SSL VPN

Hi

I have searched through the forums and google to try and get SSL VPN to work properly to no avail. Tried all sorts, nothing, does not work.

I need an SSL VPN connection to be able to see the internal LAN, not worried about internet access. SSL VPN connects but nothing after that.

Can someone please post a definitive guide on how to achieve what I am struggling to achieve. This is driving me insane.



  • Hi Jon Eyre,

    Would be very helpful if you add screenshots of your current configuration and also the log file from the SSL client.

    You can check this guide too:

    https://sophserv.sophos.com/repo_kb/122769/file/SFOSv1_Remote_Access_Via_SSL_gengv2.pdf

  • Hi John

    Following that guide was my first attempt, could not see anything in the LAN from the SSL VPN. This did not work. I have XG 16 which is not the version in the guide.

    Below is the client log file

    Mon Jun 05 16:42:51 2017 VERIFY OK: depth=1, C=ZA, ST=Johannesburg, L=Sundowner, O=MTechSA, OU=OU, CN=Sophos_CA_C1403A76RT2CK9D, emailAddress=jon.eyre@mtechsa.co.za
    Mon Jun 05 16:42:51 2017 VERIFY X509NAME OK: C=ZA, ST=Johannesburg, L=Sundowner, O=MTechSA, OU=OU, CN=SophosApplianceCertificate_C1403A76RT2CK9D, emailAddress=jon.eyre@mtechsa.co.za
    Mon Jun 05 16:42:51 2017 VERIFY OK: depth=0, C=ZA, ST=Johannesburg, L=Sundowner, O=MTechSA, OU=OU, CN=SophosApplianceCertificate_C1403A76RT2CK9D, emailAddress=jon.eyre@mtechsa.co.za
    Mon Jun 05 16:42:53 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Mon Jun 05 16:42:53 2017 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Mon Jun 05 16:42:53 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Mon Jun 05 16:42:53 2017 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Mon Jun 05 16:42:53 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Mon Jun 05 16:42:53 2017 [SophosApplianceCertificate_C1403A76RT2CK9D] Peer Connection Initiated with [AF_INET]196.2.98.97:8443
    Mon Jun 05 16:42:54 2017 MANAGEMENT: >STATE:1496673774,GET_CONFIG,,,,,,
    Mon Jun 05 16:42:55 2017 SENT CONTROL [SophosApplianceCertificate_C1403A76RT2CK9D]: 'PUSH_REQUEST' (status=1)
    Mon Jun 05 16:42:55 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.0.1 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
    Mon Jun 05 16:42:55 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Jun 05 16:42:55 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Mon Jun 05 16:42:55 2017 OPTIONS IMPORT: route options modified
    Mon Jun 05 16:42:55 2017 OPTIONS IMPORT: route-related options modified
    Mon Jun 05 16:42:55 2017 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=22 HWADDR=40:f0:2f:6a:e8:97
    Mon Jun 05 16:42:55 2017 open_tun, tt->ipv6=0
    Mon Jun 05 16:42:55 2017 TAP-WIN32 device [Ethernet 4] opened: \\.\Global\{90CF38D5-5CD8-450F-B351-E60535F9447A}.tap
    Mon Jun 05 16:42:55 2017 TAP-Windows Driver Version 9.21
    Mon Jun 05 16:42:55 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.6/255.255.255.0 [SUCCEEDED]
    Mon Jun 05 16:42:55 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.6/255.255.255.0 on interface {90CF38D5-5CD8-450F-B351-E60535F9447A} [DHCP-serv: 10.81.234.254, lease-time: 31536000]
    Mon Jun 05 16:42:55 2017 Successful ARP Flush on interface [20] {90CF38D5-5CD8-450F-B351-E60535F9447A}
    Mon Jun 05 16:42:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mon Jun 05 16:42:55 2017 MANAGEMENT: >STATE:1496673775,ASSIGN_IP,,10.81.234.6,,,,
    Mon Jun 05 16:42:59 2017 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Mon Jun 05 16:42:59 2017 MANAGEMENT: >STATE:1496673779,ADD_ROUTES,,,,,,
    Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 196.2.98.97 MASK 255.255.255.255 192.168.43.1
    Mon Jun 05 16:42:59 2017 Route addition via service succeeded
    Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 192.168.0.1 MASK 255.255.255.255 10.81.234.5
    Mon Jun 05 16:42:59 2017 Route addition via service succeeded
    Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 196.2.98.97 MASK 255.255.255.255 192.168.43.1
    Mon Jun 05 16:42:59 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=22]
    Mon Jun 05 16:42:59 2017 Route addition via service failed
    Mon Jun 05 16:42:59 2017 Initialization Sequence Completed
    Mon Jun 05 16:42:59 2017 MANAGEMENT: >STATE:1496673779,CONNECTED,SUCCESS,10.81.234.6,196.2.98.97,8443,192.168.43.43,65496
    Mon Jun 05 16:43:20 2017 C:\WINDOWS\system32\route.exe DELETE 192.168.0.1 MASK 255.255.255.255 10.81.234.5
    Mon Jun 05 16:43:20 2017 Route deletion via service succeeded
    Mon Jun 05 16:43:20 2017 C:\WINDOWS\system32\route.exe DELETE 196.2.98.97 MASK 255.255.255.255 192.168.43.1
    Mon Jun 05 16:43:20 2017 Route deletion via service succeeded
    Mon Jun 05 16:43:20 2017 Closing TUN/TAP interface
    Mon Jun 05 16:43:20 2017 SIGTERM[hard,] received, process exiting
    Mon Jun 05 16:43:20 2017 MANAGEMENT: >STATE:1496673800,EXITING,SIGTERM,,,,,

    Client connects, I get the green light.

    I read on here someone said add a second firewall policy so my config is pretty messed up by now.

  • Jon Eyre said:

    I read on here someone said add a second firewall policy so my config is pretty messed up by now.

    Yes, you can configure two rules to test:

    VPN to LAN

    LAN to VPN

  • Hi John,

    Could you check on another system? According to the logs it would seem there was an issue while adding the route. I would recommend adding SSL VPN with elevated access.
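Added example (not from the thread, and not Sophos code): a small Python script that reads the client log posted above and pulls out the two things an admin checks first when the tunnel comes up but the LAN is unreachable: which networks the firewall actually pushed to the client in PUSH_REPLY, and which route.exe additions failed and why. Run against the posted log it shows that the only pushed route besides the VPN server itself is a single host, 192.168.0.1/32, and that the one failure is a duplicate add of the host route to 196.2.98.97 ("The object already exists"), not of the LAN route. The LAN subnet it tests for (192.168.0.0/24) is an assumption, since the thread never states the LAN range; the log excerpt is trimmed from the posted log to the lines the checks need.

```python
import re
from ipaddress import IPv4Network

# Excerpt of the OpenVPN client log posted in the thread, trimmed to the
# PUSH_REPLY and route.exe lines (values copied from the post, not invented).
SAMPLE_LOG = r"""
Mon Jun 05 16:42:55 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.5,ping 45,ping-restart 180,route 192.168.0.1 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 900 7680,ifconfig 10.81.234.6 255.255.255.0'
Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 196.2.98.97 MASK 255.255.255.255 192.168.43.1
Mon Jun 05 16:42:59 2017 Route addition via service succeeded
Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 192.168.0.1 MASK 255.255.255.255 10.81.234.5
Mon Jun 05 16:42:59 2017 Route addition via service succeeded
Mon Jun 05 16:42:59 2017 C:\WINDOWS\system32\route.exe ADD 196.2.98.97 MASK 255.255.255.255 192.168.43.1
Mon Jun 05 16:42:59 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=22]
Mon Jun 05 16:42:59 2017 Route addition via service failed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '([^']*)'")
ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
ROUTE_RESULT_RE = re.compile(r"Route addition via service (succeeded|failed)")


def parse_pushed_routes(log):
    """Return (network, netmask) pairs from the server's PUSH_REPLY.

    Only 'route' options count; 'route-gateway', 'ifconfig' and timers are
    skipped.  OpenVPN's 'remote_host' placeholder (the route to the VPN
    server itself) is kept verbatim so the caller can see and ignore it.
    """
    for line in log.splitlines():
        m = PUSH_RE.search(line)
        if not m:
            continue
        routes = []
        for opt in m.group(1).split(","):
            parts = opt.split()
            if len(parts) >= 3 and parts[0] == "route":
                routes.append((parts[1], parts[2]))
        return routes
    return []


def route_add_outcomes(log):
    """Pair each 'route.exe ADD' with the 'Route addition via service ...' verdict after it."""
    outcomes, pending = [], None
    for line in log.splitlines():
        m = ROUTE_ADD_RE.search(line)
        if m:
            pending = m.groups()
            continue
        m = ROUTE_RESULT_RE.search(line)
        if m and pending:
            dest, mask, gw = pending
            outcomes.append({"dest": dest, "mask": mask, "gateway": gw,
                             "ok": m.group(1) == "succeeded"})
            pending = None
    return outcomes


def lan_reachable_via_push(routes, lan_cidr):
    """True if some pushed route covers the whole LAN subnet the user wants to reach."""
    lan = IPv4Network(lan_cidr, strict=False)
    for net, mask in routes:
        if net == "remote_host":  # placeholder, not a real network
            continue
        try:
            pushed = IPv4Network((net, mask), strict=False)
        except ValueError:
            continue
        if lan.subnet_of(pushed):
            return True
    return False


if __name__ == "__main__":
    pushed = parse_pushed_routes(SAMPLE_LOG)
    print("Pushed routes:", pushed)
    for o in route_add_outcomes(SAMPLE_LOG):
        print("route ADD", o["dest"], o["mask"], "via", o["gateway"],
              "->", "ok" if o["ok"] else "FAILED")
    # Assumed LAN range; replace with the real LAN subnet from the XG.
    print("LAN 192.168.0.0/24 covered by a pushed route:",
          lan_reachable_via_push(pushed, "192.168.0.0/24"))
```

The useful output is the comparison: if the LAN subnet you want to reach is not covered by any pushed route, the client never gets a route for it no matter how many firewall rules are added, so the fix is on the server side (the networks permitted for the SSL VPN policy), while a failed duplicate add of the VPN server's own host route is harmless and can be ignored.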

  • Hi

    Forgive me, I am a total newb to this. Elevated access?
