[9.100][FIXED] SSL VPN broken after upgrade 9.0 > 9.100-12

Hello,

After I've upgraded my ASG220 from 9.0 to 9.100-12, I noticed today that my SSL VPN doesn't work anymore.

In the SSL VPN Log I can see this:

2013:05:07-15:34:07 remote openvpn[11713]: TCP connection established with [AF_INET]80.152.165.2:64690 (via [AF_INET]91.52.128.96:1194)
2013:05:07-15:34:07 remote openvpn[11713]: 80.152.165.2:64690 TLS: Initial packet from [AF_INET]80.152.165.2:64690 (via [AF_INET]91.52.128.96:1194), sid=b29a4d52 1b52be9e
2013:05:07-15:34:09 remote openvpn[11713]: 80.152.165.2:64690 VERIFY OK: depth=0, C=de, L=City, O=N/A, CN=User Name, emailAddress=user.name@domain.tld
2013:05:07-15:34:09 remote openvpn[11713]: 80.152.165.2:64690 VERIFY OK: depth=1, C=de, L=City, O=N/A, CN=N/A VPN CA, emailAddress=user.name@domain.tld
2013:05:07-15:34:09 remote openvpn[11713]: 80.152.165.2:64690 VERIFY OK: depth=1, C=de, L=City, O=N/A, CN=N/A VPN CA, emailAddress=user.name@domain.tld
2013:05:07-15:34:09 remote openvpn[11713]: 80.152.165.2:64690 VERIFY OK: depth=0, C=de, L=City, O=N/A, CN=User Name, emailAddress=user.name@domain.tld
2013:05:07-15:34:10 remote openvpn[11713]: 80.152.165.2:64690 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2013:05:07-15:34:10 remote openvpn[11713]: 80.152.165.2:64690 TLS: Username/Password authentication deferred for username 'user name' [CN SET]
2013:05:07-15:34:10 remote openvpn[11713]: 80.152.165.2:64690 TLS Auth Error: --client-config-dir authentication failed for common name 'user name' file='/etc/openvpn/conf.d/user name'
2013:05:07-15:34:10 remote openvpn[11713]: 80.152.165.2:64690 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013:05:07-15:34:10 remote openvpn[11713]: 80.152.165.2:64690 [user name] Peer Connection Initiated with [AF_INET]80.152.165.2:64690 (via [AF_INET]91.52.128.96:1194)
2013:05:07-15:34:12 remote openvpn[11713]: 80.152.165.2:64690 PUSH: Received control message: 'PUSH_REQUEST'
2013:05:07-15:34:12 remote openvpn[11713]: 80.152.165.2:64690 Delayed exit in 5 seconds
2013:05:07-15:34:12 remote openvpn[11713]: 80.152.165.2:64690 SENT CONTROL [user name]: 'AUTH_FAILED' (status=1)
2013:05:07-15:34:13 remote openvpn[11713]: 80.152.165.2:64690 Connection reset, restarting [0]
2013:05:07-15:34:13 remote openvpn[11713]: 80.152.165.2:64690 SIGUSR1[soft,connection-reset] received, client-instance restarting 


The user is authenticated against my ActiveDirectory and in the authentication log it is successful:

2013:05:07-15:34:09 remote aua[9285]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.12.41 (adirectory)"
2013:05:07-15:34:10 remote aua[9285]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="80.152.165.2" user="User Name" caller="openvpn" engine="adirectory"
Any help would be greatly appreciated.

Dino
  • Can you please install the latest package 9.100-14 and try again?!

    Regards
    Dominic

    Sorry, but it isn't fixed. I've updated to 9.100-14 but it still doesn't work. I am still getting this:


    2013:05:11-16:21:06 remote openvpn[4814]: TCP connection established with [AF_INET]80.187.102.83:14127 (via [AF_INET]91.52.137.246:1194)
    2013:05:11-16:21:06 remote openvpn[4814]: 80.187.102.83:14127 TLS: Initial packet from [AF_INET]80.187.102.83:14127 (via [AF_INET]91.52.137.246:1194), sid=9a5fd22b 2b1169c7
    2013:05:11-16:21:10 remote openvpn[4814]: 80.187.102.83:14127 VERIFY OK: depth=0, C=de, L=Ratingen, O=N/A, CN=Max Müller, emailAddress=max.mueller@domain.tld
    2013:05:11-16:21:10 remote openvpn[4814]: 80.187.102.83:14127 VERIFY OK: depth=1, C=de, L=Ratingen, O=N/A, CN=N/A VPN CA, emailAddress=max.mueller@domain.tld
    2013:05:11-16:21:10 remote openvpn[4814]: 80.187.102.83:14127 VERIFY OK: depth=1, C=de, L=Ratingen, O=N/A, CN=N/A VPN CA, emailAddress=max.mueller@domain.tld
    2013:05:11-16:21:10 remote openvpn[4814]: 80.187.102.83:14127 VERIFY OK: depth=0, C=de, L=Ratingen, O=N/A, CN=Max Müller, emailAddress=max.mueller@domain.tld
    2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 TLS: Username/Password authentication deferred for username 'max mueller' [CN SET]
    2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 TLS Auth Error: --client-config-dir authentication failed for common name 'max mueller' file='/etc/openvpn/conf.d/max mueller'
    2013:05:11-16:21:13 remote openvpn[4814]: 80.187.102.83:14127 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    2013:05:11-16:21:13 remote openvpn[4814]: 80.187.102.83:14127 [max mueller] Peer Connection Initiated with [AF_INET]80.187.102.83:14127 (via [AF_INET]91.52.137.246:1194)
    2013:05:11-16:21:15 remote openvpn[4814]: 80.187.102.83:14127 PUSH: Received control message: 'PUSH_REQUEST'
    2013:05:11-16:21:15 remote openvpn[4814]: 80.187.102.83:14127 Delayed exit in 5 seconds
    2013:05:11-16:21:15 remote openvpn[4814]: 80.187.102.83:14127 SENT CONTROL [max mueller]: 'AUTH_FAILED' (status=1)
    2013:05:11-16:21:16 remote openvpn[4814]: 80.187.102.83:14127 Connection reset, restarting [0]
    2013:05:11-16:21:16 remote openvpn[4814]: 80.187.102.83:14127 SIGUSR1[soft,connection-reset] received, client-instance restarting


    Here's the User Authentication Daemon Log:


    2013:05:11-16:30:13 remote aua[10015]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.12.41 (adirectory)"
    2013:05:11-16:30:13 remote aua[10015]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="80.187.102.83" user="max mueller" caller="openvpn" reason="DENIED"
    2013:05:11-16:30:30 remote aua[10347]: id="3006" severity="info" sys="System" sub="auth" name="Trying 192.168.12.41 (adirectory)"
    2013:05:11-16:30:30 remote aua[10347]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="80.187.102.83" user="Max Mueller" caller="openvpn" engine="adirectory"


    The first failed entry is because I tried with a wrong password to make sure authentication works. The second try is with the correct password and is authenticated correctly.

    So there must be a problem other than the one fixed in 9.100-14.


    Dino
  • Oops, I just stumbled across this line:

    2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 TLS Auth Error: --client-config-dir authentication failed for common name 'max mueller' file='/etc/openvpn/conf.d/max mueller'


    and wanted to look at what's inside this file.
    But I didn't even have a /etc/openvpn/ folder on my system.

    Maybe this could help you, Dominic
  • It is in the chroot from openvpn see:

    /var/sec/chroot-openvpn/etc/openvpn/conf.d/$USERNAME

    Seems that it is the same bug I found:

    https://community.sophos.com/products/unified-threat-management/astaroorg/f/80/t/65184
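As an added example (not code from the thread or from Sophos), a small Python checker that groups the openvpn log lines above per client session, compares the certificate CN from the VERIFY OK line with the name used for the --client-config-dir lookup, and resolves the logged file path against the chroot path given in the last reply. The sample log is a constructed, abbreviated copy of the lines quoted above, and the `exists` hook is an assumption so the check can run offline.

```python
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample: abbreviated copy of the session pattern quoted in the thread.
SAMPLE_LOG = """\
2013:05:11-16:21:10 remote openvpn[4814]: 80.187.102.83:14127 VERIFY OK: depth=0, C=de, L=Ratingen, O=N/A, CN=Max Müller, emailAddress=max.mueller@domain.tld
2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 TLS: Username/Password authentication deferred for username 'max mueller' [CN SET]
2013:05:11-16:21:12 remote openvpn[4814]: 80.187.102.83:14127 TLS Auth Error: --client-config-dir authentication failed for common name 'max mueller' file='/etc/openvpn/conf.d/max mueller'
2013:05:11-16:21:15 remote openvpn[4814]: 80.187.102.83:14127 SENT CONTROL [max mueller]: 'AUTH_FAILED' (status=1)
"""

# Chroot named in the thread; the file= path in the log is relative to it.
CHROOT = "/var/sec/chroot-openvpn"

LINE_RE = re.compile(r"^\S+ \S+ openvpn\[\d+\]: (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
CN_RE = re.compile(r"VERIFY OK: depth=0, .*?CN=(?P<cn>[^,]+)")
CCD_RE = re.compile(r"--client-config-dir authentication failed for common name "
                    r"'(?P<name>[^']+)' file='(?P<file>[^']+)'")


def analyze(log_text, chroot=CHROOT, exists=None):
    """Return one finding per client session whose client-config-dir lookup failed.

    `exists` is an injectable file-existence check (assumption, for offline runs).
    """
    exists = exists or (lambda p: Path(p).is_file())
    sessions = defaultdict(dict)          # keyed by "ip:port" of the client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an openvpn per-client line
        peer, msg = m.group("peer"), m.group("msg")
        if cn := CN_RE.search(msg):       # leaf certificate CN as presented by the client
            sessions[peer]["cert_cn"] = cn.group("cn")
        elif ccd := CCD_RE.search(msg):   # name and file openvpn actually looked up
            sessions[peer]["ccd_name"] = ccd.group("name")
            sessions[peer]["ccd_file"] = ccd.group("file")
        elif "'AUTH_FAILED'" in msg:
            sessions[peer]["auth_failed"] = True
    findings = []
    for peer, s in sessions.items():
        if "ccd_file" not in s:
            continue
        real_path = chroot + s["ccd_file"]
        cert_cn = s.get("cert_cn")
        findings.append({
            "peer": peer,
            "cert_cn": cert_cn,
            "lookup_name": s["ccd_name"],
            "cn_mismatch": cert_cn is not None and cert_cn != s["ccd_name"],
            "chroot_path": real_path,
            "file_missing": not exists(real_path),
            "auth_failed": s.get("auth_failed", False),
        })
    return findings
```

Run it against the real /var/log/openvpn.log on the box (without the `exists` override) to see whether the per-user file is missing inside the chroot or only named differently from the certificate CN.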