After configuring the SSL VPN on the Smoothwall and setting up the client, the clients connect fine but there are issues reaching destinations behind the Smoothwall. Here we look at the potential issues and solutions for this.
When the SSL VPN is configured on the Smoothwall, a separate subnet is used for client connectivity. This subnet is a virtual subnet that exists "inside" the Smoothwall. When clients connect, they get an IP address on this subnet. Because of this, a route may need to be configured on internal switches to the subnet used by the SSL VPN clients, using Smoothwall as the gateway for this subnet. If the Smoothwall is the default gateway for your other internal networks, this route should not be needed.
Once the SSL VPN is configured, a firewall rule also needs to be added for traffic to be allowed to flow through the Smoothwall into the internal networks from the SSL VPN subnet. This is true for all types of VPN connections on the Smoothwall.
In "Network - Firewall - Firewall rules" create a new rule and add SSL VPN as the incoming interface and any internal interface the SSL VPN clients are allowed to communicate with, into the outgoing interfaces. Set the action to "Accept". This is needed before any SSL VPN clients will be able to reach internal resources.
Only some systems can be accessed
If the client is connected and the firewall rules are in place, all clients should be able to access internal resources. If some aren't available, check the following:
- Does the target that clients are trying to reach, have a route back to the SSL VPN subnet? If not, either add or amend the existing routing table for the target system.
- If the target is addressed using a DNS name that cannot be resolved on the client, make sure internal DNS servers have been added to the "Network » VPN » Global" section in the "L2TP and SSL VPN client configuration settings".
In short, there are three reasons why connectivity can fail once the client is connected. Missing firewall rules, missing routing information for the SSL VPN client IP subnet and missing DNS information in the global section of the VPN area.