
Oversight by Sophos?

Hi,

I was playing around with Shrewsoft VPN client and our UTM (latest version). I have a few observations with this.

1. If you purely use "Preshared key" (without Xauth), a user can connect to the UTM and it is recorded in the log file. Problem is, it does not show up in the GUI anywhere, e.g. nothing under online users or in the reporting, etc. If you switch on PSK and Xauth, it works as it should. This isn't good if you are trying to keep an eye on who connects.

2. Using Shrewsoft VPN client will result in an error "can't establish IPSEC SA because nothing is known about 0.0.0.0/0" and the VPN can't be established. However, if you place "any" into allowed local networks on the UTM for this connection, it works. Full access with no issues. Try and tighten it down a little by restricting the network, e.g. 10.1.1.0/24, and it doesn't work.

3. By doing the above (and without adding any automatic firewall rules) the remote user has full unrestricted access to the network which isn't good either.

4. If I add a firewall rule (and place it at the top) with the vpn ipsec pool as the source, service any, destination any, BLOCK, it doesn't make any difference. Traffic still gets through. Tried all sorts of combinations here and nothing works.

  • I like the SSL VPN Remote Access method, so it's been a long time since I played with the Shrewsoft client.  I don't recall these problems though. I always used X509 certs, and didn't try with PSKs.

    Please insert a picture of the Edit of your 'IPsec Remote Access Rule' and of your Shrewsoft configuration.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There's really not much to see Bob.

    On the UTM:

    Remote Access > IPSEC Client

    Name= My connection
    Interface= WAN
    Local Networks= Any   <<<< has to be set to ANY otherwise shrewsoft won't connect
    Virtual Pool= default pool
    Policy = Triple DES     <<< I've tried different combinations and they do the same
    Authentication= PSK
    PSK= **********


    And that is it. The Shrewsoft client can connect and shows in the log files. It doesn't show anywhere in the GUI so you wouldn't know it is connected.

    The worrying thing is I haven't made any firewall rules to allow access, but with this config I can reach anything on my networks. I know that placing "Any" into local networks will allow this, but I thought it would be fully blocked until I put appropriate firewall rules in, e.g. only allow the IPsec VPN pool access to x host, y host, z network, etc.

    As for the Shrewsoft client, there's nothing special on there either. Just entries to match up with the above. It's a bit of a serious flaw I think.
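    Since a PSK-only connection in the setup above is visible only in the IPsec log and not in the UTM GUI, the practical way to keep an eye on who is connected is to parse that log. The following is an added example, not code from this thread or from Sophos: it takes constructed syslog lines in the style of the pluto IKE daemon (the exact line layout on a real UTM is an assumption, so `LINE_RE` may need adjusting), reconstructs per-peer sessions, and lists tunnels that came up without an XAUTH user, i.e. the ones the GUI would not show.

```python
import re
from collections import OrderedDict

# Constructed sample lines approximating pluto's syslog style. The peer
# addresses, connection name, SPIs and message texts are made up for this
# example; the real UTM wording may differ.
SAMPLE_LOG = """\
Jan 12 10:14:02 utm pluto[2311]: "L My connection"[1] 203.0.113.5 #1: ISAKMP SA established
Jan 12 10:14:03 utm pluto[2311]: "L My connection"[1] 203.0.113.5 #2: IPsec SA established {ESP=>0x0a1b2c3d <0x4e5f6a7b}
Jan 12 10:20:11 utm pluto[2311]: "L My connection"[2] 198.51.100.9 #3: XAUTH: User jdoe: Authentication successful
Jan 12 10:20:12 utm pluto[2311]: "L My connection"[2] 198.51.100.9 #4: IPsec SA established {ESP=>0x1122aabb <0x3344ccdd}
Jan 12 10:25:40 utm pluto[2311]: "L My connection"[3] 198.51.100.20 #5: ISAKMP SA established
Jan 12 10:25:41 utm pluto[2311]: "L My connection"[3] 198.51.100.20 #6: IPsec SA established {ESP=>0x55667788 <0x99aabbcc}
Jan 12 10:40:02 utm pluto[2311]: "L My connection"[3] 198.51.100.20 #6: deleting state (IPsec SA)
Jan 12 10:31:07 utm pluto[2311]: "L My connection"[4] 192.0.2.77 #7: ISAKMP SA established
"""

# Assumed line layout: timestamp, host, pluto[pid]:, "conn"[instance], peer, #state: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)$'
)
USER_RE = re.compile(r'XAUTH: User (?P<user>\S+): Authentication successful')


def parse_sessions(log_text):
    """Return an ordered {peer_ip: session} mapping built from the log lines.

    Each session records the connection name, when the peer was first seen,
    the XAUTH user (None for PSK-only peers), whether phase 1 (ISAKMP SA) and
    phase 2 (IPsec SA) completed, and whether the IPsec SA was torn down.
    """
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IKE line we understand; skip it
        peer = m.group('peer')
        s = sessions.setdefault(peer, {
            'connection': m.group('conn'),
            'first_seen': m.group('ts'),
            'user': None,
            'phase1': False,
            'phase2': False,
            'torn_down': False,
        })
        msg = m.group('msg')
        u = USER_RE.search(msg)
        if u:
            s['user'] = u.group('user')
        if 'ISAKMP SA established' in msg:
            s['phase1'] = True
        if 'IPsec SA established' in msg:
            s['phase2'] = True
        if 'deleting state (IPsec SA)' in msg:
            s['torn_down'] = True
    return sessions


def invisible_sessions(sessions):
    """Peers with a live IPsec SA but no XAUTH user: present in the log only."""
    return [peer for peer, s in sessions.items()
            if s['phase2'] and not s['torn_down'] and s['user'] is None]


if __name__ == '__main__':
    sessions = parse_sessions(SAMPLE_LOG)
    for peer, s in sessions.items():
        state = 'tunnel up' if s['phase2'] and not s['torn_down'] else 'no tunnel'
        print(f"{peer:15} {s['connection']:18} user={s['user'] or '-':8} {state}")
    print('PSK-only tunnels not shown in the GUI:', invisible_sessions(sessions))
```

    Run it against the live log instead of `SAMPLE_LOG` (for instance by feeding `parse_sessions` the contents of the IPsec log file) to get a list of peers that are connected but absent from the online-users view. A peer that only completed phase 1 is deliberately not reported, since no traffic can flow until the IPsec SA exists.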

  • You don't have 'Automatic Firewall Rules' selected in the IPsec Remote Access Rule?  You tried "Internet" instead of "Any" in 'Local Networks'?

    FWIW, I would use AES-128-PFS as the fastest, most secure Policy, auth with X509 certs and enable XAUTH.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    No, no automatic firewall rules are enabled for it. I made sure of that and I've checked under auto-generated rules to make sure nothing is there.

    I haven't tried "Internet" under local networks as I'm not sure what that would achieve?

    I did start off with AES256 and generally use that as a standard, but have worked my way down to triple DES/MD5 to see if there was any difference.

    I also tried with xauth. The only difference that made was to show the user in the GUI.

  • Louis-M said:
    I haven't tried "internet" under local networks as i'm not sure what that would achieve?

    I only use SSL VPN but generally ...

    LOCAL NETWORKS:LAN

    Bridge VPN traffic to LAN. No firewall/masq rules required

    LOCAL Networks: Internet

    Bridge VPN traffic to Internet. Firewall and masq rules required.

    LOCAL Network: ANY

    Allow traffic to any firewall interface. LAN traffic would flow without any firewall/masq rules. However, you will have to create firewall/masq rules for internet/DMZ networks in addition to the UTM DNS server for any kind of functional internet experience.

    Also remember to re-establish VPN tunnel after you make any changes to routing configuration on the UTM.