SSL VPN REMOTE ISSUE

Hi all,

I configured a policy for SSL VPN remote access on Sophos XG with firmware SFOS 17.5.9 MR-9,

but I could not connect.

- I regenerated the default certificate 5 times with an SSL certificate, but the problem is still there.

- I did a factory reset of the firewall, but I still have the same problem.

Below is the full log from my VPN client:

2020-02-20 02:11:43.040211 *Tunnelblick: macOS 10.15.3 (19D76); Tunnelblick 3.8.1 (build 5400); prior version 3.8.0 (build 5370)

2020-02-20 02:11:43.203074 *Tunnelblick: Attempting connection with thewarehouse__ssl_vpn_config (8); Set nameserver = 769; monitoring connection

2020-02-20 02:11:43.203865 *Tunnelblick: openvpnstart start thewarehouse__ssl_vpn_config\ (8).tblk 63348 769 0 3 0 1098032 -ptADGNWradsgnw 2.4.7-openssl-1.0.2t

2020-02-20 02:11:43.231277 *Tunnelblick: openvpnstart starting OpenVPN

2020-02-20 02:11:43.552606 OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019

2020-02-20 02:11:43.552707 library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10

2020-02-20 02:11:43.554245 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:63348

2020-02-20 02:11:43.554297 Need hold release from management interface, waiting...

2020-02-20 02:11:43.830475 *Tunnelblick: openvpnstart log:

     OpenVPN started successfully.

     Command used to start OpenVPN (one argument per displayed line):

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.7-openssl-1.0.2t/openvpn

          --daemon

          --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sthewarehouse__ssl_vpn_config (8).tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1098032.63348.openvpn.log

          --cd /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --machine-readable-output

          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5400 3.8.1 (build 5400)"

          --verb 3

          --config /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources/config.ovpn

          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --verb 3

          --cd /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --management 127.0.0.1 63348 /Library/Application Support/Tunnelblick/gbgogjoabaiioonejjcpchbeidfcghanljohmfoe.mip

          --management-query-passwords

          --management-hold

          --script-security 2

          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2020-02-20 02:11:43.842471 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63348

2020-02-20 02:11:43.883308 MANAGEMENT: CMD 'pid'

2020-02-20 02:11:43.883380 MANAGEMENT: CMD 'auth-retry interact'

2020-02-20 02:11:43.883422 MANAGEMENT: CMD 'state on'

2020-02-20 02:11:43.883476 MANAGEMENT: CMD 'state'

2020-02-20 02:11:43.883552 MANAGEMENT: CMD 'bytecount 1'

2020-02-20 02:11:43.887755 *Tunnelblick: Established communication with OpenVPN

2020-02-20 02:11:43.889663 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

2020-02-20 02:11:43.898280 MANAGEMENT: CMD 'hold release'

2020-02-20 02:11:57.141672 MANAGEMENT: CMD 'username "Auth" "thewarehouse"'

2020-02-20 02:11:57.141742 MANAGEMENT: CMD 'password [...]'

2020-02-20 02:11:57.143351 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:11:57.143390 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:11:57.168827 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:57.169013 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:11:57.169052 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:11:57.169126 MANAGEMENT: >STATE:1582157517,TCP_CONNECT,,,,,,

2020-02-20 02:11:58.232595 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:11:58.232701 TCP_CLIENT link local: (not bound)

2020-02-20 02:11:58.232753 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:58.233043 MANAGEMENT: >STATE:1582157518,WAIT,,,,,,

2020-02-20 02:11:58.295885 MANAGEMENT: >STATE:1582157518,AUTH,,,,,,

2020-02-20 02:11:58.296032 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=18fcfc5a 5d6ff0e4

2020-02-20 02:11:58.296385 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:11:59.274263 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:11:59.274301 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed

2020-02-20 02:11:59.274415 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:11:59.274651 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:11:59.274686 MANAGEMENT: >STATE:1582157519,RECONNECTING,tls-error,,,,,

2020-02-20 02:11:59.293672 MANAGEMENT: CMD 'hold release'

2020-02-20 02:11:59.293740 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:11:59.293761 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:11:59.294621 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:59.294728 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:11:59.294759 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:11:59.294780 MANAGEMENT: >STATE:1582157519,TCP_CONNECT,,,,,,

2020-02-20 02:11:59.295192 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:00.366596 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:00.366765 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:00.366856 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:00.366904 MANAGEMENT: >STATE:1582157520,WAIT,,,,,,

2020-02-20 02:12:00.441857 MANAGEMENT: >STATE:1582157520,AUTH,,,,,,

2020-02-20 02:12:00.441996 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=f0a66648 eb085b3d

2020-02-20 02:12:03.374469 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:03.374686 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:03.374706 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:03.374717 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:03.374727 TLS Error: TLS handshake failed

2020-02-20 02:12:03.374803 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:03.375020 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:03.375069 MANAGEMENT: >STATE:1582157523,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:03.404594 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:03.404662 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:03.404684 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:03.404839 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:03.405612 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:03.405657 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:03.405679 MANAGEMENT: >STATE:1582157523,TCP_CONNECT,,,,,,

2020-02-20 02:12:03.406059 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:04.449324 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:04.449511 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:04.449566 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:04.449604 MANAGEMENT: >STATE:1582157524,WAIT,,,,,,

2020-02-20 02:12:04.501208 MANAGEMENT: >STATE:1582157524,AUTH,,,,,,

2020-02-20 02:12:04.501349 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=c125b8af 7c60d1d0

2020-02-20 02:12:05.936970 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:05.937139 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:05.937163 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:05.937180 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:05.937195 TLS Error: TLS handshake failed

2020-02-20 02:12:05.937287 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:05.937436 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:05.937520 MANAGEMENT: >STATE:1582157525,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:05.971185 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:05.971253 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:05.971276 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:05.972172 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:05.972277 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:05.972308 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:05.972334 MANAGEMENT: >STATE:1582157525,TCP_CONNECT,,,,,,

2020-02-20 02:12:05.972714 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:07.017146 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:07.017319 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:07.017373 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:07.017412 MANAGEMENT: >STATE:1582157527,WAIT,,,,,,

2020-02-20 02:12:07.057113 MANAGEMENT: >STATE:1582157527,AUTH,,,,,,

2020-02-20 02:12:07.057252 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=fc8f1cb2 ac2f89c7

2020-02-20 02:12:08.105730 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:08.105849 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:08.105904 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:08.105913 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:08.105920 TLS Error: TLS handshake failed

2020-02-20 02:12:08.106043 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:08.106207 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:08.106271 MANAGEMENT: >STATE:1582157528,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:08.127881 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:08.128003 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:08.129228 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:08.129268 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:08.129394 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:08.129467 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:08.129492 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:08.129508 MANAGEMENT: >STATE:1582157528,TCP_CONNECT,,,,,,

2020-02-20 02:12:09.129895 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:09.129990 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:09.130022 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:09.130058 MANAGEMENT: >STATE:1582157529,WAIT,,,,,,

2020-02-20 02:12:09.190385 MANAGEMENT: >STATE:1582157529,AUTH,,,,,,

2020-02-20 02:12:09.190543 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=663578c8 28276a8d

2020-02-20 02:12:10.203679 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:10.203877 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:10.203902 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:10.203919 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:10.203934 TLS Error: TLS handshake failed

2020-02-20 02:12:10.204057 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:10.204242 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:10.204316 MANAGEMENT: >STATE:1582157530,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:10.237007 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:10.237088 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:10.237189 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:10.238036 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:10.238140 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:10.238172 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:10.238196 MANAGEMENT: >STATE:1582157530,TCP_CONNECT,,,,,,

2020-02-20 02:12:10.238561 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:11.055519 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed

2020-02-20 02:12:11.303054 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:11.304238 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:11.304904 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:11.304985 MANAGEMENT: >STATE:1582157531,WAIT,,,,,,

2020-02-20 02:12:11.352447 MANAGEMENT: >STATE:1582157531,AUTH,,,,,,

2020-02-20 02:12:11.352547 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=9c821b27 2014b7d7

2020-02-20 02:12:11.363362 *Tunnelblick: Disconnecting using 'kill'

2020-02-20 02:12:11.533125 event_wait : Interrupted system call (code=4)

2020-02-20 02:12:11.533459 SIGTERM[hard,] received, process exiting

2020-02-20 02:12:11.533527 MANAGEMENT: >STATE:1582157531,EXITING,SIGTERM,,,,,

2020-02-20 02:12:12.175614 *Tunnelblick: Expected disconnection occurred.

  • Hi

    Are you trying to connect to the SSL VPN from macOS using the Tunnelblick client?

    Please refer to the article - https://community.sophos.com/kb/en-us/125374

  • In reply to Keyur:

    Hey Keyur,

    thanks for replying to me.

    I already did that. The problem here is unusual: I tried to connect with the SSL VPN client from Windows, Mac and iOS mobile, but it still returns the same error.

    2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

    2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

    2020-02-20 02:11:59.274263 TLS_ERROR: BIO read tls_read_plaintext error

    2020-02-20 02:11:59.274301 TLS Error: TLS object -> incoming plaintext read error

    2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed

    2020-02-20 02:11:59.274415 Fatal TLS error (check_tls_errors_co), restarting

  • In reply to tareq albaik2:

    Check the Time of your Device and the Time of your XG.

    Timezone correct?

  • In reply to LuCar Toni:

    Hey LuCar,

    thanks for the reply.

    Yeah, the time is correct.

  • In reply to tareq albaik2:

    When will the certificate start?

    This one : C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

    Could you post a screenshot of this certificate?

  • In reply to LuCar Toni:

    Yeah, sure. I think I found the problem: the certificate is valid from 21 Feb, and the date on the firewall is wrong; it should be 20 Feb, so I have to generate a new default certificate.

    Thanks LuCar, that's right, the date was wrong.

    Thanks for your time.
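As an added example (not part of the thread, and not Sophos or OpenVPN code), here is a small Python triage that reads OpenVPN client log lines like the ones posted above, pulls out the `VERIFY ERROR` reason and subject, and turns a "certificate is not yet valid" or "certificate has expired" failure into the clock comparison LuCar Toni suggested. It also flags the "No server certificate verification method has been enabled" warning that appears in the same log. The sample lines are copied from the post; the certificate start date (21 Feb, midnight assumed, since the thread gives only the day) and the end date are constructed from the thread's resolution, and `remote-cert-tls server` is the standard OpenVPN client option, not something the thread itself mentions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the Tunnelblick/OpenVPN log posted in the thread.
SAMPLE_LOG = """\
2020-02-20 02:11:57.143351 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.
2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com
2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed
2020-02-20 02:11:59.293740 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.
2020-02-20 02:12:03.374469 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com
"""

# OpenVPN prints one VERIFY ERROR line per failed handshake; the reason text comes from OpenSSL.
VERIFY_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>.+)$"
)
NO_VERIFY_RE = re.compile(r"WARNING: No server certificate verification method has been enabled")

# Verification failures whose usual root cause is a wrong clock, not a bad certificate.
CLOCK_REASONS = {"certificate is not yet valid", "certificate has expired"}


def parse_verify_errors(lines):
    """Yield (timestamp, depth, reason, subject) for every VERIFY ERROR line."""
    for line in lines:
        m = VERIFY_ERROR_RE.match(line.strip())  # strip() tolerates quoted/indented copies
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, int(m["depth"]), m["reason"], m["subject"]


def triage(log_text):
    """Summarise certificate verification failures in an OpenVPN client log.

    Returns the number of failed handshakes, the distinct reasons, chain depths
    and subjects involved, and plain-language hints on what to check next.
    """
    lines = log_text.splitlines()
    errors = list(parse_verify_errors(lines))
    reasons = sorted({reason for _, _, reason, _ in errors})
    depths = sorted({depth for _, depth, _, _ in errors})
    subjects = sorted({subject for _, _, _, subject in errors})
    hints = []
    if any(r in CLOCK_REASONS for r in reasons):
        # depth 0 is the server certificate, depth 1 its issuer (the appliance's default CA here)
        hints.append(
            "validity window mismatch: compare the client clock with the clock of the device "
            "that issued the certificate, fix the wrong one, then re-issue the certificate"
        )
    if any(NO_VERIFY_RE.search(line) for line in lines):
        hints.append("client does not check the server role: add 'remote-cert-tls server' to the client config")
    return {"failures": len(errors), "reasons": reasons, "depths": depths, "subjects": subjects, "hints": hints}


def validity_status(not_before, not_after, now):
    """Classify a certificate's validity window against a given clock.

    Returns (status, seconds): status is 'valid', 'not_yet_valid' or 'expired', and
    seconds is how far the clocks disagree (0 when the certificate is accepted).
    """
    if now < not_before:
        return "not_yet_valid", int((not_before - now).total_seconds())
    if now > not_after:
        return "expired", int((now - not_after).total_seconds())
    return "valid", 0


def thread_case():
    """The thread's situation: certificate issued 'from 21 Feb' (midnight assumed, constructed),
    a constructed one-year end date, and the client clock taken from the first failure line."""
    not_before = datetime(2020, 2, 21)
    not_after = datetime(2021, 2, 21)  # constructed placeholder; the thread does not give it
    first_failure = next(parse_verify_errors(SAMPLE_LOG.splitlines()))[0]
    return validity_status(not_before, not_after, first_failure)


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['failures']} failed handshakes, reasons={summary['reasons']}, depths={summary['depths']}")
    for hint in summary["hints"]:
        print(" -", hint)
    status, seconds = thread_case()
    print(f"certificate is {status}; clocks disagree by about {seconds / 3600:.1f} hours")
```

The triage reports the distinct reasons rather than every line, because a reconnect loop like the one in the log repeats the same failure many times; the 'expired' branch is the same diagnosis seen from the other side of the window, where the issuing device's clock is behind instead of ahead.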