Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 27 subscribers
  • Views 1510 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Android with Connect Client settings problems RDP if SSL/TLS inspection (DPI Engine) enabled

XGMajo

I am setting up a IPSec connection with Android build in IPSec Xauth PSK with connection settings from Sophos Connect Client.

VPN connection works very well but there is a problem that I am not able to find / fix.

If I try to connect with my server over RDP with android microsoft RD client, the connection only will be established if I disable "SSL/TLS inspection" in SSL/TLS inspection rules.

I don't understand that issue.

For testing I disable all AV in all my firewall rules an create "Don't decrypt" rules but nothing working.

If under "SSL/TLS inspection settings / Advanced settings / SSL/TLS engine" I set to "disable" the RDP connection to my Server is also working fine.

Whats the problem with the DPI Engine?

On android there is no possibility to force disable RPD over UDP, so that I am not able to try out.

Some problem also exist if using iOS devices with build in Cisco VPN client.

 



This thread was automatically locked due to age.
  • 0

    Hi,

    you bypass the DPI by using the web proxy and put your ports in the that firewall rule andif you don't scan anything then you are okay.

    Ian

  • 0 in reply to rfcat_vk

    Hello Ian, I tryed out but not working.

    This rule is on TOP of all other.

     

    If DPI is enabled I get these drop packets:

    2020-05-10 11:26:16 0102021 IP 192.168.2.16.3389 > 192.168.250.100.38982 : proto TCP: R 2853802065:2853802065(0) checksum : 47839
    0x0000: 4500 0028 c9f5 4000 8006 b314 c0a8 0210 E..(..@.........
    0x0010: c0a8 fa64 0d3d 9846 aa19 9051 76c3 2079 ...d.=.F...Qv..y
    0x0020: 5014 0000 badf 0000 P.......
    Date=2020-05-10 Time=11:26:16 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=######### dest_mac=########### bridge_name= l3_protocol=IPv4 source_ip=192.168.2.16 dest_ip=192.168.250.100 l4_protocol=TCP source_port=3389 dest_port=38982 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

  • 0 in reply to XGMajo

    Try changing your web policy to allow all.

    Ian

  • 0 in reply to XGMajo

    Hi,

    I am not sure what you are trying to achieve because your description and your rules are different.

    Rule should look a bit like this

    source VPN -> VPN network -> destination LAN -> network of server -> all services (at this stage) -> log -> http -> allow all. I suspect you will need a linked NAT.

    Ian

  • 0 in reply to rfcat_vk

    I try to find out the problem because why I am not able to connect RDP to my server over the Sophos Connect Client IPSec connection with an android client.

    All other services on VPN are working without problems!

    The roule above I only make to isolate the fault.

    Only if I deactivate the new DPI Engine the connection is going online.

    Maybe you can try it @your workbench.

    Configure Sophos Connect Client, connect a android or iOS device and then open a RDP connection.

    If not working, toggle DPI engine an test again.

  • 0 in reply to XGMajo

    Hi,

    Sorry I can be of no further help with this issue. I don't use a VPN or Sophos connect because I don't require or have the means of remote access at the moment.

    Ian

  • 0 in reply to rfcat_vk

    So new news. A RDP Connection from a Windows Client is also not possible.

    I have installed a complete fresh VI-18.0.1_MR-1-Build396.HYV-396

    Just only configured a FW rule ANY ANY ANY with no security features and ConnectClient VPN

    Client is connected directly to WAN interface.

    ConnectClient VPN config exported from XG and imported to ConnectClient 1.4.45.1015

    If SSL/TLS inspection is disabled a RDP connection is working without any problems.

    After enabling SSL/TLS inspection with only the default "Exclusions by website or category" a RDP connection won´t go online.

    ips.log

    [Jun 10 21:58:16 :13442]:common_inject:[S:138:41623] Failed to send packet, dir 1, sent bytes -1, errno 22, IPv4 pkt, non-nated connection
    [Jun 10 21:58:16 :13442]:daq_nmsp_pkt_inject:Failed to send packet on session 138, revision 41623, dir 1 ret -1
    [Jun 10 21:58:16 :13442]:nse_msg_transmit:Failed to send verdict through Child DAQs
    1591819096.101490300 [13442/0x0] [nsg_nse_policy.c:1350:__nsg_error] 172.200.100.100:60970 to 192.168.2.17:3389: Error from nse: NSE:Stream [0xbe00684b;code:75;sub:104] Stream interface error

     

    TCPDUMP

    SFVH_HV01_SFOS 18.0.1 MR-1-Build396# tcpdump 'host 172.200.100.100 and 192.168.2.17'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
    22:00:47.847773 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [S], seq 3746528410, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    22:00:47.848204 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [S], seq 3746528410, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
    22:00:47.848682 PortA, IN: IP 192.168.2.17.3389 > 172.200.100.100.61240: Flags [S.], seq 3070001711, ack 3746528411, win 64000, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
    22:00:47.853292 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [.], ack 1, win 515, length 0
    22:00:47.853445 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [.], ack 1, win 515, length 0
    22:00:47.856493 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 1:84, ack 1, win 515, length 83
    22:00:47.856778 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 1:84, ack 1, win 515, length 83
    22:00:47.859786 PortA, IN: IP 192.168.2.17.3389 > 172.200.100.100.61240: Flags [P.], seq 1:20, ack 84, win 63917, length 19
    22:00:47.892126 PortA, IN: IP 192.168.2.17.3389 > 172.200.100.100.61240: Flags [P.], seq 1:20, ack 84, win 63917, length 19
    22:00:47.895648 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [.], ack 20, win 515, options [nop,nop,sack 1 {1:20}], length 0
    22:00:47.895741 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [.], ack 20, win 515, options [nop,nop,sack 1 {1:20}], length 0
    22:00:53.316084 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 84:267, ack 20, win 515, length 183
    22:00:53.331258 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 84:267, ack 20, win 256, length 183
    22:00:53.333531 PortA, IN: IP 192.168.2.17.3389 > 172.200.100.100.61240: Flags [P.], seq 20:1231, ack 267, win 63734, length 1211
    22:00:53.334335 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 267:274, ack 1231, win 256, length 7
    22:00:53.335304 PortA, IN: IP 192.168.2.17.3389 > 172.200.100.100.61240: Flags [R.], seq 1231, ack 274, win 0, length 0
    22:00:53.341184 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [R.], seq 274, ack 1231, win 256, length 0
    22:00:53.622259 ipsec0, IN: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 84:267, ack 20, win 515, length 183
    22:00:53.622879 PortA, OUT: IP 172.200.100.100.61240 > 192.168.2.17.3389: Flags [P.], seq 84:267, ack 20, win 515, length 183

     

    drop-packet-capture

    console> drop-packet-capture 'host 172.200.100'
    2020-06-10 22:03:41 010202123 IP 192.168.2.17.3389 > 172.200.100.100.61509 : proto TCP: R 986073383:986073383(0) checksum : 56183
    0x0000: 4500 0028 8254 4000 8006 a495 c0a8 0211 E..(.T@.........
    0x0010: acc8 6464 0d3d f045 3ac6 4927 da99 a468 ..dd.=.E:.I'...h
    0x0020: 5014 0000 db77 0000 P....w..
    Date=2020-06-10 Time=22:03:41 log_id=010202123 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=5 outzone_id=1 source_mac= dest_mac= bridge_name= l3_protocol=IPv4 source_ip=192.168.2.17 dest_ip=172.200.100.100 l4_protocol=TCP source_port=3389 dest_port=61509 fw_rule_id=6 policytype=1 live_userid=1 userid=6 user_gp=1 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=9 app_id=25 category_id=83 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x200 nfqueue=0 gateway_offset=0 connid=1545098880 masterid=0 status=398 state=3, flag0=10995118374912 flags1=1103814983680 pbdid_dir0=0 pbrid_dir1=0

    2020-06-10 22:03:41 0102021 IP 192.168.2.17.3389 > 172.200.100.100.61509 : proto TCP: R 986073383:986073383(0) checksum : 56183
    0x0000: 4500 0028 8254 4000 8006 a495 c0a8 0211 E..(.T@.........
    0x0010: acc8 6464 0d3d f045 3ac6 4927 da99 a468 ..dd.=.E:.I'...h
    0x0020: 5014 0000 db77 0000 P....w..
    Date=2020-06-10 Time=22:03:41 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=00:15:5d:85:d1:31 dest_mac=00:15:5d:85:d1:35 bridge_name= l3_protocol=IPv4 source_ip=192.168.2.17 dest_ip=172.200.100.100 l4_protocol=TCP source_port=3389 dest_port=61509 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

    2020-06-10 22:03:42 0102021 IP 192.168.2.17.3389 > 172.200.100.100.61509 : proto TCP: R 986072172:986072172(0) checksum : 57362
    0x0000: 4500 0028 8255 4000 8006 a494 c0a8 0211 E..(.U@.........
    0x0010: acc8 6464 0d3d f045 3ac6 446c 3ac6 446c ..dd.=.E:.Dl:.Dl
    0x0020: 5004 0000 e012 0000 P.......
    Date=2020-06-10 Time=22:03:42 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=00:15:5d:85:d1:31 dest_mac=00:15:5d:85:d1:35 bridge_name= l3_protocol=IPv4 source_ip=192.168.2.17 dest_ip=172.200.100.100 l4_protocol=TCP source_port=3389 dest_port=61509 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

     

    After getting these logfiles I also tested other services.

    SMB working, DNS working, HTTP to IIS working

    HTTPS to IIS NOT working, if SL/TLS inspection disable 

    [Jun 10 22:16:51 :13442]:common_inject:[S:306:15518] Failed to send packet, dir 1, sent bytes -1, errno 22, IPv4 pkt, non-nated connection
    [Jun 10 22:16:51 :13442]:daq_nmsp_pkt_inject:Failed to send packet on session 306, revision 15518, dir 1 ret -1
    [Jun 10 22:16:51 :13442]:nse_msg_transmit:Failed to send verdict through Child DAQs
    1591820211.921200600 [13442/0x0] [nsg_nse_policy.c:1350:__nsg_error] 172.200.100.100:63083 to 192.168.2.17:443: Error from nse: NSE:Stream [0xbe00684b;code:75;sub:104] Stream interface error

     

    Next, created a "don't decrypt" ANY tls rule.

    Now I get some logs in logviewer: Dropped due to TLS engine error: STREAM_INTERFACE_ERROR[104]

     

    So what's going on with IPS here?

    writing these text and searching...
    looks like its found from some other guys too

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/119736/tls-sll-error-message

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/119863/strange-behavior-when-using-sophos-connect-vpn/435411