I wanted to ask if anyone else is using their Root CA-Sub CA chain with the Sophos XG. We use our own CA for all sorts of authentication such as Site to Site VPN, L2TP, WIFI access (not through Sophos), etc.
I found, looking at the logs, that one of our problems with our Sub CA is that our Root CA is never getting loaded into strongSwan, and a complete chain is never established. For Site to Site connections, you can load the remote certificate onto the XG to bypass this problem, but for clients doing L2TP authentication with certs issued by the Sub CA, everything will break as the Root CA isn't loaded into strongSwan.
Sophos has been able to verify the problem with our Root CA, and while being transferred from support agent to support agent to manager to support agent as Sophos attempted to find someone who even knew how Sub/Root CAs work (5-hour phone call), I was able to find that the following script is run when uploading our Root CA cert:
/scripts/vpn/ipsec/ipsec_link_ca.sh
The script tries to verify the Root CA, but since it is our own CA issued by us, it fails the verification and does not instruct the XG to create a symlink from /conf/certificates/cacerts/my_root_ca.pem -> /_conf/ipsec/ipsec.d/cacerts/my_root_ca.pem.
As a workaround, I have been creating the symlink manually, re-running ipsec rereadcacerts, and our Root CA is added (which makes our SubCA work, as we now have a complete chain). If you reload/reboot/upgrade the firmware on the XG, you'll have to recreate the symlink.
This may or may not get entered by Sophos as a bug. Requests for updates from Sophos result in not getting replies.
I have verified our Root CA->Sub CA chain works with other solutions (Cisco, PFsense).
Ticket #8403470
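The manual workaround from the post (recreate the symlink, then `ipsec rereadcacerts`), written up as an added example that is not the author's or Sophos's script. The two directories are the ones named above; the file name my_sub_ca.pem, the CA:TRUE check and the chain verification are my additions, and the directories can be overridden through the environment so the functions can be exercised off-box.

```sh
#!/bin/sh
# Added example (not from the original post or from Sophos): re-create the
# symlink that /scripts/vpn/ipsec/ipsec_link_ca.sh skips when the uploaded
# Root CA fails its verification, then ask strongSwan to reload its CA store.
set -u

# Paths from the post; override via the environment when testing elsewhere.
XG_CA_DIR="${XG_CA_DIR:-/conf/certificates/cacerts}"
IPSEC_CA_DIR="${IPSEC_CA_DIR:-/_conf/ipsec/ipsec.d/cacerts}"

# link_root_ca NAME
# Ensure $IPSEC_CA_DIR/NAME.pem is a symlink to $XG_CA_DIR/NAME.pem.
# Only certificates carrying basicConstraints CA:TRUE are linked, so a
# mistyped leaf certificate never ends up in strongSwan's trust store.
link_root_ca() {
    src="$XG_CA_DIR/$1.pem"
    dst="$IPSEC_CA_DIR/$1.pem"
    [ -f "$src" ] || { echo "link_root_ca: $src not found" >&2; return 1; }
    openssl x509 -in "$src" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "link_root_ca: $src is not a CA certificate" >&2; return 1; }
    mkdir -p "$IPSEC_CA_DIR"
    # Idempotent: only (re)create the link when it is missing or points elsewhere,
    # so the script can simply be re-run after every reboot or firmware upgrade.
    [ "$(readlink "$dst" 2>/dev/null || true)" = "$src" ] || ln -sfn "$src" "$dst"
}

# verify_chain ROOT_NAME SUB_NAME
# Check that the Sub CA chains to the Root CA as strongSwan will see it (the
# symlinked copy). This is exactly the check that fails when the Root CA was
# never linked: the Sub CA is present but its issuer is unknown.
verify_chain() {
    openssl verify -CAfile "$IPSEC_CA_DIR/$1.pem" "$XG_CA_DIR/$2.pem" >/dev/null 2>&1
}

# reload_cacerts
# Tell strongSwan to re-read ipsec.d/cacerts. Skipped when run off-box.
reload_cacerts() {
    command -v ipsec >/dev/null 2>&1 \
        || { echo "reload_cacerts: ipsec not found, skipping" >&2; return 0; }
    ipsec rereadcacerts
}

# Typical use on the XG (certificate names are placeholders):
#   link_root_ca my_root_ca && verify_chain my_root_ca my_sub_ca && reload_cacerts
```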