SSL VPN Tunnel to IPSec Tunnel
Sophos XG Firewall: How to allow Remote Access SSL VPN traffic over existing IPsec tunnel without modifying the IPsec tunnel
KB-000037043May 28, 20193 people found this article helpful
Overview
This article describes how to allow Remote Access SSL VPN traffic over existing IPsec tunnel without modifying the IPSEC tunnel.
Applies to the following Sophos products and versions
Sophos Firewall
What to do
In this scenario, it is assumed that the SSL VPN profile is already created to access the local network of the XG. Please see the article Sophos XG Firewall: How to configure SSL VPN remote access - Configuration Guides on how to configure Remote Access SSL VPN.
The following are the required configurations on the XG Firewall at the local site where the SSL VPN client is connecting to:
Edit the SSL VPN (remote access) policy
- Navigate to VPN > SSL VPN (remote access)
- Edit the existing SSL VPN remote access policy and add the IPsec remote network in Permitted network resources.
- Click Apply.

Create an IP network object for the SSL VPN remote access IPv4 lease range
To find out the current IPv4 lease range for SSL VPN (remote access):
- Navigate to Configure > VPN
- Click on Show VPN settings

- Look for the IPv4 lease range

In this example, the current IPv4 lease range is 10.81.234.5 – 10.81.234.55
- Create a Network object for the IPv4 lease range on System > Host and Services > IP Host

- Click Save.
Add a User/network rule
- Navigate to Protect > Firewall and click on Add firewall rule and then select User/network rule.
- Configure the settings as shown below:
Parameter | Value |
Source zones | VPN |
Source networks and devices | SSL VPN remote access IPv4 lease range |
Destination zones | VPN |
Destination networks | IPsec Remote network |
Services | ANY |
Rewrite source address (masquerading) | Enable |
Use outbound address | NAT Profile for LAN Interface IP |


Note: Create a NAT profile for the LAN Interface IP on System > Profiles > Network Address Translation and then use it as the outbound address.
Add an IPsec Route
- Access the Head Office XG’s CLI via SSH.
- On the menu, select option 4 for Device Console.
- Add the IPsec route using the below command:
console> system ipsec_route add net 10.x.x.x/255.x.x.x tunnelname IPsecTunnel (name of the IPsec tunnel)
i.e: console> system ipsec_route add net 10.1.10.0/255.255.255.0 tunnelname To_Branch_Office
Note: 10.1.10.0 is just an example, add the subnet of the actual remote network advertised on the IPSEC Site to Site tunnel. - To check if the IPsec route was successfully added, type the below command:
console> system ipsec_route show
tunnelname host/network netmask
To_Branch_Office 10.1.10.0 255.255.255.0