
SSL VPN on iPhone not working

Hello,

my SSL VPN access via iPhone has suddenly stopped working.

* The iPhone (OpenVPN Connect app) can connect (see log file)

* In Sophos XG I can see the connection under "Current activities".

* From the Sophos I can ping its own VPN device (192.168.10.20) and also the iPhone's VPN IP (192.168.10.21).

* From the iPhone I can ping neither its own VPN IP (192.168.10.21) nor the VPN IP of the Sophos.

My suspicion: something is wrong with the routing. But I have no idea.

How or where is the best place to keep looking?

Thank you very much!

Tony

Here is the log from the iPhone:

021-09-08 22:02:54 1
2021-09-08 22:02:54 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-08 22:02:54 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-08 22:02:54 Frame=512/2048/512 mssfix-ctrl=1250
2021-09-08 22:02:54 UNUSED OPTIONS
3 [explicit-exit-notify]
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
15 [route-delay] [4]
16 [verb] [3]
2021-09-08 22:02:54 EVENT: RESOLVE
2021-09-08 22:02:54 Contacting [181.192.130.13]:8443/UDP via UDP
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

iphone__ssl_vpn_config.ovpn

client
dev tun
proto udp
explicit-exit-notify
;verify-x509-name "C=DE, ST=NA, L=NA, O=privat, OU=OU, CN=SophosApplianceCertificate_C01001X2WHJP2D1, emailAddress=meine.email@adresse.de"
;route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
</cert>
<key>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



Added TAGs
[edited by: Erick Jan at 7:54 AM (GMT -7) on 29 May 2023]
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    It seems 192.168.10.xx/24 is your SSL VPN IPv4 lease network.

    As per the OpenVPN events, the IP 192.168.10.21 was assigned to the TUN interface and a route for it has also been added.

    =============================================

    2021-09-08 22:02:57 OPTIONS:
    0 [route-gateway] [192.168.10.20]
    1 [sndbuf] [0]
    2 [rcvbuf] [0]
    3 [sndbuf] [0]
    4 [rcvbuf] [0]
    5 [ping] [45]
    6 [ping-restart] [180]
    7 [redirect-gateway] [def1]
    8 [topology] [subnet]
    9 [route] [remote_host] [255.255.255.255] [net_gateway]
    10 [inactive] [900] [7680]
    11 [ifconfig] [192.168.10.21] [255.255.255.0]


    2021-09-08 22:02:57 PROTOCOL OPTIONS:
    cipher: AES-128-CBC
    digest: SHA256
    compress: LZO_STUB
    peer ID: -1

    2021-09-08 22:02:57 EVENT: ASSIGN_IP

    2021-09-08 22:02:57 NIP: preparing TUN network settings

    2021-09-08 22:02:57 NIP: init TUN network settings with endpoint: 181.192.130.13

    2021-09-08 22:02:57 NIP: adding IPv4 address to network settings 192.168.10.21/255.255.255.0

    2021-09-08 22:02:57 NIP: adding (included) IPv4 route 192.168.10.0/24

    2021-09-08 22:02:57 NIP: redirecting all IPv4 traffic to TUN interface

    2021-09-08 22:02:57 Connected via NetworkExtensionTUN

    =============================================

    But there’s no other route added for the 'Permitted network resources (IPv4)' of the SSL VPN remote access policy.

    Is this issue observed with all iPhone devices?

    Please check sslvpn.log events on the XG firewall while connecting SSL VPN from iPhone.

    Log in to SSH > 5. Device Management > 3. Advanced Shell

    # tail -f /log/sslvpn.log
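
Added example, not part of either post and not Sophos or OpenVPN code: a Python helper that reads the OpenVPN Connect client log the way the reply above does, extracting the pushed OPTIONS and the NIP route lines to show which routes the client installed. The sample log is constructed from lines quoted in the reply; `summarize` and its field names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: lines taken from the client log quoted in the reply.
SAMPLE_LOG = """\
2021-09-08 22:02:57 OPTIONS:
0 [route-gateway] [192.168.10.20]
7 [redirect-gateway] [def1]
9 [route] [remote_host] [255.255.255.255] [net_gateway]
11 [ifconfig] [192.168.10.21] [255.255.255.0]
2021-09-08 22:02:57 EVENT: ASSIGN_IP
2021-09-08 22:02:57 NIP: adding (included) IPv4 route 192.168.10.0/24
2021-09-08 22:02:57 NIP: redirecting all IPv4 traffic to TUN interface
"""

OPTION_RE = re.compile(r"^\s*\d+\s+((?:\[[^\]]*\]\s*)+)$")
ROUTE_RE = re.compile(r"NIP: adding \(included\) IPv4 route (\S+)")


def summarize(log_text):
    """Summarize tunnel settings; extra_routes are routes beyond the lease network."""
    options, routes, full_tunnel = {}, [], False
    for line in log_text.splitlines():
        m = OPTION_RE.match(line)
        if m:  # pushed option line, e.g. "11 [ifconfig] [addr] [mask]"
            name, *args = re.findall(r"\[([^\]]*)\]", m.group(1))
            options.setdefault(name, []).append(args)
            continue
        m = ROUTE_RE.search(line)
        if m:  # route the iOS network extension actually installed
            routes.append(ipaddress.ip_network(m.group(1)))
        if "redirecting all IPv4 traffic to TUN" in line:
            full_tunnel = True
    addr, mask = options["ifconfig"][0]
    tunnel = ipaddress.ip_interface(f"{addr}/{mask}")
    gateway = ipaddress.ip_address(options["route-gateway"][0][0])
    return {
        "tunnel_ip": str(tunnel.ip),
        "lease_network": str(tunnel.network),
        "gateway_on_link": gateway in tunnel.network,
        "redirect_gateway": "redirect-gateway" in options,
        "full_tunnel": full_tunnel,
        "included_routes": [str(r) for r in routes],
        "extra_routes": [str(r) for r in routes if r != tunnel.network],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `extra_routes` list corresponds to the reply's observation that only the lease network route was added on the client.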