
SSL VPN issue after UTM upgrade to 9.404-5

Hello,

After the UTM upgrade from 9.403-4 to 9.404-5 the SSL VPN connection is no longer working. I changed nothing in the configuration.

Now I get the following error message:

...

2016:06:28-12:24:27 firewall openvpn[9229]: SENT CONTROL [firewall]: 'PUSH_REQUEST' (status=1)

2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT WRITE [56] to [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=42
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [22] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_ACK_V1 kid=0 [ 5 ]
2016:06:28-12:24:27 firewall openvpn[9229]: TCPv4_CLIENT READ [466] from [AF_INET]213.136.68.103:44344 (via [AF_INET]10.10.10.254:35371): P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=452
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,route 192.168.54.0 255.255.255.0,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.54.0/24,setenv-safe remote_network_2 192.168.55.0/24,setenv-safe local_network_1 192.168.5.0/24,setenv-safe local_network_2 192.168.111.0/24,setenv-safe local_network_3 192.168.250.0/24,setenv-safe local_network_4 192.168.110.0/24,ifconfig 192.168.54.6 192.168.54.5'
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: --ifconfig/up options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: route-related options modified
2016:06:28-12:24:27 firewall openvpn[9229]: OPTIONS IMPORT: environment modified
2016:06:28-12:24:27 firewall openvpn[9229]: ROUTE_GATEWAY 10.10.10.1/255.255.255.0 IFACE=eth0.10 HWADDR=00:15:5d:6f:14:09
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP device tun1 opened
2016:06:28-12:24:27 firewall openvpn[9229]: TUN/TAP TX queue length set to 100
2016:06:28-12:24:27 firewall openvpn[9229]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip link set dev tun1 up mtu 1500
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip addr add dev tun1 192.168.54.6/11 broadcast 255.255.255.254
2016:06:28-12:24:27 firewall openvpn[9229]: /bin/ip route change dev tun1 192.168.54.4/11 proto 41 src 192.168.54.6
2016:06:28-12:24:27 firewall openvpn[9229]: MANAGEMENT: Client disconnected
2016:06:28-12:24:27 firewall openvpn[9229]: Linux ip route change failed: external program exited with error status: 2
2016:06:28-12:24:27 firewall openvpn[9229]: Exiting due to fatal error
2016:06:28-12:24:35 firewall openvpn[6482]: MANAGEMENT: Client disconnected

Because tun1 is not available, I tried to execute this command as a test on another interface and then got the following error message:

firewall:/var/sec/chroot-openvpn/etc/openvpn/conf.d # /bin/ip route change dev tun0 192.168.54.4/11 proto 41 src 192.168.54.6
RTNETLINK answers: Invalid argument

I hope you can help me!

Many Thanks!

Regards

Simon



  • Congratulations, Sophos.

    Critical Bug without any solution for more than one week!! We need a hotfix or workaround asap.

  • Hi, Simon, Christian and Marcelo, and welcome to the UTM Community!

    We need to look at both sides of one conversation.  Disable the Client side of the SSL VPN, start the SSL VPN Live Log on the Server side, start the SSL VPN Live Log on the Client side and, after the Client Live Log shows a few lines, enable the Client.  Show us log lines for both sides for a single connection attempt.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • A fresh install is not an option in our environment.

    We have an HA system with more than 30 VPN connections and mission-critical systems behind our firewalls which have to be reached from outside. So we cannot accept downtimes longer than 2 minutes.

    We need a solution from Sophos ASAP. Nobody from Sophos in this forum??

  • Have you opened a ticket? Have you contacted your reseller? Have you called Sophos support by phone?


    ...I would try to contact Sophos support by phone... if you have the appropriate support contract.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Hi Bob,

    Unfortunately, I'm no longer able to provide the details because I restored the old version (9.403-4) some days ago. This VPN connection is mandatory for us.

    Regards

    Simon

  • Yes we have. But no solution till now ....

  • OK, then I see two options for you at the moment:

    1: A 30-minute service window to fresh install your Sophos from an ISO and import the backup file (prepare well and have the right ISO...)

    2: Wait for the fix from Sophos... hope you get a hotfix file from support... I waited 3 weeks until they fixed the pppoe-reconnect-ipsec-vpn-bug...

    greets

    zaphod

  • You had a UTM running a non-UTM SSL VPN client successfully?  I don't know of anyone else that has done this.  Can you generate the log I requested and get the customer to send you the concurrent log from their pfSense?

    Cheers - Bob

     
  • Our Sophos UTM is the client side of the SSL VPN tunnel. We got the config file from our customer, so we do not need a setup on our side. Our UTM acts as a client with a single IP address and does SNAT to the customer.

    Here is the tool to create an apc file from ovpn: github.com/.../ovpn-to-apc

  • Log SIDE Client.

    2016:06:29-07:57:00 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32971 PUSH: Received control message: 'PUSH_REQUEST'
    2016:06:29-07:57:00 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32971 send_push_reply(): safe_cap=940
    2016:06:29-07:57:00 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32971 SENT CONTROL [REF_LtGyVxezOr]: 'PUSH_REPLY,topology subnet,route-gateway 192.168.10.1,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.55.0/24,setenv-safe local_network_1 192.168.155.0/24,ifconfig 192.168.50.1 192.168.10.1' (status=1)
    2016:06:29-07:57:00 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32971 Connection reset, restarting [0]
    2016:06:29-07:57:00 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32971 SIGUSR1[soft,connection-reset] received, client-instance restarting
    2016:06:29-07:57:00 zeus openvpn[7700]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ssl" connection="REF_oPBGKYYZIw" address="200.97.128.10"
    2016:06:29-07:57:00 zeus openvpn[7700]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0
    2016:06:29-07:57:07 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-07:57:07 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-07:57:07 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-07:57:17 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-07:58:10 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-07:58:10 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-07:58:20 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-07:58:45 zeus openvpn[7700]: TCP connection established with [AF_INET]174.27.83.106:60685 (via [AF_INET]200.97.128.10:443)
    2016:06:29-07:58:45 zeus openvpn[7700]: 174.27.83.106:60685 Non-OpenVPN client protocol detected
    2016:06:29-07:58:45 zeus openvpn[7700]: 174.27.83.106:60685 SIGTERM[soft,port-share-redirect] received, client-instance exiting
    2016:06:29-07:59:04 zeus openvpn[7700]: TCP connection established with [AF_INET]223.16.36.250:58588 (via [AF_INET]200.97.128.10:443)
    2016:06:29-07:59:04 zeus openvpn[7700]: 223.16.36.250:58588 Non-OpenVPN client protocol detected
    2016:06:29-07:59:04 zeus openvpn[7700]: 223.16.36.250:58588 SIGTERM[soft,port-share-redirect] received, client-instance exiting
    2016:06:29-07:59:10 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-07:59:10 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-07:59:20 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:00:12 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-08:00:12 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:00:22 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:01:04 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-08:01:04 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:01:05 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:01:13 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:01:23 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:02:14 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-08:02:14 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:02:18 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:02:22 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:02:32 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:03:20 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-08:03:20 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:03:30 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:04:15 zeus openvpn[7700]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
    2016:06:29-08:04:15 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:04:15 zeus openvpn[7700]: MANAGEMENT: CMD 'status -1'
    2016:06:29-08:04:25 zeus openvpn[7700]: MANAGEMENT: Client disconnected
    2016:06:29-08:05:36 zeus openvpn[7700]: TCP connection established with [AF_INET]189.114.142.152:32992 (via [AF_INET]200.97.128.10:443)
    2016:06:29-08:05:37 zeus openvpn[7700]: 189.114.142.152:32992 TLS: Initial packet from [AF_INET]189.114.142.152:32992 (via [AF_INET]200.97.128.10:443), sid=cbc59c4c 17890da8
    2016:06:29-08:05:37 zeus openvpn[7700]: 189.114.142.152:32992 VERIFY OK: depth=0, C=br, L=Petropolis, O=Binzel do Brasil indrustrial Ltda, CN=REF_oPBGKYYZIw
    2016:06:29-08:05:37 zeus openvpn[7700]: 189.114.142.152:32992 VERIFY OK: depth=1, C=br, L=Petropolis, O=Binzel do Brasil indrustrial Ltda, CN=Binzel do Brasil indrustrial Ltda VPN CA, emailAddress=amoglia@binzel-abicor.com.br
    2016:06:29-08:05:37 zeus openvpn[7700]: 189.114.142.152:32992 VERIFY OK: depth=1, C=br, L=Petropolis, O=Binzel do Brasil indrustrial Ltda, CN=Binzel do Brasil indrustrial Ltda VPN CA, emailAddress=amoglia@binzel-abicor.com.br
    2016:06:29-08:05:37 zeus openvpn[7700]: 189.114.142.152:32992 VERIFY OK: depth=0, C=br, L=Petropolis, O=Binzel do Brasil indrustrial Ltda, CN=REF_oPBGKYYZIw
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 TLS: Username/Password authentication deferred for username 'REF_LtGyVxezOr' [CN SET]
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
    2016:06:29-08:05:38 zeus openvpn[7700]: 189.114.142.152:32992 [REF_LtGyVxezOr] Peer Connection Initiated with [AF_INET]189.114.142.152:32992 (via [AF_INET]200.97.128.10:443)
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/REF_LtGyVxezOr
    2016:06:29-08:05:39 zeus openvpn[7700]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ssl" connection="REF_oPBGKYYZIw" address="200.97.128.10"
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_1660385a517d60d189d479634a69b7fd.tmp
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI ERROR: primary virtual IP for REF_LtGyVxezOr/189.114.142.152:32992 (192.168.50.1) violates tunnel network/netmask constraint (192.168.10.0/255.255.255.0)
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI: Learn: 192.168.50.1 -> REF_LtGyVxezOr/189.114.142.152:32992
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI: primary virtual IP for REF_LtGyVxezOr/189.114.142.152:32992: 192.168.50.1
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI: internal route 192.168.155.0/24 -> REF_LtGyVxezOr/189.114.142.152:32992
    2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI: Learn: 192.168.155.0/24 -> REF_LtGyVxezOr/189.114.142.152:32992
    2016:06:29-08:05:40 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 PUSH: Received control message: 'PUSH_REQUEST'
    2016:06:29-08:05:40 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 send_push_reply(): safe_cap=940
    2016:06:29-08:05:40 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 SENT CONTROL [REF_LtGyVxezOr]: 'PUSH_REPLY,topology subnet,route-gateway 192.168.10.1,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.55.0/24,setenv-safe local_network_1 192.168.155.0/24,ifconfig 192.168.50.1 192.168.10.1' (status=1)
    2016:06:29-08:05:40 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 Connection reset, restarting [0]
    2016:06:29-08:05:40 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 SIGUSR1[soft,connection-reset] received, client-instance restarting
    2016:06:29-08:05:40 zeus openvpn[7700]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ssl" connection="REF_oPBGKYYZIw" address="200.97.128.10"
    2016:06:29-08:05:40 zeus openvpn[7700]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0

    Log Server Side

    2016:06:29-07:57:00 astaro openvpn[4580]: ROUTE_GATEWAY 187.115.211.232
    2016:06:29-07:57:00 astaro openvpn[4580]: TUN/TAP device tun0 opened
    2016:06:29-07:57:00 astaro openvpn[4580]: TUN/TAP TX queue length set to 100
    2016:06:29-07:57:00 astaro openvpn[4580]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    2016:06:29-07:57:00 astaro openvpn[4580]: /bin/ip link set dev tun0 up mtu 1500
    2016:06:29-07:57:00 astaro openvpn[4580]: /bin/ip addr add dev tun0 192.168.50.1/8 broadcast 255.255.247.255
    2016:06:29-07:57:00 astaro openvpn[4580]: /bin/ip route change dev tun0 192.168.2.1/8 proto 41 src 192.168.50.1
    2016:06:29-07:57:00 astaro openvpn[4580]: MANAGEMENT: Client disconnected
    2016:06:29-07:57:00 astaro openvpn[4580]: Linux ip route change failed: external program exited with error status: 2
    2016:06:29-07:57:00 astaro openvpn[4580]: Exiting due to fatal error
    2016:06:29-08:05:36 astaro openvpn[6783]: DEPRECATED OPTION: --tls-remote, please update your configuration
    2016:06:29-08:05:36 astaro openvpn[6783]: OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 8 2016
    2016:06:29-08:05:36 astaro openvpn[6783]: library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.09
    2016:06:29-08:05:36 astaro openvpn[6784]: MANAGEMENT: client_uid=0
    2016:06:29-08:05:36 astaro openvpn[6784]: MANAGEMENT: client_gid=0
    2016:06:29-08:05:36 astaro openvpn[6784]: MANAGEMENT: unix domain socket listening on /var/run/openvpn_mgmt_REF_uotJtKdIzZ
    2016:06:29-08:05:36 astaro openvpn[6784]: PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so '[/usr/lib/openvpn/plugins/openvpn-plugin-utm.so] [REF_uotJtKdIzZ]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
    2016:06:29-08:05:36 astaro openvpn[6784]: Socket Buffers: R=[87380->87380] S=[16384->16384]
    2016:06:29-08:05:36 astaro openvpn[6784]: Attempting to establish TCP connection with [AF_INET]200.97.128.10:443 [nonblock]
    2016:06:29-08:05:36 astaro openvpn[6784]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt_REF_uotJtKdIzZ
    2016:06:29-08:05:36 astaro openvpn[6784]: MANAGEMENT: CMD 'state'
    2016:06:29-08:05:37 astaro openvpn[6784]: TCP connection established with [AF_INET]200.97.128.10:443 (via [AF_INET]189.114.142.152:32992)
    2016:06:29-08:05:37 astaro openvpn[6784]: TCPv4_CLIENT link local: [undef]
    2016:06:29-08:05:37 astaro openvpn[6784]: TCPv4_CLIENT link remote: [AF_INET]200.97.128.10:443
    2016:06:29-08:05:37 astaro openvpn[6784]: TLS: Initial packet from [AF_INET]200.97.128.10:443 (via [AF_INET]189.114.142.152:32992), sid=d6f44092 892bebba
    2016:06:29-08:05:37 astaro openvpn[6784]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2016:06:29-08:05:37 astaro openvpn[6784]: VERIFY OK: depth=1, /C=br/L=Petropolis/O=Binzel_do_Brasil_indrustrial_Ltda/CN=Binzel_do_Brasil_indrustrial_Ltda_VPN_CA/emailAddress=amoglia@binzel-abicor.com.br
    2016:06:29-08:05:37 astaro openvpn[6784]: VERIFY X509NAME OK: /C=br/L=Petropolis/O=Binzel_do_Brasil_indrustrial_Ltda/CN=zeus/emailAddress=amoglia@binzel-abicor.com.br
    2016:06:29-08:05:37 astaro openvpn[6784]: VERIFY OK: depth=0, /C=br/L=Petropolis/O=Binzel_do_Brasil_indrustrial_Ltda/CN=zeus/emailAddress=amoglia@binzel-abicor.com.br
    2016:06:29-08:05:38 astaro openvpn[6784]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2016:06:29-08:05:38 astaro openvpn[6784]: Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2016:06:29-08:05:38 astaro openvpn[6784]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    2016:06:29-08:05:38 astaro openvpn[6784]: Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
    2016:06:29-08:05:38 astaro openvpn[6784]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
    2016:06:29-08:05:38 astaro openvpn[6784]: [zeus] Peer Connection Initiated with [AF_INET]200.97.128.10:443 (via [AF_INET]189.114.142.152:32992)
    2016:06:29-08:05:40 astaro openvpn[6784]: SENT CONTROL [zeus]: 'PUSH_REQUEST' (status=1)
    2016:06:29-08:05:40 astaro openvpn[6784]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.10.1,route 192.168.55.0 255.255.255.0,setenv-safe remote_network_1 192.168.55.0/24,setenv-safe local_network_1 192.168.155.0/24,ifconfig 192.168.50.1 192.168.10.1'
    2016:06:29-08:05:40 astaro openvpn[6784]: OPTIONS IMPORT: --ifconfig/up options modified
    2016:06:29-08:05:40 astaro openvpn[6784]: OPTIONS IMPORT: route options modified
    2016:06:29-08:05:40 astaro openvpn[6784]: OPTIONS IMPORT: route-related options modified
    2016:06:29-08:05:40 astaro openvpn[6784]: OPTIONS IMPORT: environment modified
    2016:06:29-08:05:40 astaro openvpn[6784]: ROUTE_GATEWAY 187.115.211.232
    2016:06:29-08:05:40 astaro openvpn[6784]: TUN/TAP device tun0 opened
    2016:06:29-08:05:40 astaro openvpn[6784]: TUN/TAP TX queue length set to 100
    2016:06:29-08:05:40 astaro openvpn[6784]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    2016:06:29-08:05:40 astaro openvpn[6784]: /bin/ip link set dev tun0 up mtu 1500
    2016:06:29-08:05:40 astaro openvpn[6784]: /bin/ip addr add dev tun0 192.168.50.1/8 broadcast 255.255.247.255
    2016:06:29-08:05:40 astaro openvpn[6784]: /bin/ip route change dev tun0 192.168.2.1/8 proto 41 src 192.168.50.1
    2016:06:29-08:05:40 astaro openvpn[6784]: MANAGEMENT: Client disconnected
    2016:06:29-08:05:40 astaro openvpn[6784]: Linux ip route change failed: external program exited with error status: 2
    2016:06:29-08:05:40 astaro openvpn[6784]: Exiting due to fatal error
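
Added example, not part of the original thread: a Python check that parses the `PUSH_REPLY` lines from the logs above and, when `topology subnet` is pushed, treats the second `ifconfig` argument as a netmask. It reproduces the `/11` and `/8` prefixes, the broadcast values and the `ip route change` targets seen in the logs. Function names are hypothetical, the third sample line is constructed, and `net30` is assumed when no topology is pushed.

```python
import ipaddress
import re

# Two PUSH_REPLY lines from the thread's logs, trimmed to the options that
# matter here, plus one constructed line with a well-formed netmask.
SAMPLE_LOG = """\
2016:06:28-12:24:27 firewall openvpn[9229]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.55.1,ifconfig 192.168.54.6 192.168.54.5'
2016:06:29-08:05:40 astaro openvpn[6784]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 192.168.10.1,ifconfig 192.168.50.1 192.168.10.1'
2016:06:29-09:00:00 example openvpn[1]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.8.0.1,ifconfig 10.8.0.6 255.255.255.0'
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")


def parse_push_reply(line):
    """Return {option: argument string} for a PUSH_REPLY log line, else None."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        opts.setdefault(key, value)  # first occurrence is enough here
    return opts


def is_contiguous_mask(mask):
    """True when the 32-bit value is a run of 1-bits followed only by 0-bits."""
    inverted = ~mask & 0xFFFFFFFF
    return mask != 0 and (inverted & (inverted + 1)) == 0


def check_ifconfig(opts):
    """Interpret the pushed ifconfig the way 'topology subnet' requires."""
    local_s, second_s = opts["ifconfig"].split()
    local = int(ipaddress.IPv4Address(local_s))
    second = int(ipaddress.IPv4Address(second_s))
    topology = opts.get("topology", "net30")  # net30 assumed when not pushed
    if topology != "subnet":
        # Second argument is the peer address; no netmask to validate.
        return {"topology": topology, "ok": True}
    prefix = bin(second).count("1")  # number of bits set in the "netmask"
    network = ipaddress.IPv4Address(local & second)
    broadcast = ipaddress.IPv4Address(local | (~second & 0xFFFFFFFF))
    route = f"{network}/{prefix}"
    try:
        ipaddress.ip_network(route, strict=True)
        route_valid = True
    except ValueError:
        # Host bits set beyond the prefix: consistent with the
        # "RTNETLINK answers: Invalid argument" reply in the thread.
        route_valid = False
    return {"topology": topology, "prefix": prefix, "broadcast": str(broadcast),
            "route": route, "ok": is_contiguous_mask(second) and route_valid}


def analyse_log(text):
    """Check every PUSH_REPLY line that carries an ifconfig option."""
    results = []
    for line in text.splitlines():
        opts = parse_push_reply(line)
        if opts and "ifconfig" in opts:
            results.append(check_ifconfig(opts))
    return results


if __name__ == "__main__":
    for r in analyse_log(SAMPLE_LOG):
        print(r)
```

Both lines taken from the thread push `topology subnet` together with an `ifconfig` whose second argument is an address rather than a contiguous netmask, so the check flags them; the constructed line passes.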

  • I'm also having this exact issue. Hoping for a hotfix soon!

  • 2016:06:29-08:05:39 zeus openvpn[7700]: REF_LtGyVxezOr/189.114.142.152:32992 MULTI ERROR: primary virtual IP for REF_LtGyVxezOr/189.114.142.152:32992 (192.168.50.1) violates tunnel network/netmask constraint (192.168.10.0/255.255.255.0)

    2016:06:29-08:05:40 astaro openvpn[6784]: MANAGEMENT: Client disconnected

    So, the UTM is the server?  That's the closest I've seen here to a successful connection.  Can you show us a log where this worked before?  Preferably from both sides, but just the UTM side  would be interesting.

    Cheers - Bob

     