize that the target lies behind another VPN connection. Therefore, no VPN network type must be selected here.
Address: 192.168.218.0/24
  The network address of the internal target network to be accessed.
Zone: external
Groups:
  If necessary, the network object can be added to a group.
Save and close
  Save and add the network object with this button.
Port filter rule location B
Location B: Create the port filter rule in → Firewall → Portfilter, tab Portfilter, button Add rule.
Source: SSL-VPN-RW-Network
  Network object of the roadwarrior network.
Target: IPSec target
  Network that should be accessed.
Service: xyz
  Desired service or service group.
NAT type: Hidenat
  The source addresses must be translated from the roadwarrior network towards the target network.
NAT network object: internal-interface
  The SSL VPN traffic is treated like traffic from the internal network at this point: its source becomes the address of the internal interface of UTM B, which lies in 192.168.219.0/24 and is therefore already covered by phase 2 of the IPSec connection.
Save the rule with the Add and close button.
Display of the port filter rule in the overview
# | Source | Target | Service | NAT | Action | Active
7 | SSL-VPN-RW-Network | IPSec target | desired service or service group | HN | Accept | On
The rule is not applied until the Update rules button is pressed!
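What the HideNat rule does to a roadwarrior packet, and why the caveat about VoIP and FTP applies, is shown by the following added example. It is illustration code for this article, not Securepoint code; the networks are those of the article, while the address of UTM B's internal interface (192.168.219.1), the host addresses and the payloads are constructed. Only the source address is rewritten; no application layer gateway that would also fix up payloads is modelled.

```python
# Added example, not Securepoint code: what the HideNat rule at location B does
# to a roadwarrior packet. Networks are from the article; the internal-interface
# address of UTM B (192.168.219.1), the host addresses and the payloads are
# constructed. Only the source address is rewritten; no application layer
# gateway that would also fix up payloads is modelled.
import re
from ipaddress import ip_address, ip_network

NET_A = ip_network("192.168.218.0/24")    # internal network, location A
NET_B = ip_network("192.168.219.0/24")    # internal network, location B
NET_RW = ip_network("10.10.10.0/24")      # SSL VPN transfer network at location B
UTM_B_INTERNAL_IP = "192.168.219.1"       # assumption: internal interface of UTM B
PHASE2_B_ORIGINAL = [(NET_B, NET_A)]      # unchanged phase 2: no transfer network

DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FTP_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),\d+,\d+")


def hidenat(packet, nat_ip):
    """Rewrite the source address to nat_ip; everything else stays as is."""
    return {**packet, "src": nat_ip}


def covered(phase2, packet):
    """True if a (local, remote) phase-2 pair covers this outbound packet."""
    src, dst = ip_address(packet["src"]), ip_address(packet["dst"])
    return any(src in local and dst in remote for local, remote in phase2)


def payload_addresses(payload):
    """IPv4 addresses a protocol embeds in its payload: dotted quads (e.g. in a
    SIP Contact header) and the comma-separated form of an FTP PORT command."""
    found = DOTTED_QUAD.findall(payload)
    m = FTP_PORT.match(payload)
    if m:
        found.append(".".join(m.groups()))
    return found


def check(packet):
    """Returns (covered before NAT, covered after NAT, stale roadwarrior
    addresses that the payload still announces after NAT)."""
    translated = hidenat(packet, UTM_B_INTERNAL_IP)
    stale = []
    for addr in payload_addresses(translated["payload"]):
        try:
            if ip_address(addr) in NET_RW:
                stale.append(addr)
        except ValueError:        # a dotted quad that is not a valid address
            pass
    return (covered(PHASE2_B_ORIGINAL, packet),
            covered(PHASE2_B_ORIGINAL, translated),
            stale)


if __name__ == "__main__":
    for payload in ("GET / HTTP/1.1",
                    "PORT 10,10,10,5,4,1",
                    "Contact: <sip:alice@10.10.10.5:5060>"):
        pkt = {"src": "10.10.10.5", "dst": "192.168.218.20", "payload": payload}
        print(payload, "->", check(pkt))
```

The first two values of each result show why no phase 2 change is needed: before translation the packet matches no selector, after translation it falls under the existing 192.168.219.0/24 to 192.168.218.0/24 pair. The third value shows the caveat from the text: the FTP and SIP payloads still announce 10.10.10.5, an address location A cannot reach, so the data connection or the media stream fails unless an application layer gateway rewrites it.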