SSL VPN network extension is configured on the SecoSpace USG6300 to force all client traffic through the VPN tunnel (Full Tunnel mode), but the configuration does not work as intended: SSL VPN dial-up users can access the intranet but cannot access the Internet.
The SSL VPN configuration on the USG6300 is as follows:
v-gateway public ssl
version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
v-gateway sslvpn interface Vlanif3303 private
v-gateway sslvpn alias sslvpn
dns-server 188.8.131.52 184.108.40.206
ssl version tlsv11 tlsv12
ssl timeout 5
ssl lifecycle 1440
ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 10.1.1.2 10.1.1.100 255.255.255.0
netpool 10.1.1.2 default
network-extension mode full
1. After the network extension module assigns a virtual IP address to the client, the user cannot access the Internet. Check whether Full Tunnel mode and a DNS server are configured. Both are confirmed to be configured, and an intranet client using the same DNS configuration can access the Internet, so DNS and the tunnel mode are not the cause.
Note: Network extension supports the following routing modes: Split Tunnel, Full Tunnel, and Manual Tunnel. The details are as follows:
In Split Tunnel mode, data from the client to the intranet is sent to the vNIC for forwarding according to the system routing table, and the vNIC uses the virtual IP address as the source IP address of that data. Data destined for the local subnet is forwarded by the real NIC, which uses the actual IP address as the source IP address. Therefore, network extension forwards only the data destined for the intranet. In Split Tunnel mode, the vNIC also forwards data that is not destined for the local subnet.
In Full Tunnel mode, data accessing any resources is intercepted by the vNIC, and the vNIC forwards the data to the virtual gateway.
In Manual Tunnel mode, the administrator must configure a static route to the intranet on the firewall (using the network-extension manual-route command). The client identifies the data destined for the intranet and uses the vNIC to forward the data.
2. Check the route configuration. A default route pointing to the Internet egress exists, so the routing configuration is correct.
3. Check the session table for traffic from a network extension virtual IP address to the Internet. The session shows that no NAT is performed on the vNIC's virtual IP address when it accesses the Internet, so the private pool address leaves the firewall unchanged and the access fails.
4. Configure a Source NAT policy for traffic between the untrust zones (from the SSL VPN virtual address pool to the Internet egress). The problem is solved.
Root cause: when a user who has obtained a virtual IP address through network extension accesses the Internet, NAT is not performed on the vNIC's virtual IP address, so the packets carry an unroutable private source address and the replies never return.
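The fix from step 4 written out as an added configuration example (not the page's own configuration), using the page's 10.1.1.0/24 netpool; it assumes that Vlanif3303 and the Internet egress interface both sit in zone untrust, that a security policy already permits that traffic (the page's fix needed only the NAT rule), and that the rule name is a placeholder. The syntax is USG6000 V500R001 style; V100R001 writes the action as "action nat easy-ip".

```text
# Source NAT for SSL VPN virtual addresses going to the Internet (untrust -> untrust).
# Assumed: both interfaces in zone untrust; rule name "sslvpn_to_internet" is a placeholder.
nat-policy
 rule name sslvpn_to_internet
  source-zone untrust
  destination-zone untrust
  # Match only the network extension address pool from the page (10.1.1.2-10.1.1.100/24),
  # so ordinary Internet-to-Internet traffic is not affected.
  source-address 10.1.1.0 mask 255.255.255.0
  # easy-ip translates the virtual IP to the address of the egress interface,
  # which is what step 3 found missing in the session table.
  action source-nat easy-ip
#
# Verification: after a dial-up user opens a connection to the Internet, the session
# entry should now show the translated (egress interface) source address.
display firewall session table verbose
```

If the session table still shows the 10.1.1.x source unchanged, check that the rule is above any broader untrust-to-untrust rule with "action no-nat" and that the address range matches the netpool.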