Sophos XG - VPN Tunnel - SSL Connect - Broken Pipe

Dear all,

I've been struggling to get a Sophos XG up and running for some time. Most things do work now; there is only one thing I seem to be unable to solve. Do you have some idea how to solve this:

a) IPsec site-to-site VPN tunnel to some remote location defined and established

b) HTTP / HTTPS / RDP connections to this remote location's internal network are up and running

c) as soon as I try to open an SSH connection from the remote location to the local one or from the local one to the remote, the SSH client exits with a broken pipe error

d) if I shut down the Sophos and use the old Kerio appliance instead, the SSH connection works immediately

e) if I use the Sophos and open a separate VPN connection on the client to the target system, the SSH connection works as well, so I suppose it might be some filtering / rewriting issue on the Sophos

what I don't understand: why is Sophos inspecting / filtering the SSH VPN traffic even when the following settings are applied:

  • firewall is defined without any filtering / protection
  • intrusion prevention is off
  • advanced threat protection & security heartbeat are off

  • p.s. packet capture seems to be OK as well:

  • p.s. and some info from ssh -v:

    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
    debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
    debug1: Authenticating to 192.168.100.2:22 as 'user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:EZM7vbe4nrnb9hG58A3iUEMbG4Qn5joPBl+3pB4vHX8
    debug1: Host '192.168.100.2' is known and matches the RSA host key.
    debug1: Found key in /Users/user/.ssh/known_hosts:12
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Authentication succeeded (none).
    Authenticated to 192.168.100.2 ([192.168.100.2]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    packet_write_wait: Connection to 192.168.100.2 port 22: Broken pipe

  • Hi Tobias,

    Are you testing locally? Could you check via another ISP connection and test again.

  • no local testing - it can't be the ISP connection - some reasons:

    - if I shut down Sophos and use the old Kerio appliance instead, SSH works

    - if I use a client-side VPN connection on top of Sophos, SSH works

    - other services, like HTTP / HTTPS / RDP, are working with the SSL tunnel between the Sophos and a Kerio

    - only SSH via the SSL tunnel shows a broken pipe

  • Can this be an MTU/fragmentation issue? Use tcpdump on the SSH server and SSH client to:

    - Check the negotiated MSS size during the 3-way handshake
    - Watch for packet fragments
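
    An added example (not code from the thread) of the two checks above, run over constructed lines that imitate the shape of `tcpdump -nn -v` output: it pulls the MSS advertised in the SYN/SYN-ACK, flags IP header lines with the "more fragments" flag or a non-zero offset, and compares the MSS against what still fits once an IPsec ESP tunnel adds its headers. The 58-byte ESP overhead is an assumption; the real figure depends on cipher and mode.

    ```python
    """Check a tcpdump trace for an oversized negotiated MSS and for IP fragments."""
    import re

    IPV4_TCP_HEADERS = 40      # 20-byte IPv4 header + 20-byte TCP header
    ESP_TUNNEL_OVERHEAD = 58   # assumed IPsec ESP tunnel-mode overhead per packet (cipher/mode dependent)

    # "options [mss 1460,...]" on a SYN or SYN-ACK continuation line
    MSS_RE = re.compile(r"Flags \[S\.?\].*?options \[[^\]]*\bmss (\d+)")
    # IP header line of a fragment: "more fragments" flag (+) set, or a non-zero fragment offset
    FRAG_RE = re.compile(r"flags \[[^\]]*\+[^\]]*\]|\boffset (?!0\b)\d+")


    def syn_mss(line):
        """Return the MSS advertised on a SYN/SYN-ACK line, or None for any other line."""
        m = MSS_RE.search(line)
        return int(m.group(1)) if m else None


    def is_fragment(line):
        """True if the line is the IP header of a fragmented datagram."""
        return FRAG_RE.search(line) is not None


    def safe_mss(path_mtu, tunnel_overhead=ESP_TUNNEL_OVERHEAD):
        """Largest TCP payload that still fits in one packet after the tunnel encapsulates it."""
        return path_mtu - tunnel_overhead - IPV4_TCP_HEADERS


    def analyze(lines, path_mtu, tunnel_overhead=ESP_TUNNEL_OVERHEAD):
        """Summarize MSS values and fragmentation seen in tcpdump output lines."""
        mss_values = [v for v in (syn_mss(l) for l in lines) if v is not None]
        limit = safe_mss(path_mtu, tunnel_overhead)
        oversized = [v for v in mss_values if v > limit]
        fragments = sum(1 for l in lines if is_fragment(l))
        return {
            "negotiated_mss": mss_values,
            "safe_mss": limit,
            "oversized_mss": oversized,
            "fragments": fragments,
            "suspect_mtu": bool(oversized) or fragments > 0,
        }


    # Constructed sample in the shape of "tcpdump -nn -v": SYN, SYN-ACK, then a 1500-byte
    # server segment that was fragmented in two on the way to the client.
    SAMPLE = """\
    10:00:00.000100 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 64)
        10.0.0.5.51234 > 192.168.100.2.22: Flags [S], seq 1, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
    10:00:00.010200 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.100.2.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 28960, options [mss 1460,sackOK,nop,wscale 7], length 0
    10:00:00.020300 IP (tos 0x0, ttl 63, id 2002, offset 0, flags [+], proto TCP (6), length 1500)
        192.168.100.2.22 > 10.0.0.5.51234: Flags [P.], seq 2:1483, ack 2, win 227, length 1480
    10:00:00.020400 IP (tos 0x0, ttl 63, id 2002, offset 1480, flags [none], proto TCP (6), length 40)
        192.168.100.2 > 10.0.0.5: ip-proto-6
    """

    if __name__ == "__main__":
        report = analyze(SAMPLE.splitlines(), path_mtu=1500)
        for key, value in report.items():
            print(f"{key}: {value}")
    ```

    On the constructed sample both sides advertise the usual Ethernet MSS of 1460 although only 1402 bytes of payload fit once the assumed ESP overhead is added, and two fragment headers are seen; a capture with an MSS at or below `safe_mss` and no fragments would point away from MTU as the cause.
    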

  • I thought so as well, but the logs look somewhat different:

    a) client set to MTU 600, whereas Kerio, Sophos, and the server are set to MTU 1500

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    ssh_dispatch_run_fatal: Connection to 192.168.100.11 port 22: Operation timed out

    b) client set to MTU 1500, all others remain on 1500:

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ssh-rsa
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:wr8QGslDYZ/8wBQokZC3qIXpbxTq/GZ67A3P89V8mOI
    debug1: Host '192.168.100.11' is known and matches the RSA host key.
    debug1: Found key in /Users/user/.ssh/known_hosts:23
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentication succeeded (none).
    Authenticated to 192.168.100.11 ([192.168.100.11]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    packet_write_wait: Connection to 192.168.100.11 port 22: Broken pipe
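
    The two logs above fail at different points, and that difference is the useful signal. As an added example (not code from the thread), the script below locates the last milestone an `ssh -v` log reached before its transport error and attaches a hint; the milestone strings are OpenSSH 7.x wording as printed in the thread, the two sample logs are constructed excerpts modelled on cases a) and b), and the hints are heuristics, not a definitive diagnosis.

    ```python
    """Find where in the SSH handshake an 'ssh -v' session broke and suggest what to check."""
    import re

    # Ordered milestones printed by OpenSSH 'ssh -v' (7.x wording); later entries imply earlier ones
    MILESTONES = [
        ("kexinit", "SSH2_MSG_KEXINIT sent"),
        ("kex_reply_wait", "expecting SSH2_MSG_KEX_ECDH_REPLY"),
        ("newkeys", "SSH2_MSG_NEWKEYS received"),
        ("authenticated", "Authentication succeeded"),
        ("session", "Entering interactive session"),
    ]
    ERROR_RE = re.compile(r"(Broken pipe|Operation timed out|Connection reset|Connection closed)")

    # Heuristic hints per failure stage (assumed wording, not an OpenSSH message)
    HINTS = {
        "kex_reply_wait": "the key-exchange reply never arrived; the first larger server packet is being "
                          "lost, which is typical of path-MTU/fragmentation trouble on a tunnel",
        "session": "the stream was torn down after authentication, when the first channel data flowed; "
                   "check filtering on the path (e.g. an IPS) before suspecting MTU",
    }


    def failure_stage(log):
        """Return (last milestone reached, first transport error) for an ssh -v log."""
        reached, error = "connect", None
        for line in log.splitlines():
            for name, marker in MILESTONES:
                if marker in line:
                    reached = name
            m = ERROR_RE.search(line)
            if m and error is None:
                error = m.group(1)
        return reached, error


    def diagnose(log):
        """Combine the stage and error into a short report with a hint."""
        stage, error = failure_stage(log)
        if error is None:
            return {"stage": stage, "error": None, "hint": "no transport error recorded"}
        return {"stage": stage, "error": error,
                "hint": HINTS.get(stage, f"failed at stage '{stage}'")}


    # Constructed excerpts modelled on the two logs in the thread
    LOG_A = """\
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    ssh_dispatch_run_fatal: Connection to 192.168.100.11 port 22: Operation timed out
    """
    LOG_B = """\
    debug1: SSH2_MSG_KEXINIT sent
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Authentication succeeded (none).
    debug1: Entering interactive session.
    packet_write_wait: Connection to 192.168.100.11 port 22: Broken pipe
    """

    if __name__ == "__main__":
        for name, log in (("a", LOG_A), ("b", LOG_B)):
            print(name, diagnose(log))
    ```

    Case a) stops while waiting for the KEX reply, so nothing past the initial small packets got through; case b) completes key exchange and authentication and only dies when session data starts, which is the pattern the final post in this thread traces to the remote firewall's intrusion prevention.
    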

  • Solution:

    the endpoint on the other side was the problem (Kerio Control firewall, software version 9.1.4) - in order to have stable SSH connections via the VPN tunnel, the following settings need to be adjusted on Kerio:

    Intrusion Prevention - severity levels -> low -> log, don't drop

    Security Settings - Miscellaneous -> enable anti-spoofing needs to be deactivated.