SSL VPN on iPhone not working

Hello,

suddenly my SSL VPN access via iPhone no longer works.

* The iPhone (OpenVPN Connect app) can connect (see log file).

* In Sophos XG I can see the connection under "Current Activities".

* From the Sophos I can ping its own VPN device (192.168.10.20) and also the VPN IP of the iPhone (192.168.10.21).

* From the iPhone I can ping neither its own VPN IP (192.168.10.21) nor the VPN IP of the Sophos.

My suspicion: something is wrong with the routing. But I have no idea what.

How or where is the best place to keep looking?

Many thanks!

Tony

Here is the log from the iPhone:

2021-09-08 22:02:54 1

2021-09-08 22:02:54 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-09-08 22:02:54 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-09-08 22:02:54 Frame=512/2048/512 mssfix-ctrl=1250

2021-09-08 22:02:54 UNUSED OPTIONS
3 [explicit-exit-notify] 
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
15 [route-delay] [4] 
16 [verb] [3] 

2021-09-08 22:02:54 EVENT: RESOLVE

2021-09-08 22:02:54 Contacting [181.192.130.13]:8443/UDP via UDP

2021-09-08 22:02:54 EVENT: WAIT

2021-09-08 22:02:54 Connecting to [meine-externe-IP]:8443 (181.192.130.13) via UDPv4

2021-09-08 22:02:54 EVENT: CONNECTING

2021-09-08 22:02:54 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client

2021-09-08 22:02:54 Creds: Username/Password

2021-09-08 22:02:54 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-09-08 22:02:55 VERIFY OK: depth=1, /C=DE/ST=NA/L=NA/O=privat/OU=OU/CN=Sophos_CA_C01001X2WHJP2D1/emailAddress=meine.email@adresse.de

2021-09-08 22:02:55 VERIFY OK: depth=0, /C=DE/ST=NA/L=NA/O=privat/OU=OU/CN=SophosApplianceCertificate_C01001X2WHJP2D1/emailAddress=meine.email@adresse.de

2021-09-08 22:02:55 SSL Handshake: CN=SophosApplianceCertificate_C01001X2WHJP2D1, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

2021-09-08 22:02:55 Session is ACTIVE

2021-09-08 22:02:55 EVENT: GET_CONFIG

2021-09-08 22:02:55 Sending PUSH_REQUEST to server...

2021-09-08 22:02:56 Sending PUSH_REQUEST to server...

2021-09-08 22:02:57 OPTIONS:
0 [route-gateway] [192.168.10.20] 
1 [sndbuf] [0] 
2 [rcvbuf] [0] 
3 [sndbuf] [0] 
4 [rcvbuf] [0] 
5 [ping] [45] 
6 [ping-restart] [180] 
7 [redirect-gateway] [def1] 
8 [topology] [subnet] 
9 [route] [remote_host] [255.255.255.255] [net_gateway] 
10 [inactive] [900] [7680] 
11 [ifconfig] [192.168.10.21] [255.255.255.0] 


2021-09-08 22:02:57 PROTOCOL OPTIONS:
  cipher: AES-128-CBC
  digest: SHA256
  compress: LZO_STUB
  peer ID: -1

2021-09-08 22:02:57 EVENT: ASSIGN_IP

2021-09-08 22:02:57 NIP: preparing TUN network settings

2021-09-08 22:02:57 NIP: init TUN network settings with endpoint: 181.192.130.13

2021-09-08 22:02:57 NIP: adding IPv4 address to network settings 192.168.10.21/255.255.255.0

2021-09-08 22:02:57 NIP: adding (included) IPv4 route 192.168.10.0/24

2021-09-08 22:02:57 NIP: redirecting all IPv4 traffic to TUN interface

2021-09-08 22:02:57 Connected via NetworkExtensionTUN

2021-09-08 22:02:57 LZO-ASYM init swap=0 asym=1

2021-09-08 22:02:57 Comp-stub init swap=0

2021-09-08 22:02:57 EVENT: CONNECTED mein_iphoneneu@meine-externe-IP:8443 (181.192.130.13) via /UDPv4 on NetworkExtensionTUN/192.168.10.21/ gw=[/]

iphone__ssl_vpn_config.ovpn

client
dev tun
proto udp
explicit-exit-notify
;verify-x509-name "C=DE, ST=NA, L=NA, O=privat, OU=OU, CN=SophosApplianceCertificate_C01001X2WHJP2D1, emailAddress=meine.email@adresse.de"
;route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
snip
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo no
;can_save no
;otp no
;run_logon_script no
;auto_connect 
route-delay 4
verb 3
reneg-sec 86400
remote meine-externe-IP 8443
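As an added example (not from the original post and not Sophos or OpenVPN code), here is a small Python parser that pulls the "Connecting to" endpoint and the pushed OPTIONS block out of an OpenVPN Connect log like the one above and reconstructs the routing state the client installs: the lease subnet from `ifconfig`, whether `redirect-gateway def1` sends all IPv4 traffic into the tunnel, and the `remote_host 255.255.255.255 net_gateway` exception that keeps the VPN server's own public address on the physical interface. The log excerpt embedded in the block is constructed from the lines posted above; the helper names are my own.

```python
"""Reconstruct client-side routing from an OpenVPN Connect log.

Added example for this thread; not Sophos or OpenVPN code. Parses the pushed
OPTIONS block (lines like "9 [route] [remote_host] [255.255.255.255] [net_gateway]")
and answers "does traffic to X enter the TUN interface on the client?".
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the iPhone log posted above (same values as the post).
SAMPLE_LOG = """\
2021-09-08 22:02:54 Connecting to [meine-externe-IP]:8443 (181.192.130.13) via UDPv4
2021-09-08 22:02:57 OPTIONS:
0 [route-gateway] [192.168.10.20]
1 [sndbuf] [0]
5 [ping] [45]
7 [redirect-gateway] [def1]
8 [topology] [subnet]
9 [route] [remote_host] [255.255.255.255] [net_gateway]
10 [inactive] [900] [7680]
11 [ifconfig] [192.168.10.21] [255.255.255.0]

2021-09-08 22:02:57 PROTOCOL OPTIONS:
"""

OPTION_RE = re.compile(r"^\d+\s+((?:\[[^\]]*\]\s*)+)$")
ENDPOINT_RE = re.compile(r"Connecting to \[[^\]]+\]:\d+ \((\d+\.\d+\.\d+\.\d+)\)")


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # an IP, "route_gateway", or "net_gateway" (physical default gw)

    @property
    def bypasses_tunnel(self) -> bool:
        # OpenVPN's net_gateway keyword means "via the pre-VPN default gateway".
        return self.gateway == "net_gateway"


@dataclass
class ClientRouting:
    local_ip: Optional[ipaddress.IPv4Address] = None
    tunnel_subnet: Optional[ipaddress.IPv4Network] = None
    route_gateway: Optional[str] = None
    redirect_all: bool = False
    routes: List[Route] = field(default_factory=list)

    def tunnels(self, dest: str) -> bool:
        """True if packets to dest leave the client through the TUN interface."""
        addr = ipaddress.ip_address(dest)
        # Longest-prefix match among pushed routes; a /32 bypass beats def1.
        for r in sorted(self.routes, key=lambda r: r.network.prefixlen, reverse=True):
            if addr in r.network:
                return not r.bypasses_tunnel
        if self.tunnel_subnet is not None and addr in self.tunnel_subnet:
            return True
        return self.redirect_all

    def routes_beyond_tunnel(self) -> List[Route]:
        """Explicit pushed routes into the tunnel other than the lease subnet."""
        return [r for r in self.routes
                if not r.bypasses_tunnel and r.network != self.tunnel_subnet]


def parse_client_log(text: str) -> ClientRouting:
    state = ClientRouting()
    endpoint = None
    in_options = False
    for line in text.splitlines():
        m = ENDPOINT_RE.search(line)
        if m:
            endpoint = m.group(1)  # resolved server IP, used for remote_host
        if line.endswith("OPTIONS:") and "PROTOCOL" not in line:
            in_options = True
            continue
        if not in_options:
            continue
        m = OPTION_RE.match(line.strip())
        if not m:
            in_options = False  # blank line / next section ends the block
            continue
        fields = re.findall(r"\[([^\]]*)\]", m.group(1))
        key, args = fields[0], fields[1:]
        if key == "ifconfig":
            state.local_ip = ipaddress.ip_address(args[0])
            state.tunnel_subnet = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif key == "route-gateway":
            state.route_gateway = args[0]
        elif key == "redirect-gateway":
            state.redirect_all = True  # "def1" or plain: everything via TUN
        elif key == "route":
            dst, mask = args[0], args[1]
            gw = args[2] if len(args) > 2 else "route_gateway"
            if dst == "remote_host":
                dst = endpoint
            state.routes.append(Route(ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw))
    return state


if __name__ == "__main__":
    s = parse_client_log(SAMPLE_LOG)
    print("lease:", s.local_ip, "in", s.tunnel_subnet, "gw", s.route_gateway)
    print("redirect-gateway:", s.redirect_all)
    for r in s.routes:
        print("route", r.network, "via", r.gateway, "(bypass)" if r.bypasses_tunnel else "")
    print("extra tunnel routes:", s.routes_beyond_tunnel())
    for d in ("192.168.10.20", "181.192.130.13", "10.0.0.5"):
        print(d, "->", "TUN" if s.tunnels(d) else "physical")
```

Run against the posted excerpt it reports the lease 192.168.10.21/24 with gateway 192.168.10.20, redirect-gateway on, a single /32 bypass route for the server's public address, and no explicit pushed route for any internal network. Because of `redirect-gateway def1` (the "redirecting all IPv4 traffic to TUN interface" line), every other destination still enters the tunnel on the phone, so this check tells you what the client will send into the tunnel; whether the firewall answers it is what the server-side log has to show.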

    Hi,

    Thank you for reaching out to Sophos Community.

    It seems 192.168.10.xx/24 is your SSL VPN IPv4 lease network.

    As per the OpenVPN events, the IP 192.168.10.21 was assigned to the TUN interface and the route for it was also added.

    =============================================

    2021-09-08 22:02:57 OPTIONS:
    0 [route-gateway] [192.168.10.20]
    1 [sndbuf] [0]
    2 [rcvbuf] [0]
    3 [sndbuf] [0]
    4 [rcvbuf] [0]
    5 [ping] [45]
    6 [ping-restart] [180]
    7 [redirect-gateway] [def1]
    8 [topology] [subnet]
    9 [route] [remote_host] [255.255.255.255] [net_gateway]
    10 [inactive] [900] [7680]
    11 [ifconfig] [192.168.10.21] [255.255.255.0]


    2021-09-08 22:02:57 PROTOCOL OPTIONS:
    cipher: AES-128-CBC
    digest: SHA256
    compress: LZO_STUB
    peer ID: -1

    2021-09-08 22:02:57 EVENT: ASSIGN_IP

    2021-09-08 22:02:57 NIP: preparing TUN network settings

    2021-09-08 22:02:57 NIP: init TUN network settings with endpoint: 181.192.130.13

    2021-09-08 22:02:57 NIP: adding IPv4 address to network settings 192.168.10.21/255.255.255.0

    2021-09-08 22:02:57 NIP: adding (included) IPv4 route 192.168.10.0/24

    2021-09-08 22:02:57 NIP: redirecting all IPv4 traffic to TUN interface

    2021-09-08 22:02:57 Connected via NetworkExtensionTUN

    =============================================

    But no other route was added for the 'Permitted network resources (IPv4)' of the SSL VPN remote access policy.

    Is this issue observed with all iPhone devices?

    Please check the sslvpn.log events on the XG firewall while connecting to the SSL VPN from the iPhone.

    Log in via SSH > 5. Device Management > 3. Advanced Shell

    # tail -f /log/sslvpn.log

    Thanks,
    Yash Kothari
    Global Community Support Engineer | Sophos Technical Support