Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 26 subscribers
  • Views 10990 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG SSL VPN (Remote) use weaker handshake than specified and UDP failed to connect

VuNguyen

Issue 1: I'm trying to config Sophos XG SSL VPN for remote client (iOS in particular). 

The client connect successful but I see the following when i inspect the connection:

SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

That worries me because the config I have for the connection specify AES-256-CBC SHA2 256 2048bit 

3DES-EDE is known to be weak.

 

 

Issue 2: SSL VPN config with UDP instead of TCP and the client will time out trying to connect

INFORMATION:

- The client can connect and access all resources as intended (LAN + WAN - There are Firewall rules to allow that)

- The only issue so far is the weak hanshake and UDP would not connect.

 

Version:

- Sophos XG: SFOS 16.01.2

- iOS Open VPN client: Latest: 1.0.7 Build 199 (iOS 64 bit)

Please see the SSL client log and cofig screenshot below.

 

Any info is appreciated.

2016-12-29 10:43:27 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-12-29 10:43:27 Frame=512/2048/512 mssfix-ctrl=1250
2016-12-29 10:43:27 UNUSED OPTIONS
3 [resolv-retry] [infinite]
4 [nobind]
5 [persist-key]
6 [persist-tun]
14 [route-delay] [4]
15 [verb] [3]
2016-12-29 10:43:27 EVENT: RESOLVE
2016-12-29 10:43:27 Contacting xxx.xxx.xxx.xxx:8443 via TCP
2016-12-29 10:43:27 EVENT: WAIT
2016-12-29 10:43:27 SetTunnelSocket returned 1
2016-12-29 10:43:27 Connecting to [xxx.xxx.xxx.xxx]:8443 (xxx.xxx.xxx.xxx) via TCPv4
2016-12-29 10:43:28 NET WiFi:NotReachable/WR t------
2016-12-29 10:43:28 NET Internet:ReachableViaWWAN/WR t------
2016-12-29 10:43:28 EVENT: CONNECTING
2016-12-29 10:43:28 Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2016-12-29 10:43:28 Creds: Username/Password
2016-12-29 10:43:28 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
IV_VER=3.0.11
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
2016-12-29 10:43:29 VERIFY OK: depth=1
cert. version : 3
serial number : 00:00:00:00:00:00:00:00
issuer name : C=US, ST=NA, L=NA, O=home, OU=OU, CN=Sophos_CA_SOPHOSSERIAL, emailAddress=example@company.com
subject name : C=US, ST=NA, L=NA, O=home, OU=OU, CN=Sophos_CA_SOPHOSSERIAL, emailAddress=example@company.com
issued on : 2016-07-25 00:45:05
expires on : 2036-12-31 00:45:05
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2016-12-29 10:43:29 VERIFY OK: depth=0
cert. version : 3
serial number : 11:11:11:11:11
issuer name : C=US, ST=NA, L=NA, O=home, OU=OU, CN=Sophos_CA_SOPHOSSERIAL, emailAddress=example@company.com
subject name : C=US, ST=NA, L=NA, O=home, OU=OU, CN=SophosApplianceCertificate_SOPHOSSERIAL, emailAddress=example@company.com
issued on : 2015-08-01 00:00:00
expires on : 2036-12-31 23:59:59
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
2016-12-29 10:43:30 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2016-12-29 10:43:30 Session is ACTIVE
2016-12-29 10:43:30 EVENT: GET_CONFIG
2016-12-29 10:43:30 Sending PUSH_REQUEST to server...
2016-12-29 10:43:31 OPTIONS:
0 [route-gateway] [10.10.11.1]
1 [ping] [45]
2 [ping-restart] [180]
3 [redirect-gateway] [def1]
4 [topology] [subnet]
5 [route] [remote_host] [255.255.255.255] [net_gateway]
6 [dhcp-option] [DNS] [10.10.10.1]
7 [ifconfig] [10.10.11.2] [255.255.255.0]
2016-12-29 10:43:31 PROTOCOL OPTIONS:
 cipher: AES-256-CBC
 digest: SHA256
 compress: ANY
 peer ID: -1
2016-12-29 10:43:31 EVENT: ASSIGN_IP
2016-12-29 10:43:31 Error parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument
2016-12-29 10:43:31 Connected via tun
2016-12-29 10:43:31 EVENT: CONNECTED example@xxx.xxx.xxx.xxx:8443 (xxx.xxx.xxx.xxx) via /TCPv4 on tun/10.10.11.2/
2016-12-29 10:43:31 LZO-ASYM init swap=0 asym=1
2016-12-29 10:43:31 Comp-stub init swap=0
2016-12-29 10:43:31 SetStatus Connected
2016-12-29 10:51:08 TUN reset routes
2016-12-29 10:51:08 EVENT: DISCONNECTED
2016-12-29 10:51:08 Raw stats on disconnect:
 BYTES_IN : 134137
 BYTES_OUT : 47513
 PACKETS_IN : 168
 PACKETS_OUT : 221
 TUN_BYTES_IN : 33619
 TUN_BYTES_OUT : 122868
 TUN_PACKETS_IN : 167
 TUN_PACKETS_OUT : 185
2016-12-29 10:51:08 Performance stats on disconnect:
 CPU usage (microseconds): 264665
 Tunnel compression ratio (uplink): 1.41328
 Tunnel compression ratio (downlink): 1.09172
 Network bytes per CPU second: 686339
 Tunnel bytes per CPU second: 591264
2016-12-29 10:51:08 ----- OpenVPN Stop -----
 
