Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 2 subscribers
  • Views 10864 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote access - IPsec (Cisco Client & Shrewsoft Client

Louis-M

I've been playing about with these for a few days and I'm getting stumped a little.

The only way I can connect both clients is by placing an "Any IPv4" or "Any" in the local networks tab.
That then gives the remote client access to all (as you would expect)

However, the issue is......... I've not put any firewall rules in to allow it!! 

Using a Preshared Key
If I use a preshared key, I don't get any option to allow automatic firewall rules. Nothing. So I can only assume it puts them in although I can't see them under any rule (manual or automatic). So not quite sure whats going on there. If I place a manual firewall rule at the top with the source of the remote ipsec vpn pool, any service, anywhere, block, it doesn't have any effect?? That's serious stuff!

If I use a certificate
If I use a certificate, I get the option to use automatic firewall rules. If I choose not to (ie leave it unticked), access is granted to everything as above. So that's not right either.

If I use a more restrictive network (rather than any)
Both clients won't connect as there is no policy for 0.0.0.0/0. I can also use "internet" instead of "Any" but get the same results ie access to everything

I'm stuck and can't use IPsec (which I need to use) and can't understand why a remote client can bypass the top firewall rule which is set to block anything coming from it?



This thread was automatically locked due to age.
Parents
  • 0

    Further to this, I tried the same setup with with SSL and it works as it should. So its definitely an issue with the IPsec.

    Could do with a link directly from remote access tabs into the logging tab though. Sometimes I want to see a little more detail than it shows

  • 0 in reply to Louis-M

    Louis, look first at #2 in Rulz to understand why your manual firewall rule couldn't block a packet already allowed in the Remote Access definition.

    I don't have a Shrewsoft client handy, but the Cisco client works fine in my iPhone with only "Internal (Network)" in 'Local Networks'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    as I understand it:

    it doesn't really matter what I put in the local networks if I don't tick "automatic firewall" rules. By not ticking "automatic firewall" rules, you have to create your own to allow/disallow traffic

    So in the above case, I'm finding that I can only get access with "any" or "internet" in the local networks. Anything else and the Ipsec tunnel won't come up.
    When It does come up with "any" or "internet" and without any automatic firewall rules or manual rules, the remote user can access all.

    This isn't the Cisco client option on the firewall. This is the ipsec section. SSL works as expected and maybe the Cisco Client too but ipsec certainly doesn't.

  • 0 in reply to Louis-M

    Just following up on this one. Have to say I'm not that impressed with Sophos (Premium??) support. Been a week now without any pointers. The silence is deafening!

    You can see in the screenshots below that no automatic firewall rules are offered. Even if you do select them, they are no good and are overrode.


    The above one offers firewall rules if a certificate is used. They don't work though!


    This one doesn't offer automatic firewall rules if you use a preshared key

    As with both above, I have to enter "internet" or "any". If i enter a subnet eg 10.1.1.0/24, the ipsec tunnel won't come up full stop and fails at phase 2.

    This only affects IPsec, not the Cisco client or SSL

  • 0 in reply to Louis-M

    And...... due to the firewall rules not having any effect, I can't limit access via rules & time of day eg only allow ACME support access to HOST A during weekday work hours etc.

  • 0 in reply to Louis-M

    "If i enter a subnet eg 10.1.1.0/24, the ipsec tunnel won't come up full stop and fails at phase 2."

    Louis, can you show us the 50-60 lines from the log for a single connection attempt?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Here is a log that doesn't allow me to connect. This one is restricting the network to 10.1.1.0/24

     pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [RFC 3947]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: received Vendor ID payload [Dead Peer Detection]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: packet from 111.222.333.444:500: ignoring Vendor ID payload [Cisco-Unity]
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444 #4: responding to Main Mode from unknown peer 111.222.333.444
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444 #4: NAT-Traversal: Result using RFC 3947: peer is NATed
    2016:08:09-18:20:51 gw01-1 pluto[7031]: | NAT-T: new mapping 111.222.333.444:500/4500)
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[1] 111.222.333.444:4500 #4: Peer ID is ID_IPV4_ADDR: '192.168.254.200'
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: deleting connection "S_SUPPORT_MYSUPPORT"[1] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Dead Peer Detection (RFC 3706) enabled
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sent MR3, ISAKMP SA established
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: parsing ModeCfg request
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: peer requested virtual IP %any
    2016:08:09-18:20:51 gw01-1 pluto[7031]: acquired existing lease for address 10.242.4.1 in pool 'VPN Pool (IPsec)'
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: assigning virtual IP 10.242.4.1 to peer
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending ModeCfg reply
    2016:08:09-18:20:51 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sent ModeCfg reply, established
    2016:08:09-18:20:51 gw01-2 pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:55 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:20:57 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:20:57 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:00 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:00 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:02 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:21:02 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:05 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:05 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:07 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x264463ad (perhaps this is a duplicated packet)
    2016:08:09-18:21:07 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:10 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x23ee3e6f (perhaps this is a duplicated packet)
    2016:08:09-18:21:10 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:11 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:21:11 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500
    2016:08:09-18:21:16 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x9233fb68 (perhaps this is a duplicated packet)
    2016:08:09-18:21:16 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_MESSAGE_ID to 111.222.333.444:4500
    2016:08:09-18:21:21 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: received Delete SA payload: deleting ISAKMP State #4
    2016:08:09-18:21:21 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:21:21 gw01-2 pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}

  • 0 in reply to Louis-M

    The main line is:

    pluto[7091]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500: deleting connection "S_SUPPORT_MYSUPPORT"[2] instance with peer 111.222.333.444 {isakmp=#0/ipsec=#0}
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===555.666.777.888:4500[555.666.777.888]...111.222.333.444:4500[192.168.254.200]===10.242.4.1/32
    2016:08:09-18:20:52 gw01-1 pluto[7031]: "S_SUPPORT_MYSUPPORT"[2] 111.222.333.444:4500 #4: sending encrypted notification INVALID_ID_INFORMATION to 111.222.333.444:4500

  • 0 in reply to Louis-M

    Louis, see if my post from four years ago applies.  I had to scratch my head a bit on this one as that error is one that is not uncommon when configuring IPsec site-to-site connections.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    many thanks for still replying and looking. Better than Sophos "Premium" support which shall we say is a little lacking to say the least. If that is their premium support, they are lucky they haven't been sued!

    Anyway, your reply wouldn't be far out and I'd already tried this.

    1. I can actually limit the client to a subnet if I put that subnet AND internet in the local networks on the UTM.

    2. If I put a manual firewall rule in at the top (as it doesn't offer auto) to limit the ipsec client to a specific host on that subnet set in the UTM, it doesn't have an effect. The ipsec client can reach everything on that subnet.

    3. If I just put the host in that I want it restricted to eg 10.1.1.100/32 on the UTM (as well as internet as I have to put this in for the tunnel come up), the ipsec client can still reach everything on that subnet eg 10.1.1.0/24. Add a firewall rule again and it doesn't matter.

    It's really strange and still waiting for Sophos PREMIUM support to answer after 6 weeks!! They pop in from time to time, have a look and off they go. Not a word!

  • 0 in reply to Louis-M

    Louis, the only real difference between Premium and Standard support is that you can open your own support ticket instead of going through your reseller - it's still the same people that handle the cases.  It sounds like you should ask for escalation of your issue.

    When logged into a Remote Access session as john1, the "john1 (User Network)" object is populated with the IP assigned.  This lets you make Firewall rules like 'john1 (User Network) -> Any -> Server : Allow' and 'john1 (User Network) -> Any -> Any : Drop'.  I don't understand why the second would be necessary just as I don't understand why you're having to use "Internet" in the definition.  When you get this escalated, be sure to have them look at these two issues.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Louis-M

    Louis, the only real difference between Premium and Standard support is that you can open your own support ticket instead of going through your reseller - it's still the same people that handle the cases.  It sounds like you should ask for escalation of your issue.

    When logged into a Remote Access session as john1, the "john1 (User Network)" object is populated with the IP assigned.  This lets you make Firewall rules like 'john1 (User Network) -> Any -> Server : Allow' and 'john1 (User Network) -> Any -> Any : Drop'.  I don't understand why the second would be necessary just as I don't understand why you're having to use "Internet" in the definition.  When you get this escalated, be sure to have them look at these two issues.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML