Ping from trusted Network Server to Mobile VPN SSL Client not possible

I am using Mobile VPN with SSL, and everything is working fine so far.
However, I have been trying for a long time to find out how I can ping my connected VPN client PCs from our AD server on the trusted LAN.
On the server the IPs resolve properly in DNS Manager. But if I trace a route to a client's IP, 192.118.113.2 for example, the trace first goes correctly to the firewall, after the firewall to the external network (www), and then goes nowhere.

What I have already tried:
Pinging directly from the WG Firewall to the client's IP is successful
Pinging IPSec clients (ShrewSoft) from the server is possible
Nothing to see in Traffic Monitor

Firewall M270, 12.7.2 (Build 647073)

Does anyone have a suggestion on how I can successfully ping our Mobile VPN with SSL clients?

Answers

  • Is 192.118.113.2 the virtual IP addr of the VPN client?
    I would not expect so, since it is a public IP addr.

  • james.carson Moderator, WatchGuard Representative

    @unik
    For the SSLVPN, there's no rule by default that allows traffic to go from the internal network to VPN clients -- you need to make one.
    Generally, making a rule that allows traffic from your trusted subnet to the SSLVPN subnet should allow that traffic, provided nothing else is blocking it.

    -James Carson
    WatchGuard Customer Support

  • edited December 2021

    @Bruce_Briggs
    Small mistake, I meant 192.168.113.2 ;-)

    @james.carson
    No improvement after I created the appropriate policy. (see attached photo1)
    I find it strange that the traceroute after the firewall goes to the Internet via the external interface. (see attached photo2)
    How can I route this VPN traffic through the tunnel?
    I currently have no network routes set up on the Firebox.

    [https://bilderupload.org/bild/cfa476921-photo1]
    [https://bilderupload.org/bild/b59c77030-photo2]

  • Look at Web UI -> System Status -> Routes
    I have an entry near the bottom for my SSLVPN subnet
    192.168.222.0/24 tun0 0.0.0.0 U 0

    Do you have something similar?

    When I tracert to 192.168.222.4 - a not connected SSLVPN IP addr, my tracert does not go out to the Internet.

    I'm running V12.8 beta, but I would not expect the version to be an issue.
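The route check described in this answer, as an added example that is not part of the original thread: it performs a longest-prefix-match lookup over a constructed Firebox-style route table (the interface and gateway values are assumptions) and reports whether a given SSLVPN client address would be sent down tun0 or fall through to the default route on the external interface, which is what the traceroute in the question shows.

```python
import ipaddress

# Constructed sample in the "network iface gateway flags metric" layout
# shown above. The default route via eth0 and the trusted subnet on eth1
# are assumptions; only the tun0 line mirrors the thread.
ROUTE_TABLE = """\
0.0.0.0/0 eth0 203.0.113.1 UG 0
192.168.1.0/24 eth1 0.0.0.0 U 0
192.168.222.0/24 tun0 0.0.0.0 U 0
"""


def parse_routes(text):
    """Parse route lines into (network, iface, gateway, flags, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        net, iface, gw, flags, metric = parts[:5]
        routes.append((ipaddress.ip_network(net, strict=False),
                       iface, gw, flags, int(metric)))
    return routes


def lookup(routes, ip):
    """Return the most specific route containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        if addr in route[0]:
            if best is None or route[0].prefixlen > best[0].prefixlen:
                best = route
    return best


def check_sslvpn_route(routes, client_ip, vpn_iface="tun0"):
    """Classify how the Firebox would forward traffic to client_ip."""
    route = lookup(routes, client_ip)
    if route is None:
        return "no-route"
    if route[1] == vpn_iface:
        return "tunnel"       # matched the SSLVPN subnet route
    if route[0].prefixlen == 0:
        return "default"      # fell through to the external interface
    return "other"
```

A client address that is covered by a tun0 route is classified as "tunnel"; one that is not, like the 192.168.113.2 example from the question if no such route exists, ends up on the default route.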

  • I see the same route on my Firebox
    192.168.113.0/24 tun0 0.0.0.0 U 0

    I don't think it's the version either.

    Something is routing the traffic back to the SSLVPN clients wrongly...

  • Consider opening a support incident
