I would like to set up a Client-VPN connection using Sophos Connect Client. Authentication should be by digital certificate.
After username & PW, Sophos Connect Client says "Failed to establish CHILD_SA". Here's the log:
2019-03-27 09:54:41AM 16[CFG] added vici connection: VPNClientTEST
2019-03-27 09:54:41AM 11[CFG] loaded certificate 'C=DE, ST=Bayern, L=XXX, O=XXX, OU=XXX, CN=vpn.XXX.de'
2019-03-27 09:54:41AM 07[CFG] loaded RSA private key
2019-03-27 09:54:41AM 13[CFG] loaded EAP shared key with id 'VPNClientTEST-xauth-id' for: 'testp'
2019-03-27 09:54:42AM 15[CFG] vici initiate 'VPNClientTEST-1'
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST to 22.214.171.124
2019-03-27 09:54:42AM 14[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69 to 126.96.36.199 (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 188.8.131.52 to 192.168.43.69 (180 bytes)
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received XAuth vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received DPD vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received Cisco Unity vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received FRAGMENTATION vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received NAT-T (RFC 3947) vendor ID
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69 to XXX (204 bytes)
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> received packet: from XXX to 192.168.43.69 (204 bytes)
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> local host is behind NAT, sending keep alives
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, O=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, XXX, OU=OU, CN=Sophos_CA_XXX, E=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.XXX.de' (myself) successful
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69 to XXX (700 bytes)
2019-03-27 09:54:42AM 11[NET] <VPNClientTEST|9> received packet: from XXX to 192.168.43.69 (108 bytes)
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
2019-03-27 09:54:43AM 07[CFG] unloaded private key with id 076355e74d5920bd7d8e44759fe1299860180500
2019-03-27 09:54:43AM 13[CFG] unloaded shared key with id 'VPNClientTEST-xauth-id'
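As an added example (not part of the original post or of Sophos Connect itself), a small triage script for the charon-style log above: it parses each line into subsystem and message and names the point where the Main Mode exchange stopped, so the AUTH_FAILED case here can be told apart from the "no response from gateway" case discussed later in the thread. The log line shape and the second, no-response sample are assumptions constructed for the demo.

```python
import re
from typing import Dict, List

# Line shape used in the Sophos Connect (strongSwan charon) log quoted above:
# "<date> <time> <thread>[SUBSYS] <conn|id> message" (the <conn|id> part is optional).
LINE_RE = re.compile(r"^\S+ \S+ \d+\[(?P<sub>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)$")

def parse(log_text: str) -> List[Dict[str, str]]:
    """Return one {"sub", "msg"} dict per line that matches the charon log format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"sub": m.group("sub"), "msg": m.group("msg")})
    return events

def triage(log_text: str) -> str:
    """Name the point at which an IKEv1 Main Mode attempt stopped, from the client log alone."""
    msgs = [e["msg"] for e in parse(log_text)]
    sent = any(m.startswith("sending packet") for m in msgs)
    received = any(m.startswith("received packet") for m in msgs)
    if any("CHILD_SA" in m and "established" in m for m in msgs):
        return "established"
    if sent and not received:
        # Gateway never answered: UDP 500/4500 blocked or the profile points at an unreachable gateway.
        return "no-response"
    if any("AUTHENTICATION_FAILED" in m for m in msgs):
        last_req = next((m for m in reversed(msgs) if m.startswith("generating ID_PROT request")), "")
        # Main Mode message 5 carried our ID and signature, so the gateway rejected our certificate.
        return "auth-rejected-after-sig" if "ID SIG" in last_req else "auth-rejected"
    if any(m.startswith("selected proposal") for m in msgs):
        return "stalled-after-proposal"
    return "undetermined"

# Excerpt of the log from the opening post (addresses as printed there).
AUTH_FAILED_SAMPLE = """2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69 to 126.96.36.199 (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 188.8.131.52 to 192.168.43.69 (180 bytes)
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify"""

# Constructed sample for the "No response from gateway" case: packets go out, nothing ever comes back.
NO_RESPONSE_SAMPLE = """2019-03-27 10:00:00AM 14[NET] <Tunnel|1> sending packet: from 192.168.43.69 to 192.168.1.150 (204 bytes)
2019-03-27 10:00:04AM 14[NET] <Tunnel|1> sending packet: from 192.168.43.69 to 192.168.1.150 (204 bytes)"""

if __name__ == "__main__":
    print(triage(AUTH_FAILED_SAMPLE), triage(NO_RESPONSE_SAMPLE))
```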
I saw your post. Yes this is a bug in SFOS. The fix will be available in the next version of SFOS. v17.5 MR4-1
In reply to rmk_2018:
I just opened a support case...
In reply to ChristianD:
The firmware 17.5 MR-4 is now available. Please upgrade your firmware to rectify this issue.
In reply to Aditya Patel:
Thank you Aditya, I'll report back as soon as I've done the upgrade.
I had to reconfigure the connection on the XG, export it again and now it works! Thanks :-)
Thank you for the update, we are glad you were able to resolve the issue with the latest firmware.
Hope this mail finds you in good health. I have a similar issue, but related to "IKE port has been blocked" and "No response from gateway".
Please find attached log: Sophos Connect Log.docx
This is the setup I have in my home lab:
I'm testing Sophos XG (installed on a Mini PC) for my home lab. I have SSL VPN (remote access) working fine for my environment.
I use Sophos's Dynamic DNS, https://bethelsophosxg.myfirewall.co
I'm able to access this link from an outside network, download the VPN client and access resources.
Port 1 and Port 3 have the 172.16.16.0/24 and 10.0.0.0/24 networks configured on Sophos XG.
Port 2 is connected to WAN, 192.168.1.150.
Have NBN (FTTN), no public IP from ISP.
I'm trying to test Sophos Connect similarly.
Have downloaded Sophos Connect from the firewall, installed it on the test laptop (which is connected to a mobile hotspot, so that it's on a different network).
When I log in to Sophos Connect, I see the following errors:
"IKE UDP port seems to be blocked", Connection Failed "No response from gateway bethelsophosxg.myfirewall.co"; these messages keep rotating.
Please find attached logs as requested.
Appreciate your assistance.
In reply to Ruka:
I think I know why you are having the problem. Are you using a .tgb file or an .scx file to import the connection? You need to modify the gateway IP to the DDNS name. You have to do this manually.
1) If you are using the tgb file, then this is the line where you need to update that IP to your DDNS:
[Phase 1]
192.168.1.150 = <YourPolicyName>-P1
2) If you are using scadmin to modify the tgb file, you need to modify Target Host and set it to your DDNS.
After you make the modification, you MUST import the connection again and then it will work.
Please let us know.
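Added example, not from the reply above or from Sophos: a script that does the manual edit described in step 1 and also explains why it is needed. The exported profile carries the firewall's WAN address 192.168.1.150, which is a private (RFC 1918) address because the ISP gives no public IP, so a client on another network can never reach it; the script flags such gateways under [Phase 1] and swaps in the DDNS name. The file layout (a "[Phase 1]" section with "<gateway> = <PolicyName>-P1" entries) is assumed from the single line quoted in the thread, and the sample file is constructed.

```python
import ipaddress
import re
from typing import Tuple

# Assumed layout, taken only from the line quoted in the thread: a "[Phase 1]" section whose
# entries read "<gateway> = <PolicyName>-P1". Any other section is copied through unchanged.
PHASE1_ENTRY_RE = re.compile(r"^(?P<gw>\S+)\s*=\s*(?P<policy>\S+-P1)\s*$")

def is_private_gateway(gw: str) -> bool:
    """True when the gateway is an RFC 1918 address, which a client on another network cannot reach."""
    try:
        return ipaddress.ip_address(gw).is_private
    except ValueError:
        return False  # not an IP literal, e.g. an already-correct DDNS name

def rewrite_gateway(tgb_text: str, ddns_name: str) -> Tuple[str, int]:
    """Replace private gateway addresses under [Phase 1] with ddns_name; return (new text, count)."""
    out, in_phase1, changed = [], False, 0
    for line in tgb_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_phase1 = (s == "[Phase 1]")
        elif in_phase1:
            m = PHASE1_ENTRY_RE.match(s)
            if m and is_private_gateway(m.group("gw")):
                line = f"{ddns_name} = {m.group('policy')}"
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample: the [Phase 1] line as exported in the thread, plus a second, made-up section
# that must not be touched even though its entry has the same shape.
SAMPLE_TGB = """[Phase 1]
192.168.1.150 = Sophos_Connect_Tunnel-P1
[Notes]
192.168.1.150 = Sophos_Connect_Tunnel-P1
"""

if __name__ == "__main__":
    text, n = rewrite_gateway(SAMPLE_TGB, "bethelsophosxg.myfirewall.co")
    print(n, "entries rewritten")
    print(text)
```

After rewriting, the profile still has to be re-imported into Sophos Connect, as the reply says.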
Thanks for your reply, I use the tgb file.
Opened the file using Notepad++:
bethelsophosxg.myfirewall.co = Sophos_Connect_Tunnel-P1
Please advise how to update the tgb; can I do it using Notepad?
Update it to:
[Phase 1]
192.168.1.150 = Sophos_Connect_Tunnel-P1
Appreciate your help.
According to the logs, it does seem there is no packet received from the firewall; either the packet is not sent to XG or not received. Could you take a packet capture from your local system and on the XG firewall and compare the two?
Thanks Aditya for your reply
I'm pretty new to Sophos, please advise how to capture traffic from Sophos. Also, when you say local system, should I run a packet tracer on the laptop that's running Sophos Connect and capture packet info through there?
You may check the traffic on your local system from the Ethernet or Wi-Fi port over which the connection is ongoing, using Wireshark.
As for the XG firewall, you would need to follow the steps in this KB article. Follow the steps to download from a web browser.
Things to note down:
The public address of your remote location and the public address of your XG firewall location.
Compare the two PCAPs; you may use the timestamps on the packets as a reference point.
You should see whether there is any ISAKMP packet from the remote end and whether it is received on the XG firewall.
Will try that and let you know how it goes.
Have a good day.
I think changing the tgb file as per your advice did the trick. It has connected now.
Appreciate your help on this, it has been haunting me for a few days now; also apologies for the delayed response.
It does not seem to work when I use my mobile phone as a hotspot, but I believe it's something to do with the mobile network.
Once again, appreciate your time for sorting this.
One of the community members (Ramesh) had advised doing the below:
After performing the above, Sophos Connect seems to work now.
Appreciate your guys' help on the Community.