Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 33422 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN not connecting

gcraenen
Hello,

I've setup a user and a SSL VPN server. Through the user portal I downloaded the ovpn file and loaded that in Tunnelblick (working on OS X). When I try ti connect it keeps on trying, but no connection is made.

In tunnelblick I can see the following error: 


9 VERIFY ERROR: could not extract CN from X509 subject string ('C=XX, L=yy, O=zz') -- note that the username length is limited to 64 characters

2015-11-02 20:20:39 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

2015-11-02 20:20:39 TLS Error: TLS object -> incoming plaintext read error

2015-11-02 20:20:39 TLS Error: TLS handshake failed

2015-11-02 20:20:39 Fatal TLS error (check_tls_errors_co), restarting

2015-11-02 20:20:39 SIGUSR1[soft,tls-error] received, process restarting


And in the log files of the UTM I can see: 


2015:11:02-20:20:38 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53020 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 TLS: Initial packet from [AF_INET]192.168.88.198:53020 (via [AF_INET]192.168.88.1:443), sid=794b7437 fad4f1d7

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 Connection reset, restarting [0]

2015:11:02-20:20:39 utm openvpn[9066]: 192.168.88.198:53020 SIGUSR1[soft,connection-reset] received, client-instance restarting

2015:11:02-20:20:39 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53022 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 TLS: Initial packet from [AF_INET]192.168.88.198:53022 (via [AF_INET]192.168.88.1:443), sid=2f1c0009 48c48bd2

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 Connection reset, restarting [0]

2015:11:02-20:20:40 utm openvpn[9066]: 192.168.88.198:53022 SIGUSR1[soft,connection-reset] received, client-instance restarting

2015:11:02-20:20:40 utm openvpn[9066]: TCP connection established with [AF_INET]192.168.88.198:53024 (via [AF_INET]192.168.88.1:443)

2015:11:02-20:20:41 utm openvpn[9066]: 192.168.88.198:53024 Connection reset, restarting [0]

2015:11:02-20:20:41 utm openvpn[9066]: 192.168.88.198:53024 SIGUSR1[soft,connection-reset] received, client-instance restarting


Any idea what is going wrong? It looks like errors in the certificate of the UTM. Do I have to delete all certificates and create new ones?


This thread was automatically locked due to age.
Parents
  • 0
    Try a google on site:astaro.org tunnelblick "connection-reset".  Any luck?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Yes, I got a few references with the same problem. Tried their solutions, but unfortunately no luck.

    I think this is more a Tunnelblick then UTM related issue. I tried to connect with iPads and iPhone and that is going fine.

    Not sure how to proceed further though. Is there another app for OS X available for OVPN connections? I really don't want to go back to PPTP, since that's broken and insecure.
  • 0 in reply to gcraenen
    I have tried the product Viscosity, to test if the problems or due to Tunnelblick. But they are exactly the same. Could it be that it's not possible somehow to connect from OS X to the Sophos UTM vya SSL VPN. Other devices seem to work with the seem setup of the UTM, so it looks like this is a Apple OS X problem?

    Anyone experiencing this with regards to OS X (OS X versions Yosemite and El Capitan).
  • 0 in reply to gcraenen
    I have been using Viscosity for over a year now and successfully connecting to my UTM. I can't remember where I found the reference for this, but I had to add the following to the advanced section of the configuration file:

    route-delay 4
    reneg-sec 86400
    cipher AES-256-CBC
    auth SHA1
    resolv-retry infinite

    Andy
Reply
  • 0 in reply to gcraenen
    I have been using Viscosity for over a year now and successfully connecting to my UTM. I can't remember where I found the reference for this, but I had to add the following to the advanced section of the configuration file:

    route-delay 4
    reneg-sec 86400
    cipher AES-256-CBC
    auth SHA1
    resolv-retry infinite

    Andy
Children
No Data
Unfiltered HTML