
IPsec connection

Hello everyone,

I have a problem again. I am using the Sophos Connect software to establish IPsec connections (site-to-client).

I noticed that the connection can be established with old certificates. If I create a new local user on the UTM and use that user's certificate, the dial-in does not work.

I noticed that the certificates were issued as follows:

old certificate (x509 user):

Signature algorithm: sha1RSA
Hash: sha1

new certificate (x509 user):

Signature algorithm: sha256RSA
Hash: sha256

 

My VPN Signing CA (X509) certificate:

Signature algorithm: sha1RSA
Hash: sha1

 

What do I need to do so that new users can also connect via IPsec? What problems might I run into? I hope I have expressed myself reasonably clearly.

 

Many thanks in advance
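Added example, not code from this thread or from Sophos: a small self-contained Python DER walker that reads the signature algorithm, issuer and subject out of X.509 certificates, run against three constructed sample certificates modelled on the post (a sha1RSA-signed CA, a sha1RSA user certificate and a sha256RSA user certificate). All names, serials, validity dates and keys are constructed placeholders. The point it shows is that the hash inside the signature algorithm says nothing about which CA key produced the signature: both user certificates chain by name to the same CA, and whether the gateway accepts them depends on whether the CA it is configured with actually signed them.

```python
"""Minimal X.509 field extraction without third-party libraries (added example).
Sample certificates are constructed inline; they are not real UTM certificates."""

SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
DN_ATTRS = {"2.5.4.3": "CN", "2.5.4.10": "O"}

# ---- DER encoding: only what the constructed samples need ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(group)
    return tlv(0x06, bytes(body))

def der_name(attrs):
    """Name ::= SEQUENCE OF SET OF { OID, UTF8String }"""
    rdns = b"".join(tlv(0x31, tlv(0x30, der_oid(o) + tlv(0x0C, v.encode()))) for o, v in attrs)
    return tlv(0x30, rdns)

def build_cert(serial, subject, issuer, sig_oid):
    """Constructed sample certificate: placeholder validity, key and signature value."""
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))          # AlgorithmIdentifier + NULL
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                       # [0] EXPLICIT version v3
              + tlv(0x02, serial.to_bytes(1, "big"))              # serialNumber (small, constructed)
              + alg                                               # tbsCertificate.signature
              + der_name(issuer)
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))  # validity
              + der_name(subject)
              + tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))         # signatureValue placeholder

# ---- DER decoding ----
def der_read(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def decode_oid(content):
    arcs, v = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_name(content):
    parts = []
    for _, rdn in der_children(content):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            key = DN_ATTRS.get(decode_oid(oid), decode_oid(oid))
            parts.append(f"{key}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_certificate(der):
    _, cert, _ = der_read(der, 0)
    (_, tbs), (_, outer_alg), _ = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional version field
        fields = fields[1:]
    serial, tbs_alg, issuer, _validity, subject = fields[:5]
    outer_oid = decode_oid(der_children(outer_alg)[0][1])
    inner_oid = decode_oid(der_children(tbs_alg[1])[0][1])
    if outer_oid != inner_oid:                 # RFC 5280 4.1.1.2 requires both to match
        raise ValueError("signatureAlgorithm differs from tbsCertificate.signature")
    return {"serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": SIG_ALGS.get(outer_oid, outer_oid),
            "issuer": decode_name(issuer[1]),
            "subject": decode_name(subject[1])}

def issued_by(user, ca):
    """Name chaining only: necessary, not sufficient. Real validation must also verify the
    signature with the CA public key (e.g. openssl verify -CAfile ca.pem user.pem)."""
    return user["issuer"] == ca["subject"]

# Constructed samples mirroring the post: sha1 CA, sha1 old user cert, sha256 new user cert.
CA_NAME = [("2.5.4.3", "VPN Signing CA")]
CA_CERT = build_cert(1, CA_NAME, CA_NAME, "1.2.840.113549.1.1.5")
OLD_USER_CERT = build_cert(2, [("2.5.4.3", "user.old")], CA_NAME, "1.2.840.113549.1.1.5")
NEW_USER_CERT = build_cert(3, [("2.5.4.3", "user.new")], CA_NAME, "1.2.840.113549.1.1.11")

if __name__ == "__main__":
    ca = parse_certificate(CA_CERT)
    for der in (OLD_USER_CERT, NEW_USER_CERT):
        c = parse_certificate(der)
        print(f"{c['subject']}: {c['signature_algorithm']}, issuer={c['issuer']}, "
              f"chains by name={issued_by(c, ca)}")
```

The parser takes raw DER; a PEM export from the UTM needs its base64 body decoded first. On a real certificate the same fields are visible with `openssl x509 -in user.pem -noout -text`, and the signature itself is only checked by `openssl verify -CAfile ca.pem user.pem` against the CA the gateway is actually configured with.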

  • Hello Alexander,

    Welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.  )

    At some point, you must have had to 'Regenerate Signing CA' on the 'Advanced' tab of 'Certificate Management'.  This would have caused your existing users to complain, so you would have gone to the 'Advanced' tab of 'IPsec' and selected the old "Local X509 Cert" instead of the new "Local X509 Cert (regenerated)" you found listed in 'Local X509 Certificate'.

    To get everyone using IPsec, you will need to have the old users download their new (regenerated) certificates and change 'Local X509 Certificate' back to "Local X509 Cert (regenerated)."

    An easier alternative would be to configure SSL VPN Remote Access for the new users.  I prefer to use UDP 1443 for that instead of TCP 443.  If you notice the CPU getting overloaded, disable compression.

    Regards - Bob (Feel free to continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    and many thanks. Unfortunately, the "Local X509 Cert" is not shown. I only see the "regenerated" one.

    Regards, Alexander

  • Is there then a "Local X509 Cert (regenerated) (regenerated)"?

    Regards - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Balfson, which security settings do you prefer for OpenVPN? This is my favorite too. I found out something strange that was not known to Sophos. We have an SG550. Expansion slot 1: 8x1G copper; slot 2: 4x10G SFP+; slot 3: 8x1G copper. Then I installed another 4x10G SFP+ in slot 4. But after the reboot the NICs were not recognized by the system. Sophos had no answer and they wanted to take it back. So I swapped slot 3 with slot 4, and after the reboot the NICs were recognized. Did you hear anything about this strange behavior?

    Greetings, Peter

  • Hello Peter,

    I don't ever remember seeing anything about the 4x10 SFP+ being slot-sensitive.

    My preference for the SSL VPN is:

    (settings screenshot not preserved in the archived page)

    UDP 443 isn't blocked anywhere now because everyone wants to allow Google QUIC and UDP is faster than TCP.  The Crypto Settings aren't as stringent as some prefer, but I think that they are more than adequate unless the tunnel is with a military entity, defense contractor or other high-profile organization.

    Regards - Bob (Feel free to continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks a lot. Sophos hadn't heard of such a thing; perhaps there is something wrong with the module itself. Another thing: we built an IPsec tunnel between two locations. IPsec worked and didn't work. The tunnels on both sides were green. So I tried different ciphers, and the conclusion is that PFS is the problem. Without it, everything works fine. On one side is a 550, on the other side a 430, both SG. I'm a fan of the SG, but I think its time is running out. I don't like the idea that's behind this system. SG is much more flexible than XG.

    Greetings, Peter