Sophos Connect Client Authentication fails with certificate

Hi all!

I would like to set up a Client-VPN connection using Sophos Connect Client. Authentication should be by digital certificate.

After username & PW, Sophos Connect Client says "Failed to establish CHILD_SA". Here's the log:

sophos-log1.txt
2019-03-27 09:54:41AM 16[CFG] added vici connection: VPNClientTEST
2019-03-27 09:54:41AM 11[CFG] loaded certificate 'C=DE, ST=Bayern, L=XXX, O=XXX, OU=XXX, CN=vpn.XXX.de'
2019-03-27 09:54:41AM 07[CFG] loaded RSA private key
2019-03-27 09:54:41AM 13[CFG] loaded EAP shared key with id 'VPNClientTEST-xauth-id' for: 'testp'
2019-03-27 09:54:42AM 15[CFG] vici initiate 'VPNClientTEST-1'
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST[9] to 194.39.183.50
2019-03-27 09:54:42AM 14[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 14[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to 194.39.183.50[500] (204 bytes)
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 194.39.183.50[500] to 192.168.43.69[57468] (180 bytes)
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ SA V V V V V ]
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received XAuth vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received DPD vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received Cisco Unity vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received FRAGMENTATION vendor ID
2019-03-27 09:54:42AM 12[IKE] <VPNClientTEST|9> received NAT-T (RFC 3947) vendor ID
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 12[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57468] to XXX[500] (204 bytes)
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> received packet: from XXX[500] to 192.168.43.69[57468] (204 bytes)
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> local host is behind NAT, sending keep alives
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, O=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> sending cert request for "C=DE, XXX, OU=OU, CN=Sophos_CA_XXX, E=XXX"
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.XXX.de' (myself) successful
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 08[NET] <VPNClientTEST|9> sending packet: from 192.168.43.69[57469] to XXX[4500] (700 bytes)
2019-03-27 09:54:42AM 11[NET] <VPNClientTEST|9> received packet: from XXX[4500] to 192.168.43.69[57469] (108 bytes)
2019-03-27 09:54:42AM 11[ENC] <VPNClientTEST|9> parsed INFORMATIONAL_V1 request 2569106983 [ HASH N(AUTH_FAILED) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
2019-03-27 09:54:43AM 07[CFG] unloaded private key with id 076355e74d5920bd7d8e44759fe1299860180500
2019-03-27 09:54:43AM 13[CFG] unloaded shared key with id 'VPNClientTEST-xauth-id'
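
A small triage script for logs in this shape, added here as an example (it is not Sophos's or strongSwan's code): it reads charon-style lines like the ones above and reports at which stage of IKEv1 Main Mode the exchange stopped, distinguishing "the gateway never answered" (the other failure mode that comes up later in this thread) from "the gateway answered and then rejected our ID+SIG message", which is what the log above shows. The sample lines are constructed from the post's log; the line layout is assumed from those lines.

```python
import re

# Constructed sample lines in the shape of the charon log quoted in the post.
SAMPLE_LOG = """\
2019-03-27 09:54:42AM 14[IKE] <VPNClientTEST|9> initiating Main Mode IKE_SA VPNClientTEST[9] to 194.39.183.50
2019-03-27 09:54:42AM 12[NET] <VPNClientTEST|9> received packet: from 194.39.183.50[500] to 192.168.43.69[57468] (180 bytes)
2019-03-27 09:54:42AM 12[CFG] <VPNClientTEST|9> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
2019-03-27 09:54:42AM 08[IKE] <VPNClientTEST|9> authentication of 'vpn.XXX.de' (myself) successful
2019-03-27 09:54:42AM 08[ENC] <VPNClientTEST|9> generating ID_PROT request 0 [ ID SIG CERTREQ CERTREQ N(INITIAL_CONTACT) ]
2019-03-27 09:54:42AM 11[IKE] <VPNClientTEST|9> received AUTHENTICATION_FAILED error notify
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
                     r"(?:<(?P<sa>[^|>]+)\|\d+> )?(?P<msg>.*)$")  # <SA|id> tag is absent on CFG lines

def triage(log):
    """Reduce a charon-style log to the facts that show where IKEv1 Main Mode stopped."""
    s = {"sa": None, "peer": None, "proposal": None, "received": 0,
         "local_auth_ok": False, "sent_id_sig": False, "error_notify": None}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        s["sa"] = s["sa"] or m["sa"]
        if (p := re.search(r"IKE_SA \S+ to (\S+)$", msg)):
            s["peer"] = p.group(1)
        elif msg.startswith("received packet:"):
            s["received"] += 1                       # the gateway is answering at all
        elif msg.startswith("selected proposal: "):
            s["proposal"] = msg[len("selected proposal: "):]
        elif re.search(r"authentication of '.+' \(myself\) successful", msg):
            s["local_auth_ok"] = True                # our own cert and key were usable
        elif "generating ID_PROT request" in msg and " SIG " in msg:
            s["sent_id_sig"] = True                  # we sent ID + signature to the gateway
        elif (e := re.search(r"received (\S+) error notify", msg)):
            s["error_notify"] = e.group(1)           # the gateway's stated reason, if any
    s["verdict"] = verdict(s)
    return s

def verdict(s):
    if s["received"] == 0:
        return "no reply from gateway: UDP 500/4500 not reaching it or wrong gateway address"
    if s["error_notify"] == "AUTHENTICATION_FAILED" and s["sent_id_sig"]:
        return "gateway rejected our identity/signature after the ID+SIG message"
    if s["error_notify"]:
        return f"gateway sent {s['error_notify']}"
    return "no terminal error in log"
```

The verdict only says which side stopped the exchange; the gateway never tells the client why it rejected the certificate, so the reason has to come from the firewall's own log or, as in this thread, from the vendor.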

  • Hello Christian,


    I saw your post. Yes, this is a bug in SFOS. The fix will be available in the next version of SFOS, v17.5 MR4-1.


    Thank you,

    Ramesh

  • In reply to rmk_2018:

    I just opened a support case...

  • In reply to ChristianD:

    Hello Christian,

    The firmware 17.5 MR-4 is now available. Please upgrade your firmware to rectify this issue.

  • In reply to Aditya Patel:

    Thank you Aditya, I'll report back as soon as I have done the upgrade.

  • In reply to Aditya Patel:

    I had to reconfigure the connection on the XG, export it again and now it works! Thanks :-)

  • In reply to ChristianD:

    Hello,

    Thank you for the update, we are glad you were able to resolve the issue with the latest firmware.

  • In reply to Aditya Patel:

    Hi Aditya,


    Hope this mail finds you in good health. I have a similar issue, but related to "IKE port has been blocked" and "No response from gateway".


    Please find attached log: Sophos Connect Log.docx


    This is the setup I have in my home lab.


    I'm testing Sophos XG (installed on a Mini PC) for my home lab. I have SSL VPN (remote access) working fine for my environment.

    I use Sophos's Dynamic DNS, https://bethelsophosxg.myfirewall.co

    I'm able to access this link from an outside network, download the VPN client and access resources.

    Port 1 and Port 3 have the 172.16.16.0/24 and 10.0.0.0/24 networks configured on Sophos XG.

    Port 2 is connected to the WAN, 192.168.1.150.

    I have NBN (FTTN), no public IP from the ISP.

    I'm trying to test Sophos Connect similarly.

    I have downloaded Sophos Connect from the firewall and installed it on the test laptop (which is connected to a mobile hotspot, so that it's on a different network).

    When I log in to Sophos Connect, I see the following errors:

    "IKE UDP port seems to be blocked", Connection Failed "No response from gateway bethelsophosxg.myfirewall.co"; these messages keep rotating.

    Please find attached logs as requested.

    Appreciate your assistance.

  • In reply to Ruka:

    Hello Ruka,


    I think I know why you are having the problem. Are you using a .tgb file or a .scx file to import the connection? You need to modify the gateway IP to the DDNS name. You have to do this manually.

    1) If you are using the tgb file, then this is the line where you need to update that IP to your DDNS.

    [Phase 1]
    192.168.1.150 = <YourPolicyName>-P1


    2) If you are using scadmin to modify the tgb file, you need to Modify Target Host and set it to your DDNS.


    After you make the modification, you MUST import the connection again and then it will work.


    Please let us know.


    Regards,

    Ramesh
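
Step 1 above as a script, added here as an example (it is not Sophos's own tooling): it rewrites the gateway address on the "<ip> = <policy>-P1" line inside [Phase 1] of a tgb-style file to a DDNS host name, leaves every other line and the original line endings alone, and flags when the address it replaced was a private one, which is exactly what an exported profile looks like when the firewall's WAN port sits behind a NAT with no public IP, as in this thread. The sample file is constructed, and the field layout is assumed from the single line quoted above.

```python
import ipaddress
import re

# Constructed sample in the shape of the [Phase 1] line quoted in the thread;
# a real export has more sections, and they are passed through unchanged.
SAMPLE_TGB = (
    "[Phase 1]\r\n"
    "192.168.1.150 = Sophos_Connect_Tunnel-P1\r\n"
    "\r\n"
    "[Phase 2]\r\n"
    "Sophos_Connect_Tunnel-P2 = Sophos_Connect_Tunnel-P1\r\n"
)

# Fully qualified RFC 1123 host name: letters, digits and hyphens per label, no edge hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

def is_valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))

def rewrite_phase1_gateway(text, new_gateway):
    """Return (new_text, replaced_ips); only the gateway line inside [Phase 1] changes."""
    if not is_valid_hostname(new_gateway):
        raise ValueError(f"not a valid DDNS host name: {new_gateway!r}")
    out, replaced, section = [], [], None
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]                    # keep CRLF/LF exactly as exported
        header = re.fullmatch(r"\s*\[(.+?)\]\s*", body)
        if header:
            section = header.group(1)
        elif section == "Phase 1" and "=" in body:
            key, value = (part.strip() for part in body.split("=", 1))
            if value.endswith("-P1"):
                try:
                    ip = ipaddress.ip_address(key)
                except ValueError:
                    ip = None                        # already a host name: leave it alone
                if ip is not None:
                    replaced.append(str(ip))
                    line = f"{new_gateway} = {value}{ending}"
        out.append(line)
    return "".join(out), replaced

def private_gateways(replaced_ips):
    """Replaced addresses that are private (RFC 1918 etc.), i.e. never reachable from outside."""
    return [ip for ip in replaced_ips if ipaddress.ip_address(ip).is_private]
```

After writing the rewritten text back, the connection still has to be imported again in Sophos Connect, as the reply says; editing the file alone does not change an already imported profile.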

  • In reply to rmk_2018:

    Hi Ramesh,

    Thanks for your reply, I use the tgb file.

    Opened the file using Notepad++: bethelsophosxg.myfirewall.co = Sophos_Connect_Tunnel-P1

    Please advise on updating the tgb; can I do it using Notepad?

    Update it to:

    [Phase 1]
    192.168.1.150 = Sophos_Connect_Tunnel-P1

    Appreciate your help.

    Thanks

    Raju

  • In reply to Ruka:

    Hello Raju,

    According to the logs, it does seem there is no packet received from the firewall; either the packet is not sent to the XG or not received. Could you take a packet capture from your local system and on the XG firewall and compare the two?

  • In reply to Aditya Patel:

    Thanks Aditya for your reply.

    I'm pretty new to Sophos, please advise how to capture traffic from Sophos. Also, when you say local system, should I run a packet tracer on the laptop that's running Sophos Connect and capture packet info through there?

    Appreciate your help.

    Regards

  • In reply to Ruka:

    Hello,

    You may check the traffic on your local system from the Ethernet or Wi-Fi port from where the connection is ongoing using Wireshark.

    As for the XG firewall, you would need to follow the steps in this KB article. Follow the steps to download from a web browser.

    Things to note down:

    The public address of your remote location and the public address of your XG firewall location.

    Compare the two PCAPs; you may use the timestamps on the packets as a reference point.

    You should see whether there is any ISAKMP packet from the remote end and whether it is received on the XG firewall.

  • In reply to Aditya Patel:

    Thanks Aditya,

    Will try that and let you know how it goes.

    Appreciate your help.

    Have a good day

    Cheers


    Raju

  • In reply to rmk_2018:

    G'Day Ramesh,

    I think changing the tgb file as per your advice did the trick. It has connected now.

    Appreciate your help on this, it has been haunting me for a few days now. Also, apologies for the delayed response.

    It does not seem to work when I use my mobile phone as a hotspot, but I believe it's something to do with the mobile network.

    Once again, appreciate your time for sorting this.

    Have a good day

    God bless

    Regards 

    Raju

  • In reply to Aditya Patel:

    G'Day Aditya,

    One of the community members (Ramesh) had advised doing the below:

    I think I know why you are having the problem. Are you using a .tgb file or a .scx file to import the connection? You need to modify the gateway IP to the DDNS name. You have to do this manually.

    1) If you are using the tgb file, then this is the line where you need to update that IP to your DDNS.

    [Phase 1]
    192.168.1.150 = <YourPolicyName>-P1


    2) If you are using scadmin to modify the tgb file, you need to Modify Target Host and set it to your DDNS.


    After you make the modification, you MUST import the connection again and then it will work.


    After performing the above, Sophos Connect seems to work now.

    Appreciate you guys' help on the Community.

    Have a good day

    Regards

    Raju