In a previous article we covered how to use Sophos UTM to establish an IPSEC VPN tunnel. IPSEC VPNs are great for a number of reasons, but they have a big drawback when it comes to NAT traversal. While Sophos UTM supports NAT-T, where one side is behind a NAT, you run into connectivity issues when both sides are behind NAT.

The simple solution here is to use SSL Site-to-Site VPN connections. The NAT problem is no longer an issue, and there are some other nice benefits.

Advantages of SSL VPN over IPSEC VPN

Do not let the name fool you: SSL VPNs (which are based on OpenVPN) no longer use SSL. They use TLS (see our article on understanding the difference between SSL and TLS). The SSL VPN name has stuck though.

The key advantages of SSL VPN, for me, are:

  • Ease of configuration
  • Ease of deployment
  • Ease of maintenance
  • Great security
  • NAT and dynamic IP traversal not an issue
  • More SSL VPN connections supported per UTM than IPSEC connections
  • Speed!

On that last point, in my testing so far SSL VPN tunnels with traffic compression have performed better than IPSEC tunnels configured on the same equipment with the same mix of network devices and connection types.

How Site-to-site SSL VPNs are configured

If you have configured an SSL client access VPN for the UTM on a non-Windows device, you will know about the OpenVPN configuration files. Site-to-Site SSL VPNs work in a similar manner.

The server side generates a configuration file, the client side imports the file and all of the settings are done for you. Once the VPN is established, you can add or remove networks without needing to reconfigure the VPN. The settings are replicated through the existing configuration which makes the VPN simple to configure and maintain.

Using Site-to-site SSL VPNs in a large distributed network

Simply connecting one site to another is a walk in the park, so for this example I am going to go through the steps required to establish a multi-hop or Grandparent, Parent and Child network.

This example has a central corporate head office with distributed divisional or regional offices, and branch offices that connect into the regional offices in a traditional hub-and-spoke pattern.

In this design, traffic between a regional office and all of its attached branch offices is routed locally within the region, and only requests to HQ need to traverse the tunnel to head office.

Planning Your Site-To-Site VPN Deployment

Before you begin you need to know what the address blocks are for the different sites that you will be connecting together. Make sure you have your networks laid out and that there are no IP overlaps, as this would cause routing issues.

To have a network design that scales across multiple sites, I suggest you use a contiguous block of IP addresses per region that are divided into smaller blocks for the individual sites. Creating supernet and subnet network definitions, and combining them into groups greatly simplifies the design as you scale out the number of sites.

If you have your Sophos UTMs managed by a SUM (Sophos UTM Manager), you can use this to define the objects once and distribute them to all of the UTMs. This is however a ‘nice to have’ and not a required component.
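As an added example (not from the original article), the following Python script checks the kind of address plan described above before any tunnels are built: one contiguous supernet per region, each carved into smaller site blocks. It verifies that every site block sits inside its region's supernet and that no two site or region blocks overlap, since overlaps are exactly what causes the routing issues mentioned. The region and site names and addresses are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed address plan (hypothetical; not from the article):
# one contiguous /16 per region, carved into /24s for the sites in it.
REGIONS = {
    "HQ": {
        "supernet": "10.0.0.0/16",
        "sites": {"hq-lan": "10.0.1.0/24", "hq-servers": "10.0.2.0/24"},
    },
    "Region-A": {
        "supernet": "10.1.0.0/16",
        "sites": {"div-a": "10.1.0.0/24", "branch-a1": "10.1.1.0/24", "branch-a2": "10.1.2.0/24"},
    },
    "Region-B": {
        "supernet": "10.2.0.0/16",
        "sites": {"div-b": "10.2.0.0/24", "branch-b1": "10.2.1.0/24"},
    },
}


def validate_plan(regions):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems = []
    supernets = {name: ipaddress.ip_network(r["supernet"]) for name, r in regions.items()}
    sites = {}

    # Every site block must be carved out of its own region's supernet.
    for region, r in regions.items():
        for site, cidr in r["sites"].items():
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(supernets[region]):
                problems.append(f"{site} {net} is not inside {region} supernet {supernets[region]}")
            sites[site] = net

    # Region supernets must not overlap one another.
    for (a, na), (b, nb) in combinations(supernets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"region supernets {a} {na} and {b} {nb} overlap")

    # No two site networks may overlap: the UTMs could not route between them unambiguously.
    for (a, na), (b, nb) in combinations(sites.items(), 2):
        if na.overlaps(nb):
            problems.append(f"site networks {a} {na} and {b} {nb} overlap")

    return problems


def hq_tunnel_networks(regions, region):
    """Local/Remote networks for the HQ server connection to one region.

    Because the region is one contiguous supernet, the Remote networks field can
    hold a single supernet definition instead of every divisional and branch block.
    """
    local = [r for r in regions["HQ"]["sites"].values()]
    remote = [regions[region]["supernet"]]
    return local, remote


if __name__ == "__main__":
    for p in validate_plan(REGIONS) or ["address plan is clean"]:
        print(p)
    print(hq_tunnel_networks(REGIONS, "Region-A"))
```

Run it against your own plan before creating the connections; a non-empty result points at the exact pair of definitions to fix.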

Configure the Head Office Server Connection

The following is performed on the main corporate UTM. This will set up the grandparent to parent tunnel.

  1. Open Site-to-site VPN | SSL | Connections
  2. +New SSL Connection
  3. Connector Type: Server
  4. Connection Name: Divisional Office
  5. Local Networks: The networks at corporate head office
  6. Remote networks: The networks at the divisional office AND its branches
  7. Check the box for Automatic Firewall Rules
  8. Click Save
  9. Once saved, download the configuration file by clicking the download button

Configure the Divisional Client Connection

The following is done on the divisional office UTM. Here the configuration is imported and the rest of the settings are done for you.

  1. Open Site-to-site VPN | SSL | Connections
  2. +New SSL Connection
  3. Connection Type: Client
  4. Connection Name: Corporate HQ
  5. Upload the file saved earlier
  6. Check the box for Automatic firewall rules
  7. Save

Once the connection has been configured, you can click on the live log to see that the connection is being made. If the connection is failing, the log is your first place to start looking for clues. Clicking on the Site-to-site VPN link will bring up the VPN Tunnel Status page and show your tunnel(s) and which networks are on each side of the tunnel.

If you only needed to connect two sites to one another, you would be done! The setup automatically creates the routing configuration for you, and because we chose to automatically create firewall rules, that portion has been taken care of too. But why stop there when we have another branch to connect…

Configure the Divisional Server Connection

The following is performed on the divisional UTM. This will set up the parent to child tunnel.

  1. Open Site-to-site VPN | SSL | Connections
  2. +New SSL Connection
  3. Connector Type: Server
  4. Connection Name: Branch Name
  5. Local Networks: The networks at the divisional office as well as the corporate head office
  6. Remote networks: The networks at the branch office
  7. Check the box for Automatic Firewall Rules
  8. Save and download the file

At this point, the Divisional UTM is both a client and a server for SSL VPN.

Configure the Branch Client Connection

The following is done on the branch office UTM.

  1. Open Site-to-site VPN | SSL | Connections
  2. +New SSL Connection
  3. Connection Type: Client
  4. Connection Name: Divisional
  5. Upload the file saved earlier
  6. Check the Box for Automatic firewall rules
  7. Save

In the same manner as before, we should now see the connection and the networks come online. From the branch, all traffic destined for the divisional office and the corporate head office will flow through the tunnel. When the divisional UTM receives traffic destined for the corporate head office, it will forward it down its own tunnel to the corporate head office.

The place to see that everything is connected and working well is on the divisional UTM. If we look at the Site-to-site VPN section, we can see two tunnels along with the networks that reside on each side of the VPN.

If ever you want to check out exactly what the routes are, go to Support | Advanced | Routes Table.
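To make the multi-hop forwarding described above concrete, here is an added Python example (not the article's or Sophos' code) that derives each UTM's routes from the Local/Remote networks entered on the server side of each tunnel, then traces where a packet goes. It also shows the failure mode of leaving head office out of the divisional server connection's Local networks (step 5 of that section): the branch never learns a route to HQ. All addresses and UTM names are constructed for the example.

```python
import ipaddress

# Constructed address plan (hypothetical, not from the article)
HQ_NETS = ["10.0.0.0/16"]
DIV_NETS = ["10.1.0.0/24"]
BRANCH_NETS = ["10.1.1.0/24"]

# Networks directly attached to each UTM
CONNECTED = {"HQ": HQ_NETS, "Divisional": DIV_NETS, "Branch": BRANCH_NETS}

# Each site-to-site SSL tunnel as entered on its server side: "local" and
# "remote" are the Local/Remote networks fields of the server connection.
# The client imports the file and learns the mirror image of these lists.
TUNNELS = [
    {"server": "HQ", "client": "Divisional",
     "local": HQ_NETS, "remote": DIV_NETS + BRANCH_NETS},
    {"server": "Divisional", "client": "Branch",
     "local": DIV_NETS + HQ_NETS, "remote": BRANCH_NETS},
]


def build_routes(connected, tunnels):
    """Return {utm: [(network, next_hop)]}; next_hop is None for a connected network."""
    routes = {utm: [(ipaddress.ip_network(n), None) for n in nets]
              for utm, nets in connected.items()}
    for t in tunnels:
        # The server reaches the Remote networks via the client end of the tunnel.
        for n in t["remote"]:
            routes[t["server"]].append((ipaddress.ip_network(n), t["client"]))
        # The client reaches the Local networks via the server end of the tunnel.
        for n in t["local"]:
            routes[t["client"]].append((ipaddress.ip_network(n), t["server"]))
    return routes


def next_hop(routes, utm, dst):
    """Longest-prefix match on one UTM's table; 'local' or 'unreachable' ends a trace."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes[utm] if addr in net]
    if not matches:
        return "unreachable"
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return "local" if nh is None else nh


def trace(routes, utm, dst, max_hops=8):
    """List of UTMs a packet traverses from `utm` to `dst`, ending in 'local' or 'unreachable'."""
    path = [utm]
    for _ in range(max_hops):
        nh = next_hop(routes, utm, dst)
        if nh in ("local", "unreachable"):
            return path + [nh]
        utm = nh
        path.append(utm)
    return path + ["loop"]


if __name__ == "__main__":
    routes = build_routes(CONNECTED, TUNNELS)
    print("branch -> HQ:", trace(routes, "Branch", "10.0.5.10"))
    print("HQ -> branch:", trace(routes, "HQ", "10.1.1.9"))

    # Misconfiguration: divisional server connection lists only its own LAN as Local networks
    broken = [TUNNELS[0], {"server": "Divisional", "client": "Branch",
                           "local": DIV_NETS, "remote": BRANCH_NETS}]
    print("branch -> HQ (HQ omitted):", trace(build_routes(CONNECTED, broken), "Branch", "10.0.5.10"))
```

The trace from the branch passes through the divisional UTM and is delivered at HQ, matching what the Routes Table on each UTM should show; in the broken variant the branch table simply has no entry covering the HQ block.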

Central logging and reporting

Since all of the remote sites have their own internet breakout, the most efficient way for them to handle client internet requests is to use the local breakout. And since they are connecting through a UTM, they have all of the same protection on site that the users at head office enjoy. If you are using a SUM you can actually enforce exactly the same settings.

As Internet usage is not traversing through your central UTM, you may wonder how to go about monitoring and reporting on the entire network centrally.

Since all of the UTMs now have a Site-to-site VPN connection to each other, each UTM can securely send its syslog traffic to your central Fastvue Sophos Reporter server at your head office. This will give you a detailed real-time view of all activity across your entire network.

(Screenshot: Fastvue Sophos Reporter - Dashboard Overview)

As Fastvue Sophos Reporter is licensed by user count and not UTM device count, you can add additional UTMs at no cost. You will however need a license key for each UTM, so be sure to request enough keys for your environment. Once you have enough license keys for all the UTMs you need to monitor, simply add all your UTMs as sources (in Settings | Sources) and you are all set!

If you simply want to collect all the log data in a central location, you can also send syslog messages to a central Fastvue Syslog server. Just be sure to specify a different syslog port for each application if Fastvue Sophos Reporter and Fastvue Syslog are installed on the same machine.

(Screenshot: Fastvue Syslog Server)

And of course Fastvue Syslog is free, and collects and logs all your syslog traffic in one place!

Conclusion

Site-to-Site SSL VPN is a great way to overcome some of the limitations associated with IPSEC VPN tunnels.

There are additional settings, such as the certificates to be used, enabling or disabling tunnel compression, and debug logging, under the Site-to-site VPN | SSL | Advanced tab, but as yet I have had no reason to change anything from the defaults.

If you have any questions or issues, please let me know in the comments!