Site to Site SSL VPN Authentication Issues

Hi,

We have set up an SSL VPN connection for our staff to use that authenticates them against Active Directory, and this is working fine. We then needed to set up a Site to Site link for an externally hosted server to be able to connect to an internal server. We set this up as a Site to Site SSL VPN, as we already had the certificates and config in place from the staff SSL VPN. The external server is able to partially connect, and the certs are passing validation, but the firewall-generated username and password (AAAREF_User . . . .) is failing authentication. When I check the user auth log it seems the firewall is trying to authenticate its own self-generated account against Active Directory, which obviously fails.

I've tried creating the account in Active Directory, but that didn't work. I also tried prefetching the account from AD on the firewall, but it skips the account, saying it's a locally authenticated account. If it knows it's a local account, why is it checking against Active Directory?
Can someone tell me which tick box I've missed ticking to stop the Site to Site VPN trying to authenticate against AD?
BTW we are running an SG430 patch version 9.408-4.
Regards,
Nick



This thread was automatically locked due to age.
  • Nick, this isn't a problem that's been seen here before. You definitely should not have a duplicate user in AD or in the list of Local Users. How many users do you have that are allowed to use the Remote Access SSL VPN? If it's less than 60, delete the Site-to-Site SSL VPN configuration and create one anew. If that doesn't solve your problem:

    1. Disable the SSL VPN Site-to-Site Connection.
    2. Start the SSL VPN Live Log.
    3. After the Live Log has begun to populate, enable the SSL VPN Connection.

    Show us the log lines for a single connection attempt.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
    Thanks for coming back to me. Unfortunately, since I posted the query the deadline for this has been brought forward, so due to time constraints I've switched to an RSA-based IPsec VPN for the Site to Site. I'm just waiting on the hosting company to complete the changes at their end. I can provide the log files from our initial attempts if you're interested, but the Site to Site SSL VPN has been abandoned due to this issue.

    I was going to close the posting, but you beat me to it. Let me know if you're still interested; if not, I understand, and thanks for taking the time to respond.
    Regards,
    Nick

  • I prefer IPsec with RSA keys or X509 certs anyway, Nick, so I'm happy for us to abandon this thread. ;)

    Cheers - Bob