SSL VPN Tunnel to IPSec Tunnel 

Sophos XG Firewall: How to allow Remote Access SSL VPN traffic over existing IPsec tunnel without modifying the IPsec tunnel 

KB-000037043May 28, 20193 people found this article helpful 

Overview 

This article describes how to allow Remote Access SSL VPN traffic over existing IPsec tunnel without modifying the IPSEC tunnel. 

• What to do 
• Related information 
• Feedback and contact 

Applies to the following Sophos products and versions 

Sophos Firewall 

What to do 

In this scenario, it is assumed that the SSL VPN profile is already created to access the local network of the XG. Please see the article Sophos XG Firewall: How to configure SSL VPN remote access - Configuration Guides on how to configure Remote Access SSL VPN. 

The following are the required configurations on the XG Firewall at the local site where the SSL VPN client is connecting to: 

Edit the SSL VPN (remote access) policy 

1. Navigate to VPN > SSL VPN (remote access) 
2. Edit the existing SSL VPN remote access policy and add the IPsec remote network in Permitted network resources. 
3. Click Apply. 

Create an IP network object for the SSL VPN remote access IPv4 lease range 

To find out the current IPv4 lease range for SSL VPN (remote access): 

1. Navigate to Configure > VPN 
2. Click on Show VPN settings 

3. Look for the IPv4 lease range 
    
    

In this example, the current IPv4 lease range is 10.81.234.5 – 10.81.234.55 

4. Create a Network object for the IPv4 lease range on System > Host and Services > IP Host 

5. Click Save. 

Add a User/network rule 

1. Navigate to Protect > Firewall and click on Add firewall rule and then select User/network rule. 
2. Configure the settings as shown below: 
    

Parameter	Value
Source zones	VPN
Source networks and devices	SSL VPN remote access IPv4 lease range
Destination zones	VPN
Destination networks	IPsec Remote network
Services	ANY
Rewrite source address (masquerading)	Enable
Use outbound address	NAT Profile for LAN Interface IP

Note: Create a NAT profile for the LAN Interface IP on System > Profiles > Network Address Translation and then use it as the outbound address. 

Add an IPsec Route 

1. Access the Head Office XG’s CLI via SSH. 
2. On the menu, select option 4 for Device Console. 
3. Add the IPsec route using the below command: 
    
   console> system ipsec_route add net 10.x.x.x/255.x.x.x tunnelname IPsecTunnel (name of the IPsec tunnel) 
    
   i.e: console> system ipsec_route add net 10.1.10.0/255.255.255.0 tunnelname To_Branch_Office 
    
   Note: 10.1.10.0 is just an example, add the subnet of the actual remote network advertised on the IPSEC Site to Site tunnel. 
4. To check if the IPsec route was successfully added, type the below command: 
    
   console> system ipsec_route show 
   tunnelname         host/network     netmask 
   To_Branch_Office   10.1.10.0        255.255.255.0