Mobile IPSEC VPN and Internet Access

Did some digging through the forums, but can't seem to find my own answer. Thanks in advance for any help.

I'm testing out a mobile IPSEC VPN and everything works great except internet access. I'm not using a split tunnel and we are using policy based routing on a M500 with two external interfaces. The VPN clients are using a virtual IP pool that is different from all of our trusted/optional networks. I've added the network address for the IP pool to our Dynamic NAT settings and specified External-A as the external interface. I've also added the IPSEC user group to our HTTP, HTTPS and TCP-Outgoing policies. PBR settings for these policies also use External-A.

When trying to hit the web I can resolve internal and external hostnames (via our internal DNS servers), but I can't connect to any external sites (timeout). In traffic monitor, it looks like traffic from the VPN client is being routed out of my other external interface (External-B) instead of the interface specified in my policies and NAT.

What am I missing?

Comments

  • Also - it should be noted that I am not using any aliases on these policies (Any-Trusted, Any-Optional, etc.). I am using the network address. I may be confused based on some info I found in the forums and KB, but do I need to add the network address for my VPN IP pool to these policies, or is the IPSEC user group sufficient? I think this may be the issue, as I have only added the user group based on information I've found elsewhere.

  • What XTM version are you running?

    Do you still have the 3 default Dynamic NAT entries? If so, then you don't need to add any others for the IPSec IP addr pool IP addrs/subnet.
    If not, there is rarely a reason to remove the 3 default entries, and this could be related to your issues.

    So you do not have To: Any-external on your outgoing policies?
    From: IPSec-Users on outgoing policies should allow Internet access.

    "it looks like traffic from the VPN client is being routed out of my other external interface (External-B) instead of the interface specified in my policies and NAT"
    In a multi-WAN setup, you need to use Policy Based Routing or SD-WAN (it depends on your Fireware version as to which one you need to use) to force selected traffic out the desired WAN interface. NAT entries or To: interface name on a policy will not do this.

  • I'm on version 12.2.1.B572649

    Sorry, my comment about Aliases referred to the From: entries. All of my outgoing policies specify To: Any-External, and then we use PBR settings to dictate which interface to use. Sounds like we're on the same page.

    We've not had the three default NAT entries for quite some time on this appliance and its predecessor. They were summary addresses if I recall. I believe they were removed when we started using PBR.

  • The three default Dynamic NAT entries are for the 3 private subnets:
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    Either add the 3 default entries back or fix your newly added Dynamic NAT entries to be to Any-external, not External-A
    Use of PBR is not a real reason to remove the default entries.

    Then you need to identify why traffic from the IPSec clients is using some policy which does not have PBR on it forcing traffic for IPSec clients out External-A.
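The following is an added example, not part of this thread or WatchGuard's own code. It models the point made above about Dynamic NAT scope: an entry whose To: is a named interface (External-A) only source-NATs traffic that actually egresses that interface, while the three default entries (To: Any-External) NAT the VPN pool no matter which WAN the traffic happens to leave on. The matching rule is a simplified assumption about Firebox behaviour, and the pool address 192.168.1.0/24 is taken from the thread; everything else is constructed.

```python
from ipaddress import ip_address, ip_network

# Simplified model of a Dynamic NAT entry: (source network, To: interface).
# Assumption: "Any-External" applies on whichever external interface the
# packet egresses; a named interface applies only on that one interface.
DEFAULT_DYNAMIC_NAT = [
    (ip_network("192.168.0.0/16"), "Any-External"),
    (ip_network("172.16.0.0/12"), "Any-External"),
    (ip_network("10.0.0.0/8"), "Any-External"),
]

# The poster's replacement entry: VPN pool NATted only on External-A.
POSTER_DYNAMIC_NAT = [
    (ip_network("192.168.1.0/24"), "External-A"),
]

VPN_POOL = ip_network("192.168.1.0/24")


def dynamic_nat_applies(src_ip, egress_iface, entries):
    """True if some entry source-NATs src_ip when it leaves egress_iface."""
    src = ip_address(src_ip)
    for net, to_iface in entries:
        if src in net and to_iface in ("Any-External", egress_iface):
            return True
    return False


def pool_covered_on_all_wans(pool, entries, wan_ifaces):
    """True if every host in pool is NATted on every listed WAN interface.

    A pool is covered on an interface when it is a subnet of some entry
    whose To: is Any-External or that specific interface.
    """
    for iface in wan_ifaces:
        covered = any(
            pool.subnet_of(net) and to_iface in ("Any-External", iface)
            for net, to_iface in entries
        )
        if not covered:
            return False
    return True


def diagnose(src_ip, egress_iface, entries):
    """Return a short verdict for one flow, for reading in a traffic monitor."""
    if dynamic_nat_applies(src_ip, egress_iface, entries):
        return "NAT applied on %s: reply traffic can return" % egress_iface
    return ("no NAT on %s: private source %s leaks out unchanged, "
            "replies never come back (timeout)" % (egress_iface, src_ip))


if __name__ == "__main__":
    wans = ["External-A", "External-B"]
    print("poster's entry only:",
          pool_covered_on_all_wans(VPN_POOL, POSTER_DYNAMIC_NAT, wans))
    print("default entries:",
          pool_covered_on_all_wans(VPN_POOL, DEFAULT_DYNAMIC_NAT, wans))
    for iface in wans:
        print(iface, "->", diagnose("192.168.1.10", iface, POSTER_DYNAMIC_NAT))
```

Running the block shows why restoring the default entries fixed Internet access even though PBR was not yet sending every VPN flow out External-A: a flow that escapes through External-B is still NATted under the Any-External entries, whereas under the External-A-only entry it leaves with a private source address and times out. PBR remains the only thing that chooses the interface; the NAT entry just has to cover whatever interface ends up being chosen.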

  • Hi Bruce,
    I did as you suggested and internet access started working, but I can still see some traffic being routed out the other external interface (External-B) and I'm not sure why. I only have four policies that use External-B, and only for traffic coming from a completely different network. All of my policies for external outgoing traffic specify To: Any-External with the appropriate PBR setting. 98% of these policies use my other external interface (External-A).

    For instance, I can see some HTTPS traffic being routed out of External-B, when all of it should be routed out of External-A based on my settings and the policies that apply to From: 192.161.1.0/24 (VPN virtual pool). I only have a single HTTPS policy where the PBR settings use External-B, and I can't see how this policy could possibly evaluate to true for my VPN traffic when From: is set to 192.168.1.0/24.

    Any thoughts?

  • No idea.
    If you have a current LiveSecurity license, you could open a support incident and have a WG rep review your config.

  • The solution from WG support was to use SSL VPN instead.
