Hi DNS 

During the beta stage/forums you had raised an issue with regards to this, i am not sure if you managed to get it fixed or not, we still having same issues.

Old thread https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/97037/possible-bug---iphone-ipsec-vpn-connection-install-download

Thanks

Hey waghelak 

You may be experiencing a different issue, as that thread you referenced and it's bug ID (NC-22793) has already been resolved.

Which firmware version is your XG firewall appliance running? Have you inquired with support of your third-party MDM solution, to verify if there are any other potential workarounds or steps for this one certificate restriction?

Also, have you already tried our Sophos Mobile Control solution?

Regards,

FloSupport | Community Support Engineer

Hi FloSupport 

We are currently running the latest version SFOS 17.0.6 MR-6.  We are in process of testing various MDM solutions and until now we have not been able to achieve what is required.  We are looking to enable per-app VPN which requires certificate authentication for it to be able to work.

Thanks

Hey waghelak 

I'd suggest to take a look at our Sophos Mobile Control and this related KB article. I would also advise to contact your Sophos Partner/Reseller, if you had questions regarding product trialing and how to best utilize this product in your network environment.

Regards,

FloSupport | Community Support Engineer

Hi FloSupport 

I fully understand you pushing for the sophos version to be tried as well but it still does not solve the issue with certificate authentication with IOS.  I am surprised rather than getting to the bottom of this issue i am being asked to trial another Sophos product.

Currently with all the issues we are having after suggesting the company to go with Sophos XG, i am in no position to suggest another Sophos product.

Thanks

Which VPN solution are you currently trying to push out to your iOS clients? Have you also attempted to use Preshared Key authentication for troubleshooting purposes? Also note our KB article for the Cisco VPN client.

Regards,

FloSupport | Community Support Engineer

Hi FloSupport

We are trying to use the IPSEC with certificate authentication.  We don't have any issues using preshared key which works as we expect.  

There are number various post by different users from past year having had similar issue with certificates and IPSEC VPN with IOS. 

Preshared key has always worked although VPN on demand, per-app VPN requires certificates on IOS and preshared key is not something our CAB (change request board) will approve.

Thanks

Hi FloSupport

We are trying to use the IPSEC with certificate authentication.  We don't have any issues using preshared key which works as we expect.  

There are number various post by different users from past year having had similar issue with certificates and IPSEC VPN with IOS. 

Preshared key has always worked although VPN on demand, per-app VPN requires certificates on IOS and preshared key is not something our CAB (change request board) will approve.

Thanks

In regards to the certificates you are utilizing for authentication, are you usingthe XG's Appliance Certificate for the local certificate? How did you have this configured?

Thanks,

FloSupport | Community Support Engineer

Hi

The local certificate is the XG Appliance certificate and for the remote certificate we have created a self signed certificate through the XG appliance.

Thanks

Maybe still not works.

Same situation. PSK connection is good, but cert connection does not work at iOS. (SC Client is working)

Certificate identity is incorrect

(images deleted)

Hi FoW 

Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID for a closer look?

Thanks!

I guess, this is an open Bug in Authentication via Certificate right now. 

Saw a bug ID attached to V17.5 MR4. 

Thanks. I will contacts.

SFOS 17.5 MR4 Released

• NC-42099 [IPsec] Sophos Connect Client cannot connect to Sophos Connect Client policy using digital certificate