
Cannot connect via IPsec anymore (Remote Access)

Hello,

some time ago we regenerated the UTM VPN CA certificates and let all our SSL VPN users re-download their configuration, which worked fine. Now we are facing the issue that we also have a couple of users with IPsec Remote Access via Sophos Connect with X.509 certificates, but they cannot connect anymore, even after re-downloading the configuration and the certificate and re-importing the connection. The client says: Child SA could not be established.

Sophos Connect Version is: 1.4.45.1015

UTM Version is: 9.705-3

Here is a copy of the VPN log of one client:

2020-12-07 08:33:15AM 00[DMN] Starting IKE service charon-svc (strongSwan 5.8.0, Windows Client 6.2.9200 (SP 0.0)
2020-12-07 08:33:15AM 00[LIB] TAP-Windows driver version 1.0 available.
2020-12-07 08:33:17AM 00[LIB] opened TUN device: {64728404-68ED-4A6D-8167-8A4D2CE1B809}
2020-12-07 08:33:17AM 00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 pem openssl kernel-libipsec kernel-iph socket-win vici eap-identity eap-gtc eap-mschapv2 xauth-generic windows-dns
2020-12-07 08:33:17AM 00[JOB] spawning 16 worker threads
2020-12-07 08:33:20AM 17[KNL] interface 19 'Microsoft Wi-Fi Direct Virtual Adapter' appeared
2020-12-07 08:33:21AM 17[KNL] interface 2 'Intel(R) Dual Band Wireless-AC 8265' changed state from Down to Up
2020-12-07 08:33:21AM 17[KNL] 169.254.234.24 disappeared from interface 2 'Intel(R) Dual Band Wireless-AC 8265'
2020-12-07 08:33:45AM 17[KNL] interface 8 'Hyper-V Virtual Ethernet Adapter' changed state from Up to Down
2020-12-07 08:33:48AM 18[KNL] interface 8 'Hyper-V Virtual Ethernet Adapter' disappeared
2020-12-07 08:33:56AM 18[KNL] interface 64 'Hyper-V Virtual Ethernet Adapter' appeared
2020-12-07 08:33:57AM 18[KNL] interface 64 'Hyper-V Virtual Ethernet Adapter' changed state from Down to Up
2020-12-07 08:35:06AM 18[KNL] interface 21 'Microsoft Wi-Fi Direct Virtual Adapter #2' appeared
2020-12-07 08:39:13AM 18[KNL] interface 24 'Sophos SSL VPN Adapter' changed state from Down to Up
2020-12-07 08:39:14AM 18[KNL] 169.254.163.19 disappeared from interface 24 'Sophos SSL VPN Adapter'
2020-12-07 12:33:18PM 16[CFG] loaded certificate 'C=de, L=XXX, O=XXX, CN=xxx.yyy'
2020-12-07 12:33:19PM 04[CFG] loaded RSA private key
2020-12-07 12:33:19PM 03[CFG] added vici connection: REF_IpsRoaUnityvpn
2020-12-07 12:33:19PM 14[CFG] vici initiate CHILD_SA 'REF_IpsRoaUnityvpn-tunnel-1'
2020-12-07 12:33:19PM 08[IKE] <REF_IpsRoaUnityvpn|1> initiating Main Mode IKE_SA REF_IpsRoaUnityvpn[1] to 37.xxx.xxx.xxx
2020-12-07 12:33:19PM 08[ENC] <REF_IpsRoaUnityvpn|1> generating ID_PROT request 0 [ SA V V V V V ]
2020-12-07 12:33:19PM 08[NET] <REF_IpsRoaUnityvpn|1> sending packet: from 192.168.0.65[57819] to 37.xxx.xxx.xxx[500] (180 bytes)
2020-12-07 12:33:19PM 13[NET] <REF_IpsRoaUnityvpn|1> received packet: from 37.xxx.xxx.xxx[500] to 192.168.0.65[57819] (176 bytes)
2020-12-07 12:33:19PM 13[ENC] <REF_IpsRoaUnityvpn|1> parsed ID_PROT response 0 [ SA V V V V V ]
2020-12-07 12:33:19PM 13[IKE] <REF_IpsRoaUnityvpn|1> received strongSwan vendor ID
2020-12-07 12:33:19PM 13[IKE] <REF_IpsRoaUnityvpn|1> received Cisco Unity vendor ID
2020-12-07 12:33:19PM 13[IKE] <REF_IpsRoaUnityvpn|1> received XAuth vendor ID
2020-12-07 12:33:19PM 13[IKE] <REF_IpsRoaUnityvpn|1> received DPD vendor ID
2020-12-07 12:33:19PM 13[IKE] <REF_IpsRoaUnityvpn|1> received NAT-T (RFC 3947) vendor ID
2020-12-07 12:33:19PM 13[CFG] <REF_IpsRoaUnityvpn|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
2020-12-07 12:33:20PM 13[ENC] <REF_IpsRoaUnityvpn|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2020-12-07 12:33:20PM 13[NET] <REF_IpsRoaUnityvpn|1> sending packet: from 192.168.0.65[57819] to 37.xxx.xxx.xxx[500] (332 bytes)
2020-12-07 12:33:20PM 16[NET] <REF_IpsRoaUnityvpn|1> received packet: from 37.xxx.xxx.xxx[500] to 192.168.0.65[57819] (316 bytes)
2020-12-07 12:33:20PM 16[ENC] <REF_IpsRoaUnityvpn|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> local host is behind NAT, sending keep alives
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> sending cert request for "C=de, L=XXX, O=XXX, CN=XXX VPN CA, E=xxx.yyy@xxx.yy"
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> no RSA private key found for '192.168.0.65'
2020-12-07 12:33:20PM 16[ENC] <REF_IpsRoaUnityvpn|1> generating INFORMATIONAL_V1 request 284418982 [ HASH N(AUTH_FAILED) ]
2020-12-07 12:33:20PM 16[NET] <REF_IpsRoaUnityvpn|1> sending packet: from 192.168.0.65[57820] to 37.xxx.xxx.xxx[4500] (108 bytes)
2020-12-07 12:33:20PM 08[CFG] vici terminate IKE_SA 'REF_IpsRoaUnityvpn'
2020-12-07 12:33:21PM 07[CFG] unloaded private key with id xxxxxx9b899ff7e823c341afe16a685a0e1a877

Does anybody know what we are doing wrong or where to look to solve this?

Best regards


Jens
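As an added triage example (not code from the post, from Sophos Connect or from strongSwan), the script below parses charon-style log lines like the ones quoted above and reports where the IKEv1 exchange stopped. In the posted log the decisive line is `no RSA private key found for '192.168.0.65'`, which charon emits when it cannot find a private key whose certificate matches the local identity it is about to authenticate as; it is logged during Main Mode, before any Quick Mode, so the client's "Child SA could not be established" message is only the downstream symptom. The sample lines are copied from the post with the poster's masking left in place, and the field-layout regex is an assumption about how Sophos Connect formats its log.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed fixture: the Main Mode lines from the client log quoted in the post,
# with the poster's own masking (37.xxx.xxx.xxx, C=de, L=XXX, ...) left in place.
SAMPLE_LOG = """\
2020-12-07 12:33:18PM 16[CFG] loaded certificate 'C=de, L=XXX, O=XXX, CN=xxx.yyy'
2020-12-07 12:33:19PM 04[CFG] loaded RSA private key
2020-12-07 12:33:19PM 03[CFG] added vici connection: REF_IpsRoaUnityvpn
2020-12-07 12:33:19PM 14[CFG] vici initiate CHILD_SA 'REF_IpsRoaUnityvpn-tunnel-1'
2020-12-07 12:33:19PM 08[IKE] <REF_IpsRoaUnityvpn|1> initiating Main Mode IKE_SA REF_IpsRoaUnityvpn[1] to 37.xxx.xxx.xxx
2020-12-07 12:33:19PM 13[CFG] <REF_IpsRoaUnityvpn|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> local host is behind NAT, sending keep alives
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> sending cert request for "C=de, L=XXX, O=XXX, CN=XXX VPN CA, E=xxx.yyy@xxx.yy"
2020-12-07 12:33:20PM 16[IKE] <REF_IpsRoaUnityvpn|1> no RSA private key found for '192.168.0.65'
2020-12-07 12:33:20PM 16[ENC] <REF_IpsRoaUnityvpn|1> generating INFORMATIONAL_V1 request 284418982 [ HASH N(AUTH_FAILED) ]
2020-12-07 12:33:20PM 08[CFG] vici terminate IKE_SA 'REF_IpsRoaUnityvpn'
"""

# Assumed layout of a Sophos Connect log line as posted:
# "<date> <time> <thread>[<group>] [<ikesa|id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    thread: int
    group: str          # charon log group: CFG, IKE, ENC, NET, KNL, ...
    sa: Optional[str]   # "name|id" of the IKE_SA the line belongs to, if any
    msg: str


def parse(log: str) -> List[Entry]:
    """Turn raw log text into Entry objects, skipping lines that do not match the layout."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["thread"]), m["group"], m["sa"], m["msg"]))
    return entries


@dataclass
class Triage:
    certs_loaded: List[str] = field(default_factory=list)
    key_loaded: bool = False
    ike_proposal: Optional[str] = None
    behind_nat: bool = False
    cert_requests: List[str] = field(default_factory=list)   # CA DNs we asked the peer for
    missing_key_identity: Optional[str] = None                # identity charon could not authenticate as
    notifies_sent: List[str] = field(default_factory=list)
    quick_mode_seen: bool = False


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def triage(entries: List[Entry]) -> Triage:
    """Walk the IKEv1 exchange and record the facts that decide where it stopped."""
    t = Triage()
    for e in entries:
        msg = e.msg
        if m := re.match(r"loaded certificate '(.+)'", msg):
            t.certs_loaded.append(m.group(1))
        elif msg.startswith("loaded") and "private key" in msg:
            t.key_loaded = True
        elif m := re.search(r"selected proposal: (IKE:\S+)", msg):
            t.ike_proposal = m.group(1)
        elif "local host is behind NAT" in msg:
            t.behind_nat = True
        elif m := re.match(r'sending cert request for "(.+)"', msg):
            t.cert_requests.append(m.group(1))
        elif m := re.match(r"no \w+ private key found for '(.+)'", msg):
            t.missing_key_identity = m.group(1)
        elif msg.startswith("generating"):
            # Notify payloads we sent, e.g. N(AUTH_FAILED)
            t.notifies_sent.extend(re.findall(r"N\((\w+)\)", msg))
        # "vici initiate CHILD_SA" is only the request; Phase 2 shows up as QUICK_MODE
        # packets or a "CHILD_SA ... established" line.
        if "QUICK_MODE" in msg or ("CHILD_SA" in msg and "established" in msg):
            t.quick_mode_seen = True
    return t


def verdict(t: Triage) -> str:
    """One-line conclusion a practitioner can act on."""
    if t.missing_key_identity is not None:
        ident = t.missing_key_identity
        text = (f"Main Mode (Phase 1) failed on the client before any Quick Mode: charon tried to "
                f"authenticate as local identity '{ident}' but found no private key whose certificate "
                f"matches it; certificates loaded: {t.certs_loaded or 'none'}; "
                f"notifies sent: {', '.join(t.notifies_sent) or 'none'}.")
        if _is_ip(ident):
            text += (" The identity is an IP address rather than the loaded certificate's subject, "
                     "so compare the connection's configured local ID with that certificate.")
        return text
    if not t.quick_mode_seen:
        return "No Quick Mode exchange in the log; the failure is in or before Phase 1."
    return "Phase 1 completed; inspect the Quick Mode lines for the Child SA failure."


if __name__ == "__main__":
    print(verdict(triage(parse(SAMPLE_LOG))))
```

Run it as-is to see the verdict for the posted log, or replace `SAMPLE_LOG` with the full client log; the parser ignores the `[KNL]` interface chatter because none of the triage rules match it.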





This thread was automatically locked due to age.
  • Hallo Jens and welcome to the UTM Community!

    Please show us the corresponding lines from the UTM's IPsec log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA