
Can't get SSL VPN working on an iPad or iPhone

I'm using OpenVPN to connect to my UTM via SSL.  It works fine on a Windows PC, a Macbook and Android devices, but I'm having difficulties with the iPhone and iPad.  I can connect, but I cannot reach my internal servers.  It looks like the problem is that the iPad/iPhone "loses" the DNS settings, even though they are being pushed correctly to the devices.

Any ideas would be welcome.

  • Hi Steve,

    Please show us aua.log and openvpn.log when attempting a connection through the iPad or iPhone. Which version of OpenVPN do you use on these devices?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Oops, Sachin - that's only on the XG!

    Steve, I have a client that was having troubles with his iPad.  If you have the beta OS on those devices, install the latest beta.  If that doesn't do it, show us the relevant lines from the SSL VPN log for a single connection attempt.

    Was this working correctly before applying a recent Up2Date?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob - This has never worked with iOS, but it works well with Android/Windows.

    Here's the log:

    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: TCP connection established with [AF_INET]70.192.72.91:5867 (via [AF_INET]64.19.153.33:443)
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 TLS: Initial packet from [AF_INET]70.192.72.91:5867 (via [AF_INET]64.19.153.33:443), sid=b79c1575 49bae397
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 VERIFY OK: depth=0, C=us, L=Morristown, O=The Seeing Eye, CN=John Doe, emailAddress=jdoe@seeingeye.org
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 VERIFY OK: depth=1, C=us, L=Morristown, O=The Seeing Eye, CN=The Seeing Eye VPN CA, emailAddress=admin@seeingeye.org
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 VERIFY OK: depth=1, C=us, L=Morristown, O=The Seeing Eye, CN=The Seeing Eye VPN CA, emailAddress=admin@seeingeye.org
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 VERIFY OK: depth=0, C=us, L=Morristown, O=The Seeing Eye, CN=Chris Mattoon, emailAddress=jdoe@seeingeye.org
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 TLS: Username/Password authentication deferred for username 'jdoe' [CN SET]
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 [jdoe] Peer Connection Initiated with [AF_INET]70.192.72.91:5867 (via [AF_INET]64.19.153.33:443)
    2017:04:19-13:58:00 tsefw-1 openvpn[8361]: 70.192.72.91:5867 PUSH: Received control message: 'PUSH_REQUEST'
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: 70.192.72.91:5867 PUSH: Received control message: 'PUSH_REQUEST'
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/conf.d/jdoe
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 MULTI_sva: pool returned IPv4=10.242.2.2, IPv6=(Not enabled)
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="jdoe" variant="ssl" srcip="70.192.72.91" virtual_ip="10.242.2.2"
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_a919cdf065fb29cfb07a113f1dbd25e8.tmp
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 MULTI: Learn: 10.242.2.2 -> jdoe/70.192.72.91:5867
    2017:04:19-13:58:01 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 MULTI: primary virtual IP for jdoe/70.192.72.91:5867: 10.242.2.2
    2017:04:19-13:58:03 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 PUSH: Received control message: 'PUSH_REQUEST'
    2017:04:19-13:58:03 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 send_push_reply(): safe_cap=940
    2017:04:19-13:58:03 tsefw-1 openvpn[8361]: jdoe/70.192.72.91:5867 SENT CONTROL [jdoe]: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,topology subnet,ping 10,ping-restart 120,route 172.24.0.0 255.255.0.0,dhcp-option DNS 172.24.32.111,dhcp-option DNS 172.24.34.201,dhcp-option WINS 172.24.32.111,dhcp-option WINS 172.24.34.201,dhcp-option DOMAIN tse.local,ifconfig 10.242.2.2 255.255.255.0' (status=1)
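The PUSH_REPLY above is the whole set of options the UTM hands the client, so it is the first thing to audit when a pushed DNS setting does not take effect: on a split tunnel (no redirect-gateway) the pushed DNS servers are only reachable if a pushed route covers them, and duplicated options are worth spotting too. The following is an added example, not code from the thread or from Sophos; it parses the SENT CONTROL line quoted above and reports the split-tunnel state, the DNS servers, any DNS server that no pushed route covers, and duplicated options.

```python
import ipaddress
import re

# The PUSH_REPLY as logged by the UTM's openvpn process in the post above
# (copied from the thread; only the syslog prefix is dropped).
PUSH_REPLY_LINE = (
    "SENT CONTROL [jdoe]: 'PUSH_REPLY,route-gateway 10.242.2.1,route-gateway 10.242.2.1,"
    "topology subnet,ping 10,ping-restart 120,route 172.24.0.0 255.255.0.0,"
    "dhcp-option DNS 172.24.32.111,dhcp-option DNS 172.24.34.201,"
    "dhcp-option WINS 172.24.32.111,dhcp-option WINS 172.24.34.201,"
    "dhcp-option DOMAIN tse.local,ifconfig 10.242.2.2 255.255.255.0' (status=1)"
)

def parse_push_reply(line):
    """Return the pushed options, each as a list of whitespace-separated tokens."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY found in line")
    return [opt.split() for opt in m.group(1).split(",") if opt]

def analyse_push(options):
    """Summarise the pushed routes/DNS and flag DNS servers no pushed route covers."""
    routes, dns, domains, dupes, seen = [], [], [], [], set()
    full_tunnel = False
    for opt in options:
        key = " ".join(opt)
        if key in seen:
            dupes.append(key)
        seen.add(key)
        if opt[0] == "route" and len(opt) >= 3:
            # 'route <network> <netmask>' -> ip_network accepts a dotted netmask
            routes.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
        elif opt[0] == "redirect-gateway":
            full_tunnel = True  # everything goes through the tunnel, routes are moot
        elif opt[0] == "dhcp-option" and len(opt) == 3:
            if opt[1] == "DNS":
                dns.append(ipaddress.ip_address(opt[2]))
            elif opt[1] == "DOMAIN":
                domains.append(opt[2])
    # On a split tunnel a DNS server outside every pushed route is unreachable via the VPN.
    unrouted = [str(d) for d in dns
                if not full_tunnel and not any(d in r for r in routes)]
    return {
        "split_tunnel": not full_tunnel,
        "dns": [str(d) for d in dns],
        "domains": domains,
        "dns_not_in_pushed_routes": unrouted,
        "duplicate_options": sorted(set(dupes)),
    }
```

For the reply quoted above both DNS servers sit inside the pushed 172.24.0.0/16 route, so the routing side checks out; the only oddity the check surfaces is the doubled route-gateway option.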