Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 1 subscriber
  • Views 12014 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

iPhone Cisco VPN /Couldn't validate Server certificate

keamas
Hi,
I configured the Cisco VPN option on my Sophos UTM Firewall.
When I connect with my Windows Cisco VPN Client from remote, everything works great.

But when I try it with my iPhone 5 Firmware 6.1.3 I get the message:
VPN Connection: Could not validate the server certificate.

Here are the settings:
Global:
Interface: External WAN
Server certificate: Local X509 Cert
Pool Network: VPN Pool (Cisco)
Local Networks: Any
User and Groups: Users

IOS Settings:
Connection name: VPN (IPsec)
Override hostname: vpn.test.dyndns.org


This thread was automatically locked due to age.
  • 0
    Version? 8.309? 9.006?

    If 9, was this a fresh install or did you import the V8 backup or is this an appliance that went through a one-touch upgrade?  I'm thinking of replace VPN Signing CA Certificate with one that uses SHA1 instead of MD5, but I wouldn't do that until we confirm that you're on one of the two versions I mentioned.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    It was a fresh installation of Sopho UTM 9.
  • 0 in reply to keamas
    It was a fresh installation of Sopho UTM 9.


    Is the Astaro the dial-in device?
    Are you using services like dyndns?

    Ralf
  • 0
    It was a fresh installation of Sopho UTM 9.

    Up2Date to 9.006 and re-install the Profile on your iPhone.  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    irmware version: 9.006-5
    I am using dyndns Services.
    The FW is behind a router. On the router I put the FW IP as a DMZ IP.

    I created a new certificate like the on the screenshot with hostname = dyndns name.

    Cisco VPN is working no !!!

    But after this change the SSL VPN is not working on port 443 anymore.
    Before this change it worked. Has anyone a idea why?

    I changed the SSL VPN port now to 1194 and this works.

    But I can't use port 443 anymore. Note on the Portal or for the SSL VPN. It seems this port is dead :-P

    At the moment I am using the following ports:
    User Portal 4443 TCP
    SSL VPN (OpenVPN) 1194 UDP
    Cisco VPN 4500 UDP

    I would like to use port 443 for SSL VPN again. Can anyone help me ? Why is this port not working anymore? Is there anything to debug this issue?
  • 0
    It was a fresh installation of Sopho UTM 9. 

    So, you confirm that you did not import a configuration backup - that you configured this from scratch?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    So, you confirm that you did not import a configuration backup - that you configured this from scratch?

    Cheers - Bob


    exactly !!!
    But port 443 is not working anymore...
    why ???
  • 0
    My first guess would be that you have a DNAT that's capturing port 443 traffic. 

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I have a normal s-nat for my internet connection 

    And something wired which allowes the cisco vpn to route all traffic trough the gateway.

    I will post the exact rule when i an at home
  • 0
    So here are my Rules:

    I have no NAT Rule defined. But I have two Masquerading Rules:

    Internal (Network) --> External (WAN)
    VPN Pool (Cisco) --> External (WAN)

    Has the cisco VPN thing influence to the port 443?
    Or any other idea?
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?