
Sophos Connect Client authentication fails with certificate

Hi all!

I would like to set up a client VPN connection using Sophos Connect Client. Authentication should be by digital certificate.

After entering the username and password, Sophos Connect Client says "Failed to establish CHILD_SA". Here's the log:

2019-03-27 09:54:41AM 16[CFG] added vici connection: VPNClientTEST
2019-03-27 09:54:41AM 11[CFG] loaded certificate 'C=DE, ST=Bayern, L=XXX, O=XXX, OU=XXX, CN=vpn.XXX.de'
2019-03-27 09:54:41AM 07[CFG] loaded RSA private key
2019-03-27 09:54:41AM 13[CFG] loaded EAP shared key with id 'VPNClientTEST-xauth-id' for: 'testp'
2019-03-27 09:54:42AM 15[CFG] vici initiate 'VPNClientTEST-1'
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST[9] to 194.39.183.50
2019-03-27 09:54:42AM 14[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to 194.39.183.50[500] (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 194.39.183.50[500] to 192.168.43.69[57468] (180 bytes)
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received XAuth vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received DPD vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received Cisco Unity vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received FRAGMENTATION vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received NAT-T (RFC 3947) vendor ID
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to XXX[500] (204 bytes)
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> received packet: from XXX[500] to 192.168.43.69[57468] (204 bytes)
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> local host is behind NAT, sending keep alives
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, O=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, XXX, OU=OU, CN=Sophos_CA_XXX, E=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.XXX.de' (myself) successful
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57469] to XXX[4500] (700 bytes)
2019-03-27 09:54:42AM 11[NET] <VPNClientTEST|9> received packet: from XXX[4500] to 192.168.43.69[57469] (108 bytes)
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
2019-03-27 09:54:43AM 07[CFG] unloaded private key with id 076355e74d5920bd7d8e44759fe1299860180500
2019-03-27 09:54:43AM 13[CFG] unloaded shared key with id 'VPNClientTEST-xauth-id'
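A charon-style log like the one above can be triaged mechanically. The Python below is an added example, not part of the original post and not Sophos Connect's own code; it assumes the log keeps the `date time thread[SUBSYS] <conn|n> message` layout shown above and uses constructed sample lines (documentation address 203.0.113.10 and hostname vpn.example.test rather than the poster's real values). It separates the two failure shapes that come up in this thread: a gateway that answers but rejects the client's authentication (the AUTHENTICATION_FAILED notify above) and a gateway that never answers at all (the "No response from gateway" reports later on).

```python
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    when: str        # "2019-03-27 09:54:42AM"
    subsystem: str   # CFG, IKE, ENC, NET, ...
    conn: str        # connection name from "<conn|n>", empty if absent
    message: str


# Assumed line layout: "<date> <time> <thread>[<SUBSYS>] <conn|n> <message>", "<conn|n>" optional.
LINE = re.compile(r"^(\S+ \S+) +\d+\[(\w+)\] (?:<([^|>]+)\|\d+> )?(.*)$")

NO_RESPONSE = "NO_RESPONSE_FROM_GATEWAY"   # packets went out, nothing ever came back
AUTH_REJECTED = "AUTH_REJECTED_BY_PEER"    # gateway answered, then sent AUTHENTICATION_FAILED
ESTABLISHED = "ESTABLISHED"
INCONCLUSIVE = "INCONCLUSIVE"


def parse_log(text: str) -> List[Entry]:
    """Turn raw log text into Entry tuples; lines that do not fit the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(3) or "", m.group(4)))
    return entries


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Count NET traffic in both directions and pick the most specific verdict the log supports."""
    sent = sum(1 for e in entries if e.subsystem == "NET" and e.message.startswith("sending packet"))
    received = sum(1 for e in entries if e.subsystem == "NET" and e.message.startswith("received packet"))
    # "(myself) successful" means the client's own certificate and key were usable.
    local_auth_ok = any("(myself) successful" in e.message for e in entries)
    peer_rejected = any("AUTHENTICATION_FAILED" in e.message for e in entries)
    established = any("IKE_SA" in e.message and "established" in e.message for e in entries)
    if established:
        verdict = ESTABLISHED
    elif sent and not received:
        verdict = NO_RESPONSE
    elif peer_rejected:
        verdict = AUTH_REJECTED
    else:
        verdict = INCONCLUSIVE
    return {"sent": sent, "received": received, "local_auth_ok": local_auth_ok, "verdict": verdict}


def triage_text(text: str) -> Dict[str, object]:
    return triage(parse_log(text))


# Constructed sample 1: gateway answers Main Mode, then rejects the client's authentication.
SAMPLE_AUTH_FAIL = """\
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST[9] to 203.0.113.10
2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to 203.0.113.10[500] (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 203.0.113.10[500] to 192.168.43.69[57468] (180 bytes)
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, O=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.example.test' (myself) successful
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
"""

# Constructed sample 2: the first packet is retransmitted and nothing is ever received.
SAMPLE_NO_RESPONSE = """\
2019-03-27 10:01:00AM 14[IKE] <VPNClientTEST|10> initiating Main Mode IKE_SA VPNClientTEST[10] to 203.0.113.10
2019-03-27 10:01:00AM 14[NET] <VPNClientTEST|10> sending packet: from 192.168.43.69[500] to 203.0.113.10[500] (204 bytes)
2019-03-27 10:01:04AM 05[IKE] <VPNClientTEST|10> retransmit 1 of request with message ID 0
2019-03-27 10:01:04AM 05[NET] <VPNClientTEST|10> sending packet: from 192.168.43.69[500] to 203.0.113.10[500] (204 bytes)
"""

if __name__ == "__main__":
    for name, sample in (("auth-fail", SAMPLE_AUTH_FAIL), ("no-response", SAMPLE_NO_RESPONSE)):
        print(name, triage_text(sample))
```

In the original log the client reports `authentication of 'vpn.XXX.de' (myself) successful` before the peer's `AUTHENTICATION_FAILED` notify, so the client's certificate and private key loaded fine and the rejection came from the gateway. The `local_auth_ok` flag makes that distinction visible, because it points the investigation at the gateway side (CA, certificate and remote ID settings) rather than at the client's key file.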



  • Hi Aditya,

    Hope this mail finds you in good health. I have a similar issue, but related to "IKE port has been blocked" and "No response from gateway".

    Please find attached log7823.Sophos Connect Log.docx

    This is the setup I have in my home lab:

    I'm testing Sophos XG (installed on a Mini PC) for my home lab. I have SSL VPN (remote access) working fine for my environment.

    I use Sophos's Dynamic DNS, https://bethelsophosxg.myfirewall.co

    I'm able to access this link from an outside network, download the VPN client and access resources.

    Port 1 and Port 3 have the 172.16.16.0/24 and 10.0.0.0/24 networks configured on Sophos XG.

    Port 2 is connected to WAN 192.168.1.150

    Have NBN (FTTN), no public IP from ISP.

    I'm trying to test Sophos Connect similarly.

    Have downloaded Sophos Connect from the firewall, installed it on the test laptop (which is connected to a mobile hotspot, so that it's on a different network).

    When I log in to Sophos Connect, I get the following errors:

    "IKE UDP port seems to be blocked", Connection Failed "No response from gateway bethelsophosxg.myfirewall.co"; these messages keep rotating.

    Please find attached logs as requested

    Appreciate your assistance

  • Hello Ruka,

    I think I know why you are having the problem. Are you using a .tgb file or a .scx file to import the connection? You need to modify the gateway IP to the DDNS name. You have to do this manually.

    1) If you are using the tgb file, then this is the line where you need to update that IP to your DDNS:

    [Phase 1]
    192.168.1.150 = <YourPolicyName>-P1

    2) If you are using scadmin to modify the tgb file, you need to Modify Target Host and set it to your DDNS.

    After you make the modification, you MUST import the connection again and then it will work.

    Please let us know.

    Regards,

    Ramesh

  • Hi Ramesh,

    Thanks for your reply, I use the tgb file.

    Opened the file using Notepad++: bethelsophosxg.myfirewall.co = Sophos_Connect_Tunnel-P1

    Please advise how to update the tgb; can I do it using Notepad?

    Update it to:

    [Phase 1]
    192.168.1.150 = Sophos_Connect_Tunnel-P1

    Appreciate your help

    Thanks

    Raju

  • Hello Raju,

    According to the logs, it does seem there is no packet received from the firewall: either the packet is not sent to XG or not received. Could you take a packet capture from your local system and on the XG firewall and compare the two?

  • Thanks Aditya for your reply

    I'm pretty new to Sophos; please advise how to capture traffic from Sophos. Also, when you say local system, should I run a packet tracer on the laptop that's running Sophos Connect and capture packet info through there?

    Appreciate your help

    Regards

  • Hello

    You may check the traffic on your local system from the Ethernet or Wi-Fi port over which the connection is ongoing, using Wireshark.

    As for the XG firewall, you would need to follow the steps in this KB article. Follow the steps to download from a web browser.

    Things to note down:

    The public address of your remote location and the public address of your XG firewall location.

    Compare the two PCAPs; you may use the timestamps on the packets as a reference point.

    You should see whether there is any ISAKMP packet from the remote end and whether it is received on the XG firewall.
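The comparison Aditya describes can be done without opening both files side by side in Wireshark. The Python below is an added example, not from the thread and not a Sophos tool; using only the standard library it reads classic pcap files (little-endian, Ethernet link type, which is what Wireshark saves by default when told to use pcap rather than pcapng), keeps just the ISAKMP packets (UDP 500 and 4500), and lists the packets the client sent that never show up in the firewall capture within a timestamp window. Because the hotspot NATs the laptop, the match is made on destination port, payload length and timestamp rather than on the client's source address and port. Both captures are constructed inline (laptop 192.168.43.69 behind a NAT at 192.0.2.77, firewall public side 203.0.113.10, a DNS server at 198.51.100.53) so the block runs offline.

```python
import socket
import struct
from typing import List, NamedTuple, Tuple

ISAKMP_PORTS = {500, 4500}  # IKE and NAT-T (UDP-encapsulated IKE)


class Pkt(NamedTuple):
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    length: int  # UDP payload length in bytes


def udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for the sample captures (checksums left at zero)."""
    eth = bytes(12) + b"\x08\x00"
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def pcap_file(records: List[Tuple[float, bytes]]) -> bytes:
    """Constructed classic pcap: magic 0xa1b2c3d4, microsecond timestamps, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def isakmp_packets(pcap: bytes) -> List[Pkt]:
    """Return the UDP/500 and UDP/4500 packets from a classic little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off, found = 24, []
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
            continue
        ip = 14
        ihl = (frame[ip] & 0x0F) * 4
        if frame[ip + 9] != 17:  # not UDP
            continue
        src = socket.inet_ntoa(frame[ip + 12:ip + 16])
        dst = socket.inet_ntoa(frame[ip + 16:ip + 20])
        sport, dport, ulen = struct.unpack_from("!HHH", frame, ip + ihl)
        if sport in ISAKMP_PORTS or dport in ISAKMP_PORTS:
            found.append(Pkt(sec + usec / 1e6, src, dst, sport, dport, ulen - 8))
    return found


def unanswered_on_firewall(client: List[Pkt], firewall: List[Pkt], tolerance: float = 2.0) -> List[Pkt]:
    """ISAKMP packets the client sent that have no counterpart in the firewall capture.

    NAT rewrites the client's source address and port, so match on destination port,
    payload length and a timestamp window (the two hosts' clocks must be roughly in sync)."""
    sent = [p for p in client if p.dport in ISAKMP_PORTS]
    return [c for c in sent
            if not any(abs(f.ts - c.ts) <= tolerance and f.dport == c.dport and f.length == c.length
                       for f in firewall)]


# Constructed captures: the laptop sends two IKE packets; only the first reaches the firewall,
# arriving from the hotspot's NAT address. The DNS packet is there to show the port filter.
CLIENT_PCAP = pcap_file([
    (100.0, udp_frame("192.168.43.69", "203.0.113.10", 57468, 500, bytes(204))),
    (100.3, udp_frame("192.168.43.69", "198.51.100.53", 50000, 53, bytes(40))),
    (101.5, udp_frame("192.168.43.69", "203.0.113.10", 57468, 500, bytes(180))),
])
FIREWALL_PCAP = pcap_file([
    (100.1, udp_frame("192.0.2.77", "203.0.113.10", 1024, 500, bytes(204))),
])


def demo() -> List[Pkt]:
    return unanswered_on_firewall(isakmp_packets(CLIENT_PCAP), isakmp_packets(FIREWALL_PCAP))


if __name__ == "__main__":
    for p in demo():
        print(f"not seen on firewall: t={p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.length} bytes)")
```

On real captures, replace the two constructed byte strings with `open(path, "rb").read()` for the laptop and firewall files. If every client packet is listed as missing, the traffic is being dropped between the hotspot and the firewall's WAN side; if they all appear but the firewall capture contains no packets back towards the client, the problem is on the firewall side.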

  • Thanks Aditya,

    Will try that and let you know how it goes

    Appreciate your help

    Have a good day 

    Cheers


    Raju

  • G'Day Ramesh,

    I think changing the tgb file as per your advice did the trick. It has connected now.

    Appreciate your help on this; it has been haunting me for a few days now. Also apologies for the delayed response.

    It does not seem to work when I use my mobile phone as a hotspot, but I believe it's something to do with the mobile network.

    Once again appreciate your time for sorting this

    Have a good day 

    God bless

    Regards 

    Raju

  • G'Day Aditya,

    One of the community members (Ramesh) had advised doing the below:

    I think I know why you are having the problem. Are you using a .tgb file or a .scx file to import the connection? You need to modify the gateway IP to the DDNS name. You have to do this manually.

    1) If you are using the tgb file, then this is the line where you need to update that IP to your DDNS:

    [Phase 1]
    192.168.1.150 = <YourPolicyName>-P1

    2) If you are using scadmin to modify the tgb file, you need to Modify Target Host and set it to your DDNS.

    After you make the modification, you MUST import the connection again and then it will work.

    After performing the above, Sophos Connect seems to work now.

    Appreciate you guys' help on the Community

    Have a good day 

    Regards

    Raju

  • Hi Ramesh,

    Thanks for your help with this. Please advise why bethelsophosxg.myfirewall.co (which is 192.168.1.150) did not work with the tgb file.

    Why did we have to change it to 192.168.1.150? Is it because Sophos DynDNS is a free service?

    Also I'm unable to ping bethelsophosxg.myfirewall.co or access https://bethelsophosxg.myfirewall.co:4444 from a browser for the admin portal, but I am able to access https://bethelsophosxg.myfirewall.co:443 for the user portal though.

    Appreciate any guidance

    Cheers

    Raju 

  • Hello Raju,

    You need to go to System->Administration->Device access and enable the PING/PING6 checkbox for XG to reply to PING.

    Regards,
    Ramesh