
10/29/2018 Can't connect SSL VPN Remote Access. - Network and Routing - XG Firewall - Sophos Community

Can't connect SSL VPN Remote Access.

Hi all,

I'm trying to set up a VPN SSL for remote access. After regenerating the certificate I get this error while trying to connect.

Mon Mar 27 14:21:49 2017 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Dec 9 2016
Mon Mar 27 14:21:49 2017 library versions: OpenSSL 1.0.1u 22 Sep 2016, LZO 2.09
Enter Management Password:
Mon Mar 27 14:21:49 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Mar 27 14:21:49 2017 Need hold release from management interface, waiting...
Mon Mar 27 14:21:50 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'state on'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'log all on'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'hold off'
Mon Mar 27 14:21:50 2017 MANAGEMENT: CMD 'hold release'
Mon Mar 27 14:21:59 2017 MANAGEMENT: CMD 'username "Auth" "administrador"'
Mon Mar 27 14:21:59 2017 MANAGEMENT: CMD 'password [...]'
Mon Mar 27 14:21:59 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 27 14:21:59 2017 Attempting to establish TCP connection with [AF_INET]186.64.174.54:8443 [nonblock]
Mon Mar 27 14:21:59 2017 MANAGEMENT: >STATE:1490646119,TCP_CONNECT,,,,,,
Mon Mar 27 14:22:00 2017 TCP connection established with [AF_INET]186.64.174.54:8443
Mon Mar 27 14:22:00 2017 TCPv4_CLIENT link local: [undef]
Mon Mar 27 14:22:00 2017 TCPv4_CLIENT link remote: [AF_INET]186.64.174.54:8443
Mon Mar 27 14:22:00 2017 MANAGEMENT: >STATE:1490646120,WAIT,,,,,,
Mon Mar 27 14:22:00 2017 MANAGEMENT: >STATE:1490646120,AUTH,,,,,,
Mon Mar 27 14:22:00 2017 TLS: Initial packet from [AF_INET]186.64.174.54:8443, sid=de463156 c6977f16
Mon Mar 27 14:22:00 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 27 14:22:00 2017 VERIFY OK: depth=1, C=CR, ST=San José, L=San José, O=Würth, OU=Würth, CN=Würth Costa Rica,
emailAddress=carlo.rosales@wurth.cr
Mon Mar 27 14:22:00 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, O=Wurth Costa Rica, OU=OU,
CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr, must be C=CR, ST=NA, L=San Josà ©,
O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr
Mon Mar 27 14:22:00 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Mar 27 14:22:00 2017 TLS Error: TLS object -> incoming plaintext read error
Mon Mar 27 14:22:00 2017 TLS Error: TLS handshake failed
Mon Mar 27 14:22:00 2017 Fatal TLS error (check_tls_errors_co), restarting
Mon Mar 27 14:22:00 2017 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 27 14:22:00 2017 MANAGEMENT: >STATE:1490646120,RECONNECTING,tls-error,,,,,
Mon Mar 27 14:22:00 2017 Restart pause, 5 second(s)
Mon Mar 27 14:22:05 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Mon Mar 27 14:22:05 2017 Attempting to establish TCP connection with [AF_INET]172.16.16.16:8443 [nonblock]
Mon Mar 27 14:22:05 2017 MANAGEMENT: >STATE:1490646125,TCP_CONNECT,,,,,,
Mon Mar 27 14:22:06 2017 TCP connection established with [AF_INET]172.16.16.16:8443
Mon Mar 27 14:22:06 2017 TCPv4_CLIENT link local: [undef]
Mon Mar 27 14:22:06 2017 TCPv4_CLIENT link remote: [AF_INET]172.16.16.16:8443
Mon Mar 27 14:22:06 2017 MANAGEMENT: >STATE:1490646126,WAIT,,,,,,
Mon Mar 27 14:22:06 2017 MANAGEMENT: >STATE:1490646126,AUTH,,,,,,
Mon Mar 27 14:22:06 2017 TLS: Initial packet from [AF_INET]172.16.16.16:8443, sid=298bc3b2 5cb0532f
Mon Mar 27 14:22:06 2017 VERIFY OK: depth=1, C=CR, ST=San José, L=San José, O=Würth, OU=Würth, CN=Würth Costa Rica,
emailAddress=carlo.rosales@wurth.cr
Mon Mar 27 14:22:06 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, O=Wurth Costa Rica, OU=OU,
CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr, must be C=CR, ST=NA, L=San Josà ©,
O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr
Mon Mar 27 14:22:06 2017 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Mar 27 14:22:06 2017 TLS Error: TLS object -> incoming plaintext read error
Mon Mar 27 14:22:06 2017 TLS Error: TLS handshake failed
Mon Mar 27 14:22:06 2017 Fatal TLS error (check_tls_errors_co), restarting
Mon Mar 27 14:22:06 2017 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 27 14:22:06 2017 MANAGEMENT: >STATE:1490646126,RECONNECTING,tls-error,,,,,
Mon Mar 27 14:22:06 2017 Restart pause, 5 second(s)


Here is my configuration.


Am I missing something?

Could this be due to the certificate regeneration?

Thanks in advance.
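
As an added example (not part of the original thread, and not Sophos or OpenVPN code), this Python sketch splits a VERIFY X509NAME ERROR line into the presented and the expected subject and reports which attributes differ. The regular expressions and helper names are assumptions based on the log lines in the post above; SAMPLE is that post's line re-joined onto one line.

```python
import re

# Sample input: the VERIFY X509NAME ERROR line from the post above, re-joined
# onto one line ("<presented subject>, must be <expected subject>").
SAMPLE = (
    "Mon Mar 27 14:22:06 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, "
    "O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, "
    "emailAddress=carlo.rosales@wurth.cr, must be C=CR, ST=NA, L=San Josà ©, "
    "O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, "
    "emailAddress=carlo.rosales@wurth.cr"
)

LINE_RE = re.compile(r"VERIFY X509NAME ERROR: (?P<got>.+?), must be (?P<want>.+)$")
# Split on ", " only where a new "key=" attribute starts, so commas in values survive.
RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")

def parse_dn(dn):
    """Return an ordered list of (attribute, value) pairs from a one-line DN."""
    pairs = []
    for part in RDN_SPLIT.split(dn.strip()):
        key, _, value = part.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def ascii_skeleton(value):
    """Drop non-ASCII characters and whitespace to compare the unambiguous part."""
    return "".join(ch for ch in value if ch.isascii() and not ch.isspace())

def diff_x509name(line):
    """Return (attribute, presented, expected, encoding_only) for each mismatch."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a VERIFY X509NAME ERROR line
    got, want = parse_dn(m["got"]), parse_dn(m["want"])
    if [k for k, _ in got] != [k for k, _ in want]:
        return [("<attribute set/order>", str(got), str(want), False)]
    out = []
    for (key, g), (_, w) in zip(got, want):
        if g != w:
            encoding_only = ascii_skeleton(g) == ascii_skeleton(w)
            out.append((key, g, w, encoding_only))
    return out

if __name__ == "__main__":
    for key, g, w, enc in diff_x509name(SAMPLE):
        hint = "differs only in non-ASCII characters" if enc else "different value"
        print(f"{key}: presented={g!r} expected={w!r} ({hint})")
```

On the line from this thread the only attribute reported is L, and its two values differ only in their non-ASCII characters.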

lferrara

John,

Make sure to fill in the "override host name" with a public DNS that points to the XG public IP, or put the XG public IP there directly. Once saved, download the SSL configuration again and try to reconnect.

Regards

John Henry Vindas Carballo

In reply to lferrara:

Hi lferrara,

I forgot to mention that I have the public IP in the "override hostname" field. I know it doesn't show up in the screenshot but it's there.

Thanks.

Billybob

John Henry Vindas Carballo

Mon Mar 27 14:22:06 2017 VERIFY X509NAME ERROR: C=CR, ST=NA, L=San José, O=Wurth Costa Rica, OU=OU,
CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr, must be C=CR, ST=NA, L=San Josà ©,
O=Wurth Costa Rica, OU=OU, CN=SophosApplianceCertificate_S1403B221848B3D, emailAddress=carlo.rosales@wurth.cr

This could be due to the certificate regeneration? 



You changed the certs and now they don't match what your client has. As Luk said, log in to the user portal and download the configuration again.

John Henry Vindas Carballo

In reply to Billybob:

Hi Billybob,

That's correct.

1. How do I change the certificate on the XG device to match the VPN? Or should I change it on the VPN to match the device? I'm really confused with this.

2. Should I delete all VPN configurations and start over?

Thank you.

Billybob

In reply to John Henry Vindas Carballo:

Unless you have the old certificate, you can't change it on the firewall.

Download the new ssl configuration on the client by using the user portal. It will be easier that way.


John Henry Vindas Carballo

In reply to Billybob:

I had a problem with the old certificate; it won't let me download the client and configuration from the user portal, so I had to regenerate.

Do you think a factory reset would fix the problem?

Thank you.

Billybob

In reply to John Henry Vindas Carballo:

Please post screenshots/error messages with the user portal.

Factory reset may not help if you are going to import your configuration backup but I am not 100% sure.

John Henry Vindas Carballo

In reply to Billybob:

This was the error I was getting in the user portal.

I hope a factory reset fixes the problem; I think I'm going to start the configuration over.

Billybob

In reply to John Henry Vindas Carballo:

Yes, this seems like system corruption; you will have to reset. Importing your backup will probably be fine and you don't have to start the configuration over. Let us know how it works out.

John Henry Vindas Carballo

In reply to Billybob:

Factory reset didn't help at all.

Having the same issue with certificate.


John Henry Vindas Carballo

The problem with the VPN SSL has been fixed; I just had to generate a new self-signed certificate and change it in VPN Settings > SSL Server Certificate.

HariKrishnan

Hello,

Please share a screenshot of the created user.

Authentication > User.

Check whether the VPN policy is applied in user/groups.

Aditya Patel

In reply to John Henry Vindas Carballo:

Hi John,

We are glad you were able to resolve this issue. We would recommend you regenerate the Appliance Certificate as it's used, and also remove all the user certificates as they may not match the Appliance Certificate.

https://community.sophos.com/products/xg-firewall/f/network-and-routing/90315/can-t-connect-ssl-vpn-remote-access