VPN Internal Connectivity

Hi,

Can you show us the VPN Config? 

Do you have the LAN Network as permitted networks? 

Hi,

I'm also having issues getting SSL VPN to work. I do get a connection, but no traffic is passed through.

I followed the steps in this manual; https://community.sophos.com/kb/en-us/122769

I troubleshooted with this; https://community.sophos.com/kb/en-us/123320

No traffic is passing through the appliance.
Although I don't trust the counter you see with the rules, (I had smtp issues as well, until I disabled the default rule that scans SMTP and with that rule the counters kept saying 0 bytes in, 0 bytes out... Yeah right...) also the rule that allows traffic from VPN to LAN stays on 0 B in and 0 B out.
Even a rule; Allow ANY to ANY (just for test) doesn't change anything.

The ping (or ssh connect) isn't seen within Wireshark on the destination device.
And the client keeps reconnecting every now and then (8,5 minutes or so), even though I switched off the disconnect when idle setting in the XG.

Does somebody know what's going wrong here? It actually starts to drive me a little bit mad...
I have a lot of experience with the UTM, but never experienced this with it...

Thanks in advance for your help!
Regards,
Erwin

Would recommend a dump on XG.

Login via SSH - 5 -3 (Advanced Shell) - tcpdump -ni any icmp 
Try to ping the target server. 

Post your Resultats. 

VPN config is pretty minimal, really: 

Following your advice to the other guy, I do the tcpdump and get this:

10:48:37.510046 Port1, OUT: IP 192.168.1.1 > 192.168.1.67: ICMP echo reply, id 0
, seq 0, length 24
10:48:38.733885 Port1, IN: IP 192.168.1.122 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:38.733932 Port1, OUT: IP 192.168.1.1 > 192.168.1.122: ICMP echo reply, id
0, seq 0, length 24
10:48:40.937763 tun0, IN: IP 10.81.234.6 > 192.168.1.44: ICMP echo request, id 7
2, seq 1, length 64
10:48:42.456905 Port1, IN: IP 192.168.1.123 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:42.456991 Port1, OUT: IP 192.168.1.1 > 192.168.1.123: ICMP echo reply, id
0, seq 0, length 24
10:48:45.013543 tun0, IN: IP 10.81.234.6 > 192.168.1.44: ICMP echo request, id 7
3, seq 1, length 64
10:48:45.800501 Port1, IN: IP 192.168.1.125 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:45.800551 Port1, OUT: IP 192.168.1.1 > 192.168.1.125: ICMP echo reply, id
0, seq 0, length 24
10:48:47.515220 Port1, IN: IP 192.168.1.67 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:47.515264 Port1, OUT: IP 192.168.1.1 > 192.168.1.67: ICMP echo reply, id 0
, seq 0, length 24
10:48:48.737377 Port1, IN: IP 192.168.1.122 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:48.737459 Port1, OUT: IP 192.168.1.1 > 192.168.1.122: ICMP echo reply, id
0, seq 0, length 24
10:48:49.061747 tun0, IN: IP 10.81.234.6 > 192.168.1.44: ICMP echo request, id 7
4, seq 1, length 64
10:48:52.461448 Port1, IN: IP 192.168.1.123 > 192.168.1.1: ICMP echo request, id
0, seq 0, length 24
10:48:52.461498 Port1, OUT: IP 192.168.1.1 > 192.168.1.123: ICMP echo reply, id
0, seq 0, length 24

The traffic of interest is the 10.81.234.6 to the 192.168.1.44. So, the requests are hitting the firewall. But I see no evidence of that traffic being processed by any firewall rules. I can see the phone talking to the internet through the VPN and firewall, but nothing inbound seems to even hit a rule. 

You are using the wrong "networks" for permitted Networks.

Those objects are the Interface IPs of XG - Not the whole network behind it.

Use a object with 192.168.1.0/24 in permitted network - Should work fine. 

Perfect, that was it. Why I didn't think of that, I don't know. 

Was there some place in the logs I could have seen failures/rejects? 

Hi,

Thanks for your reply. I'm not getting any output from the tcpdump. It looks like the traffic doesn't get to the firewall.

I have read somewhere that I needed a network object in my "permitted network resources" instead of the port, so I already did that.
My internal LAN /24 is permitted.

Thanks,
Erwin.

Can you post your SSLVPN Log of client? He should push the routes. 

Furthermore please check the priority of your windows LAN adapter: openvpn.net/.../319-how-do-i-make-the-windows-network-adapter-my-default-adapter-again.html

I'm using a Macbook with Tunnelblick as VPN client. It looks like the route is being pushed.

