
IPSec Connect Client Site-to-End Tunnel?

Hello dear community,

I currently have a small problem with SFOS 17.5.0 and the IPsec Connect Client. I can successfully connect to the appliance with the Sophos Connect Client over IPsec, but unfortunately I cannot reach the internal LAN, neither by IP nor by DNS.

Via ipconfig /all the tunnel adapter is assigned an IPv4 address in a 10.xxx.xxx.xxx/32 WITHOUT a default gateway!

I would like to access my internal resources in the LAN; have I forgotten a setting?

XG:

WAN: PPPoE

LAN: 172.17.10.0/24

 

Sophos Client IPsec configuration:

 

Firewall rule:

Alternative firewall rule, doesn't work either...

 

IPsec connection:



  • Which IPs do you assign in the pool? Unfortunately you censored it.

  • Hello, I have just changed the settings again to:

     

    No remote network is specified???

     

    The firewall rule looks as follows:

    Do I also need a rule from LAN --> VPN?

  • That is OK.

    However, the DNS server seems to be "wrong". Please try the LAN interface IP of the XG here.

    Furthermore, you could briefly try a ping and watch the log viewer while doing so.

    Does the rule match at all? Please check the rules (objects) carefully once more.

  • Hello,

    we have the same problem. We can ping the Sophos XG through the VPN tunnel, but no other machine in the internal network. Is there a solution for this?

  • Hello,

    please excuse the late reply. I have time again to deal with this topic. Unfortunately it still doesn't work properly, and I can't find any guide that describes exactly how to proceed.

     

    Attached I have gathered all the information once again.

     

    I have the feeling that it does not define a default gateway for the virtual adapter for the VPN connection. I can run a ping to 172.17.10.1 (LAN gateway), but unfortunately it does not work.

     

    If you need further information, I will now reply faster.

    Firewall rule:

     

    CLIENT:

     

    LOG from the client:

     

    2019-03-18 07:55:47AM 00[DMN] Starting IKE service charon-svc (strongSwan 5.7.1, Windows Client 6.2.9200 (SP 0.0)
    2019-03-18 07:55:47AM 00[LIB] TAP-Windows driver version 1.0 available.
    2019-03-18 07:55:49AM 00[LIB] opened TUN device: {8BF876A7-4792-4F42-8477-773846380571}
    2019-03-18 07:55:49AM 00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 pem openssl kernel-libipsec kernel-iph socket-win vici eap-identity eap-gtc eap-mschapv2 xauth-generic windows-dns
    2019-03-18 07:55:49AM 00[JOB] spawning 16 worker threads
    2019-03-18 07:55:49AM 17[KNL] interface 7 'Intel(R) Dual Band Wireless-AC 8260' changed state from Down to Up
    2019-03-18 07:55:51AM 18[KNL] 169.254.236.148 disappeared from interface 7 'Intel(R) Dual Band Wireless-AC 8260'
    2019-03-18 07:56:05AM 09[CFG] added vici connection: ClientIPSec
    2019-03-18 07:56:05AM 13[CFG] loaded certificate 'C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=SophosApplianceCertificate, E=emailadress@outlook.de'
    2019-03-18 07:56:05AM 11[CFG] loaded RSA private key
    2019-03-18 07:56:06AM 15[CFG] loaded EAP shared key with id 'ClientIPSec-xauth-id' for: 'test'
    2019-03-18 07:56:06AM 15[CFG] vici initiate 'ClientIPSec-1'
    2019-03-18 07:56:06AM 13[IKE] <ClientIPSec|1> initiating Main Mode IKE_SA ClientIPSec[1] to XXX.XXX.84.231(WAN of XG)
    2019-03-18 07:56:06AM 13[ENC] <ClientIPSec|1> generating ID_PROT request 0 [ SA V V V V V ]
    2019-03-18 07:56:06AM 13[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51266] to XXX.XXX.84.231(WAN of XG)[500] (180 bytes)
    2019-03-18 07:56:06AM 14[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[500] to 10.201.46.118(IP WiFi Network)[51266] (180 bytes)
    2019-03-18 07:56:06AM 14[ENC] <ClientIPSec|1> parsed ID_PROT response 0 [ SA V V V V V ]
    2019-03-18 07:56:06AM 14[IKE] <ClientIPSec|1> received XAuth vendor ID
    2019-03-18 07:56:06AM 14[IKE] <ClientIPSec|1> received DPD vendor ID
    2019-03-18 07:56:06AM 14[IKE] <ClientIPSec|1> received Cisco Unity vendor ID
    2019-03-18 07:56:06AM 14[IKE] <ClientIPSec|1> received FRAGMENTATION vendor ID
    2019-03-18 07:56:06AM 14[IKE] <ClientIPSec|1> received NAT-T (RFC 3947) vendor ID
    2019-03-18 07:56:06AM 14[CFG] <ClientIPSec|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    2019-03-18 07:56:06AM 14[ENC] <ClientIPSec|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2019-03-18 07:56:06AM 14[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51266] to XXX.XXX.84.231(WAN of XG)[500] (268 bytes)
    2019-03-18 07:56:06AM 09[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[500] to 10.201.46.118(IP WiFi Network)[51266] (268 bytes)
    2019-03-18 07:56:06AM 09[ENC] <ClientIPSec|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2019-03-18 07:56:06AM 09[IKE] <ClientIPSec|1> local host is behind NAT, sending keep alives
    2019-03-18 07:56:06AM 09[IKE] <ClientIPSec|1> remote host is behind NAT
    2019-03-18 07:56:06AM 09[IKE] <ClientIPSec|1> sending cert request for "C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Sophos_CA_xxxxxxxxxxxxxxx, E=emailadress@outlook.de"
    2019-03-18 07:56:06AM 09[IKE] <ClientIPSec|1> authentication of 'C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=SophosApplianceCertificate, E=emailadress@outlook.de' (myself) successful
    2019-03-18 07:56:06AM 09[ENC] <ClientIPSec|1> generating ID_PROT request 0 [ ID SIG CERTREQ N(INITIAL_CONTACT) ]
    2019-03-18 07:56:06AM 09[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (668 bytes)
    2019-03-18 07:56:06AM 10[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (1248 bytes)
    2019-03-18 07:56:06AM 10[ENC] <ClientIPSec|1> parsed ID_PROT response 0 [ FRAG(1) ]
    2019-03-18 07:56:06AM 10[ENC] <ClientIPSec|1> received fragment #1, waiting for complete IKE message
    2019-03-18 07:56:06AM 09[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (532 bytes)
    2019-03-18 07:56:06AM 09[ENC] <ClientIPSec|1> parsed ID_PROT response 0 [ FRAG(2/2) ]
    2019-03-18 07:56:06AM 09[ENC] <ClientIPSec|1> received fragment #2, reassembled fragmented IKE message (1708 bytes)
    2019-03-18 07:56:07AM 14[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (1708 bytes)
    2019-03-18 07:56:07AM 14[ENC] <ClientIPSec|1> parsed ID_PROT response 0 [ ID CERT SIG ]
    2019-03-18 07:56:07AM 14[IKE] <ClientIPSec|1> received end entity cert "C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Aplliance IPSec, E=emailadress@outlook.de"
    2019-03-18 07:56:07AM 14[CFG] <ClientIPSec|1> using certificate "C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Aplliance IPSec, E=emailadress@outlook.de"
    2019-03-18 07:56:07AM 14[CFG] <ClientIPSec|1> using trusted ca certificate "C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Sophos_CA_xxxxxxxxxxxxxxx, E=emailadress@outlook.de"
    2019-03-18 07:56:07AM 14[CFG] <ClientIPSec|1> reached self-signed root ca with a path length of 0
    2019-03-18 07:56:07AM 14[IKE] <ClientIPSec|1> authentication of 'C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Aplliance IPSec, E=emailadress@outlook.de' with RSA_EMSA_PKCS1_NULL successful
    2019-03-18 07:56:07AM 13[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (92 bytes)
    2019-03-18 07:56:07AM 13[ENC] <ClientIPSec|1> parsed TRANSACTION request 278024586 [ HASH CPRQ(X_USER X_PWD) ]
    2019-03-18 07:56:07AM 13[ENC] <ClientIPSec|1> generating TRANSACTION response 278024586 [ HASH CPRP(X_USER X_PWD) ]
    2019-03-18 07:56:07AM 13[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (92 bytes)
    2019-03-18 07:56:07AM 10[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (92 bytes)
    2019-03-18 07:56:07AM 10[ENC] <ClientIPSec|1> parsed TRANSACTION request 537123183 [ HASH CPS(X_STATUS) ]
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> XAuth authentication of 'test' (myself) successful
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> IKE_SA ClientIPSec[1] established between 10.201.46.118(IP WiFi Network)[C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=SophosApplianceCertificate, E=emailadress@outlook.de]...XXX.XXX.84.231(WAN of XG)[C=DE, ST=Hessen, L=City, O=Organization, OU=OU, CN=Aplliance IPSec, E=emailadress@outlook.de]
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> scheduling rekeying in 15259s
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> maximum IKE_SA lifetime 16789s
    2019-03-18 07:56:07AM 10[ENC] <ClientIPSec|1> generating TRANSACTION response 537123183 [ HASH CPA(X_STATUS) ]
    2019-03-18 07:56:07AM 10[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (92 bytes)
    2019-03-18 07:56:07AM 10[ENC] <ClientIPSec|1> generating TRANSACTION request 586151407 [ HASH CPRQ(ADDR DNS) ]
    2019-03-18 07:56:07AM 10[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (92 bytes)
    2019-03-18 07:56:07AM 10[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (108 bytes)
    2019-03-18 07:56:07AM 10[ENC] <ClientIPSec|1> parsed TRANSACTION response 586151407 [ HASH CPRP(ADDR DNS DNS) ]
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> Adding DNS server 172.17.6.1 to the TAP adapter
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> 172.17.6.1 not in servers list, doing add
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> Adding DNS server 8.8.8.8 to the TAP adapter
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> 8.8.8.8 not in servers list, doing add
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> installing new virtual IP 172.17.6.10 on interface {1A868F3F-8A30-4FE2-A061-D4A8BBBE9932}
    2019-03-18 07:56:07AM 10[KNL] <ClientIPSec|1> Adding virtual IP 172.17.6.10
    2019-03-18 07:56:07AM 10[KNL] <ClientIPSec|1> 172.17.6.10 added to addresses list
    2019-03-18 07:56:07AM 10[KNL] <ClientIPSec|1> 172.17.6.10 is not yet assigned to the virtual adapter - adding
    2019-03-18 07:56:07AM 10[ENC] <ClientIPSec|1> generating QUICK_MODE request 1037055552 [ HASH SA No ID ID ]
    2019-03-18 07:56:07AM 10[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (188 bytes)
    2019-03-18 07:56:07AM 14[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (188 bytes)
    2019-03-18 07:56:07AM 14[ENC] <ClientIPSec|1> parsed QUICK_MODE response 1037055552 [ HASH SA No ID ID ]
    2019-03-18 07:56:07AM 14[CFG] <ClientIPSec|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> CHILD_SA ClientIPSec-1{1} state change: CREATED => INSTALLING
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> using AES_CBC for encryption
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> using HMAC_SHA2_256_128 for integrity
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> adding inbound ESP SA
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> SPI 0x5a51d3ea, src XXX.XXX.84.231(WAN of XG) dst 10.201.46.118(IP WiFi Network)
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> adding outbound ESP SA
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> SPI 0xcc38b56a, src 10.201.46.118(IP WiFi Network) dst XXX.XXX.84.231(WAN of XG)
    2019-03-18 07:56:07AM 14[KNL] <ClientIPSec|1> installing route 172.17.10.0/24 src 172.17.6.10 gateway 169.254.128.128 dev {8BF876A7-4792-4F42-8477-773846380571}
    2019-03-18 07:56:07AM 14[IKE] <ClientIPSec|1> CHILD_SA ClientIPSec-1{1} established with SPIs 5a51d3ea_i cc38b56a_o and TS 172.17.6.10/32 === 172.17.10.0/24
    2019-03-18 07:56:07AM 14[CHD] <ClientIPSec|1> CHILD_SA ClientIPSec-1{1} state change: INSTALLING => INSTALLED
    2019-03-18 07:56:07AM 14[ENC] <ClientIPSec|1> generating QUICK_MODE request 1037055552 [ HASH ]
    2019-03-18 07:56:07AM 14[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (76 bytes)
    2019-03-18 07:56:07AM 10[CFG] vici initiate 'ClientIPSec-2'
    2019-03-18 07:56:07AM 14[ENC] <ClientIPSec|1> generating QUICK_MODE request 1604509000 [ HASH SA No ID ID ]
    2019-03-18 07:56:07AM 14[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (188 bytes)
    2019-03-18 07:56:07AM 12[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (188 bytes)
    2019-03-18 07:56:07AM 12[ENC] <ClientIPSec|1> parsed QUICK_MODE response 1604509000 [ HASH SA No ID ID ]
    2019-03-18 07:56:07AM 12[CFG] <ClientIPSec|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> CHILD_SA ClientIPSec-2{2} state change: CREATED => INSTALLING
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> using AES_CBC for encryption
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> using HMAC_SHA2_256_128 for integrity
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> adding inbound ESP SA
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> SPI 0xb3e1cf23, src XXX.XXX.84.231(WAN of XG) dst 10.201.46.118(IP WiFi Network)
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> adding outbound ESP SA
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> SPI 0xc28f38bf, src 10.201.46.118(IP WiFi Network) dst XXX.XXX.84.231(WAN of XG)
    2019-03-18 07:56:07AM 12[KNL] <ClientIPSec|1> installing route XXX.XXX.76.173 (WAN IP of WiFi Network)/32 src 172.17.6.10 gateway 169.254.128.128 dev {8BF876A7-4792-4F42-8477-773846380571}
    2019-03-18 07:56:07AM 12[IKE] <ClientIPSec|1> CHILD_SA ClientIPSec-2{2} established with SPIs b3e1cf23_i c28f38bf_o and TS 172.17.6.10/32 === XXX.XXX.76.173 (WAN IP of WiFi Network)/32
    2019-03-18 07:56:07AM 12[CHD] <ClientIPSec|1> CHILD_SA ClientIPSec-2{2} state change: INSTALLING => INSTALLED
    2019-03-18 07:56:07AM 12[ENC] <ClientIPSec|1> generating QUICK_MODE request 1604509000 [ HASH ]
    2019-03-18 07:56:07AM 12[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (76 bytes)
    2019-03-18 07:56:30AM 12[IKE] <ClientIPSec|1> sending keep alive to XXX.XXX.84.231(WAN of XG)[4500]
    2019-03-18 07:56:32AM 10[IKE] <ClientIPSec|1> sending DPD request
    2019-03-18 07:56:32AM 10[ENC] <ClientIPSec|1> generating INFORMATIONAL_V1 request 3941050968 [ HASH N(DPD) ]
    2019-03-18 07:56:32AM 10[NET] <ClientIPSec|1> sending packet: from 10.201.46.118(IP WiFi Network)[51267] to XXX.XXX.84.231(WAN of XG)[4500] (108 bytes)
    2019-03-18 07:56:32AM 09[NET] <ClientIPSec|1> received packet: from XXX.XXX.84.231(WAN of XG)[4500] to 10.201.46.118(IP WiFi Network)[51267] (108 bytes)
    2019-03-18 07:56:32AM 09[ENC] <ClientIPSec|1> parsed INFORMATIONAL_V1 request 2231620496 [ HASH N(DPD_ACK) ]
    2019-03-18 07:56:57AM 09[IKE] <ClientIPSec|1> sending DPD request
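    The charon log above is the most useful artifact in this thread: the IKE_SA and both CHILD_SAs are established, the virtual IP 172.17.6.10 is installed, and a route per negotiated traffic selector is pushed through the TUN device via gateway 169.254.128.128, so the missing default gateway on the adapter is not in itself the fault. What decides whether a packet to a LAN host is even sent through the tunnel is whether the destination falls inside a negotiated traffic selector (TS) and has a matching route. The following Python script is an added example, not code from Sophos, strongSwan or anyone in this thread. It parses the log lines quoted above (the masked WAN address is replaced by the documentation placeholder 203.0.113.173), extracts the CHILD_SA selectors, routes, virtual IP and pushed DNS servers, and reports for a given destination whether the client side covers it. Every function and regular expression in it is my own; the log line formats it matches are those visible in the post.

    ```python
    import ipaddress
    import re

    # Constructed sample: lines copied from the charon log posted in this thread,
    # with the masked WAN address replaced by the placeholder 203.0.113.173.
    SAMPLE_LOG = """\
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> Adding DNS server 172.17.6.1 to the TAP adapter
    2019-03-18 07:56:07AM 10[IKE] <ClientIPSec|1> installing new virtual IP 172.17.6.10 on interface {1A868F3F-8A30-4FE2-A061-D4A8BBBE9932}
    2019-03-18 07:56:07AM 14[KNL] <ClientIPSec|1> installing route 172.17.10.0/24 src 172.17.6.10 gateway 169.254.128.128 dev {8BF876A7-4792-4F42-8477-773846380571}
    2019-03-18 07:56:07AM 14[IKE] <ClientIPSec|1> CHILD_SA ClientIPSec-1{1} established with SPIs 5a51d3ea_i cc38b56a_o and TS 172.17.6.10/32 === 172.17.10.0/24
    2019-03-18 07:56:07AM 12[KNL] <ClientIPSec|1> installing route 203.0.113.173/32 src 172.17.6.10 gateway 169.254.128.128 dev {8BF876A7-4792-4F42-8477-773846380571}
    2019-03-18 07:56:07AM 12[IKE] <ClientIPSec|1> CHILD_SA ClientIPSec-2{2} established with SPIs b3e1cf23_i c28f38bf_o and TS 172.17.6.10/32 === 203.0.113.173/32
    """

    # Patterns written for the line formats visible in the posted log (my own regexes).
    TS_RE = re.compile(
        r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
        r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>.+?) === (?P<remote>.+?)\s*$"
    )
    ROUTE_RE = re.compile(r"installing route (?P<dst>\S+) src (?P<src>\S+) gateway (?P<gw>\S+) dev (?P<dev>\S+)")
    VIP_RE = re.compile(r"installing new virtual IP (?P<ip>\S+) on interface")
    DNS_RE = re.compile(r"Adding DNS server (?P<ip>\S+) to the TAP adapter")


    def _networks(field):
        """Turn a space-separated selector list ('10.0.0.1/32 192.168.0.0/24') into ip_network objects."""
        return [ipaddress.ip_network(tok, strict=False) for tok in field.split()]


    def parse_charon_log(text):
        """Collect CHILD_SAs, installed routes, virtual IPs and pushed DNS servers from a charon log."""
        parsed = {"child_sas": [], "routes": [], "virtual_ips": [], "dns": []}
        for line in text.splitlines():
            if m := TS_RE.search(line):
                parsed["child_sas"].append({
                    "name": m["name"], "spi_in": m["spi_in"], "spi_out": m["spi_out"],
                    "local": _networks(m["local"]), "remote": _networks(m["remote"]),
                })
            elif m := ROUTE_RE.search(line):
                parsed["routes"].append({"dst": ipaddress.ip_network(m["dst"], strict=False),
                                         "src": m["src"], "gw": m["gw"], "dev": m["dev"]})
            elif m := VIP_RE.search(line):
                parsed["virtual_ips"].append(m["ip"])
            elif m := DNS_RE.search(line):
                parsed["dns"].append(m["ip"])
        return parsed


    def tunnel_for(destination, parsed):
        """Name of the first CHILD_SA whose remote traffic selector covers destination, else None."""
        ip = ipaddress.ip_address(destination)
        for sa in parsed["child_sas"]:
            if any(ip in net for net in sa["remote"]):
                return sa["name"]
        return None


    def route_for(destination, parsed):
        """Most specific installed route covering destination, as a CIDR string, else None."""
        ip = ipaddress.ip_address(destination)
        matches = [r["dst"] for r in parsed["routes"] if ip in r["dst"]]
        return str(max(matches, key=lambda net: net.prefixlen)) if matches else None


    def dns_outside_tunnel(parsed):
        """Pushed DNS servers that no CHILD_SA covers: queries to them will not travel through the tunnel."""
        return [ip for ip in parsed["dns"] if tunnel_for(ip, parsed) is None]


    def diagnose(text, destination):
        """Classify where to look next for a destination that cannot be reached through the tunnel."""
        parsed = parse_charon_log(text)
        sa = tunnel_for(destination, parsed)
        route = route_for(destination, parsed)
        if sa is None:
            verdict = ("not covered: destination is outside every negotiated traffic selector; "
                       "check the remote/permitted networks of the XG connection")
        elif route is None:
            verdict = "selector ok, route missing: packets would leave via the physical adapter, not the TUN device"
        else:
            verdict = ("client side ok: SA and route cover the destination; look at the XG firewall rule "
                       "(VPN -> LAN) and the LAN host's return path")
        return {"destination": destination, "sa": sa, "route": route, "verdict": verdict}


    if __name__ == "__main__":
        parsed = parse_charon_log(SAMPLE_LOG)
        for target in ("172.17.10.1", "172.17.6.1"):
            print(diagnose(SAMPLE_LOG, target))
        print("DNS servers outside the tunnel:", dns_outside_tunnel(parsed))
    ```

    Run against the quoted log, the script reports that 172.17.10.1 is covered by ClientIPSec-1{1} and by the 172.17.10.0/24 route, which means the client half looks correct and the next place to look is the XG side (firewall rule matching, and whether the LAN host has a return path for 172.17.6.0/24), exactly what a packet capture on the XG would confirm. It also flags that the pushed DNS server 172.17.6.1 lies outside the negotiated 172.17.10.0/24 selector, so name resolution over the tunnel cannot work with that setting regardless of the firewall rule.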

     

  • Hello n33dfull,

    It does seem that the IPsec tunnel was established. Now, could you conduct a packet capture with any IP request and check whether the packet was dropped or did not reach the XG firewall?

    You may refer to this KBA