Sophos Connect Problem - Split and Full Tunnel at the same time on different users

Question

This is more of an FYI post, then a support request. Although I'd like to hear from those that have ran into this issue and if you had any alternate ways of mitigating this. 
 I recently upgraded our XG 310 from 17.5-MR10 to 18.0-MR4, then immediately 18.0-MR5. After upgrading it, one of our long-time Sophos Connect VPN feature broke and it finally took 3 months for support to confirm it's broken. 
 I don't know if this existed in v17.5-MR11+ and prior to v18 FW versions. My open case is (04046519) and support has confirmed the problem and also confirmed no plans on fixing it. None of the release notes that I've dived into has indicated this capability being listed as a change, so I'm sure this was new on support's problem. 
 In prior versions of IPSEC-Sophos Connect VPN, you can set either split-tunnel or full-tunnel and deploy it to each client machine via the scx file configured from the SCAdmin utility. With the new firmware upgrade, the split/full tunnel capability is now handled by the Firewall side instead of the endpoints, even though you can still create profiles using the SCAdmin tool and load it onto a client computer. 
 Even though you can still set full-tunnel or split-tunnel using SCAdmin utility, Sophos Connect will not function correctly if you have your client profile set as Full-Tunnel but the firewall is set to split-tunnel (by way of not configuring the firewall as the default gateway option under the VPN menu). 
 I don't think development knew this would impact some customers that want to use both full tunnel and split-tunnel options at the same time and the loss of this capability (as well as the intent not to fix it with any future update) is frustrating, especially since it took ~3 months to confirm this issue. 
 In my use case, I have ~30 active VPN users, and only 10 need to be on full-tunnel to comply with security standards and data compliance. The other 20 can use Split so it doesn't saturate bandwidth. I dont want everyone to be on full tunnel and eating up all the bandwith if they're just generally browing internet. 
 
 With the new changes, it breaks this option. Here's what works/doesn't work. 
 
 FW (use as default gateway) + SCX profile (full tunnel) - Works 
 FW (use as default gateway) + SCX profile (split-tunnel) - Works, but your connections will be all full-tunnel because of the FW setting and the client machine will have the FW internal IP as the default gateway. 
 FW (don't use as default gateway) + SCX profile (full tunnel) - Will not work because the client machine does not get a default route set. 0.0.0.0/0 is used as the default route and since the firewall is set up to not be the default route, packets have no way of routing. 
 FW (don't use as default gateway) + SCX profile (split tunnel) - Works, just make sure network subnets are configured on both the client SCX profile and the FW's allowed subnets under VPN.

LuCar Toni · Answer

Actually this is well known. 
 The reason is the way of implementation. IPsec is a SA based product. And Sophos Firewall using the configuration daemon on Webadmin will limit the SAs, the firewall will build up. 
 If you have a rather special setup of multiple setups, you should not limit the SAs on the firewall itself. 
 
 What is odd to me, i was confidant, this behavior is explained in the online help, which seems not to be the case. Therefore i will create a change request to add this information to the online help for IPsec.

LuCar Toni · Answer

Just to be sure: This function is not removed. You can simply not configure it on the firewall and the SC will interact like before. 
 The option in Webadmin is a security feature to actually force the firewall to only allow the predefined networks and not anything else. 
 Its true, the documentation is lacking this, therefore it will be added. 
 What is missing is the option to have multiple profiles like you have in SSLVPN. In IPsec, you can have a "Give me all SAs i want" and "Here only take those SAs and ignore everything else".

WKEIT · Answer

I can confirm LuCar Toni's suggestion. It does work and both split/full tunnel did function. 
 
 (top using full tunnel, bottom trace using split-tunnel)

WARNING: BACKUP CONFIGS BEFORE HITTING RESET . Reset will wipe out and disable IPSEC (remote access) settings. If it's not obvious, don't do this when you're connected remotely via IPSEC. 
 After resetting, you'll have to reconfigure pretty much everything again, but leave the advanced section alone . The Advanced section will have the "use as default gateway" option enabled by default.

LuCar Toni Do we know if this is just a workaround and ultimately will sunset and stop working? I'm just surprise support didn't know this worked or was an option. Also, do you know if turning off/on "use as default gateway" option is what breaks it? Since I have it working, I don't want to dink with it but it was a curious thing after I posted this up. 
 
 Thanks for your help with this!

WKEIT · Answer

Just wanted to update this as we found a new issue even with the bypass/workaround suggested by LuCar Toni . 
 We have a fleet of Lenovo ThinkPad Yoga Gen 4, equipped with Fibocom 850 WWAN cards and 4G/LTE service with Verizon. When I had followed the suggestion from LuCar Toni to reset the IPSEC Remote Access settings to get both split/full tunnel working - it worked for the bulk of our users who were using WiFi as their source internet. We just found out today that all of our Fibocom 850 WWAN cellular connected devices were having issues with the Sophos Connect profiles. The symptom are as follow: 
 
 User confirms 4G/LTE connectivity is active (turn off WiFi) and can confirm an IPv6 address from VZW 
 Connects Sophos Connect v2 with a Split Tunnel profile 
 After a few seconds, the cellular connection would disconnect and SC would hang for about 30sec to a minute before it re-establishes connectivity. 
 
 The same issue does not occur if the laptop were to use WiFi connected to a hotspot device that has the same 4G/LTE service from VZW. 
 We downgraded SC back down to v1.4 and loaded the same connection profile that was used in v2.x - same symptoms occurred. We then loaded a new connection profile created in SCAdmin for v1.4 - using Split Tunnel and all seems to be more stable via the FIBOCOM WWAN card. It does disconnect anre reconnect, but very infrequent. The one thing we did notice was that when it did disconnect and reconnect, the negotiation process takes less than 10 seconds before the user notices the disconnect occurred. 
 So at the moment, anyone in the organization that has built-in WWAN is moved back to v1.4 Sophos Connect with its version of profile - while anyone using regular WiFi as a source of internet is still on v2.x with a new connection profile. 
 Our best guess is that the new SC v2.x and the profile, has some type of configuration or setting that does not like the IPv6 coming from the cell card. If we use WiFi, it's IPv4 - which is stable and functions fine. Using the hotspot with 4G/LTE as a middle-man, it's accepting IPv6 from Verizon while translating connectivity to IPv4 to WiFi clients and is why this method works. Just a hypothesis.

Sophos Connect Problem - Split and Full Tunnel at the same time on different users

Top Replies