
WAF - WebServer behind IPSec-VPN not working

Hi,

I have a problem with the WAF in combination with an IPsec VPN tunnel. The following error occurs:


Forbidden

You don't have permission to access / on this server.

Additionally, a 503 Service Unavailable error was encountered while trying to use an ErrorDocument to handle the request.


About my network:

Local LAN: 192.168.15.0/24
Local IP of XG: 192.168.15.1
Remote LAN: 192.168.17.0/24
Remote IP of WebServer for WAF: 192.168.17.33
Firmware of XG: v17.5.3


Result of tcpdump:

16:46:16.797513 ipsec0, OUT: IP 169.254.234.5.47125 > 192.168.17.33.80: Flags [S], seq 3415650181, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0


I tried following:

  • sys-traffic-nat add destination 192.168.17.0 netmask 255.255.255.0 snatip 192.168.15.1
  • system ipsec_route add net 192.168.17.0/255.255.255.0 tunnelname HeadOffice
  • activated NAT via IPSec connection

Any ideas? Did I forget something, or is this a bug?

  • What does the WAF log show when you go to the page? 

  • [Sat Feb 16 17:27:13.345689 2019] [proxy:error] [pid 18145:tid 140281707050752] (110)Connection timed out: AH00957: HTTP: attempt to connect to 192.168.17.33:80 (192.168.17.33) failed
    [Sat Feb 16 17:27:13.345744 2019] [proxy:error] [pid 18145:tid 140281707050752] AH00959: ap_proxy_connect_backend disabling worker for (192.168.17.33) for 60s
    [Sat Feb 16 17:27:13.345756 2019] [proxy_http:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] AH01114: HTTP: failed to make connection to backend: 192.168.17.33
    [Sat Feb 16 17:27:13.345972 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/content/waf/2.7.3/modsecurity_crs_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 503 found within RESPONSE_STATUS: 503"] [severity "ERROR"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]
    [Sat Feb 16 17:27:13.346167 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:0. [file "/content/waf/2.7.3/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available"] [data "Last Matched Data: 503"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]
    [Sat Feb 16 17:27:13.346438 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/content/waf/2.7.3/modsecurity_crs_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]

    With best regards,

    Steppenwolf
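Putting the two observations in this thread side by side (the SYN leaving ipsec0 from 169.254.234.5 in the opening post, and the proxy connect timeout followed by an outbound-CRS 403 in the log above) suggests a small triage check. The script below is an added example and is not code from the thread, from Sophos, or from the WAF; it assumes the tunnel's selectors are exactly the two LANs named in the post and embeds the posted tcpdump and Apache/ModSecurity lines as inline sample data so it runs offline.

```python
"""Triage helper for "403 from the WAF, backend behind IPsec" (added example,
not code from the thread or from Sophos).

Two questions a practitioner wants answered before blaming the WAF:
  1. Can the SYN seen on ipsec0 ever match the tunnel policy? An IPsec SA
     only carries packets whose source and destination fall inside its
     selectors, so a SYN sourced from outside the local selector leaves
     ipsec0 but is never carried to the far side.
  2. Is the 403 an inbound block, or the outbound CRS scoring a 5xx that
     the proxy itself generated because the backend was unreachable?

Assumptions: selectors are the two LANs from the post (hypothetical values);
log lines below are copied from the thread and embedded as sample data.
"""
import ipaddress
import re

LOCAL_SELECTOR = ipaddress.ip_network("192.168.15.0/24")   # assumed local selector
REMOTE_SELECTOR = ipaddress.ip_network("192.168.17.0/24")  # assumed remote selector

# Sample data: the tcpdump line and WAF log lines quoted in the thread.
TCPDUMP_LINE = (
    "16:46:16.797513 ipsec0, OUT: IP 169.254.234.5.47125 > 192.168.17.33.80: "
    "Flags [S], seq 3415650181, win 32440, options [mss 16220,nop,nop,sackOK,nop,wscale 7], length 0"
)
WAF_LOG = [
    r'[Sat Feb 16 17:27:13.345689 2019] [proxy:error] [pid 18145:tid 140281707050752] (110)Connection timed out: AH00957: HTTP: attempt to connect to 192.168.17.33:80 (192.168.17.33) failed',
    r'[Sat Feb 16 17:27:13.345744 2019] [proxy:error] [pid 18145:tid 140281707050752] AH00959: ap_proxy_connect_backend disabling worker for (192.168.17.33) for 60s',
    r'[Sat Feb 16 17:27:13.345756 2019] [proxy_http:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] AH01114: HTTP: failed to make connection to backend: 192.168.17.33',
    r'[Sat Feb 16 17:27:13.345972 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/content/waf/2.7.3/modsecurity_crs_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 503 found within RESPONSE_STATUS: 503"] [severity "ERROR"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]',
    r'[Sat Feb 16 17:27:13.346167 2019] [security2:error] [pid 18145:tid 140281707050752] [client 192.168.10.50:58679] [client 192.168.10.50] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:0. [file "/content/waf/2.7.3/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available"] [data "Last Matched Data: 503"] [hostname "www.company.com"] [uri "/"] [unique_id "XGg50n8AAAEAAEbhzKsAAAAF"]',
]

TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)
BACKEND_FAIL_RE = re.compile(r"AH00957: HTTP: attempt to connect to (\S+) \(")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
DENIED_RE = re.compile(r"Access denied with code (\d+)")
OUTBOUND_5XX_RE = re.compile(r"Matched Data: (5\d\d) found within RESPONSE_STATUS")


def parse_tcpdump(line):
    """Extract src/dst address, ports and TCP flags from one tcpdump TCP line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump TCP line")
    src, sport, dst, dport, flags = m.groups()
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "flags": flags}


def selector_check(pkt, local, remote):
    """(src inside local selector, dst inside remote selector)."""
    return pkt["src"] in local, pkt["dst"] in remote


def classify_waf_block(lines):
    """Walk the Apache/ModSecurity error log in order and decide whether the
    403 is a real inbound block or the outbound CRS reacting to a proxy 5xx."""
    r = {"backend_failed": None, "denied_code": None, "rule_ids": [], "outbound_5xx": False}
    for line in lines:
        m = BACKEND_FAIL_RE.search(line)
        if m:
            r["backend_failed"] = m.group(1)
        r["rule_ids"].extend(RULE_ID_RE.findall(line))
        if OUTBOUND_5XX_RE.search(line):
            r["outbound_5xx"] = True
        m = DENIED_RE.search(line)
        if m:
            r["denied_code"] = int(m.group(1))
    if r["denied_code"] == 403 and r["outbound_5xx"]:
        r["verdict"] = "backend-unreachable"
    elif r["denied_code"]:
        r["verdict"] = "request-blocked"
    else:
        r["verdict"] = "no-block"
    return r


def diagnose(tcpdump_line, waf_lines, local=LOCAL_SELECTOR, remote=REMOTE_SELECTOR, snat_ip=None):
    """Combine the wire view and the log view into a list of findings."""
    findings = []
    pkt = parse_tcpdump(tcpdump_line)
    src_ok, dst_ok = selector_check(pkt, local, remote)
    if not dst_ok:
        findings.append(f"destination {pkt['dst']} is outside the remote selector {remote}")
    if not src_ok:
        findings.append(f"WAF source {pkt['src']} is outside the local selector {local}; "
                        "no IPsec policy for this tunnel can match the SYN")
        if snat_ip is not None and ipaddress.ip_address(snat_ip) in local:
            findings.append(f"SNAT to {snat_ip} is configured but {pkt['src']} is on the wire, "
                            "so the NAT was not applied to WAF traffic")
    waf = classify_waf_block(waf_lines)
    if waf["verdict"] == "backend-unreachable":
        rules = ", ".join(sorted(set(waf["rule_ids"])))
        findings.append(f"403 is a symptom: backend {waf['backend_failed']} timed out, the proxy "
                        f"answered 503, and outbound CRS rule(s) {rules} turned that into a 403")
    return findings


if __name__ == "__main__":
    for finding in diagnose(TCPDUMP_LINE, WAF_LOG, snat_ip="192.168.15.1"):
        print("-", finding)
```

On the thread's data the script reports three findings: the SYN is sourced from an address outside the assumed local selector, the SNAT address the poster configured is not what appears on ipsec0, and the "Forbidden" is the outbound CRS (970901 scoring the 503, 981200 denying on the anomaly score) reacting to the proxy's own error rather than a block of the client request. Rule 981200 is therefore only the messenger; the request never reached 192.168.17.33.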

  • The same scenario works successfully with SSL VPN, so there is a bug with IPSec VPNs and the WAF.

    Unfortunately the NAT rule does not work in this constellation and therefore the routing does not work.

    Who else has an idea to solve the problem?

    With best regards,

    Steppenwolf
