VPN Internal Connectivity

So, just got the device setup. Things are going pretty well. Now I'm just working on my OpenVPN connection to it from an Android phone. 

 

I'm unable to reach anything from the VPN connected device to the internal network. What I get in the logs is this:

 

messageid="05201" log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="tun0" out_interface="" src_mac="" src_ip="10.81.234.8" src_country="" dst_ip="192.168.1.44" dst_country="" protocol="TCP" src_port="58188" dst_port="8112" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

 

I'm not entirely clear how my in_interface is "tun0" (ok, that makes sense) but out_interface is "". I'm trying to hit 192.168.1.44, which is the directly connected LAN interface. 

My rules are as simple as can be:

 

 

I have noticed that I have a VPN zone, but I can't do anything to it:

 

So, I feel like I'm missing some basic concept here. Any suggestions?
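The deny line quoted above is a key="value" record, and the fields that matter for this symptom are log_component="SSL VPN", status="Deny", fw_rule_id="0" and an empty out_interface. The script below, added here as an illustration rather than anything from the thread or from Sophos, parses such records and pulls out the SSL VPN denies that hit no firewall rule and had no egress interface, then tallies them per source/destination/port so the pattern is visible at a glance. The sample lines are constructed to mimic the format in the post; treating fw_rule_id="0" plus empty out_interface as "no rule or route matched this flow" is this example's own interpretation.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log, modelled on the Sophos XG firewall record format
# quoted in the thread. Only the first line mirrors the original post; the
# rest are made-up entries so the filter has something to keep and drop.
SAMPLE_LOG = """\
messageid="05201" log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" fw_rule_id="0" in_interface="tun0" out_interface="" src_ip="10.81.234.8" dst_ip="192.168.1.44" protocol="TCP" src_port="58188" dst_port="8112"
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="3" in_interface="tun0" out_interface="Port1" src_ip="10.81.234.8" dst_ip="10.0.10.20" protocol="TCP" src_port="50001" dst_port="22"
messageid="05201" log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" fw_rule_id="0" in_interface="tun0" out_interface="" src_ip="10.81.234.9" dst_ip="10.0.10.254" protocol="ICMP" src_port="0" dst_port="0"
messageid="05201" log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" fw_rule_id="0" in_interface="tun0" out_interface="" src_ip="10.81.234.8" dst_ip="192.168.1.44" protocol="TCP" src_port="58190" dst_port="8112"
"""

# One key="value" pair; values may be empty, as out_interface="" is.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log record into a dict."""
    return dict(KV_RE.findall(line))


def is_unrouted_vpn_deny(event: Dict[str, str]) -> bool:
    """True for an SSL VPN deny that matched no rule and had no egress interface.

    Interpretation used by this example (an assumption, not Sophos documentation):
    fw_rule_id 0 means no user-defined rule matched, and an empty out_interface
    means the appliance never selected an egress path for the flow.
    """
    return (
        event.get("log_component") == "SSL VPN"
        and event.get("status") == "Deny"
        and event.get("fw_rule_id") == "0"
        and event.get("out_interface", "") == ""
    )


def find_vpn_denies(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line and keep only the unrouted SSL VPN denies."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if is_unrouted_vpn_deny(ev)]


def summarize_denies(log_text: str) -> Counter:
    """Count unrouted VPN denies per (src_ip, dst_ip, protocol, dst_port)."""
    key: Tuple[str, str, str, str]
    counts: Counter = Counter()
    for ev in find_vpn_denies(log_text):
        key = (ev["src_ip"], ev["dst_ip"], ev["protocol"], ev["dst_port"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, port), n in summarize_denies(SAMPLE_LOG).most_common():
        print(f"{n:3d}x  {src} -> {dst}  {proto}/{port}  (tun0 -> no egress, no rule)")
```

Run against a real export, a flow that shows up repeatedly here points at the VPN-to-LAN rule or the permitted network resources rather than at the client, since the packet did arrive on tun0.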



Parents
  • Hi,

    I'm also having issues getting SSL VPN to work. I do get a connection, but no traffic is passed through.

    I followed the steps in this manual; https://community.sophos.com/kb/en-us/122769

    I troubleshot with this; https://community.sophos.com/kb/en-us/123320

    No traffic is passing through the appliance.
    Although I don't trust the counter you see with the rules, (I had smtp issues as well, until I disabled the default rule that scans SMTP and with that rule the counters kept saying 0 bytes in, 0 bytes out... Yeah right...) also the rule that allows traffic from VPN to LAN stays on 0 B in and 0 B out.
    Even a rule; Allow ANY to ANY (just for test) doesn't change anything.

    The ping (or ssh connect) isn't seen within Wireshark on the destination device.
    And the client keeps reconnecting every now and then (8,5 minutes or so), even though I switched off the disconnect when idle setting in the XG.

    Does somebody know what's going wrong here? It actually starts to drive me a little bit mad...
    I have a lot of experience with the UTM, but never experienced this with it...

    Thanks in advance for your help!
    Regards,
    Erwin

Children
  • Would recommend a dump on XG.

    Login via SSH - 5 - 3 (Advanced Shell) - tcpdump -ni any icmp 
    Try to ping the target server. 

    Post your results. 

  • Hi,

    Thanks for your reply. I'm not getting any output from the tcpdump. It looks like the traffic doesn't get to the firewall.

    I have read somewhere that I needed a network object in my "permitted network resources" instead of the port, so I already did that.
    My internal LAN /24 is permitted.

    Thanks,
    Erwin.

  • Can you post your SSLVPN log of the client? It should push the routes. 

    Furthermore please check the priority of your windows LAN adapter: openvpn.net/.../319-how-do-i-make-the-windows-network-adapter-my-default-adapter-again.html

  • I'm using a Macbook with Tunnelblick as VPN client. It looks like the route is being pushed.

    Netstat -rn on my mac tells me;  10.0.10/24 10.81.234.5 UGSc 0 2 utun2
    So it looks like that part goes well.

    The log of the session;

    2018-08-05 21:11:35 *Tunnelblick: openvpnstart starting OpenVPN

    *Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080); prior version 3.7.6 (build 5060)

    2018-08-05 21:11:35 *Tunnelblick: Attempting connection with Sophos_XG using shadow copy; Set nameserver = 769; monitoring connection

    2018-08-05 21:11:35 *Tunnelblick: openvpnstart start Sophos_XG.tblk 53458 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o

    2018-08-05 21:11:36 *Tunnelblick: openvpnstart log:

    OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

    /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn

    --daemon

    --log

    /Library/Application Support/Tunnelblick/Logs/-SUsers-Serwin-SLibrary-SApplication Support-STunnelblick-SConfigurations-SSophos_XG.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.53458.openvpn.log

    --cd

    /Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources

    --setenv

    IV_GUI_VER

    "net.tunnelblick.tunnelblick 5080 3.7.6a (build 5080)"

    --verb

    3

    --config

    /Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources/config.ovpn

    --verb

    3

    --cd

    /Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources

    --management

    127.0.0.1

    53458

    /Library/Application Support/Tunnelblick/phahlgogoipdkdkfogilinbdpklhmhbkjnhkhmgb.mip

    --management-query-passwords

    --management-hold

    --script-security

    2

    --up

    /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

    --down

    /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

     

    2018-08-05 21:11:35 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 25 2018

    2018-08-05 21:11:35 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10

    2018-08-05 21:11:35 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:53458

    2018-08-05 21:11:35 Need hold release from management interface, waiting...

    2018-08-05 21:11:36 *Tunnelblick: Established communication with OpenVPN

    2018-08-05 21:11:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:53458

    2018-08-05 21:11:36 MANAGEMENT: CMD 'pid'

    2018-08-05 21:11:36 MANAGEMENT: CMD 'state on'

    2018-08-05 21:11:36 MANAGEMENT: CMD 'state'

    2018-08-05 21:11:36 MANAGEMENT: CMD 'bytecount 1'

    2018-08-05 21:11:36 MANAGEMENT: CMD 'hold release'

    2018-08-05 21:11:39 MANAGEMENT: CMD 'username "Auth" "erwin"'

    2018-08-05 21:11:39 MANAGEMENT: CMD 'password [...]'

    2018-08-05 21:11:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

    2018-08-05 21:11:39 MANAGEMENT: >STATE:1533496299,RESOLVE,,,,,,

    2018-08-05 21:11:40 TCP/UDP: Preserving recently used remote address: [AF_INET]*****PUBLIC-IP*****:8443

    2018-08-05 21:11:40 Socket Buffers: R=[196724->196724] S=[9216->9216]

    2018-08-05 21:11:40 UDP link local: (not bound)

    2018-08-05 21:11:40 UDP link remote: [AF_INET]*****PUBLIC-IP*****:8443

    2018-08-05 21:11:40 MANAGEMENT: >STATE:1533496300,WAIT,,,,,,

    2018-08-05 21:11:40 MANAGEMENT: >STATE:1533496300,AUTH,,,,,,

    2018-08-05 21:11:40 TLS: Initial packet from [AF_INET]*****PUBLIC-IP*****:8443, sid=ea3a8009 5599960d

    2018-08-05 21:11:40 VERIFY OK: depth=3, C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

    2018-08-05 21:11:40 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

    2018-08-05 21:11:40 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

    2018-08-05 21:11:40 VERIFY X509NAME OK: OU=Domain Control Validated, OU=PositiveSSL, CN=*****FQDN*****

    2018-08-05 21:11:40 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL, CN=*****FQDN*****

    2018-08-05 21:11:44 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

    2018-08-05 21:11:44 [*****FQDN*****] Peer Connection Initiated with [AF_INET]*****PUBLIC-IP*****:8443

    2018-08-05 21:11:45 MANAGEMENT: >STATE:1533496305,GET_CONFIG,,,,,,

    2018-08-05 21:11:45 SENT CONTROL [*****FQDN*****]: 'PUSH_REQUEST' (status=1)

    2018-08-05 21:11:50 SENT CONTROL [*****FQDN*****]: 'PUSH_REQUEST' (status=1)

    2018-08-05 21:11:51 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 450,ping-restart 1800,route 10.0.10.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS 10.0.10.110,dhcp-option DNS 10.0.10.254,ifconfig 10.81.234.7 255.255.255.0'

    2018-08-05 21:11:51 OPTIONS IMPORT: timers and/or timeouts modified

    2018-08-05 21:11:51 OPTIONS IMPORT: --ifconfig/up options modified

    2018-08-05 21:11:51 OPTIONS IMPORT: route options modified

    2018-08-05 21:11:51 OPTIONS IMPORT: route-related options modified

    2018-08-05 21:11:51 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

    2018-08-05 21:11:51 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

    2018-08-05 21:11:51 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

    2018-08-05 21:11:51 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

    2018-08-05 21:11:51 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

    2018-08-05 21:11:51 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)

    2018-08-05 21:11:51 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)

    2018-08-05 21:11:51 Opened utun device utun2

    2018-08-05 21:11:51 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

    2018-08-05 21:11:51 MANAGEMENT: >STATE:1533496311,ASSIGN_IP,,10.81.234.7,,,,

    2018-08-05 21:11:51 /sbin/ifconfig utun2 delete

    ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

    2018-08-05 21:11:51 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

    2018-08-05 21:11:51 /sbin/ifconfig utun2 10.81.234.7 10.81.234.7 netmask 255.255.255.0 mtu 1500 up

    2018-08-05 21:11:51 /sbin/route add -net 10.81.234.0 10.81.234.7 255.255.255.0

    add net 10.81.234.0: gateway 10.81.234.7

    2018-08-05 21:11:51 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1569 10.81.234.7 255.255.255.0 init

    **********************************************

    Start of output from client.up.tunnelblick.sh

    Disabled IPv6 for 'PPPoE'

    Disabled IPv6 for 'Thunderbolt Ethernet 2'

    Disabled IPv6 for 'Thunderbolt Ethernet 3'

    Disabled IPv6 for 'iPad USB'

    Disabled IPv6 for 'iPhone USB'

    Disabled IPv6 for 'Thunderbolt Ethernet 4'

    Disabled IPv6 for 'Thunderbolt Ethernet 5'

    Disabled IPv6 for 'iPhone USB 5'

    Disabled IPv6 for 'iPhone USB 3'

    Disabled IPv6 for 'Thunderbolt FireWire'

    Disabled IPv6 for 'Wi-Fi'

    Disabled IPv6 for 'iPhone USB 2'

    Disabled IPv6 for 'iPhone USB 4'

    Disabled IPv6 for 'Thunderbolt Bridge'

    Disabled IPv6 for 'PureVPN'

    Retrieved from OpenVPN: name server(s) [ 10.0.10.110 10.0.10.254 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]

    WARNING: Ignoring ServerAddresses '10.0.10.110 10.0.10.254' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified

    Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected

    Saved the DNS and SMB configurations so they can be restored

    Did not change DNS ServerAddresses setting of '1.1.1.1' (but re-set it)

    Changed DNS SearchDomains setting from '' to 'openvpn'

    Changed DNS DomainName setting from '' to 'openvpn'

    Did not change SMB NetBIOSName setting of ''

    Did not change SMB Workgroup setting of ''

    Did not change SMB WINSAddresses setting of ''

    DNS servers '1.1.1.1' were set manually

    DNS servers '1.1.1.1' will be used for DNS queries when the VPN is active

    NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

    Flushed the DNS cache via dscacheutil

    /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

    Notified mDNSResponder that the DNS cache was flushed

    Setting up to monitor system configuration with process-network-changes

    End of output from client.up.tunnelblick.sh

    **********************************************

    2018-08-05 21:12:01 MANAGEMENT: >STATE:1533496321,ADD_ROUTES,,,,,,

    2018-08-05 21:12:01 /sbin/route add -net *****PUBLIC-IP***** 172.20.10.1 255.255.255.255

    add net *****PUBLIC-IP*****: gateway 172.20.10.1

    2018-08-05 21:12:01 /sbin/route add -net 10.0.10.0 10.81.234.5 255.255.255.0

    add net 10.0.10.0: gateway 10.81.234.5

    2018-08-05 21:12:01 /sbin/route add -net *****PUBLIC-IP***** 172.20.10.1 255.255.255.255

    route: writing to routing socket: File exists

    add net *****PUBLIC-IP*****: gateway 172.20.10.1: File exists

    2018-08-05 21:12:01 Initialization Sequence Completed

    2018-08-05 21:12:01 MANAGEMENT: >STATE:1533496321,CONNECTED,SUCCESS,10.81.234.7,*****PUBLIC-IP*****,8443,,
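The PUSH_REPLY line in the log above is where the server hands the client its tunnel address, the routes it should install and the DNS servers to use. The snippet below, added here as a worked example and not part of the thread or of any OpenVPN or Tunnelblick code, parses that control message with Python's ipaddress module and answers the question the thread circles around: given what was pushed, is a particular destination covered by a route through the tunnel at all? The PUSH_REPLY text is the one quoted in the log; the "remote_host" route is a symbolic entry for the VPN server itself, so it is recorded separately rather than parsed as a network.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# The PUSH_REPLY exactly as it appears in the Tunnelblick log above.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,route-gateway 10.81.234.5,ping 450,ping-restart 1800,"
    "route 10.0.10.0 255.255.255.0,topology subnet,"
    "route remote_host 255.255.255.255 net_gateway,"
    "dhcp-option DNS 10.0.10.110,dhcp-option DNS 10.0.10.254,"
    "ifconfig 10.81.234.7 255.255.255.0"
)


def parse_push_reply(msg: str) -> Dict[str, object]:
    """Split a PUSH_REPLY control message into the options a client would act on."""
    cfg: Dict[str, object] = {
        "route_gateway": None,
        "tunnel_address": None,
        "tunnel_network": None,
        "routes": [],          # IPv4Network objects pushed via 'route'
        "symbolic_routes": [],  # e.g. 'route remote_host ... net_gateway'
        "dns": [],
        "timers": {},
    }
    for raw in msg.split(","):
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "PUSH_REPLY":
            continue
        opt, args = tokens[0], tokens[1:]
        if opt == "route-gateway":
            cfg["route_gateway"] = ipaddress.ip_address(args[0])
        elif opt == "ifconfig":
            # With 'topology subnet' the second argument is a netmask.
            iface = ipaddress.ip_interface(f"{args[0]}/{args[1]}")
            cfg["tunnel_address"] = iface.ip
            cfg["tunnel_network"] = iface.network
        elif opt == "route":
            try:
                cfg["routes"].append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
            except ValueError:
                # 'remote_host' is resolved by the client to the server's IP; keep it as text.
                cfg["symbolic_routes"].append(" ".join(args))
        elif opt == "dhcp-option" and args[0] == "DNS":
            cfg["dns"].append(args[1])
        elif opt in ("ping", "ping-restart"):
            cfg["timers"][opt] = int(args[0])
    return cfg


def covering_route(cfg: Dict[str, object], dst: str) -> Optional[ipaddress.IPv4Network]:
    """Return the most specific pushed network (or the tunnel subnet) that contains dst."""
    target = ipaddress.ip_address(dst)
    candidates: List[ipaddress.IPv4Network] = list(cfg["routes"])
    if cfg["tunnel_network"] is not None:
        candidates.append(cfg["tunnel_network"])
    matches = [net for net in candidates if target in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


if __name__ == "__main__":
    cfg = parse_push_reply(SAMPLE_PUSH_REPLY)
    print("tunnel:", cfg["tunnel_address"], "in", cfg["tunnel_network"], "via", cfg["route_gateway"])
    print("pushed routes:", [str(n) for n in cfg["routes"]], "DNS:", cfg["dns"])
    for dst in ("10.0.10.20", "10.81.234.5", "192.168.1.44"):
        print(f"{dst:>14}: {covering_route(cfg, dst) or 'no route via the tunnel'}")
```

If a destination comes back as "no route via the tunnel", the packet never reaches the appliance and a tcpdump on the XG will stay empty for it; that is a permitted-network-resources problem on the server side, not a firewall rule problem. If the route is present and the XG still sees nothing, the client or its interface priority is the next thing to look at, which is where this thread ended up.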

  • Can you post a screenshot of your SSLVPN config Page? 

  • Sure;

     

     

    Under the user settings;

  • I am not using a Mac, but I think you should take a look at the Tunnelblick client. 

    As you already noticed, the traffic is not sent to the XG, so the issue should be the client. 

    https://community.sophos.com/kb/en-us/125374

    https://community.sophos.com/kb/en-us/127843

  • Well, I wasn't looking at the client, because I have 5 other VPN configurations installed in Tunnelblick and they all work fine.

    One of them is a connection to a UTM, works like a charm, for quite a long time already.

    But I will see if I can get my hands on a windows pc and try that, just to rule out the XG or the Tunnelblick client.

  • Right, a Windows machine worked just fine, so my config was ok...

    Another Macbook with Tunnelblick also worked...

    On the Macbook which wasn't working, I removed the config from Tunnelblick, rebooted the Macbook, downloaded the config from the user portal again and imported it again in Tunnelblick; now it's also working on this Macbook.

    Thanks for thinking with me here!
    Regards,
    Erwin.