2016-12-29 10:57:07 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-12-29 10:57:07 Frame=512/2048/512 mssfix-ctrl=1250
2016-12-29 10:57:07 UNUSED OPTIONS
3 [explicit-exit-notify]
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
15 [route-delay] [4]
16 [verb] [3]
2016-12-29 10:57:07 EVENT: RESOLVE
2016-12-29 10:57:07 Contacting xxx.xxx.xxx.xxx:8443 via UDP
2016-12-29 10:57:07 EVENT: WAIT
2016-12-29 10:57:07 SetTunnelSocket returned 1
2016-12-29 10:57:07 Connecting to [xxx.xxx.xxx.xxx]:8443 (xxx.xxx.xxx.xxx) via UDPv4
2016-12-29 10:57:08 NET WiFi:NotReachable/WR t------
2016-12-29 10:57:08 NET Internet:ReachableViaWWAN/WR t------
2016-12-29 10:57:17 Server poll timeout, trying next remote entry...
2016-12-29 10:57:17 EVENT: RECONNECTING
2016-12-29 10:57:17 EVENT: RESOLVE
2016-12-29 10:57:17 Contacting 10.10.10.1:8443 via UDP
2016-12-29 10:57:17 EVENT: WAIT
2016-12-29 10:57:17 SetTunnelSocket returned 1
2016-12-29 10:57:17 Connecting to [10.10.10.1]:8443 (10.10.10.1) via UDPv4
2016-12-29 10:57:27 Server poll timeout, trying next remote entry...
2016-12-29 10:57:27 EVENT: RECONNECTING
2016-12-29 10:57:27 EVENT: RESOLVE
2016-12-29 10:57:27 Contacting 10.10.16.1:8443 via UDP
2016-12-29 10:57:27 EVENT: WAIT
2016-12-29 10:57:27 SetTunnelSocket returned 1
2016-12-29 10:57:27 Connecting to [10.10.16.1]:8443 (10.10.16.1) via UDPv4
2016-12-29 10:57:37 Server poll timeout, trying next remote entry...
2016-12-29 10:57:37 EVENT: RECONNECTING
2016-12-29 10:57:37 EVENT: RESOLVE
2016-12-29 10:57:37 Contacting xxx.xxx.xxx.xxx:8443 via UDP
2016-12-29 10:57:37 EVENT: WAIT
2016-12-29 10:57:37 SetTunnelSocket returned 1
2016-12-29 10:57:37 Connecting to [xxx.xxx.xxx.xxx]:8443 (xxx.xxx.xxx.xxx) via UDPv4
2016-12-29 10:57:47 Server poll timeout, trying next remote entry...
2016-12-29 10:57:47 EVENT: RECONNECTING
2016-12-29 10:57:47 EVENT: RESOLVE
2016-12-29 10:57:47 Contacting 10.10.10.1:8443 via UDP
2016-12-29 10:57:47 EVENT: WAIT
2016-12-29 10:57:47 SetTunnelSocket returned 1
2016-12-29 10:57:47 Connecting to [10.10.10.1]:8443 (10.10.10.1) via UDPv4
2016-12-29 10:57:57 Server poll timeout, trying next remote entry...
2016-12-29 10:57:57 EVENT: RECONNECTING
2016-12-29 10:57:57 EVENT: RESOLVE
2016-12-29 10:57:57 Contacting 10.10.16.1:8443 via UDP
2016-12-29 10:57:57 EVENT: WAIT
2016-12-29 10:57:57 SetTunnelSocket returned 1
2016-12-29 10:57:57 Connecting to [10.10.16.1]:8443 (10.10.16.1) via UDPv4
2016-12-29 10:58:07 EVENT: CONNECTION_TIMEOUT [ERR]
2016-12-29 10:58:07 EVENT: DISCONNECTED
2016-12-29 10:58:07 Raw stats on disconnect:
 BYTES_OUT : 420
 PACKETS_OUT : 30
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 5
2016-12-29 10:58:07 Performance stats on disconnect:
 CPU usage (microseconds): 41051
 Network bytes per CPU second: 10231
 Tunnel bytes per CPU second: 0
2016-12-29 10:58:07 EVENT: DISCONNECT_PENDING
2016-12-29 10:58:07 ----- OpenVPN Stop -----
 


