
SSL VPN REMOTE ISSUE

HI ALL,

 

I configured a policy for SSL VPN remote access on a Sophos XG with firmware SFOS 17.5.9 MR-9,

but I could not connect.

> I regenerated the default certificate 5 times with an SSL certificate, but the problem persists.

> I did a factory reset of the firewall, but I still have the same problem.

Below is the full log from my VPN client.

 

2020-02-20 02:11:43.040211 *Tunnelblick: macOS 10.15.3 (19D76); Tunnelblick 3.8.1 (build 5400); prior version 3.8.0 (build 5370)

2020-02-20 02:11:43.203074 *Tunnelblick: Attempting connection with thewarehouse__ssl_vpn_config (8); Set nameserver = 769; monitoring connection

2020-02-20 02:11:43.203865 *Tunnelblick: openvpnstart start thewarehouse__ssl_vpn_config\ (8).tblk 63348 769 0 3 0 1098032 -ptADGNWradsgnw 2.4.7-openssl-1.0.2t

2020-02-20 02:11:43.231277 *Tunnelblick: openvpnstart starting OpenVPN

2020-02-20 02:11:43.552606 OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Sep 11 2019

2020-02-20 02:11:43.552707 library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10

2020-02-20 02:11:43.554245 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:63348

2020-02-20 02:11:43.554297 Need hold release from management interface, waiting...

2020-02-20 02:11:43.830475 *Tunnelblick: openvpnstart log:

     OpenVPN started successfully.

     Command used to start OpenVPN (one argument per displayed line):

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.7-openssl-1.0.2t/openvpn

          --daemon

          --log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sthewarehouse__ssl_vpn_config (8).tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1098032.63348.openvpn.log

          --cd /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --machine-readable-output

          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5400 3.8.1 (build 5400)"

          --verb 3

          --config /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources/config.ovpn

          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --verb 3

          --cd /Library/Application Support/Tunnelblick/Shared/thewarehouse__ssl_vpn_config (8).tblk/Contents/Resources

          --management 127.0.0.1 63348 /Library/Application Support/Tunnelblick/gbgogjoabaiioonejjcpchbeidfcghanljohmfoe.mip

          --management-query-passwords

          --management-hold

          --script-security 2

          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2020-02-20 02:11:43.842471 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63348

2020-02-20 02:11:43.883308 MANAGEMENT: CMD 'pid'

2020-02-20 02:11:43.883380 MANAGEMENT: CMD 'auth-retry interact'

2020-02-20 02:11:43.883422 MANAGEMENT: CMD 'state on'

2020-02-20 02:11:43.883476 MANAGEMENT: CMD 'state'

2020-02-20 02:11:43.883552 MANAGEMENT: CMD 'bytecount 1'

2020-02-20 02:11:43.887755 *Tunnelblick: Established communication with OpenVPN

2020-02-20 02:11:43.889663 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

2020-02-20 02:11:43.898280 MANAGEMENT: CMD 'hold release'

2020-02-20 02:11:57.141672 MANAGEMENT: CMD 'username "Auth" "thewarehouse"'

2020-02-20 02:11:57.141742 MANAGEMENT: CMD 'password [...]'

2020-02-20 02:11:57.143351 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:11:57.143390 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:11:57.168827 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:57.169013 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:11:57.169052 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:11:57.169126 MANAGEMENT: >STATE:1582157517,TCP_CONNECT,,,,,,

2020-02-20 02:11:58.232595 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:11:58.232701 TCP_CLIENT link local: (not bound)

2020-02-20 02:11:58.232753 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:58.233043 MANAGEMENT: >STATE:1582157518,WAIT,,,,,,

2020-02-20 02:11:58.295885 MANAGEMENT: >STATE:1582157518,AUTH,,,,,,

2020-02-20 02:11:58.296032 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=18fcfc5a 5d6ff0e4

2020-02-20 02:11:58.296385 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:11:59.274263 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:11:59.274301 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed

2020-02-20 02:11:59.274415 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:11:59.274651 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:11:59.274686 MANAGEMENT: >STATE:1582157519,RECONNECTING,tls-error,,,,,

2020-02-20 02:11:59.293672 MANAGEMENT: CMD 'hold release'

2020-02-20 02:11:59.293740 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:11:59.293761 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:11:59.294621 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:11:59.294728 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:11:59.294759 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:11:59.294780 MANAGEMENT: >STATE:1582157519,TCP_CONNECT,,,,,,

2020-02-20 02:11:59.295192 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:00.366596 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:00.366765 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:00.366856 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:00.366904 MANAGEMENT: >STATE:1582157520,WAIT,,,,,,

2020-02-20 02:12:00.441857 MANAGEMENT: >STATE:1582157520,AUTH,,,,,,

2020-02-20 02:12:00.441996 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=f0a66648 eb085b3d

2020-02-20 02:12:03.374469 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:03.374686 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:03.374706 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:03.374717 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:03.374727 TLS Error: TLS handshake failed

2020-02-20 02:12:03.374803 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:03.375020 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:03.375069 MANAGEMENT: >STATE:1582157523,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:03.404594 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:03.404662 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:03.404684 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:03.404839 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:03.405612 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:03.405657 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:03.405679 MANAGEMENT: >STATE:1582157523,TCP_CONNECT,,,,,,

2020-02-20 02:12:03.406059 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:04.449324 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:04.449511 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:04.449566 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:04.449604 MANAGEMENT: >STATE:1582157524,WAIT,,,,,,

2020-02-20 02:12:04.501208 MANAGEMENT: >STATE:1582157524,AUTH,,,,,,

2020-02-20 02:12:04.501349 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=c125b8af 7c60d1d0

2020-02-20 02:12:05.936970 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:05.937139 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:05.937163 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:05.937180 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:05.937195 TLS Error: TLS handshake failed

2020-02-20 02:12:05.937287 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:05.937436 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:05.937520 MANAGEMENT: >STATE:1582157525,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:05.971185 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:05.971253 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:05.971276 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:05.972172 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:05.972277 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:05.972308 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:05.972334 MANAGEMENT: >STATE:1582157525,TCP_CONNECT,,,,,,

2020-02-20 02:12:05.972714 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:07.017146 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:07.017319 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:07.017373 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:07.017412 MANAGEMENT: >STATE:1582157527,WAIT,,,,,,

2020-02-20 02:12:07.057113 MANAGEMENT: >STATE:1582157527,AUTH,,,,,,

2020-02-20 02:12:07.057252 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=fc8f1cb2 ac2f89c7

2020-02-20 02:12:08.105730 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:08.105849 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:08.105904 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:08.105913 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:08.105920 TLS Error: TLS handshake failed

2020-02-20 02:12:08.106043 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:08.106207 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:08.106271 MANAGEMENT: >STATE:1582157528,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:08.127881 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:08.128003 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:08.129228 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:08.129268 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:08.129394 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:08.129467 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:08.129492 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:08.129508 MANAGEMENT: >STATE:1582157528,TCP_CONNECT,,,,,,

2020-02-20 02:12:09.129895 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:09.129990 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:09.130022 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:09.130058 MANAGEMENT: >STATE:1582157529,WAIT,,,,,,

2020-02-20 02:12:09.190385 MANAGEMENT: >STATE:1582157529,AUTH,,,,,,

2020-02-20 02:12:09.190543 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=663578c8 28276a8d

2020-02-20 02:12:10.203679 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

2020-02-20 02:12:10.203877 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2020-02-20 02:12:10.203902 TLS_ERROR: BIO read tls_read_plaintext error

2020-02-20 02:12:10.203919 TLS Error: TLS object -> incoming plaintext read error

2020-02-20 02:12:10.203934 TLS Error: TLS handshake failed

2020-02-20 02:12:10.204057 Fatal TLS error (check_tls_errors_co), restarting

2020-02-20 02:12:10.204242 SIGUSR1[soft,tls-error] received, process restarting

2020-02-20 02:12:10.204316 MANAGEMENT: >STATE:1582157530,RECONNECTING,tls-error,,,,,

2020-02-20 02:12:10.237007 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:10.237088 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.

2020-02-20 02:12:10.237189 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2020-02-20 02:12:10.238036 TCP/UDP: Preserving recently used remote address: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:10.238140 Socket Buffers: R=[131072->131072] S=[131072->131072]

2020-02-20 02:12:10.238172 Attempting to establish TCP connection with [AF_INET]86.108.14.185:8443 [nonblock]

2020-02-20 02:12:10.238196 MANAGEMENT: >STATE:1582157530,TCP_CONNECT,,,,,,

2020-02-20 02:12:10.238561 MANAGEMENT: CMD 'hold release'

2020-02-20 02:12:11.055519 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed

2020-02-20 02:12:11.303054 TCP connection established with [AF_INET]86.108.14.185:8443

2020-02-20 02:12:11.304238 TCP_CLIENT link local: (not bound)

2020-02-20 02:12:11.304904 TCP_CLIENT link remote: [AF_INET]86.108.14.185:8443

2020-02-20 02:12:11.304985 MANAGEMENT: >STATE:1582157531,WAIT,,,,,,

2020-02-20 02:12:11.352447 MANAGEMENT: >STATE:1582157531,AUTH,,,,,,

2020-02-20 02:12:11.352547 TLS: Initial packet from [AF_INET]86.108.14.185:8443, sid=9c821b27 2014b7d7

2020-02-20 02:12:11.363362 *Tunnelblick: Disconnecting using 'kill'

2020-02-20 02:12:11.533125 event_wait : Interrupted system call (code=4)

2020-02-20 02:12:11.533459 SIGTERM[hard,] received, process exiting

2020-02-20 02:12:11.533527 MANAGEMENT: >STATE:1582157531,EXITING,SIGTERM,,,,,

2020-02-20 02:12:12.175614 *Tunnelblick: Expected disconnection occurred.



  • Hey Keyur,

    thanks for replying to me.

    I already did that. The problem here is unusual: I tried to connect the SSL VPN client through Windows, Mac and iOS mobile, but it still returns the same error


    2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

    2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

    2020-02-20 02:11:59.274263 TLS_ERROR: BIO read tls_read_plaintext error

    2020-02-20 02:11:59.274301 TLS Error: TLS object -> incoming plaintext read error

    2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed

    2020-02-20 02:11:59.274415 Fatal TLS error (check_tls_errors_co), restarting

  • Check the Time of your Device and the Time of your XG.

    Timezone correct? 


  • Hey LuCar,

    thanks for the reply.

    Yeah, the time is correct.

  • When does the certificate start?

    This one: C=JO, ST=Jordan, L=Amman, O=Maintech, OU=OU, CN=thewarehousecafefirewall, emailAddress=t.albaik@maintechjo.com

    Could you post a screenshot of this certificate?

  • Yeah, sure. I think I found the problem: the certificate is valid from 21 Feb, and the date on the firewall is wrong; it should be 20 Feb, so I have to generate a new default certificate.

    Thanks LuCar, that's right, the date was wrong.

    Thanks for your time.
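The two things the posted logs point at, worked through as an added Python example (this is not code from the thread, from Sophos or from the OpenVPN project): it parses OpenVPN client log lines of the kind posted above, maps the OpenSSL verify reason to what a defender should check first, flags the `No server certificate verification method has been enabled` warning (OpenVPN emits it when the client config carries no `remote-cert-tls server` or `verify-x509-name`, so the client would accept any certificate signed by the trusted CA, including a leaf issued to another client), and compares a certificate's validity window against the time of the failure with a small skew tolerance. The sample log lines, the documentation IP address and the certificate dates are constructed; treating Tunnelblick's local-time stamps as UTC is an assumption made to keep the example self-contained.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log, modelled on the Tunnelblick/OpenVPN lines posted in the
# thread (address and certificate names replaced with documentation values).
SAMPLE_LOG = """\
2020-02-20 02:11:57.143351 WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html for more info.
2020-02-20 02:11:58.296032 TLS: Initial packet from [AF_INET]192.0.2.10:8443, sid=18fcfc5a 5d6ff0e4
2020-02-20 02:11:59.265231 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=JO, ST=Jordan, L=Amman, O=Example, OU=OU, CN=example-firewall-ca
2020-02-20 02:11:59.266080 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2020-02-20 02:11:59.274318 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) VERIFY ERROR: "
    r"depth=(?P<depth>\d+), error=(?P<reason>[^:]+): (?P<subject>.*)$"
)
NO_VERIFY_WARNING = "No server certificate verification method has been enabled"

# OpenSSL X509 verify reasons and the first thing to compare or inspect.
REASON_HINTS = {
    "certificate is not yet valid": "clock skew: the issuing device's clock was ahead when it signed, or the client clock is behind",
    "certificate has expired": "clock skew or a genuinely expired certificate: compare both clocks, then renew",
    "unable to get local issuer certificate": "client trust store lacks the issuing CA",
    "self signed certificate in certificate chain": "chain root is not in the client trust store",
}


def parse_log_timestamp(ts: str) -> datetime:
    """Tunnelblick stamps lines in local time; assumed UTC here (example simplification)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_verify_errors(log_text: str) -> list:
    """Return one dict per VERIFY ERROR line: time, chain depth, reason, subject, hint.

    depth=0 is the server leaf, depth=1 its issuer (the firewall's CA in the thread)."""
    errors = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            reason = m["reason"].strip()
            errors.append({
                "time": parse_log_timestamp(m["ts"]),
                "depth": int(m["depth"]),
                "reason": reason,
                "subject": m["subject"].strip(),
                "hint": REASON_HINTS.get(reason, "inspect the certificate chain"),
            })
    return errors


def server_cert_verification_enabled(log_text: str) -> bool:
    """False when OpenVPN warned that the client performs no server-role check."""
    return NO_VERIFY_WARNING not in log_text


def check_validity(not_before, not_after, now, tolerance=timedelta(minutes=5)):
    """Classify a certificate's validity window against a clock.

    `tolerance` absorbs small, legitimate skew between two devices; anything
    beyond it is reported so the operator compares the two clocks."""
    if now < not_before - tolerance:
        return "not_yet_valid"
    if now > not_after + tolerance:
        return "expired"
    return "valid"


def triage(log_text: str, not_before=None, not_after=None) -> dict:
    """Summarise a client log: verify errors with hints, whether server-cert
    verification is configured, and (if the window is known) how the certificate
    sat against the clock at the moment the client logged the first failure."""
    errors = parse_verify_errors(log_text)
    summary = {
        "verify_errors": errors,
        "server_cert_verification_enabled": server_cert_verification_enabled(log_text),
        "validity_at_failure": None,
    }
    if errors and not_before and not_after:
        summary["validity_at_failure"] = check_validity(not_before, not_after, errors[0]["time"])
    return summary


if __name__ == "__main__":
    # The thread's outcome: the CA certificate carried a notBefore of 21 Feb because
    # the firewall's clock was a day ahead, so on 20 Feb every client rejected it.
    # Dates below are constructed for the example.
    nb = datetime(2020, 2, 21, tzinfo=timezone.utc)
    na = nb + timedelta(days=365)
    result = triage(SAMPLE_LOG, nb, na)
    for e in result["verify_errors"]:
        print(f"{e['time']:%Y-%m-%d %H:%M} depth={e['depth']} {e['reason']} -> {e['hint']}")
    print("server-cert verification enabled:", result["server_cert_verification_enabled"])
    print("validity at failure:", result["validity_at_failure"])
```

Run it against a real Tunnelblick or OpenVPN log by reading the file into `triage()`; a `not_yet_valid` or `expired` result alongside a correct client clock points at the clock of the device that issued the certificate, which is exactly what the thread arrived at, and `server_cert_verification_enabled` being `False` is the separate configuration gap to close once the tunnel comes up.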