
Unidentified Network - Kerberos Auth Problem only with SSL and without NETBIOS

Hello

We have disabled NETBIOS / WINS for our domain network on the client side. Since we did this, we have problems authenticating to our domain controller through SSL VPN. With IPsec VPN all is fine. Also in the LAN all is fine. Both SSL and IPsec use the same firewall rules. With NETBIOS enabled, authentication with SSL works fine; the domain controller also gets the Kerberos ticket with SSL. We tried with several machines with the same result.

The Sophos TAP adapter has the lowest interface metric of all adapters (2).

Any ideas why this happens?

Please also see the attached pictures.

Thanks a lot for helping

IPSec:

SSL:





This thread was automatically locked due to age.
[unlocked by: LuCar Toni at 9:00 AM (GMT -7) on 25 Sep 2024]
  • Could it be related to the DNS implications in SSLVPN? You have DNS request routes in SFOS, that's not part of IPsec. Which means, if Windows cannot figure out the domain after disabling NetBIOS, it could be the cause of your issue. Check the DNS captures here. 


  • Hi LuCar, thank you for the fast answer. I don't see any DNS request routes. Could it have something to do with what I did because of the issue in this thread?

    # Clamp the TCP MSS to 1300 on SYN packets from the SSL VPN pool to the LAN
    iptables -t mangle -I POSTROUTING -s 172.20.10.0/24 -d 10.10.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;

    # Same clamp for the return direction, LAN to SSL VPN pool
    iptables -t mangle -I POSTROUTING -s 10.10.0.0/16 -d 172.20.10.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300;



  • Essentially this looks to be a Windows issue, to be honest. I don't have much insight into this problem. You should check what kind of mechanism Windows uses to check for discovery. 

    https://serverfault.com/questions/814557/changing-windows-network-profile-from-domainauthenticated-to-public

    Looking into this, it looks to be related to DNS. 


  • If it were a Windows problem, why do we have no problems with IPsec or in the LAN with the same clients?

  • So basically Windows is doing something like a discovery. Not sure what Windows does there; it needs to be "reverse engineered" to get to the bottom of this. 
    SSLVPN does something different than IPsec in terms of IPsec. So that could be the cause. 

    Check the OpenVPN community as well, to see if you find some kind of hint there. 


  • After researching my problem related to OpenVPN, I added a route on my test machine.

    • route -p add 0.0.0.0 mask 0.0.0.0 192.168.0.1 metric 50 if 25

    In more than 10 test connections I got a domain-authenticated connection every time. Is there any possibility to depict this in our firewall? Touching every VPN client in our network is not a good option.

    Link of (maybe) solution
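The same change as the route command in the post above, done as a reversible test instead of a persistent route, as an added example that is neither the poster's nor Sophos's code: add the default route in the active store only, give NLA a moment, check whether the TAP adapter now reports DomainAuthenticated and whether a domain controller answers on LDAP/389 through the tunnel, and remove the route again unless -Persist is given, in which case it is written the way the post did it (route -p add). The interface index 25, gateway 192.168.0.1 and metric 50 are taken from the post as defaults and must match the client; the domain is read from $env:USERDNSDOMAIN. Run it in an elevated PowerShell with the SSL VPN connected.

```powershell
# Added example, not from the original post. Tests the posted default-route fix
# non-persistently, verifies NLA and LDAP reachability, then rolls back unless -Persist.
# Assumptions (placeholders from the post, adjust to the client): TAP ifIndex 25,
# VPN-side gateway 192.168.0.1, route metric 50; run elevated with the VPN up.
function Test-DefaultRouteViaTap {
    param(
        [int]$TapIfIndex = 25,
        [string]$Gateway  = '192.168.0.1',
        [int]$Metric      = 50,
        [string]$Domain   = $env:USERDNSDOMAIN,
        [switch]$Persist
    )
    $tap    = Get-NetIPInterface -InterfaceIndex $TapIfIndex -AddressFamily IPv4 -ErrorAction Stop
    $before = (Get-NetConnectionProfile -InterfaceIndex $TapIfIndex).NetworkCategory

    # Active store only: this route is gone after a reboot or a VPN reconnect.
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $TapIfIndex -NextHop $Gateway `
                 -RouteMetric $Metric -PolicyStore ActiveStore -ErrorAction Stop | Out-Null
    try {
        Start-Sleep -Seconds 10   # NLA re-evaluates the profile after a routing change
        $after = (Get-NetConnectionProfile -InterfaceIndex $TapIfIndex).NetworkCategory

        # Domain authentication needs a DC reachable on LDAP through the tunnel:
        # resolve the DC locator SRV record and probe the first target on 389.
        $dc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
        $ldapOk = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet

        $ok = ($after -eq 'DomainAuthenticated') -and $ldapOk
        if ($ok -and $Persist) {
            # Proven on this client: swap the test route for a persistent one, as in the post.
            Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $TapIfIndex `
                            -NextHop $Gateway -Confirm:$false
            route.exe -p add 0.0.0.0 mask 0.0.0.0 $Gateway metric $Metric if $TapIfIndex | Out-Null
        }
        [pscustomobject]@{
            Interface        = $tap.InterfaceAlias
            Before           = $before
            After            = $after
            DomainController = $dc
            LdapReachable    = $ldapOk
            Persisted        = [bool]($ok -and $Persist)
        }
    } finally {
        if (-not ($ok -and $Persist)) {
            # Roll the test route back (also runs if anything above threw).
            Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $TapIfIndex -NextHop $Gateway `
                            -Confirm:$false -ErrorAction SilentlyContinue
        }
    }
}

Test-DefaultRouteViaTap | Format-List
```

Two caveats when trying this: a default route into the tunnel is only safe if the client keeps a more specific route to the VPN server's own address via the physical adapter (the OpenVPN-based client normally adds one); if the VPN drops the moment the route appears, that route is missing. And DomainAuthenticated plus an open LDAP port is a proxy, not the end-to-end proof; `klist purge` followed by `klist get krbtgt/<domain>` shows whether a Kerberos ticket is actually obtained over the VPN.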

  • We are now spending some time trying to recreate this issue, but no success from our end. 

    One thing which I found a little bit odd in this setup is: you are using the same networks in your office and at home.

    Most of the time, this is something an admin wants to avoid. 
    Using the classic "192.168.0.0/24, 192.168.1.0/24" can be tricky, as it confuses VPN clients. (One of the reasons AVM moved to 192.168.178.0/24.) 

    Any reason you chose to do this? Could you, to double check, change the network of either one and see if it still happens? 


  • Sorry, the system auto-blocks threads after some months of inactivity; Sophos mods can still reply to those. I did not notice it was blocked. 
    Unblocked it. 

    One more thought here: 
    Looking into this, do we have a tcpdump from the client with SSL, filtered on DNS? From both interfaces (TAP and ethernet) at the same time? 
    Do you see any kind of DNS requests for your domain on the ethernet and not on the TAP adapter? 

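One way to answer the request just above (which adapter's DNS path the domain lookups take) and the original question at the top (why the TAP adapter ends up "Unidentified" although it has the lowest metric) without a packet capture, as an added example that is not part of the original thread: for every connected IPv4 interface, ask that interface's own DNS servers for the DC locator SRV record Windows must resolve before it can reach a domain controller, and print the answer next to the interface metric and the NLA network category, followed by the default routes with their effective metric. Assumed: it runs as a domain user on the Windows client while the SSL VPN is connected, and the domain defaults to $env:USERDNSDOMAIN.

```powershell
# Added example, not from the original thread. Per-interface view of what NLA and
# the DC locator see on a Windows VPN client. Assumption: run on the client as a
# domain user with the SSL VPN connected; $Domain defaults to USERDNSDOMAIN.
function Get-VpnDomainDiagnostics {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw 'No domain given and USERDNSDOMAIN is not set.' }

    # The SRV record Windows resolves to find a DC before Kerberos/LDAP can start.
    $dcSrv = "_ldap._tcp.dc._msdcs.$Domain"

    # NLA verdict per interface: DomainAuthenticated, Private or Public.
    $profiles = Get-NetConnectionProfile

    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        ForEach-Object {
            $if       = $_
            $profile  = $profiles | Where-Object InterfaceIndex -eq $if.InterfaceIndex
            $category = if ($profile) { $profile.NetworkCategory } else { 'n/a' }
            $dns      = (Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex `
                            -AddressFamily IPv4).ServerAddresses

            # Ask each of this interface's DNS servers directly (-DnsOnly skips the
            # local cache), so the result shows which path can actually locate a DC.
            $dcFound = foreach ($server in $dns) {
                try {
                    Resolve-DnsName -Name $dcSrv -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                        Where-Object Type -eq 'SRV' |
                        ForEach-Object { "$server -> $($_.NameTarget):$($_.Port)" }
                } catch {
                    "$server -> no answer ($($_.Exception.Message))"
                }
            }

            [pscustomobject]@{
                Interface       = $if.InterfaceAlias
                IfIndex         = $if.InterfaceIndex
                InterfaceMetric = $if.InterfaceMetric   # lower wins between equal-prefix routes
                NetworkCategory = $category
                DnsServers      = ($dns -join ', ')
                DcLocator       = ($dcFound -join '; ')
            }
        }
}

# Default routes with both metrics: the effective cost of a route is
# RouteMetric + InterfaceMetric, which is what the poster's added route competes on.
function Get-DefaultRoutes {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object InterfaceIndex, InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
}

Get-VpnDomainDiagnostics | Format-Table -AutoSize
Get-DefaultRoutes        | Format-Table -AutoSize
```

Reading the output: if the DC locator record resolves only through the ethernet adapter's DNS servers, the domain lookups are leaving on that adapter regardless of the TAP metric, which is exactly what the tcpdump requested above would show; if the TAP adapter's DNS servers answer but its NetworkCategory is still not DomainAuthenticated, the problem sits after name resolution, in reaching the DC itself over the tunnel.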

  • Newest information from Sophos Global Support. Further information coming.

    We successfully replicated the issue in our lab environment. Here are the details:

    1. Client Machine in Same Network as Private Resources:
      • Network Configuration:
        • Office and home networks belong to the same range.
      • With SSL VPN and NetBIOS Enabled:
        • The Sophos TAP adapter is recognized as part of the Domain Network.
      • With SSL VPN and NetBIOS Disabled:
        • The Sophos TAP adapter is labeled as “Unidentified Network.”
    2. Client Machine in Different Network from Private Resources:
      • Network Configuration:
        • Office and home networks belong to different ranges.
      • With SSL VPN and NetBIOS Enabled:
        • The Sophos TAP adapter is recognized as part of the Domain Network.
      • With SSL VPN and NetBIOS Disabled:
        • The Sophos TAP adapter is labeled as “Unidentified Network.”

    Conclusion: This appears to be an issue related to the OpenVPN TAP adapter utilized by Sophos Connect.