Secure-Client VPN through Site-to-Site-VPN

Status
Not open for further replies.

martinp05

Technical User
May 19, 2005
Hello!

I have the following issue:

Between a VPN-Edge-Box (latest firmware) and a NGX-Firewall there is a Site-to-Site-VPN configured. Behind the NGX-Firewall there is another NGX-Firewall (SecureClient VPN-Endpoint). Behind the VPN-Edge-Box there is a ClientPC. This ClientPC should establish a SecureClient-VPN through the Site-to-Site-VPN to the SecureClient-VPN-Endpoint.

SC-Client---Edge-----NGXFirewall----VPN-Endpoint.

The Site-to-Site-VPN works fine. The main problem is that I cannot connect through this VPN via SecureClient.

Has someone configured such a vpn and maybe can give me some information?

Best regards

Martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
Sounds very unusual. Is the VPN tunnel between the Edge and NGX configured to bypass NAT and the firewall? Can the SC-Client reach the network between the NGX and the VPN-Endpoint? SecureClient connecting over VPN needs a certificate on the destination to acquire a fingerprint. Is there a generated CA on the VPN-Endpoint? Without it, SecureClient will fail trying to reach it. Any one of these issues could cause your SecureClient connection to fail.
 
Hello,

Bypass NAT is configured (between the VPN-Tunnel Edge-NGX). Yes, the SecureClient can reach the network. Yes, the certificate exists as well. :)

I know the request is quite strange, but the customer is the king. :)

Martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
I'm not thoroughly familiar with VPN-Endpoints, although I imagine they can't be that hard to administer. I would check the rulebase for that VPN-Endpoint. Is it at all like Firewall-1, where you create users with pre-shared secrets as the source and add them to remote access groups with encryption domains as their destination? What exactly happens when you try to connect?
 