
How to save login info in the SSL VPN

Hi,

I don't want to enter my login info into the SSL VPN client each time I connect to the VPN. How can I save my login info, like the FortiGate SSL VPN client does?



  • Sophos uses OpenVPN for SSL VPN.

    The OpenVPN client does not have a secure way to save the password.

    https://forums.openvpn.net/viewtopic.php?t=27404

    Hashing the password would require a mechanism of your own to script.

    I would recommend using Sophos Connect (the IPsec client), which can save the password, or not saving the password in OpenVPN.

  • FormerMember in reply to LuCar Toni

    Hi LuCar Toni, 

    You are correct, the OpenVPN client does not have a secure way to save the password. I support your suggestion to use the Sophos Connect client.

    Thanks,


  • Hi,

    How can I use the Sophos Connect client?

    Is there any doc on how to use it?

  • Unknown said:

    ...

    Is there any doc on how to use it?

    You'll find it here.

    Be aware that all traffic will go through the VPN tunnel; you have to create firewall rules to allow traffic from VPN to WAN.

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 20.X running on Proxmox

    If a post solves your question use the 'Verify Answer' link

  • Hi,

    thanks for the answer. I have a question: when I click the apply button, Sophos shows this message:

    "This will update the preshared key of all the connections configured between the same local and remote peers. Are you sure you want to continue?"

    If I click yes, will all the old preshared keys be changed?

    Are the IPsec connection preshared key and the Sophos Connect client preshared key the same value, or are they different?

  • In fact, I have only used Sophos Connect on its own, without having configured other IPsec connections. I would have to recreate this in the lab, but I don't have the time to do that right now. Maybe someone has already had experience with this; in the forum I have already found your question, but no suitable answers.

    Try it yourself in a lab environment, not in production. I would advise you to configure a Local ID and Remote ID; maybe this message has something to do with it and then affects only clients with the same IDs.

    Maybe you know how this will behave?

    Best regards,

    Leon


  • It depends.

    Remote Access acts like a "Respond only" IPsec site-to-site tunnel with a wildcard.

    XG does not support "PSK probing". PSK probing is a technique for figuring out the different PSKs used by different tunnels when the remote site is *.

    Let's assume you have a site-to-site tunnel configured with respond only and the remote gateway is "*" (so basically you don't know it).

    That PSK will be overwritten by Sophos Connect, because XG cannot split this tunnel across all incoming Sophos Connect connections.

    Best practice is always to use a remote gateway (IP or DNS), not "*".

    If your other end has a dynamic IP, try to use DDNS.

  • FormerMember in reply to intrusus

    Hi intrusus,

    It will update all preshared keys with the local peer ID (generally the public IP of the bound interface) and a remote peer which is always * (at least it should be). So, in order to prevent this, I suggest you have a Local ID and Remote ID configured on the IPsec connections before saving this Connect client configuration.

    Thanks,
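A pre-check script for the situation discussed in the last few replies, added here as an example and not code from Sophos or any poster: before saving the Sophos Connect configuration, list the IPsec connections that share the same local peer and use a wildcard ("*") remote peer, and separate those that have a Local ID and Remote ID from those that do not. The connection record format (plain Python dataclasses with constructed sample values) is an assumption, not the SFOS export format; the selection rule follows only what the thread states.

```python
from dataclasses import dataclass

WILDCARD = "*"  # "Respond only" remote gateway, as described in the thread


@dataclass(frozen=True)
class IpsecConnection:
    # Assumed record shape; not the SFOS configuration format.
    name: str
    local_gateway: str      # local peer, generally the public IP of the bound interface
    remote_gateway: str     # IP, DNS name, or "*" for respond-only
    local_id: str = ""      # empty means no Local ID configured
    remote_id: str = ""     # empty means no Remote ID configured


def psk_update_review(conns, connect_local_gateway):
    """Map each connection that the Sophos Connect PSK update could touch to a reason.

    Per the thread: connections on the same local peer with a wildcard remote peer
    get their PSK overwritten; configuring Local/Remote IDs is the suggested way to
    scope the update. Connections pinned to a concrete remote gateway are skipped,
    which is the thread's best-practice recommendation.
    """
    findings = {}
    for c in conns:
        if c.local_gateway != connect_local_gateway or c.remote_gateway != WILDCARD:
            continue
        if c.local_id and c.remote_id:
            findings[c.name] = "wildcard remote peer, IDs set: verify in a lab first"
        else:
            findings[c.name] = "wildcard remote peer, no Local/Remote ID: PSK would be overwritten"
    return findings


# Constructed sample inventory (RFC 5737 documentation addresses).
SAMPLE = [
    IpsecConnection("branch-a", "203.0.113.10", "198.51.100.7"),
    IpsecConnection("roaming-respond-only", "203.0.113.10", "*"),
    IpsecConnection("partner-dyn", "203.0.113.10", "*", "hq.example", "partner.example"),
    IpsecConnection("other-wan", "192.0.2.5", "*"),
]

if __name__ == "__main__":
    for name, reason in psk_update_review(SAMPLE, "203.0.113.10").items():
        print(f"{name}: {reason}")
```

Run it against your own inventory before clicking "apply"; an empty result means no wildcard connection shares the local peer with the Sophos Connect listener.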