
SSL VPN no Internet access

I have set up an SSL VPN connection in Sophos Firewall v20 Build 222.
I can access local services and machines, no problems there, but I can't get internet access.

When I ping external sources no packets come through, however domain names are resolved:

ping www.kde.org:
PING tyran.kde.org (85.10.198.55) 56(84) bytes of data.
^C
--- tyran.kde.org ping statistics ---
42 packets transmitted, 0 received, 100% packet loss, time 41959ms

These are my settings:

The SSL VPN Global settings

Mostly kept as is, but added Override hostname (same as DDNS) which resolves to my IP.
The IPv4 DNS servers are both in my network; one of them is the DNS on the firewall.

My user login settings:

Using tunnel as default gateway on or off makes no difference.
The LAN network contains the local IP range 192.168.10.0/24.
I tried adding #Port2 just to have tried every possibility I could think of. It is now removed since it had no effect.

Automatic generated Firewall rule:

The only change here is that I tried adding ##ALL_SSLVPN_RW to the source network.
No VPN firewall security features are enabled.

SSL VPN Authentication method:

Default kept here.

Clients:

I’m using OpenVPN Client 3.4.2 on my mobile devices and NetworkManager (KDE5) on my Laptop

Some changes had to be made to the downloaded .ovpn file to get it to import in NetworkManager.
The following line needed to be commented out:

route remote_host 255.255.255.255 net_gateway

The default LAN to WAN firewall rule is left at default, except that
Block QUIC protocol has been activated and all malware and content scanning is activated.
So Source, Destination and Services are set to Any.

I have tried different settings all over without any change. I'm out of ideas on how to get this to work.
The traffic has to be blocked somewhere, I just can't see where.
[edited by: Raphael Alganes at 12:14 PM (GMT -7) on 17 May 2024]
  • Please check via tcpdump on the XGS if the internet traffic packets are reaching the XGS. If they are not, then please check on the client which route they are taking. Also, for any dropped packets on the XGS, you can use drppkt command (by doing ssh to the XGS device and logging in to the shell) on the XGS shell to see if packets are being dropped.

  • Hello,

    Thank you for reaching out to the Sophos Community!

    1. Review the output of the route print command on the Windows client PC and check for the default route via the SSL VPN IP.
    2. If there is no default route via the SSL VPN IP, run the client with admin rights.
    3. If the default route via the SSL VPN IP is present on the end PC, start a ping to 8.8.4.4 and at the same time review tcpdump on the firewall for 8.8.4.4 to validate whether the traffic reaches the firewall and what action has been taken by Sophos Firewall.

    If this still does not work, DM me with the access ID and the client PC from which you have started the ping to 8.8.4.4.

    Thank you for choosing Sophos!

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • This is the result using "tcpdump -ni any host 10.81.128.2 and port 443"; the host IP is the one given to my phone's OpenVPN client.

    13:26:31.488771 tun1, IN: IP 10.81.128.2.39360 > 2.18.173.122.443: Flags [S], seq 370937932, win 65535, options [mss 1358,sackOK,TS val 298788200 ecr 0,nop,wscale 9], length 0
    13:26:31.488814 Port2, OUT: IP 10.81.128.2.39366 > 2.18.173.122.443: Flags [S], seq 3836457531, win 65535, options [mss 1358,sackOK,TS val 298788200 ecr 0,nop,wscale 9], length 0
    13:26:31.488836 Port2, OUT: IP 10.81.128.2.39360 > 2.18.173.122.443: Flags [S], seq 370937932, win 65535, options [mss 1358,sackOK,TS val 298788200 ecr 0,nop,wscale 9], length 0
    13:26:31.488870 Port2, OUT: IP 10.81.128.2.39362 > 2.18.173.122.443: Flags [S], seq 878262122, win 65535, options [mss 1358,sackOK,TS val 298788200 ecr 0,nop,wscale 9], length 0
    13:26:31.488872 Port2, OUT: IP 10.81.128.2.39364 > 2.18.173.122.443: Flags [S], seq 85460282, win 65535, options [mss 1358,sackOK,TS val 298788200 ecr 0,nop,wscale 9], length 0
    13:26:31.839669 tun1, IN: IP 10.81.128.2.39374 > 2.18.173.122.443: Flags [S], seq 2999097084, win 65535, options [mss 1358,sackOK,TS val 298788552 ecr 0,nop,wscale 9], length 0
    13:26:31.839744 Port2, OUT: IP 10.81.128.2.39374 > 2.18.173.122.443: Flags [S], seq 2999097084, win 65535, options [mss 1358,sackOK,TS val 298788552 ecr 0,nop,wscale 9], length 0
    13:26:31.951726 tun1, IN: IP 10.81.128.2.37248 > 143.204.42.139.443: Flags [S], seq 582205117, win 65535, options [mss 1358,sackOK,TS val 3475936391 ecr 0,nop,wscale 9], length 0
    13:26:31.951811 Port2, OUT: IP 10.81.128.2.37248 > 143.204.42.139.443: Flags [S], seq 582205117, win 65535, options [mss 1358,sackOK,TS val 3475936391 ecr 0,nop,wscale 9], length 0
    13:26:32.230503 tun1, IN: IP 10.81.128.2.37250 > 143.204.42.139.443: Flags [S], seq 2887704772, win 65535, options [mss 1358,sackOK,TS val 3475936647 ecr 0,nop,wscale 9], length 0
    13:26:32.230599 Port2, OUT: IP 10.81.128.2.37250 > 143.204.42.139.443: Flags [S], seq 2887704772, win 65535, options [mss 1358,sackOK,TS val 3475936647 ecr 0,nop,wscale 9], length 0

    and it looks like the packets reach the firewall.

    drppkt does not report anything dropped.

  • This is the output from route (Linux not Windows):

    Before Connected to VPN SSL:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         Firewall        0.0.0.0         UG    600    0        0 wlp1s0
    link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
    192.168.0.0     0.0.0.0         255.255.0.0     U     600    0        0 wlp1s0
    

    After Connected to VPN SSL:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         _gateway        0.0.0.0         UG    50     0        0 tun0
    default         Firewall        0.0.0.0         UG    600    0        0 wlp1s0
    10.81.0.0       0.0.0.0         255.255.0.0     U     50     0        0 tun0
    ***.**-***-***. Firewall        255.255.255.255 UGH   50     0        0 wlp1s0 # IP censored
    link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
    192.168.0.0     0.0.0.0         255.255.0.0     U     600    0        0 wlp1s0
    Firewall        0.0.0.0         255.255.255.255 UH    50     0        0 wlp1s0

    And this is the tcpdump:

    14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:18.060638 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
    14:07:18.060660 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
    14:07:19.084163 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 8, length 64
    14:07:19.084187 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 8, length 64
    

    It looks like the packets reach the firewall and are sent out on Port2, which is the WAN port.
    But nothing is coming back.

  • Hi, here it seems your VPN to WAN rule does not have a linked NAT rule, or no other matching NAT rule exists in the NAT rule table for this VPN to WAN firewall rule to apply a NAT action. Because of this, while the traffic is going out via WAN Port2, the source IP remains the original one (the SSL VPN machine's leased IP), which ideally should not be the case when traffic goes out to the WAN interface over the WAN zone.

    14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
    14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64

    To fix the issue, I would suggest creating a linked NAT rule (with NAT action MASQ) in the existing VPN to WAN rule through which this traffic is being allowed, and then confirming the status.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

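The two checks the support replies ask for (is the tunnel the client's default route, and does the traffic leaving the WAN port still carry the VPN lease IP, i.e. no masquerade applied) can be automated against the command output pasted in this thread. The script below is an added example, not part of the thread or of Sophos' tooling; it parses the `route` and `tcpdump -ni any` formats shown above. The sample lines are constructed (the masqueraded public address 203.0.113.10, the WAN interface name Port2 and the VPN pool 10.81.0.0/16 are assumptions taken from or modelled on the thread) so the script runs offline.

```python
import ipaddress
import re

# Constructed sample in the same format as the thread's tcpdump output.
# The first echo request leaves Port2 with its VPN lease IP unchanged (the
# symptom diagnosed above); the second is shown as it would look once a
# MASQ NAT rule rewrites the source to the (made-up) WAN address 203.0.113.10.
SAMPLE_TCPDUMP = """\
14:07:17.031785 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:17.031807 Port2, OUT: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 6, length 64
14:07:18.060638 tun0, IN: IP 10.81.0.2 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
14:07:18.060660 Port2, OUT: IP 203.0.113.10 > 8.8.4.4: ICMP echo request, id 34008, seq 7, length 64
"""

# Constructed sample modelled on the Linux `route` output in the thread.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         Firewall        0.0.0.0         UG    600    0        0 wlp1s0
10.81.0.0       0.0.0.0         255.255.0.0     U     50     0        0 tun0
"""

# timestamp, interface, direction, then "src[.port] > dst[.port]:"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_tcpdump(text):
    """Return one dict per parsable tcpdump line (ts, iface, dir, src, dst)."""
    records = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def unmasqueraded_egress(text, wan_iface="Port2", vpn_pool="10.81.0.0/16"):
    """(ts, src, dst) for packets leaving wan_iface that still carry a
    VPN-pool source address, i.e. no SNAT/MASQ rule rewrote them."""
    pool = ipaddress.ip_network(vpn_pool)
    hits = []
    for r in parse_tcpdump(text):
        if (r["dir"] == "OUT" and r["iface"] == wan_iface
                and ipaddress.ip_address(r["src"]) in pool):
            hits.append((r["ts"], r["src"], r["dst"]))
    return hits


def default_route_ifaces(route_text):
    """Interfaces carrying a default route, lowest metric (preferred) first."""
    rows = []
    for line in route_text.splitlines():
        cols = line.split()
        # Destination Gateway Genmask Flags Metric Ref Use Iface
        if len(cols) >= 8 and cols[0] in ("default", "0.0.0.0"):
            rows.append((int(cols[4]), cols[7]))
    return [iface for _, iface in sorted(rows)]


def tunnel_is_default_gateway(route_text):
    """True when the preferred default route points at a tun interface."""
    ifaces = default_route_ifaces(route_text)
    return bool(ifaces) and ifaces[0].startswith("tun")


if __name__ == "__main__":
    print("default route via tunnel:", tunnel_is_default_gateway(SAMPLE_ROUTES))
    for ts, src, dst in unmasqueraded_egress(SAMPLE_TCPDUMP):
        print(f"{ts}: {src} -> {dst} left the WAN port without NAT")
```

Run the script as-is to see it flag the first Port2 line; to use it on a real capture, replace SAMPLE_TCPDUMP with the output of `tcpdump -ni any host <vpn client ip>` from the firewall shell and SAMPLE_ROUTES with the client's `route` output. Any hit from unmasqueraded_egress means the reply from the internet host will be addressed to a private VPN address that the upstream network cannot route back, which is exactly the "nothing is coming back" observed in the thread.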

  • Thanks that was the missing piece.

    I wonder why this is not mentioned in the how-to guides or videos? I got the impression that setting "Use as default gateway" was enough.

    But it was a great learning experience anyway, and I thank you all for helping me.

  • Hi, thanks for sharing the status; I am glad that the issue is fixed with the suggested action. Regarding these steps in the how-to guides or videos, let me go through the same, and I will try to add them to any of the appropriate guides, RR or videos by working with our team internally.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
