Cannot browse external web when SSL VPN is connected

Hello,

I cannot browse webpages when my SSL VPN is connected. 

In Remote Access -> SSL -> Local Networks, the "Any" network is included.

Should I use config-file settings in SSL VPN Client Settings?

Here are the logs, if that helps solve the problem:

Sun Sep 18 04:32:01 2016 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Mar 23 2015
Enter Management Password:
Sun Sep 18 04:32:01 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Sep 18 04:32:01 2016 Need hold release from management interface, waiting...
Sun Sep 18 04:32:02 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Sep 18 04:32:02 2016 MANAGEMENT: CMD 'state on'
Sun Sep 18 04:32:02 2016 MANAGEMENT: CMD 'log all on'
Sun Sep 18 04:32:02 2016 MANAGEMENT: CMD 'hold off'
Sun Sep 18 04:32:02 2016 MANAGEMENT: CMD 'hold release'
Sun Sep 18 04:32:11 2016 MANAGEMENT: CMD 'username "Auth" "xxx"'
Sun Sep 18 04:32:11 2016 MANAGEMENT: CMD 'password [...]'
Sun Sep 18 04:32:11 2016 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sun Sep 18 04:32:11 2016 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Sep 18 04:32:12 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Sep 18 04:32:12 2016 Attempting to establish TCP connection with [AF_INET]xxx:8833 [nonblock]
Sun Sep 18 04:32:12 2016 MANAGEMENT: >STATE:1474162332,TCP_CONNECT,,,
Sun Sep 18 04:32:13 2016 TCP connection established with [AF_INET]xxx:8833
Sun Sep 18 04:32:13 2016 TCPv4_CLIENT link local: [undef]
Sun Sep 18 04:32:13 2016 TCPv4_CLIENT link remote: [AF_INET]xxx:8833
Sun Sep 18 04:32:13 2016 MANAGEMENT: >STATE:1474162333,WAIT,,,
Sun Sep 18 04:32:13 2016 MANAGEMENT: >STATE:1474162333,AUTH,,,
Sun Sep 18 04:32:13 2016 TLS: Initial packet from [AF_INET]xxx:8833, sid=11327cb6 cee03a
Sun Sep 18 04:32:13 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 18 04:32:13 2016 VERIFY OK: depth=1, C=xx, L=xx, O=xx, CN=xxx VPN CA, emailAddress=xxx
Sun Sep 18 04:32:13 2016 VERIFY X509NAME OK: C=xx, L=xx, O=xx, CN=xxx_SOPHOS_1, emailAddress=xxx
Sun Sep 18 04:32:13 2016 VERIFY OK: depth=0, C=xx, L=xx, O=xxx, CN=xxx_SOPHOS_1, emailAddress=xxx
Sun Sep 18 04:32:13 2016 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Sep 18 04:32:13 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 18 04:32:13 2016 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Sun Sep 18 04:32:13 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 18 04:32:13 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Sep 18 04:32:13 2016 [xxx_SOPHOS_1] Peer Connection Initiated with [AF_INET]xxx:8833
Sun Sep 18 04:32:14 2016 MANAGEMENT: >STATE:1474162334,GET_CONFIG,,,
Sun Sep 18 04:32:15 2016 SENT CONTROL [xxx_SOPHOS_1]: 'PUSH_REQUEST' (status=1)
Sun Sep 18 04:32:15 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.xxx.2.1,route-gateway 10.xxx.2.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,dhcp-option DNS xxx,dhcp-option DNS 8.8.8.8,ifconfig 10.xxx.2.2 255.255.255.0'
Sun Sep 18 04:32:15 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 18 04:32:15 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 18 04:32:15 2016 OPTIONS IMPORT: route options modified
Sun Sep 18 04:32:15 2016 OPTIONS IMPORT: route-related options modified
Sun Sep 18 04:32:15 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 18 04:32:15 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=5 HWADDR=xxx
Sun Sep 18 04:32:15 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Sep 18 04:32:15 2016 MANAGEMENT: >STATE:1474162335,ASSIGN_IP,,10.xx.2.2,
Sun Sep 18 04:32:15 2016 open_tun, tt->ipv6=0
Sun Sep 18 04:32:15 2016 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{xx-B74E-4C9E-8F09-23F7247681xx}.tap
Sun Sep 18 04:32:15 2016 TAP-Windows Driver Version 9.20
Sun Sep 18 04:32:15 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 10.xx.2.0/10.xx.2.2/255.255.255.0 [SUCCEEDED]
Sun Sep 18 04:32:15 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.xx.2.2/255.255.255.0 on interface {xx-B74E-4C9E-8F09-23F7247681xx} [DHCP-serv: 10.xx.2.254, lease-time: 31536000]
Sun Sep 18 04:32:15 2016 NOTE: FlushIpNetTable failed on interface [2] {xx-B74E-4C9E-8F09-23F7247681xx} (status=5) : Access is denied.
Sun Sep 18 04:32:19 2016 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Sep 18 04:32:19 2016 C:\WINDOWS\system32\route.exe ADD xx MASK 255.255.255.255 192.168.1.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.xx.2.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.xx.2.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 MANAGEMENT: >STATE:1474162339,ADD_ROUTES,,,
Sun Sep 18 04:32:19 2016 C:\WINDOWS\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.1.1
Sun Sep 18 04:32:19 2016 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=5]
Sun Sep 18 04:32:19 2016 Route addition via service failed
Sun Sep 18 04:32:19 2016 Initialization Sequence Completed
Sun Sep 18 04:32:19 2016 MANAGEMENT: >STATE:1474162339,CONNECTED,SUCCESS,10.xx.2.2,xxx
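
The PUSH_REPLY and route.exe lines in a client log like the one above are the quickest way to tell whether the UTM is pushing a full tunnel (redirect-gateway def1, as here) or a split tunnel, which is what the later replies about masquerading, firewall rules and the Remote Access Advanced tab turn on. The Python script below is an added example, not part of the original thread and not a Sophos or OpenVPN tool; it parses constructed sample log lines in the same format, pairs each route.exe ADD with its success or failure line, and classifies the tunnel mode. All addresses in the samples (10.0.2.0/24, 10.0.0.53, 203.0.113.10, 192.168.1.1) are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (OpenVPN 2.3 Windows client format); addresses are placeholders.
FULL_TUNNEL_LOG = """\
Sun Sep 18 04:32:15 2016 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.2.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,dhcp-option DNS 10.0.0.53,dhcp-option DNS 8.8.8.8,ifconfig 10.0.2.2 255.255.255.0'
Sun Sep 18 04:32:19 2016 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.1.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 C:\\WINDOWS\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.2.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 C:\\WINDOWS\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.2.1
Sun Sep 18 04:32:19 2016 Route addition via service succeeded
Sun Sep 18 04:32:19 2016 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.1.1
Sun Sep 18 04:32:19 2016 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=5]
"""

# Constructed split-tunnel variant: one internal network is pushed, no redirect-gateway.
SPLIT_TUNNEL_LOG = """\
Sun Sep 18 04:40:00 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 10.0.2.1,topology subnet,dhcp-option DNS 10.0.0.53,ifconfig 10.0.2.2 255.255.255.0'
Sun Sep 18 04:40:02 2016 C:\\WINDOWS\\system32\\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.0.2.1
Sun Sep 18 04:40:02 2016 Route addition via service succeeded
"""

PUSH_REPLY = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
# The two /1 halves that 'redirect-gateway def1' installs to override 0.0.0.0/0 without deleting it.
DEF1_HALVES = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}


@dataclass
class Route:
    dest: str
    mask: str
    gateway: str
    ok: bool = True  # set to False if the following log line reports a failure


@dataclass
class TunnelReport:
    pushed: list = field(default_factory=list)  # raw PUSH_REPLY options
    dns: list = field(default_factory=list)     # servers from 'dhcp-option DNS'
    routes: list = field(default_factory=list)  # Route objects in log order
    redirect_gateway: bool = False              # server pushed redirect-gateway
    def1_installed: bool = False                # both /1 halves were installed successfully

    @property
    def mode(self) -> str:
        return "full" if (self.redirect_gateway or self.def1_installed) else "split"


def parse_log(text: str) -> TunnelReport:
    """Walk the client log once, collecting pushed options and installed routes."""
    rep = TunnelReport()
    pending = None  # most recent route.exe ADD, until its success/failure line arrives
    for line in text.splitlines():
        m = PUSH_REPLY.search(line)
        if m:
            rep.pushed = [opt.strip() for opt in m.group(1).split(",")]
            for opt in rep.pushed:
                if opt.startswith("redirect-gateway"):
                    rep.redirect_gateway = True
                elif opt.startswith("dhcp-option DNS "):
                    rep.dns.append(opt.split()[-1])
            continue
        m = ROUTE_ADD.search(line)
        if m:
            pending = Route(*m.groups())
            rep.routes.append(pending)
            continue
        if pending is not None and "route addition failed" in line.lower():
            pending.ok = False
            pending = None
        elif "Route addition via service succeeded" in line:
            pending = None
    installed = {(r.dest, r.mask) for r in rep.routes if r.ok}
    rep.def1_installed = DEF1_HALVES <= installed
    return rep


def diagnose(rep: TunnelReport) -> str:
    """Read the report in terms of the UTM settings discussed in this thread."""
    if rep.mode == "full":
        return ("full tunnel: all Internet traffic enters the VPN, so the UTM needs "
                "'Internet' in Local Networks, a firewall rule for the VPN pool and a "
                "masquerading/SNAT rule on External; DNS pushed: " + ", ".join(rep.dns))
    return ("split tunnel: only pushed routes use the VPN, Internet traffic leaves via "
            "the local default gateway; DNS pushed: " + ", ".join(rep.dns))


if __name__ == "__main__":
    for name, log in (("full", FULL_TUNNEL_LOG), ("split", SPLIT_TUNNEL_LOG)):
        rep = parse_log(log)
        print(name, "->", rep.mode, "|", diagnose(rep))
        for r in rep.routes:
            print("   ", r.dest, r.mask, "via", r.gateway, "OK" if r.ok else "FAILED")
```

With redirect-gateway def1 the client installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway; both are more specific than the existing 0.0.0.0/0 default, so every Internet-bound packet enters the tunnel while the original default route stays in place, and the host route to the VPN server via the LAN gateway keeps the tunnel endpoint itself reachable. The failed second copy of that host route is harmless for the same reason: the route already exists. A client that should reach the Internet directly, as the poster wants, must not receive redirect-gateway in its PUSH_REPLY at all, which is the server-side change the later replies describe.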

    Can you please tell me what Sophos product you are using?

    Thank you,

    Bob

  • Hi,

    Sophos UTM9, SG330

    Firmware 9.404-5

  • Hi, Almis, and welcome to the UTM Community!

    To browse using Web Filtering, you will need to add "VPN Pool (SSL)" to 'Allowed Networks'.  In any case, you will want a Masquerading rule 'VPN Pool (SSL) -> External'.  Was that it?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks,
    I know that, but I need to go directly to Internet, without all the filtering.

  • OK, I understand now.  In 'Local Networks' in the SSL VPN Profile, instead of the "Any" object, use objects for the internal networks the VPN client should be able to access and add the "Internet" object to allow the client to browse.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    there is already an Internet IPv4 object in the SSL VPN profile:

    Internet IPv4 0.0.0.0/0
    Bound to  Uplink Interfaces
    "Any" network, bound to interfaces with default IPv4 gateway

    But browsing the internet is not working.

  • Hi Almis,

    To configure a Full tunnel so that internet requests are sufficed through the UTM over SSL connection, you need to configure an SSL VPN policy as shown in the screenshot:

    Make sure the NAT-MASQ policy and firewall rule are configured. Bob's answer is to the point. 

    You need not define the SSL VPN network object in the web protection allowed network box.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I don't want Internet traffic to go through the UTM. Just pass it directly to my ISP when I'm connected with the VPN.

  • That's what Sachin is telling you.  Here's a response I wrote last week but did not submit:

    For an SSL VPN User to be able to browse the Internet, assuming that "VPN Pool (SSL)" is not in 'Allowed Networks' in Web Filtering, four things are necessary and sufficient:

    1. DNS servers have been added to 'Remote Access >> Advanced'.
    2. The SSL VPN Profile has "Internet" in 'Local Networks'.
    3. Either you have a firewall rule like 'VPN Pool (SSL) -> Web Surfing & DNS -> Internet : Allow' or you have selected 'Automatic firewall rules' in the SSL VPN Profile.
    4. An SNAT or Masquerading rule that assigns one of your public IPs as the source of the packet when it leaves your External interface.

    If you believe you have all of those things in place, check the Web Filtering log and #1 in Rulz.  If nothing comes from any of that, I can only guess that you've created a routing problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Almis,

    Out of curiosity, did you mean that you have an ISP connection at your home, called ISP A, and you connect through SSL VPN to the UTM? Now you want to route all your Internet traffic through ISP A and use the SSL VPN just to access the UTM network resources? Is that your requirement?

    In that case, you just need to make sure no NAT-MASQ policy is configured for ANY or SSL VPN, and the FW rule must not have ANY/SSL VPN Pool > Any > Any. Last but not least, go to the Advanced tab in the Remote Access option on the Web Admin. PFA screenshot:

    Reimport the config file and you are good to go.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
