Hi all,
I'm trying to set up a VPN SSL for remote access. After regenerating the certificate, I get this error while trying to connect.
Mon Mar 27 14:21:49 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Dec 9 2016
Mon Mar 27 14:21:49 2017 library versions: OpenSSL 1.0.1u 22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Mar 27 14:21:49 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Mar 27 14:21:49 2017 Need hold release from management interface, waiting...
Mon Mar 27 14:21:50 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'state on'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'log all on'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'hold off'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'hold release'
Mon Mar 27 14:21:59 2017 MANAGEMENT: CMD 'username "Auth" "administrador"'
Mon Mar 27 14:21:59 2017 MANAGEMENT: CMD 'password [...]'
Mon Mar 27 14:21:59 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 27 14:21:59 2017 Attempting to establish TCP connection with [AF_INET]186.64.174.54:8443 [nonblock]
Mon Mar 27 14:21:59 2017 MANAGEMENT: >STATE:1490646119,TCP_CONNECT,,,,,,
Mon Mar 27 14:22:00 2017 TCP connection established with [AF_INET]186.64.174.54:8443
Mon Mar 27 14:22:00 2017 TCPv4_CLIENT link local: [undef]
Mon Mar 27 14:22:00 2017 TCPv4_CLIENT link remote: [AF_INET]186.64.174.54:8443
Mon Mar 27 14:22:00 2017 MANAGEMENT: >STATE:1490646120,WAIT,,,,,,
Mon Mar 27 14:22:00 2017 MANAGEMENT: >STATE:1490646120,AUTH,,,,,,
Mon Mar 27 14:22:00 2017 TLS: Initial packet from [AF_INET]186.64.174.54:8443, sid=de463156 c6977f16
Mon Mar 27 14:22:00 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 27 14:22:00 2017 VERIFY OK: depth=1, C=CR, ST=San José, L=San José, O=Würth, OU=Würth, CN=Würth Costa Rica,
emailAddress=carlo.rosales@wurth.cr
Mon Mar 27 14:22:00 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, O=Wurth Costa Rica, OU=OU,
https://community.sophos.com/products/xg-firewall/f/network-and-routing/90315/can-t-connect-ssl-vpn-remote-access 1/10
10/29/2018 Can't connect SSL VPN Remote Access. - Network and Routing - XG Firewall - Sophos Community
Here is my configuration.
Am I missing something?
Thanks in advance.
lferrara
John,
Make sure to fill the "override host name" with a public DNS that points to the XG public IP, or put the XG public IP there directly. Once
saved, download the SSL configuration again and try to reconnect.
Regards
In reply to lferrara:
Hi lferrara,
I forgot to mention that I have the public IP in the "override hostname" field. I know it doesn't show up in the screenshot but it's
there.
Thanks.
Billybob
Mon Mar 27 14:22:06 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, O=Wurth Costa Rica, OU=OU,
CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr, must be C=CR, ST=NA, L=San Josà ©,
O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr
You changed the certs and now they don't match what your client has. As Luk said, login to user portal and download the configuration again.
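An added example, not part of the thread: a small parser for the client's `VERIFY X509NAME ERROR` line that reports which subject attributes differ between the certificate the server presented and the name the client is configured to expect. The sample line is constructed from the one quoted above, with placeholder organisation, CN and e-mail values; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the client log line quoted in the thread.
# Organisation, CN and e-mail are placeholders; the L= values are as shown there.
SAMPLE = (
    "Mon Mar 27 14:22:06 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, "
    "O=Example Org, OU=OU, CN=ExampleApplianceCertificate, "
    "emailAddress=admin@example.com, must be C=CR, ST=NA, L=San Josà ©, "
    "O=Example Org, OU=OU, CN=ExampleApplianceCertificate, "
    "emailAddress=admin@example.com"
)

LINE_RE = re.compile(r"VERIFY X509NAME ERROR: (?P<got>.+?), must be (?P<want>.+)$")
# Split only at a comma that is followed by "attribute=", so commas inside
# a value (for example "O=Acme, Inc.") stay part of that value.
RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_dn(dn):
    """Turn 'C=CR, ST=NA, ...' into an ordered list of (attribute, value)."""
    pairs = []
    for part in RDN_SPLIT.split(dn.strip()):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def diff_x509name(log_line):
    """Return (attr, presented, expected, non_ascii) for each differing attribute."""
    m = LINE_RE.search(log_line)
    if m is None:
        return None  # not a VERIFY X509NAME ERROR line
    got = parse_dn(m["got"])
    want = dict(parse_dn(m["want"]))  # repeated attributes collapse to the last one
    findings = []
    for attr, value in got:
        expected = want.pop(attr, None)
        if expected != value:
            non_ascii = not (value + (expected or "")).isascii()
            findings.append((attr, value, expected, non_ascii))
    # Attributes the client expects but the presented subject lacks.
    findings += [(a, None, v, not v.isascii()) for a, v in want.items()]
    return findings


if __name__ == "__main__":
    for finding in diff_x509name(SAMPLE):
        print(finding)
```

On the line as it appears on this page, the only attribute reported is `L`, where the two sides render the accented character differently.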
In reply to Billybob:
Hi Billybob,
That's correct.
1. How do I change the certificate on the XG device to match the VPN? Or should I change it on the VPN to match the device? I'm
really confused with this.
Thank you.
Billybob
Unless you have the old certificate, you can't change it on the firewall.
Download the new ssl configuration on the client by using the user portal. It will be easier that way.
In reply to Billybob:
I had a problem with the old certificate, it won't let me download the client and configuration from the user portal so I had to
regenerate.
Thank you.
Billybob
Factory reset may not help if you are going to import your configuration backup but I am not 100% sure.
In reply to Billybob:
I hope a factory reset fixes the problem. I think I'm going to start over the configuration.
Billybob
Yes, this seems like system corruption, you will have to reset. Importing your backup will probably be fine and you don't have to start
over the configuration. Let us know how it works out.
In reply to Billybob:
Problem with the VPN SSL has been fixed, I just had to generate a new self-signed certificate and change it on the VPN Settings >
SSL Server Certificate.
HariKrishnan
Hello,
Authentication>user.
Aditya Patel
Hi John,
We are glad you were able to resolve this issue. We would recommend you to regenerate the Appliance Certificate as it's used
and also remove all the user certificates as they may not match with the Appliance Certificate.