S2S VPN with Sonicwall using certification and IP

I set up a S2S VPN from a Sophos UTM to a SonicWall. Initially I had it as a PSK, then I switched it to a certificate. When I did that, it changed the VPN ID to the hostname of the UTM. It is supposed to pull the VPN ID from the cert, which would be an IP. Why is it using the hostname then? How do I get it to use that IP?



This thread was automatically locked due to age.
  • Hi, and welcome to the UTM Community!

    Please insert a picture of the "Local X509 Certificate" used in the Remote Gateway definition. Be sure to obfuscate enough to maintain security.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • On the remote gateway it says it is getting the VPN ID from the cert.

    On the cert it showed the VPN ID as the IP address.

    On the VPN status it put in the hostname of the UTM.

    I'll get a copy of the cert posted shortly.

    thank you for the help.


  • Here is the cert.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                97:01:d9:38:31:da:f7:17
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=us, L=City, O=City of City, CN=City of City VPN CA/emailAddress=email@domain.org
            Validity
                Not Before: May 18 15:26:46 2016 GMT
                Not After : Jan  1 00:00:01 2038 GMT
            Subject: C=us, ST=State, L=City, O=City of City, OU=IT/emailAddress=email@domain.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c2:38:85:75:48:5f:20:7f:7b:93:17:ac:dc:87:
                        17:72:41:f5:e8:5c:27:03:12:ae:ce:88:8a:97:25:
                        43:a6:5d:6a:3f:22:18:c8:be:85:a3:8d:13:ef:e3:
                        b2:49:ed:9e:bf:a5:40:45:3c:3d:79:c5:7d:a0:16:
                        0a:51:97:ac:1c:09:18:91:55:07:1f:7c:21:68:58:
                        14:71:86:55:b5:49:a4:58:1e:c2:c9:e0:f7:6f:3f:
                        95:d7:e9:47:e1:60:65:fb:1f:f5:04:ee:49:75:99:
                        7d:9e:2a:d7:fb:b5:0a:3f:e6:7b:21:f4:ac:64:dd:
                        41:99:cd:7f:08:7e:87:df:7d:4a:15:4d:5d:0c:de:
                        ac:c2:e0:bc:4e:61:19:41:4f:fa:d4:d1:13:90:4f:
                        c7:1f:34:b5:d1:d4:de:0e:e3:ee:ad:f4:d6:00:37:
                        ef:2f:ad:37:a0:1e:79:9b:11:de:c6:67:56:83:2d:
                        42:f5:df:29:92:41:93:ab:12:63:d9:ba:37:e7:f4:
                        d1:15:3f:1c:71:b0:da:40:0a:3f:ce:fe:f6:7a:a1:
                        2b:64:ca:96:28:dc:e2:f3:76:eb:b4:87:81:ab:bc:
                        65:0a:e3:83:4d:c7:36:87:e9:50:c5:24:25:81:85:
                        ea:dd:0a:3e:f5:18:64:5f:5f:e7:90:a9:f2:10:39:
                        a4:65
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    E9:FF:7C:16:64:2A:16:29:DF:6D:79:27:9D:29:6E:E8:3E:28:4B:59
                X509v3 Authority Key Identifier: 
                    keyid:5D:48:D0:7C:A3:B5:C8:4F:E7:C7:28:1D:1E:54:EE:ED:5E:CA:E9:7D
                    DirName:/C=us/L=City/O=City of City/CN=City of City VPN CA/emailAddress=email@domain.org
                    serial:97:01:D9:38:31:DA:F7:0F
    
                X509v3 Subject Alternative Name: 
                    IP Address:XXX.XXX.XXX.XXX
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Key Usage: 
                    Digital Signature, Non Repudiation, Key Encipherment
        Signature Algorithm: sha256WithRSAEncryption
             51:25:6f:5e:0a:f1:74:07:f7:37:a6:18:87:2c:35:ba:83:e3:
             93:7d:a8:04:bb:c8:5a:fe:a6:dc:8f:47:8b:5c:e9:45:26:7f:
             5b:da:1a:9e:e0:4d:9a:0d:0f:da:67:8f:1f:fc:8f:e2:5f:5f:
             c5:56:76:25:4d:cf:9b:9b:15:62:5c:57:84:0a:bd:a2:c1:37:
             bf:0a:de:c2:0d:7c:56:7b:08:04:11:a8:cf:82:68:f2:2e:ce:
             7b:92:da:d3:49:41:0e:41:30:dc:3c:49:48:f6:e8:47:fa:19:
             2b:3d:e9:78:e5:33:ad:44:2e:4e:af:b2:a7:04:f8:4e:41:20:
             44:c9:68:46:14:67:f4:7d:85:48:3d:46:9b:b7:b1:2b:64:e4:
             aa:dc:56:c9:bd:df:e6:86:08:71:1a:ea:d2:75:ce:47:31:96:
             69:1c:66:94:f1:8d:89:63:77:ce:b1:eb:93:ca:62:2b:e4:89:
             a2:fe:4d:74:93:a3:c4:38:b8:51:43:ae:f6:4b:97:6d:c0:ff:
             d6:26:d0:9c:38:f7:06:ea:dd:da:70:35:e8:ab:f7:a7:4c:83:
             79:7e:32:16:81:6d:00:a1:ca:1d:27:34:51:4d:28:7a:24:42:
             22:db:5b:89:6e:5c:42:8b:13:9f:15:b2:8f:ff:96:ae:56:fd:
             40:e6:bd:83
    -----BEGIN CERTIFICATE-----
    MIIEizCCA3OgAwIBAgIJAJcB2Tgx2vcXMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
    VQQGEwJ1czEQMA4GA1UEBwwHQXNobGFuZDEYMBYGA1UECgwPQ2l0eSBvZiBBc2hs
    YW5kMR8wHQYDVQQDDBZDaXR5IG9mIEFzaGxhbmQgVlBOIENBMSYwJAYJKoZIhvcN
    AQkBFhdhZG1pbmlzdHJhdG9yQGNvYXdpLm9yZzAeFw0xNjA1MTgxNTI2NDZaFw0z
    ODAxMDEwMDAwMDFaMH0xCzAJBgNVBAYTAnVzMRIwEAYDVQQIDAlXaXNjb25zaW4x
    EDAOBgNVBAcMB0FzaGxhbmQxGDAWBgNVBAoMD0NpdHkgb2YgQXNobGFuZDELMAkG
    A1UECwwCSVQxITAfBgkqhkiG9w0BCQEWEnRtaWNoYWVsQGNvYXdpLm9yZzCCASIw
    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMI4hXVIXyB/e5MXrNyHF3JB9ehc
    JwMSrs6IipclQ6Zdaj8iGMi+haONE+/jskntnr+lQEU8PXnFfaAWClGXrBwJGJFV
    Bx98IWhYFHGGVbVJpFgewsng928/ldfpR+FgZfsf9QTuSXWZfZ4q1/u1Cj/meyH0
    rGTdQZnNfwh+h999ShVNXQzerMLgvE5hGUFP+tTRE5BPxx80tdHU3g7j7q301gA3
    7y+tN6AeeZsR3sZnVoMtQvXfKZJBk6sSY9m6N+f00RU/HHGw2kAKP87+9nqhK2TK
    lijc4vN267SHgau8ZQrjg03HNofpUMUkJYGF6t0KPvUYZF9f55Cp8hA5pGUCAwEA
    AaOCAQYwggECMB0GA1UdDgQWBBTp/3wWZCoWKd9teSedKW7oPihLWTCBtwYDVR0j
    BIGvMIGsgBRdSNB8o7XIT+fHKB0eVO7tXsrpfaGBiKSBhTCBgjELMAkGA1UEBhMC
    dXMxEDAOBgNVBAcMB0FzaGxhbmQxGDAWBgNVBAoMD0NpdHkgb2YgQXNobGFuZDEf
    MB0GA1UEAwwWQ2l0eSBvZiBBc2hsYW5kIFZQTiBDQTEmMCQGCSqGSIb3DQEJARYX
    YWRtaW5pc3RyYXRvckBjb2F3aS5vcmeCCQCXAdk4Mdr3DzAPBgNVHREECDAGhwTA
    qPAEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IBAQBR
    JW9eCvF0B/c3phiHLDW6g+OTfagEu8ha/qbcj0eLXOlFJn9b2hqe4E2aDQ/aZ48f
    /I/iX1/FVnYlTc+bmxViXFeECr2iwTe/Ct7CDXxWewgEEajPgmjyLs57ktrTSUEO
    QTDcPElI9uhH+hkrPel45TOtRC5Or7KnBPhOQSBEyWhGFGf0fYVIPUabt7ErZOSq
    3FbJvd/mhghxGurSdc5HMZZpHGaU8Y2JY3fOseuTymIr5Imi/k10k6PEOLhRQ672
    S5dtwP/WJtCcOPcG6t3acDXoq/enTIN5fjIWgW0AocodJzRRTSh6JEIi21uJblxC
    ixOfFbKP/5auVv1A5r2D
    -----END CERTIFICATE-----
    

  • In line 11 of that cert, there should be a CN=, but there isn't. You might want to review https://sophserv.sophos.com/repo_kb/115139/file/Site-to-site-vpn_x509_en.pdf

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
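The point of Bob's reply is that the Subject DN carries no CN, while the only identity in the certificate sits in the Subject Alternative Name. The script below is an added check, not code from the thread or from Sophos: it decodes the PEM posted above with a minimal DER walker (no third-party libraries) and reports which attribute types the Issuer and Subject DNs contain, whether a Subject CN is present, and what the SAN holds. One caveat worth noting as a defender: the text dump above was obfuscated by hand, but the PEM block encodes the real DN values, so the report prints attribute types rather than values. The script does not reproduce the UTM's own VPN ID selection logic (the linked PDF covers that); it only shows what identities the certificate actually carries.

```python
import base64
import ipaddress

# PEM copied from the post above. Its DER encoding carries the unredacted
# issuer/subject values, so the report below prints attribute types, not values.
PEM = """-----BEGIN CERTIFICATE-----
MIIEizCCA3OgAwIBAgIJAJcB2Tgx2vcXMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
VQQGEwJ1czEQMA4GA1UEBwwHQXNobGFuZDEYMBYGA1UECgwPQ2l0eSBvZiBBc2hs
YW5kMR8wHQYDVQQDDBZDaXR5IG9mIEFzaGxhbmQgVlBOIENBMSYwJAYJKoZIhvcN
AQkBFhdhZG1pbmlzdHJhdG9yQGNvYXdpLm9yZzAeFw0xNjA1MTgxNTI2NDZaFw0z
ODAxMDEwMDAwMDFaMH0xCzAJBgNVBAYTAnVzMRIwEAYDVQQIDAlXaXNjb25zaW4x
EDAOBgNVBAcMB0FzaGxhbmQxGDAWBgNVBAoMD0NpdHkgb2YgQXNobGFuZDELMAkG
A1UECwwCSVQxITAfBgkqhkiG9w0BCQEWEnRtaWNoYWVsQGNvYXdpLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMI4hXVIXyB/e5MXrNyHF3JB9ehc
JwMSrs6IipclQ6Zdaj8iGMi+haONE+/jskntnr+lQEU8PXnFfaAWClGXrBwJGJFV
Bx98IWhYFHGGVbVJpFgewsng928/ldfpR+FgZfsf9QTuSXWZfZ4q1/u1Cj/meyH0
rGTdQZnNfwh+h999ShVNXQzerMLgvE5hGUFP+tTRE5BPxx80tdHU3g7j7q301gA3
7y+tN6AeeZsR3sZnVoMtQvXfKZJBk6sSY9m6N+f00RU/HHGw2kAKP87+9nqhK2TK
lijc4vN267SHgau8ZQrjg03HNofpUMUkJYGF6t0KPvUYZF9f55Cp8hA5pGUCAwEA
AaOCAQYwggECMB0GA1UdDgQWBBTp/3wWZCoWKd9teSedKW7oPihLWTCBtwYDVR0j
BIGvMIGsgBRdSNB8o7XIT+fHKB0eVO7tXsrpfaGBiKSBhTCBgjELMAkGA1UEBhMC
dXMxEDAOBgNVBAcMB0FzaGxhbmQxGDAWBgNVBAoMD0NpdHkgb2YgQXNobGFuZDEf
MB0GA1UEAwwWQ2l0eSBvZiBBc2hsYW5kIFZQTiBDQTEmMCQGCSqGSIb3DQEJARYX
YWRtaW5pc3RyYXRvckBjb2F3aS5vcmeCCQCXAdk4Mdr3DzAPBgNVHREECDAGhwTA
qPAEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IBAQBR
JW9eCvF0B/c3phiHLDW6g+OTfagEu8ha/qbcj0eLXOlFJn9b2hqe4E2aDQ/aZ48f
/I/iX1/FVnYlTc+bmxViXFeECr2iwTe/Ct7CDXxWewgEEajPgmjyLs57ktrTSUEO
QTDcPElI9uhH+hkrPel45TOtRC5Or7KnBPhOQSBEyWhGFGf0fYVIPUabt7ErZOSq
3FbJvd/mhghxGurSdc5HMZZpHGaU8Y2JY3fOseuTymIr5Imi/k10k6PEOLhRQ672
S5dtwP/WJtCcOPcG6t3acDXoq/enTIN5fjIWgW0AocodJzRRTSh6JEIi21uJblxC
ixOfFbKP/5auVv1A5r2D
-----END CERTIFICATE-----"""

# DER-encoded OIDs for the DN attribute types seen in the dump, plus the SAN extension.
ATTR_TYPES = {
    bytes.fromhex("550406"): "C", bytes.fromhex("550408"): "ST",
    bytes.fromhex("550407"): "L", bytes.fromhex("55040a"): "O",
    bytes.fromhex("55040b"): "OU", bytes.fromhex("550403"): "CN",
    bytes.fromhex("2a864886f70d010901"): "emailAddress",
}
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName (2.5.29.17)


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def tlvs(buf):
    """Yield (tag, value) for each DER TLV concatenated in buf (single-byte tags only)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def parse_name(name):
    """Name ::= SEQUENCE OF RDN (SET) OF AttributeTypeAndValue (SEQUENCE {OID, value})."""
    attrs = []
    for _, rdn in tlvs(name):
        for _, atv in tlvs(rdn):
            (_, oid), (_, value) = list(tlvs(atv))
            attrs.append((ATTR_TYPES.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return attrs


def parse_san(extn_value):
    """extnValue holds SEQUENCE OF GeneralName; decode the common context tags."""
    names = []
    for tag, val in tlvs(next(tlvs(extn_value))[1]):
        if tag == 0x87:                         # [7] iPAddress, 4 or 16 packed bytes
            names.append(("IP", str(ipaddress.ip_address(val))))
        elif tag == 0x82:                       # [2] dNSName
            names.append(("DNS", val.decode("ascii")))
        elif tag == 0x81:                       # [1] rfc822Name
            names.append(("email", val.decode("ascii")))
        elif tag == 0xA4:                       # [4] directoryName (explicit Name)
            names.append(("DirName", parse_name(next(tlvs(val))[1])))
        else:
            names.append((f"tag-{tag:#x}", val.hex()))
    return names


def inspect_identities(pem):
    der = pem_to_der(pem)
    _, cert = next(tlvs(der))                   # Certificate ::= SEQUENCE
    _, tbs = next(tlvs(cert))                   # tbsCertificate is its first element
    fields = list(tlvs(tbs))
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields.pop(0)
    # fields: serial, signature alg, issuer, validity, subject, spki, [1]/[2]/[3] optional
    issuer, subject = parse_name(fields[2][1]), parse_name(fields[4][1])
    san = []
    for tag, val in fields[6:]:
        if tag != 0xA3:                         # [3] EXPLICIT Extensions
            continue
        for _, ext in tlvs(next(tlvs(val))[1]):
            items = list(tlvs(ext))             # OID, optional critical BOOLEAN, OCTET STRING
            if items[0][1] == OID_SAN:
                san = parse_san(items[-1][1])
    return {
        "issuer_types": [t for t, _ in issuer],
        "subject_types": [t for t, _ in subject],
        "subject_cn": next((v for t, v in subject if t == "CN"), None),
        "san": san,
    }


if __name__ == "__main__":
    info = inspect_identities(PEM)
    print("Issuer attribute types: ", ", ".join(info["issuer_types"]))
    print("Subject attribute types:", ", ".join(info["subject_types"]))
    print("Subject CN present:     ", info["subject_cn"] is not None)
    print("Subject Alternative Name:", info["san"])
```

Run against the posted PEM, the report shows a Subject made of C, ST, L, O, OU and emailAddress with no CN, an Issuer that does have a CN, and a SAN holding a single IP address entry. That matches what Bob points out: the identity the poster expected to be used lives only in the SAN, and the Subject has nothing the UTM could take as a CN.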
  • Thank you.

    With this doc I figured out where I was going wrong in setting up the tunnel.

    Again, thank you for the help.
