
SSL VPN problem: no access to internal network

I have set up SFOS 18.0.1 MR-1 Build 396 and want to connect remotely with a client to the internal network via OpenVPN. The Internet router is an AVM Fritz!Box, and the XG Firewall uses the AVM Fritz!Box as its gateway. The OpenVPN Windows 10 client connects to the XG Firewall and can ping both network interface addresses of the XG Firewall, but nothing else: no other IP addresses within the local network and no network services.

The connection log in the OpenVPN client software shows at the end that a route is set from the VPN Pool SSL network 192.168.11.0/25 with gateway 192.168.11.1 to the internal network 192.168.9.0/24:

Mon Jul 13 13:51:31 2020 C:\WINDOWS\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 192.168.11.1
Mon Jul 13 13:51:31 2020 Route addition via service succeeded

I assume that additional firewall rules and NAT rules have to be added?

I set up the SSL VPN connection according to the knowledge base article 122769. I also checked other forum posts and videos regarding SSL VPN client connections.

Any help is greatly appreciated to gain access to the internal network from the VPN Pool (SSL) network!



Firewall and NAT rules



VPN Connection Log

Mon Jul 13 13:51:23 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Mon Jul 13 13:51:23 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Jul 13 13:51:23 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Mon Jul 13 13:51:23 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Jul 13 13:51:23 2020 Need hold release from management interface, waiting...
Mon Jul 13 13:51:23 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'state on'
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'log all on'
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'echo all on'
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'bytecount 5'
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'hold off'
Mon Jul 13 13:51:23 2020 MANAGEMENT: CMD 'hold release'
Mon Jul 13 13:51:23 2020 MANAGEMENT: >STATE:1594641083,RESOLVE,,,,,,
Mon Jul 13 13:51:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET][public ip address]:8443
Mon Jul 13 13:51:24 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Jul 13 13:51:24 2020 UDP link local: (not bound)
Mon Jul 13 13:51:24 2020 UDP link remote: [AF_INET][public ip address]:8443
Mon Jul 13 13:51:24 2020 MANAGEMENT: >STATE:1594641084,WAIT,,,,,,
Mon Jul 13 13:51:24 2020 MANAGEMENT: >STATE:1594641084,AUTH,,,,,,
Mon Jul 13 13:51:24 2020 TLS: Initial packet from [AF_INET][public ip address]:8443, sid=11c03903 e58558d8
Mon Jul 13 13:51:24 2020 VERIFY OK: depth=1, C=DE, ST=[state], L=[city], O=[company], OU=OU, CN=Sophos_CA_C01001YMMGFPQ0C, emailAddress=[email]
Mon Jul 13 13:51:24 2020 VERIFY X509NAME OK: C=DE, ST=[state], L=[city], O=[company], OU=OU, CN=SophosApplianceCertificate_C01001YMMGFPQ0C, emailAddress=[email]
Mon Jul 13 13:51:24 2020 VERIFY OK: depth=0, C=DE, ST=[state], L=[city], O=[company], OU=OU, CN=SophosApplianceCertificate_C01001YMMGFPQ0C, emailAddress=[email]
Mon Jul 13 13:51:25 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jul 13 13:51:25 2020 [SophosApplianceCertificate_C01001YMMGFPQ0C] Peer Connection Initiated with [AF_INET][public ip address]:8443
Mon Jul 13 13:51:26 2020 MANAGEMENT: >STATE:1594641086,GET_CONFIG,,,,,,
Mon Jul 13 13:51:26 2020 SENT CONTROL [SophosApplianceCertificate_C01001YMMGFPQ0C]: 'PUSH_REQUEST' (status=1)
Mon Jul 13 13:51:27 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.11.1,ping 45,ping-restart 180,route 192.168.9.0 255.255.255.0,route 192.168.11.0 255.255.255.128,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,dhcp-option DNS 192.168.9.2,dhcp-option DOMAIN [domain],ifconfig 192.168.11.2 255.255.255.128'
Mon Jul 13 13:51:27 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 13 13:51:27 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 13 13:51:27 2020 OPTIONS IMPORT: route options modified
Mon Jul 13 13:51:27 2020 OPTIONS IMPORT: route-related options modified
Mon Jul 13 13:51:27 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jul 13 13:51:27 2020 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 13 13:51:27 2020 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jul 13 13:51:27 2020 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jul 13 13:51:27 2020 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jul 13 13:51:27 2020 interactive service msg_channel=608
Mon Jul 13 13:51:27 2020 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=17 HWADDR=50:7b:9d:58:72:a3
Mon Jul 13 13:51:27 2020 open_tun
Mon Jul 13 13:51:27 2020 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{F3D0D5AF-3FB6-4A43-AE4B-29A0D4432B11}.tap
Mon Jul 13 13:51:27 2020 TAP-Windows Driver Version 9.24
Mon Jul 13 13:51:27 2020 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.11.0/192.168.11.2/255.255.255.128 [SUCCEEDED]
Mon Jul 13 13:51:27 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.11.2/255.255.255.128 on interface {F3D0D5AF-3FB6-4A43-AE4B-29A0D4432B11} [DHCP-serv: 192.168.11.126, lease-time: 31536000]
Mon Jul 13 13:51:27 2020 Successful ARP Flush on interface [21] {F3D0D5AF-3FB6-4A43-AE4B-29A0D4432B11}
Mon Jul 13 13:51:27 2020 MANAGEMENT: >STATE:1594641087,ASSIGN_IP,,192.168.11.2,,,,
Mon Jul 13 13:51:31 2020 TEST ROUTES: 4/4 succeeded len=4 ret=1 a=0 u/d=up
Mon Jul 13 13:51:31 2020 MANAGEMENT: >STATE:1594641091,ADD_ROUTES,,,,,,
Mon Jul 13 13:51:31 2020 C:\WINDOWS\system32\route.exe ADD [public ip address] MASK 255.255.255.255 192.168.1.1
Mon Jul 13 13:51:31 2020 Route addition via service succeeded
Mon Jul 13 13:51:31 2020 C:\WINDOWS\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 192.168.11.1
Mon Jul 13 13:51:31 2020 Route addition via service succeeded
Mon Jul 13 13:51:31 2020 C:\WINDOWS\system32\route.exe ADD 192.168.11.0 MASK 255.255.255.128 192.168.11.1
Mon Jul 13 13:51:31 2020 Route addition via service succeeded
Mon Jul 13 13:51:31 2020 C:\WINDOWS\system32\route.exe ADD [public ip address] MASK 255.255.255.255 192.168.1.1
Mon Jul 13 13:51:31 2020 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=17]
Mon Jul 13 13:51:31 2020 Route addition via service failed
Mon Jul 13 13:51:31 2020 Initialization Sequence Completed
Mon Jul 13 13:51:31 2020 MANAGEMENT: >STATE:1594641091,CONNECTED,SUCCESS,192.168.11.2,[public ip address],8443,,




    Hi,

    Thank you for reaching out to the Community!

    Could you please check Tunnel Access > Permitted network resources? If there are ports (interfaces) listed there, remove them and add the internal networks instead.

    Please check inbound traffic from the remote SSL VPN user by running a packet capture on the source IP. Is this traffic forwarded to the internal host? If yes, check the Windows Defender or AV configuration.

    Sophos XG Firewall: How to monitor traffic using packet capture utility in the GUI

    Thanks,

  • Hey H_Patel!

    In the SSL VPN profile I have set "Internal Network" and "VPN Pool SSL" for tunnel access and no other entries such as interface ports.

    Yes, I checked incoming traffic with packet capture, as you can see in the screenshot below. There is no problem with a local firewall or antivirus software blocking incoming traffic from clients with IP addresses from VPN Pool SSL. I checked that with a client within the LAN network: I changed its IP address temporarily to an IP address within VPN Pool SSL and got answers to PING requests and could also access a local web server and so on. Sadly, my VPN clients still cannot access hosts within the internal network:

    Greetings
    Udo

  • Looks like the problem was that I had extended the subnet mask of the servers within the internal network from 255.255.255.0 to 255.255.252.0 so that the VPN Pool SSL network would be directly reachable for them without a gateway. I switched the network mask of 2 servers back to 255.255.255.0, and the result is that I can ping those servers in the internal network with the VPN client. I can also access a SQL server. Strangely, no remote access via VNC is possible (port 5900). I will examine that a little further and post my result later.

  • Wow! Now VNC remote control (port 5900) also works, as do the DNS server and SMB file shares; everything that I tested now works via the VPN client. It took some minutes after I had changed the subnet mask. An important point was apparently the DNS server: the network mask of the DNS and file server was the last one I changed back to 255.255.255.0.

    What does not work is access to the control center and user portal of the XG Firewall, although I granted access via VPN under "Administration \ Device access":

  • Currently the network access via the XG Firewall is not stable. It is not a hardware issue, because the XG Firewall is a virtual machine. I have to examine it. When I last had network access, there was also access to the control center and user portal.

  • Everything is working fine and stable so far.

    There is the issue that .ovpn configuration files downloaded from the user portal have the option 'comp-lzo no' instead of 'comp-lzo yes', which has to be edited manually.

    Still some testing and configuration work ahead before I can go live with the firewall for 'normal' users.
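The resolution in this thread (servers given a 255.255.252.0 mask stopped answering VPN clients; restoring 255.255.255.0 fixed it) comes down to a return-path problem: a host whose own subnet covers the VPN pool treats a client address as on-link, ARPs for it on the LAN, gets no answer, and never hands the reply to the firewall. The script below is an added example, not code from the thread or from Sophos. It parses the PUSH_REPLY line from the client log above to recover the tunnel address, route gateway and pushed routes (the forward direction), then models the reverse direction for a LAN server under both masks. The PUSH_REPLY string is constructed from the posted log with the redacted domain replaced by the placeholder "example.test"; the server address 192.168.9.2 is the DNS server pushed in that same line; the function names are the example's own.

```python
import ipaddress

# Constructed sample input: the PUSH_REPLY option string from the client log in
# this thread, with the redacted domain replaced by the placeholder "example.test".
PUSH_REPLY = (
    "PUSH_REPLY,route-gateway 192.168.11.1,ping 45,ping-restart 180,"
    "route 192.168.9.0 255.255.255.0,route 192.168.11.0 255.255.255.128,"
    "topology subnet,route remote_host 255.255.255.255 net_gateway,"
    "inactive 900 7680,dhcp-option DNS 192.168.9.2,dhcp-option DOMAIN example.test,"
    "ifconfig 192.168.11.2 255.255.255.128"
)


def parse_push_reply(reply):
    """Extract the tunnel address, route gateway and pushed routes from a PUSH_REPLY.

    Returns (client_ip, route_gateway, routes); routes is a list of IPv4Network.
    The 'route remote_host ... net_gateway' entry uses symbolic names that the
    client resolves itself, so it is skipped here.
    """
    client_ip = gateway = None
    routes = []
    for option in reply.split(","):
        parts = option.split()
        if not parts:
            continue
        if parts[0] == "route-gateway":
            gateway = ipaddress.ip_address(parts[1])
        elif parts[0] == "route" and len(parts) >= 3:
            try:
                routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
            except ValueError:
                pass  # symbolic remote_host / net_gateway, not a literal network
        elif parts[0] == "ifconfig":
            client_ip = ipaddress.ip_address(parts[1])
    return client_ip, gateway, routes


def client_can_reach(routes, dest):
    """True if one of the pushed routes sends traffic for dest into the tunnel."""
    dest = ipaddress.ip_address(dest)
    return any(dest in net for net in routes)


def return_path(server_ip, server_mask, dest):
    """How a LAN host with only a default route forwards a reply to dest.

    'on-link'     : dest lies inside the host's own subnet, so the host ARPs for
                    it on the LAN and never hands the packet to its gateway.
    'via-gateway' : dest is off-subnet, so the reply goes to the default gateway
                    (here the XG Firewall), which routes it back into the tunnel.
    """
    iface = ipaddress.ip_interface(f"{server_ip}/{server_mask}")
    return "on-link" if ipaddress.ip_address(dest) in iface.network else "via-gateway"


def diagnose(reply, server_ip, server_mask):
    """Check both directions of a VPN client <-> LAN server conversation."""
    client_ip, gateway, routes = parse_push_reply(reply)
    forward_ok = client_can_reach(routes, server_ip)
    reverse = return_path(server_ip, server_mask, client_ip)
    return {
        "client_ip": str(client_ip),
        "route_gateway": str(gateway),
        "forward_ok": forward_ok,
        "reverse_path": reverse,
        "works": forward_ok and reverse == "via-gateway",
    }


if __name__ == "__main__":
    # With the widened /22 mask the server believes the VPN pool is on its own wire.
    print(diagnose(PUSH_REPLY, "192.168.9.2", "255.255.252.0"))
    # With the original /24 mask the server sends its replies to the gateway.
    print(diagnose(PUSH_REPLY, "192.168.9.2", "255.255.255.0"))
```

With 255.255.252.0 on 192.168.9.2 the host's network becomes 192.168.8.0/22, which contains the whole 192.168.11.0/25 pool, so the forward direction (pushed route 192.168.9.0/24 via 192.168.11.1) succeeds while the reply is marked on-link and is lost unless something on the LAN answers ARP on the clients' behalf. The same check is worth running before widening any LAN mask that would overlap a VPN pool or a remote site subnet.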