Tap Adapter collision between eCatcher and SOFOS VPN
@anongfoksrhb
Customer called in regarding possible causes for a tap adapter collisions between Sofos VPN and eCatcher. I am creating a ticket to track this issues, as the customer is waiting a response for Sofos VPN regarding the tap adapter that they are using.
-
Kevin,
I am following up on the conflicting operation between the eCatcher software and our Sophos VPN client. Please see the message below for details from Sophos.
This looks like a case where you and your colleagues will need to work directly with Sophos on the fix.I have also attached the e-mail chain between myself and Sophos. Please reply to that message to speak with Sophos support team.
Thank you.
"Matt
Hi Matt,
My name is Kent from Sophos Escalation team. I've reviewed the ticket and I would like to make sure we both understand the situation here.
Sophos SSL VPN and eCatcher are both using the open-source OpenVPN based which will have the same public key infrastructure. That is easy to understand they are both using the same VPN adapter and conflict to each other.
If OpenVPN has the feature that you would like to achieve (having both adapters installed) then we can submit a feature request to get Sophos SSL VPN client updated.
For now, this is normal behavior of Sophos SSL VPN (OpenVPN client based). I believe eCatcher will say the exact same what we're trying to deliver to you.
Regards,
Kent Do
Sophos Technical Support
https://www.sophos.com/en-us/support/contact-support.aspxGet Product Notifications via SMS - Sophos Mobile Notification Service:
https://sms.sophos.com
Support Knowledge Base: https://community.sophos.com/kb
Follow us on Twitter @SophosSupport
Sophos Community (discussion forums): https://community.sophos.comSOPHOS - CyberSecurity made simple
0 -
Hello Matt,
I will escalate this issue and have our development team review this request.
I will follow up with any updates that i recieve.
0 -
Kevin,
Thank you. Keep me posted.
"Matt
0 -
Kevin,
Do you have any updates?
"Matt
0 -
Kevin,
Checking in to see if you have any updates from your end
This is still an issue that is affecting our business.
"Matt
0 -
Hi Matt,
Can you send me the file:
Program Files x86\Sophos\Sophos SSL VPN Client\config\xxxxxxxxxxxx.ovpn
and a screenshot of your Network Adapters, like this:
Sounds like Sophos isn't properly identifying the adapter in their config file,so we should be able to fix that for you.
Thanks,
Kyle
0 -
Kyle,
Sophos and eCatcher are using a stock configuration for OpenVPN. Unique TAP adapter names are not being assigned and each installer is overwriting the other's
adapter. OpenVPN's configuration file even warns of this, yet defaults are still used. Sophos has been made aware of this also and it has been escalated to their development group. The proper fix will be assign a unique adapter name, not a one off fix for
me.Please let me know how you wish to proceed.
"Matt
0 -
This is incorrect. We use a unique TAP adapter name and configuration. I think you're going to need to work with Sophos on this one. Wish we could help you!
0 -
Kyle,
What is the name that eWon uses to ID it's TAP adapter?
"Matt
0 -
"Talk2m-eCatcher"
0 -
When in the install process are you renaming the TAP adapter from its default value?
Why aren't you setting the unique name in the Open VPN config ahead of time?
"Matt
0 -
It's being renamed during install and it's in the .ovpn file:
0 -
Kyle,
Please see the video in the link provided:
This shows a recording where the installation and use of both Sophos and eCatcher cause the VPN to stop working and become useless when both pieces of software
are installed.This is still an issue. I have also sent this video to Sophos for review.
"Matt
0 -
eCatcher does not use the default OpenVPN settings. I've never used Sophos VPN, but have been told by customers that if you identify the correct TAP adapter in the Sophos .ovpn config you won't have this problem, for example, by adding:
dev tun
dev-node "Ethernet 3"and you can avoid installation problems by disabling your TAP adapter during install.
0 -
Kyle,
eCatcher does use the default OpenVPN settings during the install, that's why the Sophos TAP adapter gets over written. The eCatcher TAP instance is renamed
after is it is first installed with the default settings. I have looked through the installation files, I can see what's going on.Why do I need to perform additional steps before or after installation? That should all be handled in the eCatcher setup.
"Matt
0 -
I have forwarded this info to the developers to review. I am just trying to give you a solution to the problem so that your employees can use both VPNs. Disable the Sophos adapter before installing eCatcher and append the Sophos .ovpn file to specify the adapter to use.
You'll need to be more specific by what you mean by "default settings." You are not talking about the .ovpn file settings?
0 -
Kyle,
This is a development issue, the default setting that I am speaking about are pasted at the end of this message. The renaming of the TAP adapter (renametap.vbs)
takes place after these defaults have been applied and the damage to the other TAP adapter done.A unique TAP id needs to be set during the install, not after. Both the eWon and Sophos are guilty of this development blunder by keeping the OpenVPN TAP default
id. The "Note to Developers" spells this out simply."Matt
Note to Developers:
;
; If you are bundling the TAP-Windows driver with your app,
; you should try to rename it in such a way that it will
; not collide with other instances of TAP-Windows defined
; by other apps. Multiple versions of the TAP-Windows
; driver, each installed by different apps, can coexist
; on the same machine if you follow these guidelines.
; NOTE: these instructions assume you are editing the
; generated OemWin2k.inf file, not the source
; OemWin2k.inf.in file which is preprocessed by winconfig
; and uses macro definitions from settings.in.
;
; (1) Rename all tapXXXX instances in this file to
; something different (use at least 5 characters
; for this name!)
; (2) Change the "!define TAP" definition in openvpn.nsi
; to match what you changed tapXXXX to.
; (3) Change TARGETNAME in SOURCES to match what you
; changed tapXXXX to.
; (4) Change TAP_COMPONENT_ID in common.h to match what
; you changed tapXXXX to.
; (5) Change SZDEPENDENCIES in service.h to match what
; you changed tapXXXX to.
; (6) Change DeviceDescription and Provider strings.
; (7) Change PRODUCT_TAP_WIN_DEVICE_DESCRIPTION in constants.h to what you
; set DeviceDescription to.
0 -
Thanks! I'll make sure they receive this.
0 -
Kyle,
Thank you. You see now where the issue is, right?
"Matt
0 -
Yes, I didn't realize you were talking about the install: I thought you were referring to the .ovpn file. II see now that it's not renamed until after the first connection is made. I appreciate your patience with this and hopefully they will be able to address it soon!
0 -
Kyle,
Understand. This has been a long process and very confusing due to so many moving parts. Glad we are on the same page now.
More frustrating due to it not being something you folks in support can fix as this should have been caught in development or testing.
I will be standing by, let me know what you find out.
Thank you.
"Matt
0 -
Good afternoon,
Any news on this issue? We have the same problem on Windows 10 now. We worked with Sofos and eWon on Windows 7 in the past without problems.
Kind regards,
John
0 -
The development team for Ewon is in Belgium, so I would recommend creating a case by going to https://mysupport.hms.se so that it will reach them directly. We've already passed along all the information in this forum thread.
0 -
John,
We have always had the issue with Windows 10 as the VPN was never used with W7.
As I have pointed out before, the fix is simple, and is detailed in both my conversation and the OpenVPN config files.
"Matt
0 -
Hello Matt,
I thought that something in the setup files needs changes by the developers, but that's not correct? What are in short the steps that need to be taken by me to use both Sophos and eWon? Sorry, but the conversation between you and Kyle is not very clear about this.
Kind regards,
John
0 -
If you install eCatcher and then install Sophos, you should then go to:
C:\Program Files (x86)\eCatcher-Talk2M\Talk2mVpnService\drivers
And run "addtap.bat' and rename the new TAP adapter to "Talk2m-eCatcher".
0 -
John,
If you have access to the full ticket history, you should see where I detail the steps required by the OpenVPN developers to make changes to the application when bundling the VPN client with another system. Basically, by using the defaults you will overwrite other default instances:
Let me know if you can't find that info.
"Matt
0 -
FYI, Kyle's instructions are a band-aid, not a proper fix.
Neither Sophos nor eCatcher should require any post-install config changes to work.
Both applications are installing OpenVPN in an unmodified state, ensuring a TAP adapter name over-write.
"Matt
0 -
Matt,
Neither myself nor John can do anything with that info. It needs to be implemented by the application developers and I've already passed it along to Ewon and you passed it along to Sophos. I believe that John was asking about a workaround that can be used in the meantime.
Kyle
0
Por favor, entrar para comentar.
Comentários
41 comentários