This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to save login info in the SSL VPN

Hi,

I dont want to enter my login info to ssl vpn client at each time when I connected to vpn. How can I save my login info like fortigate ssl vpn client ?

This thread was automatically locked due to age.

Top Replies

FormerMember over 4 years ago in reply to intrusus +1 verified

Hi intrusus, It will update all preshared keys with local peer ID (generally public IP of interface bound) and remote peer which is always * (at least it should be). So In order to prevent this I suggest…

0 FormerMember over 4 years ago

Hi Süleyman Akpınar,

Please give me some time to test in my LAB. I believe this should be possible but I will confirm and update this post.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
+1 LuCar Toni over 4 years ago in reply to FormerMember

Sophos uses OpenVPN for SSLVPN.

The OpenVPN Client does not have a secure way to save the password.

https://forums.openvpn.net/viewtopic.php?t=27404

Hashing the Password would require some mechanism at your own to script.

I would recommend to use Sophos Connect (IPsec Client), which can save the password or do not save the password in OpenVPN.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 4 years ago in reply to LuCar Toni

Hi LuCar Toni,

You are correct, OpenVPN client does not have a secure way to save the password. I support your suggestion to use Sophos Connect Client.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Süleyman Akpınar over 4 years ago in reply to FormerMember

Hi,

How can I use Sophos Connect Client.,

İs there any doc to use it
Cancel
Vote Up 0 Vote Down

Cancel
0 intrusus over 4 years ago in reply to Süleyman Akpınar

Unknown said:

...

İs there any doc to use it

You'll find it here.

Be aware that any traffic will be going through the VPN tunnel, you have to create firewall rules to allow traffic from VPN to WAN.

Intrusus
Sophos Certified Engineer | Sophos Certified Technician

_{private lab:
XG firewall with SFOS 20.X running on Proxmox}
_{If a post solves your question use the 'Verify Answer' link}
Cancel
Vote Up 0 Vote Down

Cancel
0 Süleyman Akpınar over 4 years ago in reply to intrusus

Hi,

thanks for answer . I have a question , when I click the apply button , Sophos show this message

"This will update the preshared key of all the connections configured between the same local and remote peers. Are you sure you want to continue?"

If I click yes , will be change all old preshared keys ?

İpsec connection preshared key and sophos connect client are same valu or are they different ?
Cancel
Vote Up 0 Vote Down

Cancel
0 intrusus over 4 years ago in reply to Süleyman Akpınar

In fact, I have only used Sophos Connect on its own without having configured other IPSec connections. I would have to recreate this in the lab, but I don't have the time to do that right now. Maybe someone has already made his experiences here, in the forum I have already found your question, but no suitable answers.

Try it yourself in a lab environment not in production. I would advise you to configure a Local ID and Remote ID, maybe this message has something to do with it and then affects only clients with the same IDs.

maybe you know how this will behave?

Best regards,

Leon

Intrusus
Sophos Certified Engineer | Sophos Certified Technician

_{private lab:
XG firewall with SFOS 20.X running on Proxmox}
_{If a post solves your question use the 'Verify Answer' link}
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to intrusus

It depends.

Remote Access acts like all "Respond only" IPsec Site to Site tunnel with a Wildcard.

XG does not support "PSK Probing". PSK Probing is some sort of technique to try to figure out different PSKs used by different Tunnel in case of Remote Site *.

Lets assume you have a site to site tunnel configured with respond only and remote gateway is "*" (So basically you dont know).

That PSK will be overwritten by Sophos Connect, because XG cannot split this tunnel to all Sophos connect connections coming.

Best practice is always to use a remote gateway (IP or DNS). Not to use "*".

If your other end has a dynamic IP, try to use DDNS.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 4 years ago in reply to intrusus

Hi intrusus,

It will update all preshared keys with local peer ID (generally public IP of interface bound) and remote peer which is always * (at least it should be). So In order to prevent this I suggest you to have local and remote ID configured on the IPsec connections before saving this connect client configuration.

Thanks,
Cancel
Vote Up +1 Vote Down

Cancel