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Issue 1- Report that to Support team and raise it as an idea on http://ideas.sophos.com/forums/330219-sophos-xg-firewall

    Issue 2- Is reported as a BUG under ID NC-15637 and the fix comes in v16.1 MR3. Try updating on v16.5 and let us know if that works.

    Thanks

    P.S.- There is an unwritten rule for Sophos Community which says; one question per thread. The only reason for this is to keep it simple for other members to find solutions with a single thread.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    I'm now on 16.05 RC1.

    For testing, I created a new user, new SSL VPN profile with the same settings, generate new appliance cert, etc. It's still the same.

    Unfortunately, both issues are still here. But like @sachingurung said, let's just confirm one one issue per thread.

    Just to confirm Issue one, I enable debug on SSL VPN and tail the sslvpn log on the box. 

    Data channel is using AES-256-CBC with SHA256 which is looks like what you can config in Sophos. 

    Fri Dec 30 09:00:00 2016 us=54793 ::ffff:xxx.xxx.xxx.xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Dec 30 09:00:00 2016 us=54808 ::ffff:xxx.xxx.xxx.xxx Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

     

    However, it is confirmed that the box is using weak cipher for control channel

    Fri Dec 30 09:00:00 2016 us=238120 ::ffff:xxx.xxx.xxx.xxx Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA

     

    I'm not an expert in crypto so if someone does and can chime in, that would be great.

Reply
  • 0 in reply to sachingurung

    I'm now on 16.05 RC1.

    For testing, I created a new user, new SSL VPN profile with the same settings, generate new appliance cert, etc. It's still the same.

    Unfortunately, both issues are still here. But like @sachingurung said, let's just confirm one one issue per thread.

    Just to confirm Issue one, I enable debug on SSL VPN and tail the sslvpn log on the box. 

    Data channel is using AES-256-CBC with SHA256 which is looks like what you can config in Sophos. 

    Fri Dec 30 09:00:00 2016 us=54793 ::ffff:xxx.xxx.xxx.xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Fri Dec 30 09:00:00 2016 us=54808 ::ffff:xxx.xxx.xxx.xxx Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication

     

    However, it is confirmed that the box is using weak cipher for control channel

    Fri Dec 30 09:00:00 2016 us=238120 ::ffff:xxx.xxx.xxx.xxx Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA

     

    I'm not an expert in crypto so if someone does and can chime in, that would be great.

Children
  • 0 in reply to VuNguyen

    Hi, 

    With XG v16 MR 2 we have disabled the support of TLSv1 & TLSv1.1 for User Portal and Web Admin. Raise a support ticket and provide me the case# to see if anything is planned for SSL VPN.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Hi sachingurung,

    Please forgive me if I'm dump but I can't seem really log a ticket for it. I tried to log as Evaluating but the product doesn't exist.

    I'm running Sophos Software as a Virtual Machine on ESXi. In the logging ticket, there is no Sophos Software Appliance option, only hardware appliance.

    Thank you.

Cookie Information Banner