
Sophos XG - VPN Tunnel - SSL Connect - Broken Pipe

Dear all,

I've been struggling to get a Sophos XG up and running for some time. Most things do work now; there is only one thing I seem to be unable to solve. Do you have any idea how to solve this?

a) IPsec site-to-site VPN tunnel to some remote location defined and established

b) HTTP / HTTPS / RDP connections to this remote location's internal network are up and running

c) as soon as I try to open an SSH connection from the remote location to the local one, or from the local one to the remote, the SSH client exits with a "broken pipe" error

d) if I shut down the Sophos and use the old Kerio appliance instead, the SSH connection works immediately

e) if I use the Sophos and open a separate VPN connection on the client to the target system, the SSH connection works as well, so I suppose it might be some filtering / rewriting issue on the Sophos

What I don't understand: why is Sophos inspecting / filtering the SSH VPN traffic even when the following settings are applied?

  • firewall is defined without any filtering / protection
  • intrusion prevention is off
  • advanced threat protection & security heartbeat are off

  • P.S. packet capture seems to be OK as well:

  • P.S. and some info from ssh -v:

    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
    debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
    debug1: Authenticating to 192.168.100.2:22 as 'user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:EZM7vbe4nrnb9hG58A3iUEMbG4Qn5joPBl+3pB4vHX8
    debug1: Host '192.168.100.2' is known and matches the RSA host key.
    debug1: Found key in /Users/user/.ssh/known_hosts:12
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Authentication succeeded (none).
    Authenticated to 192.168.100.2 ([192.168.100.2]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    packet_write_wait: Connection to 192.168.100.2 port 22: Broken pipe

  • Hi Tobias,

    There is an unwritten rule on Community that we follow, i.e., one question per thread. This makes it easier for other members to search for a similar answer, with more transparency and a one-step search.

    Considering your first question on IPsec, refer to this KBA.

    Hope that helps.

  • Hi,

    thanks and sorry for the confusion. To be more clear: the VPN tunnel is working, I can connect via RDP and HTTP / HTTPS to the remote servers but NOT SSH; I always get a broken pipe. So the question is how I can change a setting in Sophos XG to allow SSH traffic to work properly.

  • Hi Tobias,

    Are you testing locally? Could you check via another ISP connection and test again?

  • no local testing, and it can't be the ISP connection, for some reasons:

    - if I shut down the Sophos and use the old Kerio appliance instead, SSH works

    - if I use a client-side VPN connection on top of the Sophos, SSH works

    - other services, like HTTP / HTTPS / RDP, are working with the SSL tunnel between the Sophos and a Kerio

    - only SSH via the SSL tunnel shows a broken pipe

  • Can this be an MTU/fragmentation issue? Use tcpdump on the SSH server and SSH client to:

    - check the negotiated MSS size during the 3-way handshake
    - watch for packet fragments
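The check suggested in the reply above, written out as an added example that is not part of the thread or of either vendor's tooling: a small Python parser over `tcpdump -nn` text output that pulls the MSS advertised in the SYN and SYN-ACK, counts IP fragments, picks up ICMP "need to frag" messages, and flags an advertised MSS larger than the discovered path MTU can carry. This is the symptom pattern in the posted `ssh -v` output, where the session dies right after "Entering interactive session", i.e. when the first full-size packets start flowing. The capture lines, the 1400-byte MTU in the ICMP message and the 40-byte IPv4+TCP header allowance are constructed assumptions for the example; on a real host, feed it a file produced with `tcpdump -nn -i <iface> 'port 22 or icmp'` from both ends of the tunnel.

```python
import re
import sys

# Constructed sample of `tcpdump -nn` output (NOT from the thread's capture):
# a 3-way handshake, a fragmented data segment, and an ICMP "need to frag".
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.54321 > 192.168.100.2.22: Flags [S], seq 1000, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1 ecr 0], length 0
12:00:01.010001 IP 192.168.100.2.22 > 192.168.1.10.54321: Flags [S.], seq 2000, ack 1001, win 28960, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0
12:00:01.020001 IP 192.168.1.10.54321 > 192.168.100.2.22: Flags [.], ack 1, win 1024, length 0
12:00:01.500001 IP 192.168.100.2.22 > 192.168.1.10.54321: Flags [P.], seq 1:1449, ack 1, win 227, length 1448 (frag 4242:1480@0+)
12:00:01.500002 IP 192.168.100.2 > 192.168.1.10: ip-proto-6 (frag 4242:8@1480)
12:00:01.600001 IP 10.0.0.1 > 192.168.100.2: ICMP 192.168.1.10 unreachable - need to frag (mtu 1400), length 36
"""

# SYN is "Flags [S]", SYN-ACK is "Flags [S.]"; the MSS option follows in "options [...]".
SYN_RE = re.compile(r"Flags \[(S\.?)\].*?options \[.*?mss (\d+)")
# tcpdump prints fragments as "(frag <id>:<bytes>@<offset>[+])".
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
# ICMP type 3 code 4 as tcpdump renders it, carrying the next-hop MTU.
NEEDFRAG_RE = re.compile(r"need to frag \(mtu (\d+)\)")

# Assumption for the example: IPv4 (20) + TCP (20) headers, no TCP options.
IP_TCP_HEADERS = 40


def safe_mss(path_mtu):
    """Largest TCP payload that fits in one packet of the given path MTU."""
    return path_mtu - IP_TCP_HEADERS


def parse_capture(text):
    """Summarise the handshake MSS values, fragments and PMTU hints in a capture."""
    summary = {"syn_mss": None, "synack_mss": None, "fragments": 0, "needfrag_mtu": []}
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            key = "syn_mss" if m.group(1) == "S" else "synack_mss"
            summary[key] = int(m.group(2))
        if FRAG_RE.search(line):
            summary["fragments"] += 1
        m = NEEDFRAG_RE.search(line)
        if m:
            summary["needfrag_mtu"].append(int(m.group(1)))
    return summary


def diagnose(summary, tunnel_mtu=None):
    """Return human-readable findings; tunnel_mtu is an optional known path MTU."""
    findings = []
    mtus = list(summary["needfrag_mtu"])
    if tunnel_mtu is not None:
        mtus.append(tunnel_mtu)
    if mtus:
        smallest = min(mtus)
        limit = safe_mss(smallest)
        for side, key in (("client", "syn_mss"), ("server", "synack_mss")):
            mss = summary[key]
            if mss is not None and mss > limit:
                findings.append(
                    f"{side} advertised MSS {mss} > {limit} usable over MTU {smallest}; "
                    "clamp MSS on the tunnel endpoint"
                )
    if summary["fragments"]:
        findings.append(
            f"{summary['fragments']} IP fragment(s) seen; a firewall that drops or "
            "mangles fragments will kill large SSH packets after key exchange"
        )
    return findings


if __name__ == "__main__":
    # Usage: python pmtu_check.py [capture.txt]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for finding in diagnose(parse_capture(text)) or ["no MSS/fragmentation problem found"]:
        print(finding)
```

Because SSH key exchange and authentication use small packets, the handshake succeeds and the session only breaks once a full-size segment is sent; the same reasoning explains why the posted MTU-600 experiment changes where the failure shows up (the larger KEX reply already does not get through). If the findings point at MSS, clamping MSS on the tunnel rule is the usual fix; if they point at fragments, look for a fragment-dropping or anti-spoofing rule on either endpoint.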

  • I thought so as well, but the logs look somewhat different:

    a) client set to MTU 600, whereas the Kerio, the Sophos, and the server are set to MTU 1500:

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    ssh_dispatch_run_fatal: Connection to 192.168.100.11 port 22: Operation timed out

    b) client set to MTU 1500, all others remain on 1500:

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:wr8QGslDYZ/8wBQokZC3qIXpbxTq/GZ67A3P89V8mOI
    debug1: Host '192.168.100.11' is known and matches the RSA host key.
    debug1: Found key in /Users/user/.ssh/known_hosts:23
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to 192.168.100.11 ([192.168.100.11]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    packet_write_wait: Connection to 192.168.100.11 port 22: Broken pipe

  • Solution:

    the endpoint on the other side was the problem (Kerio Control Firewall, software version 9.1.4). In order to have stable SSH connections via the VPN tunnel, the following settings need to be adjusted on the Kerio:

    Intrusion Prevention - severity levels -> low -> log, don't drop

    Security Settings - Miscellaneous -> "enable anti-spoofing" needs to be deactivated.