
OpenVPN 1.07 - no connection possible anymore

Hello,

I am trying to use VPN on iOS devices, but I'm facing serious problems since OpenVPN was updated to 1.07 for iOS devices.

I cannot establish a connection anymore; with the previous versions of OpenVPN and/or Sophos UTM I was able to connect.

Log from OpenVPN:

2016-09-07 21:15:49 Client exception in transport_recv_excode: PolarSSL: SSL read error : X509 - The date tag or value is invalid

2016-09-07 21:15:49 Client terminated, restarting in 2...

2016-09-07 21:15:51 EVENT: RECONNECTING

2016-09-07 21:15:51 EVENT: RESOLVE

2016-09-07 21:15:51 Contacting xxx.xxx.xxx.xxx:444 via TCP

2016-09-07 21:15:51 EVENT: WAIT

2016-09-07 21:15:51 SetTunnelSocket returned 1

2016-09-07 21:15:52 Connecting to [xxx.xxx.xxx.xxx:]:444 (xxx.xxx.xxx.xxx:) via TCPv4

2016-09-07 21:15:52 EVENT: CONNECTING

2016-09-07 21:15:52 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2016-09-07 21:15:52 Creds: Username/Password

2016-09-07 21:15:52 Peer Info:

IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199

IV_VER=3.0.11

IV_PLAT=ios

IV_NCP=2

IV_TCPNL=1

IV_PROTO=2

IV_LZO=1

 

I'm using Sophos UTM 9.405-5 and OpenVPN 1.07 on the iOS devices. With Android and Windows devices I'm able to connect without any error.

Is this a known error for iOS devices? I searched in the Sophos Community but I got no solution.

 

What can I do to solve it?

Thanks in advance.
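The message in the log above, "X509 - The date tag or value is invalid", is the text mbedTLS attaches to its invalid-date error, raised when its certificate parser rejects a notBefore or notAfter value. RFC 5280 fixes how those values must be encoded: UTCTime (YYMMDDHHMMSSZ, seconds mandatory) for dates through 2049, GeneralizedTime (YYYYMMDDHHMMSSZ) for 2050 and later, and in either case a real calendar date. The script below is an added example for this thread, not code from OpenVPN, mbedTLS or Sophos; all function names (read_tlv, extract_validity, check_cert, make_cert and the rest) are mine, and the certificates it checks are constructed inline, not the UTM's own. It walks a DER (or PEM) certificate to its validity field and reports any date that is mis-tagged, malformed or impossible. It applies the RFC 5280 rules, not a reproduction of the library's exact checks, and the thread does not say how the UTM certificate was actually encoded, so the useful run is against the CA and server certificates exported from your own UTM.

```python
"""Check X.509 validity dates against the RFC 5280 encoding rules.

Added example for this thread; not code from OpenVPN, mbedTLS or Sophos.
All certificates built below are constructed test data, not the UTM's own.
"""
import base64
import re
from datetime import datetime

# ASN.1 tags used by the walker (from X.690 / RFC 5280).
UTC_TIME = 0x17
GENERALIZED_TIME = 0x18
SEQUENCE = 0x30
INTEGER = 0x02
CONTEXT_0 = 0xA0   # [0] EXPLICIT version in TBSCertificate


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def tlv(tag, value):
    """DER-encode one TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def check_time(tag, value):
    """Return None if (tag, value) is an RFC 5280 time, else the reason it is not."""
    text = value.decode("ascii", errors="replace")
    if tag == UTC_TIME:
        # UTCTime: YYMMDDHHMMSSZ, seconds mandatory, only for years 1950-2049
        if len(text) != 13 or not text.endswith("Z") or not text[:12].isdigit():
            return f"UTCTime must be YYMMDDHHMMSSZ, got {text!r}"
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        stamp = f"{year}{text[2:12]}"
    elif tag == GENERALIZED_TIME:
        # GeneralizedTime: YYYYMMDDHHMMSSZ, no fractions, only for years >= 2050
        if len(text) != 15 or not text.endswith("Z") or not text[:14].isdigit():
            return f"GeneralizedTime must be YYYYMMDDHHMMSSZ, got {text!r}"
        if int(text[:4]) < 2050:
            return f"GeneralizedTime used for year {text[:4]}; dates before 2050 must be UTCTime"
        stamp = text[:14]
    else:
        return f"unexpected tag 0x{tag:02x} where a time was expected"
    try:
        datetime.strptime(stamp, "%Y%m%d%H%M%S")   # rejects e.g. day 32 or hour 25
    except ValueError:
        return f"not a real calendar date/time: {text!r}"
    return None


def extract_validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity; return the SEQUENCE contents."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag != CONTEXT_0:            # version is optional; v1 certs start at serialNumber
        pos = 0
    for _ in range(3):              # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    tag, validity, _ = read_tlv(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("validity SEQUENCE not found")
    return validity


def check_validity(validity):
    """Return the list of problems with notBefore/notAfter (empty means well-formed)."""
    problems, pos = [], 0
    for name in ("notBefore", "notAfter"):
        tag, value, pos = read_tlv(validity, pos)
        reason = check_time(tag, value)
        if reason:
            problems.append(f"{name}: {reason}")
    return problems


def load_cert(data):
    """Accept PEM or DER certificate bytes and return the DER form."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def check_cert(data):
    """PEM or DER certificate bytes -> list of validity-date problems."""
    return check_validity(extract_validity(load_cert(data)))


def make_cert(not_before, not_after):
    """Skeletal, unsigned DER Certificate carrying the given (tag, text) times.
    Constructed test data only; Name and AlgorithmIdentifier fields are left empty."""
    validity = tlv(SEQUENCE, b"".join(tlv(t, s.encode()) for t, s in (not_before, not_after)))
    tbs = (tlv(CONTEXT_0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
           + tlv(SEQUENCE, b"") + tlv(SEQUENCE, b"") + validity + tlv(SEQUENCE, b""))
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs))


if __name__ == "__main__":
    # The 2016-06-04 / 2038-01-01 dates mirror the ones shown later in this thread.
    cases = {
        "UTCTime through 2038 (good)": ((UTC_TIME, "160604081731Z"), (UTC_TIME, "380101000000Z")),
        "GeneralizedTime for 2038": ((UTC_TIME, "160604081731Z"), (GENERALIZED_TIME, "20380101000000Z")),
        "UTCTime without seconds": ((UTC_TIME, "1606040817Z"), (UTC_TIME, "380101000000Z")),
        "impossible day": ((UTC_TIME, "160604081731Z"), (UTC_TIME, "380132000000Z")),
    }
    for label, (nb, na) in cases.items():
        print(f"{label}: {check_cert(make_cert(nb, na)) or 'ok'}")
```

For a real check, read the exported certificate with `open(path, "rb").read()` and pass it to `check_cert`; an empty list means both dates are encoded the way the RFC requires, and anything else names the field and the rule it breaks. A certificate that passes this check but is still rejected by the client points away from the validity encoding and towards the other causes discussed in this thread (configuration import, cipher settings).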



  • Hi Simon,

    2016-09-07 21:15:52 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

    I read that the AES-CBC cipher suite is off by default, which may cause the problem; can you turn it on in the OpenVPN settings and verify whether that works?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for the response. Unfortunately it doesn't work.

    Does this also apply to Sophos UTM or only to XG firewalls?

    https://community.sophos.com/products/xg-firewall/f/127/t/77547

  • Hi,

    Did you try using the UDP protocol in the VPN settings? Also, re-import a fresh client configuration and test it again.

    I am not sure if it is similar with XG.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • The use of UDP leads to the same error. Yes, I also tried it with a fresh installation on the iPad. I think with OpenVPN 1.05 it works and with the new version 1.07 it doesn't work anymore.

    In the App Store I can see the following on the OpenVPN Connect app page:

    Changes in 1.0.7 (from 1.0.5):

    * Updated mbedTLS (formerly PolarSSL).

    https://forums.openvpn.net/viewtopic.php?t=21873

  • Hi Simon,

    I tested this on my personal iPhone and there seems to be no issue on my end. I was successfully able to connect through OpenVPN.

    UTM firmware version : 9.405-5

    OpenVPN: 1.0.7 build 199 (iOS 64-bit)

    SSL policy:

    Logs:

    2016-09-13 15:06:13 EVENT: RESOLVE

    2016-09-13 15:06:13 Contacting 10.x.x.1:443 via TCP

    2016-09-13 15:06:13 EVENT: WAIT

    2016-09-13 15:06:13 SetTunnelSocket returned 1

    2016-09-13 15:06:13 Connecting to [10.x.x.1]:443 (10.x.x.1) via TCPv4

    2016-09-13 15:06:13 EVENT: CONNECTING

    2016-09-13 15:06:13 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client

    2016-09-13 15:06:13 Creds: Username/Password

    2016-09-13 15:06:13 Peer Info:

    IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199

    IV_VER=3.0.11

    IV_PLAT=ios

    IV_NCP=2

    IV_TCPNL=1

    IV_PROTO=2

    IV_LZO=1

     

    2016-09-13 15:06:13 VERIFY OK: depth=1

    cert. version    : 3

    serial number    : A7:A1:E5:93:89:A4:FA:5F

    issuer name      : C=in, L=Ahmedabad, O=Sophos, CN=Sophos VPN CA, emailAddress=xyz

    subject name      : C=in, L=Ahmedabad, O=Sophos, CN=Sophos VPN CA, emailAddress=xyz

    issued  on        : 2016-06-04 08:17:31

    expires on        : 2038-01-01 00:00:00

    signed using      : RSA with SHA1

    RSA key size      : 2048 bits

    basic constraints : CA=true

    subject alt name  :

     

    2016-09-13 15:06:13 VERIFY OK: depth=0

    cert. version    : 3

    serial number    : A7:A1:E5:93:89:A4:FA:60

    issuer name      : C=in, L=Ahmedabad, O=Sophos, CN=Sophos VPN CA, emailAddress=xyz

    subject name      : C=in, L=Ahmedabad, O=Sophos, CN=sophos_community, emailAddress=xyz

    issued  on        : 2016-06-04 08:17:35

    expires on        : 2038-01-01 00:00:01

    signed using      : RSA with SHA1

    RSA key size      : 2048 bits

    basic constraints : CA=false

    subject alt name  : sophos_community

    key usage        : Digital Signature, Non Repudiation, Key Encipherment

     

    2016-09-13 15:06:14 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    2016-09-13 15:06:14 Session is ACTIVE

    2016-09-13 15:06:14 EVENT: GET_CONFIG

    2016-09-13 15:06:14 Sending PUSH_REQUEST to server...

    2016-09-13 15:06:15 OPTIONS:

    0 [route-gateway] [10.x.x.1]

    1 [route-gateway] [10.x.x.1]

    2 [topology] [subnet]

    3 [ping] [10]

    4 [ping-restart] [120]

    5 [route] [192.168.0.0] [255.255.255.0]

    6 [dhcp-option] [DNS] [192.168.0.1]

    7 [dhcp-option] [DNS] [8.8.8.8]

    8 [ifconfig] [10.242.2.2] [255.255.255.0]

     

    2016-09-13 15:06:15 PROTOCOL OPTIONS:

      cipher: AES-128-CBC

      digest: SHA1

      compress: LZO

      peer ID: -1

    2016-09-13 15:06:15 EVENT: ASSIGN_IP

    2016-09-13 15:06:15 Connected via tun

    2016-09-13 15:06:15 EVENT: CONNECTED sachin@10.x.x.x:443 (10.201.102.60) via /TCPv4 on tun/10.x.x.x/

    2016-09-13 15:06:15 LZO-ASYM init swap=0 asym=0

    2016-09-13 15:06:15 SetStatus Connected

    One thing that troubled me was, when I imported the client configuration file it had an incorrect Server IP address. I manually edited the Server IP address and the connection was successful. You can check that if that is the glitch.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I confirm that I have no problems with the same versions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA