vpn ssl and Mac OS High Sierra

Hi to all,

I've set up an SSL VPN config on XG 105 v17.0.1 MR 1.

Connecting with Tunnelblick 3.7.4b

From El Capitan and High Sierra.

Both machines connect OK (authentication, VPN connected, ping to LAN working).

On El Capitan I can browse to internal machines' web interfaces (Synology, switch, printer) and RDP to the Windows server.

On High Sierra only RDP is working. All web connections fail. In the Sophos log viewer (firewall part) I can see the connection accepted, then right after another connection denied on rule 0, reason: "Could not associate packet to any connection".

Any idea?

Thanks a lot

  • I have good news and bad news.

    The good news: I have the exact same problem!

    The bad news: I have the exact same problem!

    The VPN works fine on Windows and on Mac OSX Sierra.

    On Mac OSX High Sierra with Tunnelblick 3.7.5beta05 I see the same problem as Fabien. The VPN connection comes up, and I can ping anything I like.

    I did discover that I can't ping more than 290 bytes per packet. For example, pinging our DNS server over the VPN at 290 bytes works:

    ping -D -s 290 192.168.1.5

    But change to 291 bytes and it fails.

    ping -D -s 291 192.168.1.5

    I've tried a manual edit of the client VPN config to add an mssfix command, but that doesn't seem to have any effect.

    All internal web sites and file shares just hang. The OpenVPN client for Windows works fine. This is a High Sierra vs. OpenVPN issue, I think. Maybe RDP works due to requiring smaller packets than the typical 1400 bytes.

    What's weird is the connection comes up working fine according to the debug logs, and then ends up not moving packets larger than 384 bytes to the VPN server just a minute or two later.
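    The size bracketing done by hand above (290 bytes passes, 291 fails) can be automated. This is an added example, not code from the thread or from Sophos; it assumes macOS ping flags (-D sets Don't-Fragment, -s is the payload size, -W is a millisecond timeout) and a remote host that answers ICMP.

```bash
#!/bin/bash
# Binary-search the largest ICMP payload that crosses the tunnel with the
# Don't-Fragment bit set, then report the implied path MTU.
# Assumption: BSD/macOS ping syntax; on Linux -D/-W mean something else.

PING_OPTS="-D -c 1 -W 1000"

# probe SIZE HOST -> exit 0 if a DF ping with SIZE payload bytes gets a reply
probe() {
    ping $PING_OPTS -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST LO HI -> prints the largest payload in [LO,HI] that
# probe accepts (assumes monotonic: if N bytes pass, N-1 bytes pass too).
find_max_payload() {
    local host=$1 lo=$2 hi=$3 best=0 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# path_mtu PAYLOAD -> payload plus 20-byte IPv4 header plus 8-byte ICMP header
path_mtu() {
    echo $(( $1 + 28 ))
}

main() {
    # 1472 = 1500-byte Ethernet MTU minus the 28 header bytes
    local max
    max=$(find_max_payload "$1" 0 1472)
    echo "largest DF payload to $1: $max bytes (path MTU ~ $(path_mtu "$max"))"
    if [ "$max" -lt 1472 ]; then
        echo "DF packets above $(path_mtu "$max") bytes are dropped on this path;"
        echo "compare that figure with the client's tun-mtu / mssfix settings"
    fi
}

# Only probe when a host is given, e.g.:  ./mtuprobe.sh 192.168.1.5
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it against the same internal host used for the manual pings; a result well below 1472 on High Sierra but not on Sierra reproduces the symptom described above without guessing sizes.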

  • I've tried with another VPN client (Viscosity): same error.

    I've also tried to connect to an older Sophos (SG115 UTM9): it's working perfectly with High Sierra.

    So the problem seems to be between High Sierra and Sophos XG v17.

    Anybody with an XG model not using v17 to have a try?

  • I also have this same issue. Exact same symptoms. Hopefully someone here has an answer because I need to get my client the ability to connect to his web interfaces from his Mac at home.

  • In reply to Fabien Martinet:

    Short: Ran a test; XG SFOS version likely doesn't matter.

    Long:

    I feel that my duty calls to run the test for you as I have the stuff needed, and I feel the pain of a fellow user in need. I dug out my iMac which I'm not using and started her up.

    MacOS High Sierra 10.13.1 - iMac

    XG running 16.05.8 MR8

    I installed Tunnelblick (3.7.4b stable) to also help OP as much as possible during my test, but it seems like it won't matter which client I used. After failure, I tried their beta 3.7.5beta05.

    End result always the same: I can ping resources on the remote network; however, I cannot get to a web page.

  • In reply to apalm123:

    I'd also like to add that I have a SonicWall SSL VPN that I've used before, and connecting from High Sierra works just fine. Even HTTP access internally. But I don't know what SonicWall uses; they have a proprietary VPN client on the App Store that I am using. So something that Apple changed isn't compatible with Sophos XG's implementation. Plus you mentioned that your UTM works fine.

  • In reply to apalm123:

    Some news.

    I've opened a ticket with Sophos support. Strange issue: they cannot reproduce the error. XG125w, 17.03, High Sierra: ping -D -s 291 works fine.

    I gave support access to one of my boxes and the error appears.

    Now it's on next support level, waiting for news.

    I've done some tests with XG 105, 115 and 125: all the same.

  • I have someone who uses OpenSSL on High Sierra to connect to a different brand firewall with no issue. No issues opening up web interfaces over the VPN. So it is definitely limited to a Sophos thing it appears.

    I also opened up a ticket with Sophos and linked this thread in my ticket. So far the only reply I have gotten is links to basic setup guides for SSL VPN and Macs. Hopefully the tech can help me troubleshoot this issue further, because it seems to be a little more common than I initially thought.


    Edit:

    Also, I, like someone else mentioned above, use my Mac OSX High Sierra to connect to a Sophos UTM using Tunnelblick with no issue whatsoever. It's definitely isolated to just the XG.

  • In reply to Devan Ito:

    Hi,

    I've got confirmation from Sophos level 2 support that it's a bug.

    Now to dev team for patching. I hope it will be ok in next version.

    See you

  • Hi,

    There is a workaround. I have the same problem with HTTP/HTTPS connections to switches from my macOS High Sierra. In Tunnelblick, change the OpenSSL version (see picture) and all works without problem; all HTTP/HTTPS connections are working.

  • In reply to peterstebri:

    Hi Peterstebri,

    It works, thanks a lot.

    See ya

  • In reply to peterstebri:

    Can confirm this issue as well after upgrading to High Sierra - Workaround fixed my problem. Thanks

    I am curious to know what changed though. Sounds like more of an OpenSSL bug than a Sophos problem. Any thoughts?

  • In reply to peterstebri:

    Thanks for this, had me pulling my hair out.

  • Is there a long-term solution? I just set up a new station today and I still had to do the same thing. Shouldn't the newest Sophos firmware keep up with the latest SSL standards?

  • In reply to DanielConley:

    I'm running into the same issue today. Is there any solution that works with Viscosity? That's our standard VPN client. I don't think Viscosity has an option to change the OpenSSL version used.