Webserver Protection through IPsec VPN

Hi All,

 

I have a question about routing web traffic through an IPsec VPN. Here's the situation:

 

Site A: Sophos XG with Web Server Protection licensed.

Site B: Sophos XG without Web Server Protection and a dumb web server (ventilation unit) which needs to be accessed for remote support. For proper security I want to use Webserver Protection to secure it with a password.

 

I tried to add the Webserver business rule in Site A, but I haven't got any response from the device. Can you help?

 

Thank you very much in advance!

 

Best Regards

Micha



  • Hi,

    Can you confirm that DNAT works? So a basic DNAT from Site A to the Site B webserver through the webserver works?

    Afterwards, build a WAF policy with a password.

    The password page should come up.

    After the login, can you show us the WAF log?

    As far as I know, there is a routing issue in XG with WAF and resources behind IPsec, so the WAF is not using the proper tunnel to the webserver. I could reproduce it with OWA. Maybe this behaviour is the same with a standard HTTP/S webserver.

  • Thank you for your answer.

    No, I cannot get it to work with DNAT. I just set up a DNAT rule on the Site A firewall which points to the webserver in Site B. Is that correct? On both FWs I've set up rules to allow any traffic in and out via VPN from and to LAN.

    Thanks for your help.

  • Hi again,

    I got it to work, but I had to rewrite the source address (masquerading) to the internal address of the FW in Site A. How can I do this with the Webserver Protection rule?

    I tried to do it with the Exchange template, but it doesn't work either. I get an error 503.

    Thanks a lot for your help!

     

    Best Regards

    Micha

     

    Time                 Server            Source IP/Name  URL                                               Reason  Message  Status Code  Bytes Received  Bytes Transmitted  Message ID  Policy ID
    2018-09-11 08:27:12  some.domain:8888  Source IP       /_kpqkgzssfkythut_form                            -       -                     344             934                17071       17
    2018-09-11 08:27:12  some.domain:8888  Source IP       /favicon.ico                                      -       -                     242             526                17071       17
    2018-09-11 08:27:12  some.domain:8888  Source IP       /                                                 -       -                     625             755                17071       17
    2018-09-11 08:26:57  some.domain:8888  Source IP       /_kpqkgzssfkythut_login                           -       -                     544             678                17071       17
    2018-09-11 08:26:53  -                 Source IP       -                                                 -       -                     0               0                  17071       0
    2018-09-11 08:26:02  some.domain:8888  Source IP       /_kpqkgzssfkythut_form                            -       -                     253             934                17071       17
    2018-09-11 08:26:02  some.domain:8888  Source IP       /favicon.ico                                      -       -                     242             526                17071       17
    2018-09-11 08:26:02  some.domain:8888  Source IP       /Lueftung_kpqkgzssfkythut/company_logo.png        -       -                     416             4089               17071       17
    2018-09-11 08:26:02  some.domain:8888  Source IP       /Lueftung_kpqkgzssfkythut/default_stylesheet.css  -       -                     375             954                17071       17
    2018-09-11 08:26:02  some.domain:8888  Source IP       /_kpqkgzssfkythut_form                            -       -                     311             934                17071       17
    2018-09-11 08:26:02  some.domain:8888  Source IP       /                                                 -       -                     289             526                17071       17

  • It could be this kind of limitation, as explained earlier. As far as I know, the WAF cannot use the IPsec route through the tunnel.

    The WAF should also use MASQ, because it generates the traffic itself.

    You should configure these rules:

    https://community.sophos.com/kb/en-us/123336

    The WAF generates its own traffic, so this traffic should use the system-generated traffic routes.

    Afterwards, perform a tcpdump and take a look at whether the WAF uses the correct tunnel.

  • I see that the traffic gets routed through ipsec0, but with an APIPA address as the source address (Site A).

    I've also created the NAT rule on the FW in Site A:

    But in Site B nothing even shows up in the packet capture.

    Do you know why it uses an APIPA address as the source address?

     

    Thank you very much, and best regards

    Micha

  • Can you please open a case with Support for this?

    As I mentioned earlier, I think this is kind of a bug. Exactly this setup should work fine. Please post the Case ID for me.
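The two observations above (plain DNAT only worked after masquerading to the Site A firewall's internal address, and the WAF's own connections left ipsec0 with a link-local/APIPA source that never appeared at Site B) have one common cause: a policy-based IPsec tunnel only encapsulates packets whose source falls inside the local traffic selector, and a reverse proxy such as the WAF originates its own TCP connections, so the source address it picks decides whether the packet is ever matched to the tunnel. The following is an added example written for this page, not code from the thread or from Sophos; it models that selector check with constructed addresses (10.1.0.0/24 for Site A, 10.2.0.0/24 for Site B, 10.1.0.1 for the firewall's LAN address, 10.2.0.50 for the ventilation unit) and an SNAT table, and it models policy-based selectors only, which is an assumption about the tunnel type.

```python
"""Why WAF (reverse proxy) traffic to a host behind IPsec needs SNAT to an
address inside the tunnel's local selector. Added example; addresses are
constructed, not taken from the thread."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Selector:
    """Traffic selector of one policy-based IPsec tunnel (local <-> remote)."""
    local_net: IPv4Net
    remote_net: IPv4Net


@dataclass(frozen=True)
class Flow:
    src: IPv4Addr
    dst: IPv4Addr
    dport: int


def matches_tunnel(flow: Flow, sel: Selector) -> bool:
    """Only flows with src in the local and dst in the remote selector are encapsulated."""
    return flow.src in sel.local_net and flow.dst in sel.remote_net


def apply_snat(flow: Flow, rules: Iterable[Tuple[IPv4Net, IPv4Addr]]) -> Flow:
    """First-match SNAT table: (destination network, new source address)."""
    for dst_net, new_src in rules:
        if flow.dst in dst_net:
            return replace(flow, src=new_src)
    return flow


def egress(flow: Flow, sel: Selector, snat_rules=()) -> Tuple[str, Flow]:
    """Model the firewall's egress decision for a flow it originates itself."""
    out = apply_snat(flow, snat_rules)
    if matches_tunnel(out, sel):
        return "ipsec0", out
    # Out-of-selector traffic is not encrypted for the peer; with a link-local
    # source it cannot be answered either, so nothing shows up at the far side.
    return "no-tunnel", out


# Constructed lab addressing (assumption, not from the thread).
SITE_A_LAN = IPv4Net("10.1.0.0/24")
SITE_B_LAN = IPv4Net("10.2.0.0/24")
FW_A_LAN_IP = IPv4Addr("10.1.0.1")
VENT_UNIT = IPv4Addr("10.2.0.50")
TUNNEL = Selector(SITE_A_LAN, SITE_B_LAN)
SNAT_TO_FW = [(SITE_B_LAN, FW_A_LAN_IP)]
APIPA_SRC = IPv4Addr("169.254.1.1")      # link-local, as seen on ipsec0 in the thread
INTERNET_CLIENT = IPv4Addr("203.0.113.5")  # documentation range


def waf_without_snat() -> str:
    """WAF-originated connection keeping its link-local source: never enters the tunnel."""
    iface, _ = egress(Flow(APIPA_SRC, VENT_UNIT, 80), TUNNEL)
    return iface


def waf_with_snat() -> Tuple[str, str]:
    """Same connection after SNAT to the firewall's LAN address: matches the selector."""
    iface, out = egress(Flow(APIPA_SRC, VENT_UNIT, 80), TUNNEL, SNAT_TO_FW)
    return iface, str(out.src)


def dnat_only_from_internet() -> str:
    """Plain DNAT forwards the Internet client's own source, also outside the selector."""
    iface, _ = egress(Flow(INTERNET_CLIENT, VENT_UNIT, 80), TUNNEL)
    return iface


if __name__ == "__main__":
    print("WAF, no SNAT:     ", waf_without_snat())
    print("WAF, SNAT to FW:  ", waf_with_snat())
    print("DNAT from Internet:", dnat_only_from_internet())
```

On the real box, the equivalent check is the tcpdump the previous reply suggests: capture on ipsec0 at Site A filtered on the web server's address and confirm that the source is the firewall's LAN address rather than a 169.254.0.0/16 one after the SNAT rule is in place, then repeat the capture at Site B to confirm the packets arrive.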