I am in the process of testing some MDM solutions which will push a VPN configuration to iOS devices and am having issues.
This has been raised many times before but nothing has been fixed with regards to this.
The only option from the MDM solution is to select one certificate, being the remote certificate in the Sophos XG setup. I am mentioning this before I get a reply, as previously the advice was that I also need to import both certificates for it to work. I and others within the forums have already tried this and it still failed.
The error as always is "The servers certificates identity is incorrect"
Logs from Sophos XG are:
Any chance someone from Sophos could look into this? FloSupport
During the beta stage/forums you had raised an issue with regards to this; I am not sure if you managed to get it fixed or not, but we are still having the same issues.
Old thread https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/97037/possible-bug---iphone-ipsec-vpn-connection-install-download
In reply to waghelak:
You may be experiencing a different issue, as the thread you referenced and its bug ID (NC-22793) have already been resolved.
Which firmware version is your XG firewall appliance running? Have you inquired with support of your third-party MDM solution, to verify if there are any other potential workarounds or steps for this one certificate restriction?
Also, have you already tried our Sophos Mobile Control solution?
FloSupport | Community Support Engineer
In reply to FloSupport:
We are currently running the latest version, SFOS 17.0.6 MR-6. We are in the process of testing various MDM solutions and until now we have not been able to achieve what is required. We are looking to enable per-app VPN, which requires certificate authentication for it to work.
I'd suggest taking a look at our Sophos Mobile Control and this related KB article. I would also advise contacting your Sophos Partner/Reseller if you have questions regarding product trialing and how to best utilize this product in your network environment.
I fully understand you pushing for the Sophos version to be tried as well, but it still does not solve the issue with certificate authentication on iOS. I am surprised that rather than getting to the bottom of this issue I am being asked to trial another Sophos product.
Currently, with all the issues we are having after suggesting the company go with Sophos XG, I am in no position to suggest another Sophos product.
Which VPN solution are you currently trying to push out to your iOS clients? Have you also attempted to use Preshared Key authentication for troubleshooting purposes? Also note our KB article for the Cisco VPN client.
We are trying to use IPsec with certificate authentication. We don't have any issues using a preshared key, which works as we expect.
There are a number of posts by different users from the past year who have had similar issues with certificates and IPsec VPN on iOS.
Preshared key has always worked, although VPN on demand and per-app VPN require certificates on iOS, and a preshared key is not something our CAB (change request board) will approve.
In regards to the certificates you are utilizing for authentication, are you using the XG's Appliance Certificate for the local certificate? How did you have this configured?
The local certificate is the XG Appliance certificate, and for the remote certificate we have created a self-signed certificate through the XG appliance.
Maybe it still does not work.
Same situation. The PSK connection is good, but the certificate connection does not work on iOS. (SC Client is working.)
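One thing worth checking on a self-signed gateway certificate before blaming the client is whether its Subject Alternative Name (SAN) actually contains the identity the iOS profile presents for the server (the hostname or IP the client connects to). Modern iOS ignores the subject Common Name and only trusts the SAN, so a certificate generated with just a CN will be rejected as having an incorrect identity. The following Go program is an added example written for this thread, not code from Sophos or from any poster; it assumes nothing about the poster's actual appliance, and the gateway name `vpn.example.com` and address `203.0.113.10` are placeholders. It generates two constructed self-signed certificates, one CN-only and one with a proper SAN, and shows which one passes an identity check for the gateway name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed server certificate with the given
// subject CN and optional SAN entries. This is constructed test data, not a
// certificate exported from any appliance.
func makeSelfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityMatches reports whether the identity a client presents for the
// gateway (DNS name or IP literal) is covered by the certificate's SAN.
// The subject CN is deliberately never consulted, mirroring how current
// iOS evaluates server certificates.
func identityMatches(cert *x509.Certificate, gateway string) bool {
	if ip := net.ParseIP(gateway); ip != nil {
		for _, c := range cert.IPAddresses {
			if c.Equal(ip) {
				return true
			}
		}
		return false
	}
	if len(cert.DNSNames) == 0 {
		return false // no DNS SAN entries: a CN-only certificate fails
	}
	// VerifyHostname handles exact and wildcard dNSName matching.
	return cert.VerifyHostname(gateway) == nil
}

// sanSummary lists the SAN entries so a mismatch is visible at a glance.
func sanSummary(cert *x509.Certificate) []string {
	var out []string
	for _, d := range cert.DNSNames {
		out = append(out, "DNS:"+d)
	}
	for _, ip := range cert.IPAddresses {
		out = append(out, "IP:"+ip.String())
	}
	return out
}

func main() {
	// Placeholder gateway identity; use the value configured in the VPN profile.
	const gateway = "vpn.example.com"

	cnOnly, err := makeSelfSigned(gateway, nil, nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := makeSelfSigned(gateway, []string{gateway}, []net.IP{net.ParseIP("203.0.113.10")})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{cnOnly, withSAN} {
		fmt.Printf("CN=%q SAN=%v matches %q: %v\n",
			c.Subject.CommonName, sanSummary(c), gateway, identityMatches(c, gateway))
	}
}
```

To apply this to a real appliance certificate, parse the exported PEM with `x509.ParseCertificate` and call `identityMatches` with the exact server address the MDM profile sends; if it returns false, reissue the certificate with that name or IP in the SAN rather than only in the CN.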
Certificate identity is incorrect
In reply to FoW:
Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID for a closer look?
I guess this is an open bug in authentication via certificate right now.
Saw a bug ID attached to V17.5 MR4.
Thanks. I will contact them.
In reply to LuCar Toni:
SFOS 17.5 MR4 Released
NC-42099 [IPsec] Sophos Connect Client cannot connect to Sophos Connect Client policy using digital certificate