Netstat -rn on my mac tells me;  10.0.10/24 10.81.234.5 UGSc 0 2 utun2
So it looks like that part goes well.

The log of the session;

2018-08-05 21:11:35 *Tunnelblick: openvpnstart starting OpenVPN

*Tunnelblick: OS X 10.13.6; Tunnelblick 3.7.6a (build 5080); prior version 3.7.6 (build 5060)

2018-08-05 21:11:35 *Tunnelblick: Attempting connection with Sophos_XG using shadow copy; Set nameserver = 769; monitoring connection

2018-08-05 21:11:35 *Tunnelblick: openvpnstart start Sophos_XG.tblk 53458 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2o

2018-08-05 21:11:36 *Tunnelblick: openvpnstart log:

OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2o/openvpn

--daemon

--log

/Library/Application Support/Tunnelblick/Logs/-SUsers-Serwin-SLibrary-SApplication Support-STunnelblick-SConfigurations-SSophos_XG.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.53458.openvpn.log

--cd

/Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources

--setenv

IV_GUI_VER

"net.tunnelblick.tunnelblick 5080 3.7.6a (build 5080)"

--verb

3

--config

/Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources/config.ovpn

--verb

3

--cd

/Library/Application Support/Tunnelblick/Users/erwin/Sophos_XG.tblk/Contents/Resources

--management

127.0.0.1

53458

/Library/Application Support/Tunnelblick/phahlgogoipdkdkfogilinbdpklhmhbkjnhkhmgb.mip

--management-query-passwords

--management-hold

--script-security

2

--up

/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

--down

/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2018-08-05 21:11:35 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 25 2018

2018-08-05 21:11:35 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10

2018-08-05 21:11:35 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:53458

2018-08-05 21:11:35 Need hold release from management interface, waiting...

2018-08-05 21:11:36 *Tunnelblick: Established communication with OpenVPN

2018-08-05 21:11:36 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:53458

2018-08-05 21:11:36 MANAGEMENT: CMD 'pid'

2018-08-05 21:11:36 MANAGEMENT: CMD 'state on'

2018-08-05 21:11:36 MANAGEMENT: CMD 'state'

2018-08-05 21:11:36 MANAGEMENT: CMD 'bytecount 1'

2018-08-05 21:11:36 MANAGEMENT: CMD 'hold release'

2018-08-05 21:11:39 MANAGEMENT: CMD 'username "Auth" "erwin"'

2018-08-05 21:11:39 MANAGEMENT: CMD 'password [...]'

2018-08-05 21:11:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2018-08-05 21:11:39 MANAGEMENT: >STATE:1533496299,RESOLVE,,,,,,

2018-08-05 21:11:40 TCP/UDP: Preserving recently used remote address: [AF_INET]*****PUBLIC-IP*****:8443

2018-08-05 21:11:40 Socket Buffers: R=[196724->196724] S=[9216->9216]

2018-08-05 21:11:40 UDP link local: (not bound)

2018-08-05 21:11:40 UDP link remote: [AF_INET]*****PUBLIC-IP*****:8443

2018-08-05 21:11:40 MANAGEMENT: >STATE:1533496300,WAIT,,,,,,

2018-08-05 21:11:40 MANAGEMENT: >STATE:1533496300,AUTH,,,,,,

2018-08-05 21:11:40 TLS: Initial packet from [AF_INET]*****PUBLIC-IP*****:8443, sid=ea3a8009 5599960d

2018-08-05 21:11:40 VERIFY OK: depth=3, C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root

2018-08-05 21:11:40 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

2018-08-05 21:11:40 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

2018-08-05 21:11:40 VERIFY X509NAME OK: OU=Domain Control Validated, OU=PositiveSSL, CN=*****FQDN*****

2018-08-05 21:11:40 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL, CN=*****FQDN*****

2018-08-05 21:11:44 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

2018-08-05 21:11:44 [*****FQDN*****] Peer Connection Initiated with [AF_INET]*****PUBLIC-IP*****:8443

2018-08-05 21:11:45 MANAGEMENT: >STATE:1533496305,GET_CONFIG,,,,,,

2018-08-05 21:11:45 SENT CONTROL [*****FQDN*****]: 'PUSH_REQUEST' (status=1)

2018-08-05 21:11:50 SENT CONTROL [*****FQDN*****]: 'PUSH_REQUEST' (status=1)

2018-08-05 21:11:51 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 450,ping-restart 1800,route 10.0.10.0 255.255.255.0,topology subnet,route remote_host 255.255.255.255 net_gateway,dhcp-option DNS 10.0.10.110,dhcp-option DNS 10.0.10.254,ifconfig 10.81.234.7 255.255.255.0'

2018-08-05 21:11:51 OPTIONS IMPORT: timers and/or timeouts modified

2018-08-05 21:11:51 OPTIONS IMPORT: --ifconfig/up options modified

2018-08-05 21:11:51 OPTIONS IMPORT: route options modified

2018-08-05 21:11:51 OPTIONS IMPORT: route-related options modified

2018-08-05 21:11:51 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

2018-08-05 21:11:51 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

2018-08-05 21:11:51 Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

2018-08-05 21:11:51 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key

2018-08-05 21:11:51 Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication

2018-08-05 21:11:51 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)

2018-08-05 21:11:51 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)

2018-08-05 21:11:51 Opened utun device utun2

2018-08-05 21:11:51 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

2018-08-05 21:11:51 MANAGEMENT: >STATE:1533496311,ASSIGN_IP,,10.81.234.7,,,,

2018-08-05 21:11:51 /sbin/ifconfig utun2 delete

ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

2018-08-05 21:11:51 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure

2018-08-05 21:11:51 /sbin/ifconfig utun2 10.81.234.7 10.81.234.7 netmask 255.255.255.0 mtu 1500 up

2018-08-05 21:11:51 /sbin/route add -net 10.81.234.0 10.81.234.7 255.255.255.0

add net 10.81.234.0: gateway 10.81.234.7

2018-08-05 21:11:51 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1569 10.81.234.7 255.255.255.0 init

**********************************************

Start of output from client.up.tunnelblick.sh

Disabled IPv6 for 'PPPoE'

Disabled IPv6 for 'Thunderbolt Ethernet 2'

Disabled IPv6 for 'Thunderbolt Ethernet 3'

Disabled IPv6 for 'iPad USB'

Disabled IPv6 for 'iPhone USB'

Disabled IPv6 for 'Thunderbolt Ethernet 4'

Disabled IPv6 for 'Thunderbolt Ethernet 5'

Disabled IPv6 for 'iPhone USB 5'

Disabled IPv6 for 'iPhone USB 3'

Disabled IPv6 for 'Thunderbolt FireWire'

Disabled IPv6 for 'Wi-Fi'

Disabled IPv6 for 'iPhone USB 2'

Disabled IPv6 for 'iPhone USB 4'

Disabled IPv6 for 'Thunderbolt Bridge'

Disabled IPv6 for 'PureVPN'

Retrieved from OpenVPN: name server(s) [ 10.0.10.110 10.0.10.254 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]

WARNING: Ignoring ServerAddresses '10.0.10.110 10.0.10.254' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified

Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected

Saved the DNS and SMB configurations so they can be restored

Did not change DNS ServerAddresses setting of '1.1.1.1' (but re-set it)

Changed DNS SearchDomains setting from '' to 'openvpn'

Changed DNS DomainName setting from '' to 'openvpn'

Did not change SMB NetBIOSName setting of ''

Did not change SMB Workgroup setting of ''

Did not change SMB WINSAddresses setting of ''

DNS servers '1.1.1.1' were set manually

DNS servers '1.1.1.1' will be used for DNS queries when the VPN is active

NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

Flushed the DNS cache via dscacheutil

/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil

Notified mDNSResponder that the DNS cache was flushed

Setting up to monitor system configuration with process-network-changes

End of output from client.up.tunnelblick.sh

**********************************************

2018-08-05 21:12:01 MANAGEMENT: >STATE:1533496321,ADD_ROUTES,,,,,,

2018-08-05 21:12:01 /sbin/route add -net *****PUBLIC-IP***** 172.20.10.1 255.255.255.255

add net *****PUBLIC-IP*****: gateway 172.20.10.1

2018-08-05 21:12:01 /sbin/route add -net 10.0.10.0 10.81.234.5 255.255.255.0

add net 10.0.10.0: gateway 10.81.234.5

2018-08-05 21:12:01 /sbin/route add -net *****PUBLIC-IP***** 172.20.10.1 255.255.255.255

route: writing to routing socket: File exists

add net *****PUBLIC-IP*****: gateway 172.20.10.1: File exists

2018-08-05 21:12:01 Initialization Sequence Completed

2018-08-05 21:12:01 MANAGEMENT: >STATE:1533496321,CONNECTED,SUCCESS,10.81.234.7,*****PUBLIC-IP*****,8443,,

Can you post a screenshot of your SSLVPN config Page?