Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 33419 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN not connecting

gcraenen
Hello,

I've setup a user and a SSL VPN server. Through the user portal I downloaded the ovpn file and loaded that in Tunnelblick (working on OS X). When I try ti connect it keeps on trying, but no connection is made.

In tunnelblick I can see the following error: 


9 VERIFY ERROR: could not extract CN from X509 subject string ('C=XX, L=yy, O=zz') -- note that the username length is limited to 64 characters

2015-11-02 20:20:39 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2015-11-02 20:20:39 TLS Error: TLS object -> incoming plaintext read error

2015-11-02 20:20:39 TLS Error: TLS handshake failed

2015-11-02 20:20:39 Fatal TLS error (check_tls_errors_co), restarting

2015-11-02 20:20:39 SIGUSR1[soft,tls-error] received, process restarting


And in the log files of the UTM I can see: 


2015:11:02-20:20:38 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53020 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 TLS: Initial packet from [AF_INET]192.168.88.198:53020 (via [AF_INET]192.168.88.1:443), sid=794b7437 fad4f1d7

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 Connection reset, restarting [0]

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 SIGUSR1[soft,connection-reset] received, client-instance restarting

2015:11:02-20:20:39 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53022 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 TLS: Initial packet from [AF_INET]192.168.88.198:53022 (via [AF_INET]192.168.88.1:443), sid=2f1c0009 48c48bd2

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 Connection reset, restarting [0]

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 SIGUSR1[soft,connection-reset] received, client-instance restarting

2015:11:02-20:20:40 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53024 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:41 utm openvpn[9066]: 192.168.88.198:53024 Connection reset, restarting [0]

2015:11:02-20:20:41 utm openvpn[9066]: 192.168.88.198:53024 SIGUSR1[soft,connection-reset] received, client-instance restarting


Any idea what is going wrong? It looks like errors in the certificate of the UTM. Do I have to delete all certificates and create new ones?


This thread was automatically locked due to age.
  • 0
    Try a google on site:astaro.org tunnelblick "connection-reset".  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Yes, I got a few references with the same problem. Tried their solutions, but unfortunately no luck.

    I think this is more a Tunnelblick then UTM related issue. I tried to connect with iPads and iPhone and that is going fine.

    Not sure how to proceed further though. Is there another app for OS X available for OVPN connections? I really don't want to go back to PPTP, since that's broken and insecure.
  • 0 in reply to gcraenen
    I have tried the product Viscosity, to test if the problems or due to Tunnelblick. But they are exactly the same. Could it be that it's not possible somehow to connect from OS X to the Sophos UTM vya SSL VPN. Other devices seem to work with the seem setup of the UTM, so it looks like this is a Apple OS X problem?

    Anyone experiencing this with regards to OS X (OS X versions Yosemite and El Capitan).
  • 0 in reply to gcraenen
    I have been using Viscosity for over a year now and successfully connecting to my UTM. I can't remember where I found the reference for this, but I had to add the following to the advanced section of the configuration file:

    route-delay 4
    reneg-sec 86400
    cipher AES-256-CBC
    auth SHA1
    resolv-retry infinite

    Andy
  • 0
    Hi,

    Thanks. I checked the config file and the options you mentioned are in there. I can see the following in the log:


    Nov 04 16:44:57: OpenVPN 2.3.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Sep 23 2015
    Nov 04 16:44:57: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
    Nov 04 16:45:00: WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html
    Nov 04 16:45:00: Attempting to establish TCP connection with [AF_INET]A.B.C.242:443 [nonblock]
    Nov 04 16:45:01: TCP connection established with [AF_INET]A.B.C.242:443
    Nov 04 16:45:01: TCPv4_CLIENT link local: [undef]
    Nov 04 16:45:01: TCPv4_CLIENT link remote: [AF_INET]A.B.C.242:443
    Nov 04 16:45:01: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Nov 04 16:45:01: VERIFY ERROR: could not extract CN from X509 subject string ('C=nl, L=Wassenaar, O=Calmus BV') -- note that the username length is limited to 64 characters
    Nov 04 16:45:01: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Nov 04 16:45:01: TLS Error: TLS object -> incoming plaintext read error
    Nov 04 16:45:01: TLS Error: TLS handshake failed
    Nov 04 16:45:01: Fatal TLS error (check_tls_errors_co), restarting
    Nov 04 16:45:01: SIGUSR1[soft,tls-error] received, process restarting


    It looks like the connection is made, but something goes wrong with the certificate and TLS handshake after that.
  • 0
    I've created VPN connections withe OSX versions prior to Yosemite and El Capitan.  Try contacting Viscosity support.  In the past they've been very good at providing assistance/patches for their client with UTM.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0 in reply to Scott_Klassen
    Ok, I'll try that. Hope they can help, because our business needs this. I'm on the verge of installing a separate VPN server and just forward all traffic to that.


    I've created VPN connections withe OSX versions prior to Yosemite and El Capitan.  Try contacting Viscosity support.  In the past they've been very good at providing assistance/patches for their client with UTM.
  • 0

    To bring back an old thread. I tried many different things to get this to work and nothing worked. I gave up, loaded the config on my iPhone and connected through OpenVPN app. So I knew everything was working, but the mac would refuse to connect with tunnelblick. I decided to try different OpenVPN versions and one of them worked!

    I used 2.4.4 - OpenSSL v1.0.2l

    Hopefully this can help someone that is searching for this issue!

Unfiltered HTML