Hi,
anybody got a site to site openvpn connection working with the UTM. I copied the certificates from the APC file using notepad++ but this didn't seem to work.
Louis
Hi Louis-M
Have you followed these articles: Sophos UTM: How to configure a Site to Site SSL VPN tunnel & UTM: SSL Site to Site VPN Troubleshooting? You don't need to import a certificate additionally apart from importing the config file.
Regards
Jaydeep
I've got it working now. It wasn't as simple as a UTM to UTM. This is a UTM to OpenVPN site to site (not remote access)
I had to basically:
1. Use UTM as server
2. Download apc file and extract the certs (CA, Cert & Key)
3. Extract the username/password from above file (this is the bit I was stuck at)
4. Use remote server as SSL client and enter above details/certs
I connected a Teltonika RUTX11 using the UTM as the server side (Fixed IP) and the RUTX11 as the client side (dynamic IP)
This is configured as a site to site SSL VPN on the UTM (not Remote Access)
Certs (CA & Cert + Key) were extracted using notepad++ from the downloaded apc file on the UTM.
Username/Password was also extracted from this file.
RUTX11 client side used TLS+Username/Password
Works very well so far.
The system above is a linux based system (as with most) so I imagine anything that has OpenVPN client on it will work. The trick was to extract the correct details from the apc file and also use TLS+password authentication on the client side. I'm not sure why Sophos make the site to site a little bit harder to configure if it's not another UTM?
Louis, This is the first time I remember anyone doing this successfully. Can you be a little more precise about extracting and naming the certs, username and password? Also, what you did in the OpenVPN client to enter the details.
TIA!
Cheers - Bob
Hi Bob,
in the apc file, the certs are extracted using notepad++ (from top downwards in apc file)
Client Cert is the first one:
copy from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
and save in a file called some_cert.txt OR you can rename to some_cert.crt
CA cert is the next one:
copy from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
and save in a file called some_CA.txt OR you can rename to some_CA.crt
Private key is the next one:
copy from
-----BEGIN PRIVATE KEY-----
to
-----END PRIVATE KEY-----
and save in some file called some_key.txt OR you can rename to some_key.key
That completes the certs.
Now you need the username & password which they cleverly hide in the file.
Search for "username" and you will find the username before that phrase eg REF_SomeText eg REF_AaaUse1. Sits just after the CA cert
Search for "password" and you will find the password before that phrase eg REF_Sometext eg REF_SSLSERXXXXAPN0000ref_sslserxxxxapn. Sits after the private key
On the client side, ensure settings are matched eg compression, encapsulation etc and the client side is set as client.
Use TLS + Password, entering the above details for username/password and the above certs in the appropriate places.
Works a treat. I've not tried it with an openvpn client yet but it should work. I'm using a router that uses an openvpn client so it's the same but I've just got a GUI. I'll try with an openvpn client on one of my servers and let you know the details.
****************************************************************************************************
Using with OpenVPN Client
Store the username/password credentials (obtained above from apc file) in a file called user.creds like so:
REF_AaaUse1
REF_SSLSERXXXXAPN0000ref_sslserxxxxapn
place that file in the same directory as you put the certs into.
openvpn server.conf example (but you can get the idea of it from here no matter what client you are using)
client
dev tun
proto udp
hand-window 30
port 1194
remote myopenvpnserver.com   # your remote IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/certs/some_CA.crt     # your CA cert
cert /etc/openvpn/certs/some_cert.crt # your cert
key /etc/openvpn/certs/some_key.key   # your private key
route 10.1.1.0 255.255.255.0          # your route
route 10.1.2.0 255.255.255.0          # your route (add as many as you want)
cipher AES-256-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
auth-user-pass /etc/openvpn/certs/user.creds # your username/password file
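The cut-and-paste steps above (three PEM blocks in order, then the REF_ values sitting just before the words "username" and "password") can be scripted. This is an added example, not code from the post or from Sophos; the SAMPLE_APC text is a constructed stand-in whose layout follows only what the post reports about the .apc file, the dummy PEM bodies are not real key material, and the written files get mode 0600 since the key and user.creds are secrets.

```python
import os, re, stat, tempfile

# Constructed stand-in for the .apc export; only the layout the post reports is
# reproduced (client cert, CA cert, private key, username value before the word
# "username", password value before "password"). PEM bodies are dummies.
SAMPLE_APC = """-----BEGIN CERTIFICATE-----
MIIC-client-cert-dummy==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC-ca-cert-dummy==
-----END CERTIFICATE-----
REF_AaaUse1 username
-----BEGIN PRIVATE KEY-----
MIIE-private-key-dummy==
-----END PRIVATE KEY-----
REF_SSLSERXXXXAPN0000ref_sslserxxxxapn password
"""
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def find_ref_before(text, keyword):
    """Last REF_... token that precedes `keyword` (case-insensitive), as the post advises."""
    idx = text.lower().find(keyword)
    refs = re.findall(r"REF_[A-Za-z0-9_]+", text[:idx]) if idx >= 0 else []
    return refs[-1] if refs else None

def parse_apc(text):
    """Split the export into the pieces the OpenVPN client config references."""
    blocks = [(m.group(1), m.group(0)) for m in PEM_RE.finditer(text)]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    if len(certs) < 2 or not keys:
        raise ValueError("expected client cert, CA cert and a private key")
    return {"cert": certs[0], "ca": certs[1], "key": keys[0],
            "username": find_ref_before(text, "username"),
            "password": find_ref_before(text, "password")}

def write_client_files(parsed, outdir=None):
    """Write some_cert.crt, some_CA.crt, some_key.key and user.creds, mode 0600."""
    outdir = outdir or tempfile.mkdtemp(prefix="utm-ssl-client-")
    files = {"some_cert.crt": parsed["cert"], "some_CA.crt": parsed["ca"],
             "some_key.key": parsed["key"],
             "user.creds": f"{parsed['username']}\n{parsed['password']}"}
    for name, body in files.items():
        path = os.path.join(outdir, name)
        with open(path, "w") as fh:
            fh.write(body + "\n")
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # key and creds are secrets
    return sorted(files)
```

Point parse_apc at the real export read as text (decoding with errors ignored if it carries binary padding) and pass the directory your client config's ca/cert/key/auth-user-pass lines reference to write_client_files.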