Sophos SSL VPN Client "verify-x509-name" empty value, no connection possible

Hi Sophos Community

  • Sophos Firmware: SFOS 16.05.2 MR-2
  • Pattern Version SSLVPN Clients: 1.0.006
  • Installed Version of SSL VPN Client: v2.1

 

Our clients download the SSL VPN Client over the Sophos User Portal. The problem is that the downloaded configuration is missing a specific parameter.

The client does not connect and there is no specific logfile generated.

Error message in the Windows Event-Log:

openvpnserv error:
0x20000000
Options error: Unrecognized option or missing parameter(s) in user@domain.tld_ssl_vpn_config.ovpn:6: verify-x509-name (2.3.8)
Use --help for more information.

Problematic line in the *.ovpn-file:

verify-x509-name ""

 

Obviously the problem is that the value of "verify-x509-name" is empty in the downloaded config. How can I fix this?

If I comment this line out, the connection is working properly. Of course I can't expect our clients to do this. So this must work out of the box.

 

 

Thanks a lot,

lauro



  • Lauro,

    It seems that the certificate is not included inside your SSL VPN config, and without it XG will not accept the connection.

    You can try to rollback, regenerate CA or open a ticket with support.

    Regards

  • I'm having the exact same issue, on a never-configured SSL VPN, on 16.05.3 MR-3.

     

    Rollback is not possible. I'm not clear on what you mean by "regenerate CA"; I'm using the self-signed cert. I made a new one and still have the same issue.

     

    Edit 1: I've discovered that the issue is with the custom certificates (I only have self-signed to test). If I switch to the built-in "appliance certificate" then it works perfectly.

    Just opened a support case.

  • Hey!

     

    Did you get any response?

    Currently it is working fine with commenting the line out but a general fix would be nice.


    Thank you!

     

    Best regards

    Daniel

  • Daniel,

    It's a "design flaw" per se and I wouldn't hope for a fix.

    The issue in my case is that self-signed certificates are not supported for SSL VPN with dynamic hostname (and you can't get an issued certificate for a dynamic hostname, so it's a catch-22). Once I used the "ApplianceCertificate" issued by default, it started working perfectly.

     

    Here's the KB: community.sophos.com/.../125604
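
A check that can be run on a downloaded profile before it is handed to users, as an added example that is not part of the original posts and not Sophos or OpenVPN code: it flags the empty "verify-x509-name" value from this thread and also the comment-out workaround, which leaves the profile without a server certificate name check. The sample profiles, the hostname vpn.example.test and the finding codes are constructed for illustration.

```python
import shlex

NAME_TYPES = {"subject", "name", "name-prefix"}  # match types OpenVPN accepts

def lint_ovpn(text):
    """Return (line_number, code) findings about verify-x509-name in a profile."""
    findings, present, in_block = [], False, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:                         # skip inline <ca>/<cert>/<key> bodies
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        if line[:1] in ("#", ";"):           # OpenVPN comment characters
            if line.lstrip("#; \t").startswith("verify-x509-name"):
                findings.append((no, "COMMENTED_OUT"))
            continue
        try:
            tok = shlex.split(line, comments=True)
        except ValueError:
            findings.append((no, "UNBALANCED_QUOTES"))
            continue
        if not tok or tok[0] != "verify-x509-name":
            continue
        present = True
        if len(tok) < 2 or not tok[1].strip():
            findings.append((no, "EMPTY_NAME"))  # the case reported in this thread
        elif len(tok) > 2 and tok[2] not in NAME_TYPES:
            findings.append((no, "BAD_TYPE"))
    if not present:
        # The chain is still validated against <ca>; the name is no longer pinned.
        findings.append((0, "NO_NAME_CHECK"))
    return findings

# Constructed sample profiles (not taken from a real appliance).
BROKEN = '''client
dev tun
proto tcp
remote vpn.example.test 8443
verify-x509-name ""
<ca>
(constructed placeholder, not a real certificate)
</ca>
'''
WORKAROUND = BROKEN.replace('verify-x509-name ""', '#verify-x509-name ""')
FIXED = BROKEN.replace('""', '"vpn.example.test" name')
```
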