VPN Split Tunnel traffic Issues

Hi Aaron,

As suggested by Bob, please check if there are any related drops in the UTM and it will be interesting to learn where is the traffic directed after connecting via VPN to the UTM. Can you please take a look at the PCAP from the UTM end. 

You can refer the KBA for more information on how to take a PCAP in Sophos UTM.

Thanks

Thanks for the continued support, I really appreciate it.

I feel this is relevant to share: The VPN pool is 10.11.6.x, and the Sophos is pingable at 10.11.6.1, but not 10.13.2.1 as it normally is in a full-tunnel config. Why would I only be able to ping one portion of the UTM on a split-tunnel? Sorry I don't know the correct terminology for all this.

It seems the routing doesn't exist from VPN>LAN from 192.168.6.1>LAN. I have no idea how to make that work, because 192.168.6.1 isn't configured anywhere in the firewall that I'm aware of.

Which PCAP commands should I be using to capture the traffic I need to look at?

Hi Aaron,

Can you please show us a network diagram which could help us provide you our inputs on configuration and we could start over instead of finding a pin in a haystack.

Cheers

[IMG REMOVED]

Does this help?

Aaron, what was the result of doing #1 in Rulz?

Where is the Remote Access VPN Pool in the diagram and which method are you using?  Show us the Edit of that definition.

Cheers - Bob

Aaron, what was the result of doing #1 in Rulz?

Where is the Remote Access VPN Pool in the diagram and which method are you using?  Show us the Edit of that definition.

Cheers - Bob

[IMG REMOVED]

Does this help at all? Protocol is PPTP and is connected via AD/Radius authentication on the Sophos UTM.

It's still a confusing picture, Aaron.  What does "[masked] 192.168.0.0/21" mean?  What happens when you connect from outside of that subnet - directly from home or a public hotspot, for example?

Cheers - Bob

Masked is simply restricting the company name from public view in this particular document. 

When connecting from home or a public hotspot and configuring the client in "full tunnel" - I have access to all VPN resources, everything works as it should (for all intent and purpose of this discussion). 

When connecting on a split tunnel configuration on the client, I am still assigned the 192.168.6.2 IP address, but cannot talk to, ping, access, telnet, you name it, anything on the VPN resources, however internet does go out locally and not through the tunnel. 

I'm sorry the picture isn't clear, and I appreciate the help. This isn't what I do for a day job and am just scraping by to make this all work.

Try a test from outside with a split tunnel, noting the assigned IP and the exact time of the test.  Connect to WebAdmin, Search the Firewall log file for your IP and show us a line or two from your test where the ping was blocked.

Cheers - Bob

I'll do that in a bit once I'm off site. Meanwhile - food for thought- , I think when I tried this in the past, the dropped ping was not showing up in the firewall logs, however. Regardless, I'll try again for the sake of testing. IIRC, it was a routing issue of the client not knowing where to find the 192.168.6.1, or anything on the VPN side. Sorry if that makes no sense, I'll post test results shortly. Thanks again.

If it is not a firewall block, then show us the section of the PPTP log with the startup of your connection.

Cheers - Bob

2017:06:05-13:34:28 sophos pppd-pptp[27038]: Starting negotiation on /dev/pts/0
2017:06:05-13:34:28 sophos pptpd[27037]: GRE: Bad checksum from pppd.
2017:06:05-13:34:28 sophos pptpd[27037]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
2017:06:05-13:34:28 sophos pppd-pptp[27038]: rc_map2id: can't find tty /dev/ in map database
2017:06:05-13:34:28 sophos pppd-pptp[27038]: Using interface ppp0
2017:06:05-13:34:28 sophos pppd-pptp[27038]: MPPE 128-bit stateless compression enabled
2017:06:05-13:34:30 sophos pppd-pptp[27038]: Cannot determine ethernet address for proxy ARP
2017:06:05-13:34:30 sophos pppd-pptp[27038]: local IP address 192.168.6.1
2017:06:05-13:34:30 sophos pppd-pptp[27038]: remote IP address 192.168.6.2
2017:06:05-13:34:31 sophos pppd-pptp[27041]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="domain.com\user" variant="pptp" srcip="[public.ip.adr.here]" virtual_ip="192.168.6.2"

That's the logs for the connection (I've masked the domain, public IP, and usernames). 

Confirmed the firewall is not blocking any packets from the 192.168.6.x into the LAN (from what I can tell). 

I don't often use PPTP and don't configure it for my clients.  I remember now that the only solution is to make a permanent route in the PC dialing into the UTM.

This is another reason that I prefer SSL VPN.  There are free clients for Mac, Windows, iOS and Android.  Control over the traffic is determined by the UTM, not the client.  Configuring with UDP protocol makes the tunnel about as fast as L2TP/IPsec.  Using certificates instead of pre-shared keys makes the tunnel more secure than even 128-bit encryption for PPTP.  Etc.

Cheers - Bob