Configuring SSL-VPN / OneConnect server on secondary Firewall IP address

Last modified on 8 Apr, 2021. Revision 5
Configuring a new SSL-VPN / OneConnect server to listen on a secondary IP address, and why that IP address must be routed on the core interface.
Up to date for: cOS Core 13.00.09 and up
Supported since: cOS Core 13.00.09
Not valid for: cOS Core 13.00.08 and older
Status: OK
Author: Peter Nilsson

Description

Adding additional IP addresses to an interface in the Firewall is described in the following KB:

https://kb.clavister.com/324735780/adding-an-additional-ip-address-to-an-ethernet-interface

It is recommended to use the “core” route method. One reason for that recommendation is that an additional IP address which is not core routed may not work for server functions the Firewall itself provides on that address, such as SSL-VPN, OneConnect, IPsec, the WebUI and SSH.

In versions before 13.00.09 it was possible to configure and use the SSL-VPN server on a non-core routed IP address. The changes in 13.00.09 align the SSL-VPN server with the other server types, so an existing SSL-VPN server configured on such an address stops working after the upgrade unless the IP address is core routed.

Solution

The solution is to follow the KB article mentioned above and, instead of using “ARP publish”, create a core route with ProxyARP to publish the additional IP address on the Firewall. Making this change on an existing configuration may also require updates to any IP Policy (or rule) that is specifically configured with a non-core destination interface for the additional IP address, because traffic to a core routed address now arrives on the core interface rather than on the Ethernet interface. An example of the needed change to IP policies/rules:

Before:

Allow Wan all-nets Wan IP_Wan_2 Service=HTTP SetDest=192.168.50.50

After:

Allow Wan all-nets Core IP_Wan_2 Service=HTTP SetDest=192.168.50.50
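As an added illustration (not part of the original article), the same change expressed as cOS Core CLI commands: the “before” state publishes IP_Wan_2 with an ARP publish entry and matches it on the Wan interface, the “after” state publishes it with a core route plus ProxyARP and matches it on core. The object names (IP_Wan_2, Wan, the policy name) and the attribute names are assumptions based on the cOS Core CLI; confirm them against the CLI reference for your version before use.

```text
# Before: secondary address published with ARP publish, policy matched on Wan
add ARP Interface=Wan Mode=Publish IP=IP_Wan_2
add IPPolicy Name=sat_http_wan2 SourceInterface=Wan SourceNetwork=all-nets DestinationInterface=Wan DestinationNetwork=IP_Wan_2 Service=HTTP Action=Allow DestinationAddressTranslation=SAT DestNewIP=192.168.50.50

# After: remove the ARP publish entry and core route the address,
# letting the Firewall answer ARP for it on Wan via ProxyARP
delete ARP Interface=Wan IP=IP_Wan_2
cc RoutingTable main
add Route Interface=core Network=IP_Wan_2 ProxyARPInterfaces=Wan
cc ..

# The address now terminates on core, so the destination interface of the policy changes
set IPPolicy sat_http_wan2 DestinationInterface=core

# Verify that the route is present and that the address answers on core
routes
activate
commit
```

After activating, confirm from a host on the Wan segment that IP_Wan_2 still answers ARP requests (the ProxyARP entry on the core route provides this) and that the SSL-VPN / OneConnect server bound to IP_Wan_2 accepts connections; if the server is still listening on the old non-core setup, the core route is what 13.00.09 and later require.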
