Sophos XG Home: SSL VPN split tunneling on iPhone not working

I set up SSL VPN split tunneling on XG, but I cannot access the Internet on the iPhone.

The same setting works on PC and Android.

I disabled "Use as default gateway".



Added TAGs
[edited by: emmosophos at 10:52 PM (GMT -7) on 14 Sep 2021]
  • Hi,

    Thank you for reaching out to Sophos Community.

    Could you please share OpenVPN log events?

    Click the symbol shown in the snapshot below to obtain a log file.

    What's the current running firmware version on the XG firewall?

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Thank you for your response

    iPhone iOS 14.7.1

    SFVH (SFOS 18.0.5 MR-5-Build586)

    I masked the public IP.

    OpenVPN log:

    2021-09-14 19:49:06 1
    2021-09-14 19:49:06 ----- OpenVPN Start -----
    2021-09-14 19:49:06 OpenVPN core 3.git::58b92569 ios arm64 64-bit
    2021-09-14 19:49:06 Frame=512/2048/512 mssfix-ctrl=1250
    2021-09-14 19:49:06 UNUSED OPTIONS
    3 [resolv-retry] [infinite]
    4 [nobind]
    5 [persist-key]
    6 [persist-tun]
    14 [route-delay] [4]
    15 [verb] [3]
    2021-09-14 19:49:06 EVENT: RESOLVE
    2021-09-14 19:49:06 Contacting [*.*.*.*]:8443/TCP via TCPv4
    2021-09-14 19:49:06 EVENT: WAIT
    2021-09-14 19:49:06 Connecting to [*.*.*.*]:8443 (*.*.*.*) via TCPv4
    2021-09-14 19:49:06 EVENT: CONNECTING
    2021-09-14 19:49:06 Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
    2021-09-14 19:49:06 Creds: Username/Password
    2021-09-14 19:49:06 Peer Info:
    IV_VER=3.git::58b92569
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO_STUB=1
    IV_COMP_STUB=1
    IV_COMP_STUBv2=1
    IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
    IV_SSO=openurl
    2021-09-14 19:49:07 VERIFY OK: depth=1, /C=TW/ST=NA/L=NA/O=free/OU=OU/CN=Sophos_CA_*/emailAddress=*@*.*
    2021-09-14 19:49:07 VERIFY OK: depth=0, /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5/emailAddress=na@example.com
    2021-09-14 19:49:09 SSL Handshake: CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2021-09-14 19:49:09 Session is ACTIVE
    2021-09-14 19:49:09 EVENT: GET_CONFIG
    2021-09-14 19:49:09 Sending PUSH_REQUEST to server...
    2021-09-14 19:49:10 Sending PUSH_REQUEST to server...
    2021-09-14 19:49:12 Sending PUSH_REQUEST to server...
    2021-09-14 19:49:12 OPTIONS:
    0 [route-gateway] [10.81.234.5]
    1 [sndbuf] [0]
    2 [rcvbuf] [0]
    3 [sndbuf] [0]
    4 [rcvbuf] [0]
    5 [ping] [45]
    6 [ping-restart] [180]
    7 [route] [192.168.99.0] [255.255.255.0]
    8 [topology] [subnet]
    9 [route] [remote_host] [255.255.255.255] [net_gateway]
    10 [inactive] [900] [7680]
    11 [dhcp-option] [DNS] [8.8.8.8]
    12 [dhcp-option] [DNS] [168.95.1.1]
    13 [ifconfig] [10.81.234.6] [255.255.255.0]
    2021-09-14 19:49:12 PROTOCOL OPTIONS:
    cipher: AES-128-CBC
    digest: SHA256
    compress: LZO_STUB
    peer ID: -1
    2021-09-14 19:49:12 EVENT: ASSIGN_IP
    2021-09-14 19:49:12 NIP: preparing TUN network settings
    2021-09-14 19:49:12 NIP: init TUN network settings with endpoint: *.*.*.*
    2021-09-14 19:49:12 NIP: adding IPv4 address to network settings 10.81.234.6/255.255.255.0
    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 10.81.234.0/24
    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 192.168.99.0/24
    2021-09-14 19:49:12 NIP: adding DNS 8.8.8.8
    2021-09-14 19:49:12 NIP: adding DNS 168.95.1.1
    2021-09-14 19:49:12 NIP: adding match domain ALL
    2021-09-14 19:49:12 NIP: adding DNS specific routes:
    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 8.8.8.8/32
    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 168.95.1.1/32
    2021-09-14 19:49:12 Connected via NetworkExtensionTUN
    2021-09-14 19:49:12 LZO-ASYM init swap=0 asym=1
    2021-09-14 19:49:12 Comp-stub init swap=0
    2021-09-14 19:49:12 EVENT: CONNECTED alex@*.*.*.*:8443 (*.*.*.*) via /TCPv4 on NetworkExtensionTUN/10.81.234.6/ gw=[/]

  • Hi, you should not use 8.8.8.8 as a DNS server on the VPN with a split tunnel, unless you allow VPN->WAN with SNAT. This is because 8.8.8.8 is on the outside but you're routing it through the tunnel, so you can't access it. Only put internal DNS in the VPN config.

    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 8.8.8.8/32
    2021-09-14 19:49:12 NIP: adding (included) IPv4 route 168.95.1.1/32

    Bart van der Horst


    Sophos XG v18 Certified Architect
    https://www.bpaz.nl
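
As an added check (not from the thread, and not Sophos or OpenVPN code), the script below parses the OPTIONS block that OpenVPN Connect logged above and reports every pushed DNS server that no split-tunnel route covers. The iOS client pins each pushed DNS server into the tunnel with a /32 route (the "adding DNS specific routes" lines in the log), so any such server is unreachable unless the firewall has a VPN-to-WAN rule with SNAT for it. The sample push is constructed from the thread's values; the "corrected" variant assumes an internal resolver at 192.168.99.1, which is an assumed address and not one from the post.

```python
"""Flag pushed DNS servers that a split-tunnel OpenVPN push does not route.

Added example, not part of the original thread. Parses the "OPTIONS:" block
as OpenVPN Connect for iOS prints it: one option per line, fields in [].
"""
import ipaddress
import re

# Constructed sample push, modelled on the OPTIONS block in the thread's log.
SAMPLE_PUSH = """\
0 [route-gateway] [10.81.234.5]
5 [ping] [45]
7 [route] [192.168.99.0] [255.255.255.0]
8 [topology] [subnet]
9 [route] [remote_host] [255.255.255.255] [net_gateway]
11 [dhcp-option] [DNS] [8.8.8.8]
12 [dhcp-option] [DNS] [168.95.1.1]
13 [ifconfig] [10.81.234.6] [255.255.255.0]
"""

# Constructed "corrected" push: same routes, but DNS is an internal resolver
# inside the pushed LAN route. 192.168.99.1 is an assumed address.
FIXED_PUSH = SAMPLE_PUSH.replace("[8.8.8.8]", "[192.168.99.1]").replace(
    "12 [dhcp-option] [DNS] [168.95.1.1]\n", "")


def parse_push(text):
    """Return pushed routes, the tunnel subnet, DNS servers and whether a
    redirect-gateway (full tunnel) was pushed."""
    routes, dns, tunnel, redirect = [], [], None, False
    for line in text.splitlines():
        if not line.lstrip()[:1].isdigit():
            continue  # not an "N [name] [args...]" option line
        fields = re.findall(r"\[([^\]]*)\]", line)
        if not fields:
            continue
        name, args = fields[0], fields[1:]
        if name == "route" and len(args) >= 2:
            try:
                routes.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
            except ValueError:
                # "route remote_host 255.255.255.255 net_gateway" is the
                # exclusion for the VPN server itself, not a tunnel route.
                pass
        elif name == "ifconfig" and len(args) == 2:
            tunnel = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif name == "dhcp-option" and len(args) == 2 and args[0].upper() == "DNS":
            dns.append(ipaddress.ip_address(args[1]))
        elif name == "redirect-gateway":
            redirect = True
    return {"routes": routes, "tunnel": tunnel, "dns": dns,
            "redirect_gateway": redirect}


def dns_outside_tunnel(push):
    """DNS servers not inside the tunnel subnet or any pushed route.

    With a full tunnel every destination goes through the VPN by design, so
    there is nothing to flag; with a split tunnel, each server returned here
    is one the iOS client will still send into the tunnel via its /32 route,
    where the firewall has no split-tunnel route (or VPN->WAN SNAT) for it.
    """
    if push["redirect_gateway"]:
        return []
    covered = list(push["routes"])
    if push["tunnel"] is not None:
        covered.append(push["tunnel"])
    return [str(d) for d in push["dns"] if not any(d in net for net in covered)]


def report(text):
    """Human-readable one-line verdict for a pasted OPTIONS block."""
    bad = dns_outside_tunnel(parse_push(text))
    if not bad:
        return "OK: every pushed DNS server is reachable through a pushed route"
    return ("PROBLEM: DNS " + ", ".join(bad) +
            " is pushed but no split-tunnel route covers it; "
            "use an internal resolver or add a VPN->WAN rule with SNAT")


if __name__ == "__main__":
    print("thread's push :", report(SAMPLE_PUSH))
    print("corrected push:", report(FIXED_PUSH))
```

Paste the OPTIONS block from an OpenVPN Connect log into `report()` to get the same verdict for your own server; the parser ignores timestamps and the surrounding log lines because it only reads lines that start with an option index.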

  • Hi,

    This is the route table on the PC.
    The DNS routes are not added to the route table.
    The routes of the Sophos SSL VPN on the PC and on the iPhone are different.
