# [E21 site] The E site owner wants the deny policy to take effect against HotSpot Shield

| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-929 | 2023-05-18T21:11:22.000+0800 | 牛翔 | Closed |

---
On 2023-05-17 the site owner said that, after psiphon3, they would go on to test other VPNs.

On 2023-05-17 the site owner configured a HotSpot Shield Deny policy in the TSG system for the office network environment (client ip=196.188.136.150) and wants this policy to have an FD effect on HotSpot Shield.

**liuyang** commented on *2023-05-21T11:17:51.817+0800*:

Once the engineering department has extracted the signatures, could the test team [~zhaokun] please verify.

---
**niuxiang** commented on *2023-06-05T13:39:53.509+0800*:

[~liuyang] [~zhaokun] The hotspot shield VPN signatures have been extracted; please test the effect.

Signature file: HotspotShield_202306050535055.json

---
**zhaokun** commented on *2023-06-07T20:10:26.476+0800*:

* Windows:
  * Hydra test results:
    * All nodes blocked successfully
  * IKEv2 test results:
    * Auto node and Streaming node not blocked
  * WireGuard test results:
    * All nodes blocked successfully
* Android:
  * All nodes of all three protocols blocked successfully
* iOS:
  * Hydra test results:
    * Houston node: not blocked on the first connection; after disconnecting, reconnected 5 times and all were blocked successfully
    * Algeria node: not blocked on the first connection; after disconnecting, reconnected 5 times and all were blocked successfully
  * IKEv2 test results:
    * Auto node and Streaming node not blocked
  * WireGuard test results:
    * All nodes blocked successfully

The packets that were not blocked have been sent to 牛翔 via WeChat.

---
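**daikaiqiang** commented on *2023-06-08T10:29:41.183+0800*:

Troubleshooting the failure to block the ikev2 protocol:

Test environment used: 192.168.56.43 (戴凯强), 192.168.56.50 (焦得钰)

1. Tested the auto node with the policy Deny application hotspot_shield_vpn_20230602 applied. A wireshark capture showed that its dns.qname signatures journalissue.us and middle-island.us both obtained their corresponding IPs, and the security log contained no dns-related block entries; all entries were ssl.sni blocks (sni blocks for the hotspot shield official website and the like). The node could connect normally.

2. Applied a separate policy that blocks dns, whose filter uses the dns qname values used in hotspot_shield_vpn_20230602. A wireshark capture showed journalissue.us and middle-island.us repeatedly trying to obtain an IP, but neither obtained one. The security log contained dns block entries, and at this point the node could not connect.

3. Created an application using only dns.qname as the signature and applied a block policy with it. The capture then showed that journalissue.us and middle-island.us could again obtain IPs normally, and no security log entries were produced.

---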
**daikaiqiang** commented on *2023-06-08T10:30:50.796+0800*:

!image-2023-06-08-10-31-56-755.png|thumbnail! !image-2023-06-08-10-31-12-417.png|thumbnail! !image-2023-06-08-10-31-23-835.png|thumbnail!

---
**niuxiang** commented on *2023-06-15T09:32:31.883+0800*:

Corresponding bug handling record:

https://jira.geedge.net/browse/TSG-15436

---
**zhengchao** commented on *2024-11-19T16:22:59.209+0800*:

issue closed due to no activity

---
## Attachments

**38919/HotspotShield_202306050535055.json**

---

**39118/image-2023-06-08-10-31-02-190.png**

---

**39119/image-2023-06-08-10-31-12-417.png**

---

**39120/image-2023-06-08-10-31-23-835.png**

---

**39121/image-2023-06-08-10-31-56-755.png**

---

**39117/对应第一点.png**

---

**38451/微信图片_20230511131735.png**

---

**38450/微信图片_20230518161226.png**

---