
Setting up Sophos Connect with a Digital Certificate.

I can't find any documentation when it comes to setting up Connect using a cert. I have purchased an SSL certificate and the DNS name is vpn.johnny.com. I uploaded it to the firewall and set it in Remote ID. I created a self-generated cert called sophosvpn.com and put it in Local ID. When I try to connect using those settings I get "failed to Validate server Certificate".


Here's the log file:

2020-04-10 07:40:23PM 25[KNL] interface 9 'Intel(R) Dual Band Wireless-AC 8265' changed state from Down to Up
2020-04-10 07:40:23PM 25[KNL] interface 9 'Intel(R) Dual Band Wireless-AC 8265' changed state from Up to Down
2020-04-10 07:44:00PM 14[CFG] loaded certificate 'CN=vpn.johnny.com'
2020-04-10 07:44:00PM 16[CFG] loaded RSA private key
2020-04-10 07:44:00PM 13[CFG] loaded EAP shared key with id 'SophosConnectParsippany-user-id' for: 'jdoe'
2020-04-10 07:44:01PM 09[CFG] added vici connection: SophosConnectParsippany
2020-04-10 07:44:01PM 11[CFG] vici initiate CHILD_SA 'SophosConnectParsippany-tunnel-1'
2020-04-10 07:44:01PM 09[IKE] <SophosConnectParsippany|11> initiating Main Mode IKE_SA SophosConnectParsippany[11] to 6.67.81.16
2020-04-10 07:44:01PM 09[ENC] <SophosConnectParsippany|11> generating ID_PROT request 0 [ SA V V V V V ]
2020-04-10 07:44:01PM 09[NET] <SophosConnectParsippany|11> sending packet: from 192.168.1.177[64412] to 6.67.81.16[500] (180 bytes)
2020-04-10 07:44:01PM 12[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[500] to 192.168.1.177[64412] (180 bytes)
2020-04-10 07:44:01PM 12[ENC] <SophosConnectParsippany|11> parsed ID_PROT response 0 [ SA V V V V V ]
2020-04-10 07:44:01PM 12[IKE] <SophosConnectParsippany|11> received XAuth vendor ID
2020-04-10 07:44:01PM 12[IKE] <SophosConnectParsippany|11> received DPD vendor ID
2020-04-10 07:44:01PM 12[IKE] <SophosConnectParsippany|11> received Cisco Unity vendor ID
2020-04-10 07:44:01PM 12[IKE] <SophosConnectParsippany|11> received FRAGMENTATION vendor ID
2020-04-10 07:44:01PM 12[IKE] <SophosConnectParsippany|11> received NAT-T (RFC 3947) vendor ID
2020-04-10 07:44:01PM 12[CFG] <SophosConnectParsippany|11> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-04-10 07:44:01PM 12[ENC] <SophosConnectParsippany|11> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2020-04-10 07:44:01PM 12[NET] <SophosConnectParsippany|11> sending packet: from 192.168.1.177[64412] to 6.67.81.16[500] (396 bytes)
2020-04-10 07:44:01PM 10[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[500] to 192.168.1.177[64412] (396 bytes)
2020-04-10 07:44:01PM 10[ENC] <SophosConnectParsippany|11> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2020-04-10 07:44:01PM 10[IKE] <SophosConnectParsippany|11> local host is behind NAT, sending keep alives
2020-04-10 07:44:01PM 10[IKE] <SophosConnectParsippany|11> sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
2020-04-10 07:44:01PM 10[IKE] <SophosConnectParsippany|11> authentication of 'vpn.johnny.com' (myself) successful
2020-04-10 07:44:01PM 10[ENC] <SophosConnectParsippany|11> generating ID_PROT request 0 [ ID SIG CERTREQ N(INITIAL_CONTACT) ]
2020-04-10 07:44:01PM 10[NET] <SophosConnectParsippany|11> sending packet: from 192.168.1.177[64413] to 6.67.81.16[4500] (492 bytes)
2020-04-10 07:44:01PM 08[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[4500] to 192.168.1.177[64413] (1248 bytes)
2020-04-10 07:44:01PM 08[ENC] <SophosConnectParsippany|11> parsed ID_PROT response 0 [ FRAG(1) ]
2020-04-10 07:44:01PM 08[ENC] <SophosConnectParsippany|11> received fragment #1, waiting for complete IKE message
2020-04-10 07:44:01PM 16[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[4500] to 192.168.1.177[64413] (420 bytes)
2020-04-10 07:44:01PM 16[ENC] <SophosConnectParsippany|11> parsed ID_PROT response 0 [ FRAG(2/2) ]
2020-04-10 07:44:01PM 16[ENC] <SophosConnectParsippany|11> received fragment #2, reassembled fragmented IKE message (1596 bytes)
2020-04-10 07:44:01PM 09[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[4500] to 192.168.1.177[64413] (92 bytes)
2020-04-10 07:44:01PM 09[IKE] <SophosConnectParsippany|11> queueing TRANSACTION request as tasks still active
2020-04-10 07:44:01PM 08[NET] <SophosConnectParsippany|11> received packet: from 6.67.81.16[4500] to 192.168.1.177[64413] (1596 bytes)
2020-04-10 07:44:01PM 08[ENC] <SophosConnectParsippany|11> parsed ID_PROT response 0 [ ID CERT SIG ]
2020-04-10 07:44:01PM 08[IKE] <SophosConnectParsippany|11> received end entity cert "C=US, ST=NJ, L=Parsippany, O=johnny, OU=OU, CN=sophosvpn.com, E=jdoe@johnny.com"
2020-04-10 07:44:01PM 08[CFG] <SophosConnectParsippany|11> using certificate "C=US, ST=NJ, L=Parsippany, O=johnny, OU=OU, CN=sophosvpn.com, E=jdoe@johnny.com"
2020-04-10 07:44:01PM 08[CFG] <SophosConnectParsippany|11> no issuer certificate found for "C=US, ST=NJ, L=Parsippany, O=johnny, OU=OU, CN=sophosvpn.com, E=jdoe@johnny.com"
2020-04-10 07:44:01PM 08[CFG] <SophosConnectParsippany|11> issuer is "C=US, ST=NJ, L=Parsippany, O=johnny, OU=OU, CN=Sophos_CA_C22042HFPVP230B, E=jdoe@johnny.com"
2020-04-10 07:44:01PM 08[IKE] <SophosConnectParsippany|11> no trusted RSA public key found for 'sophosvpn.com'
2020-04-10 07:44:01PM 08[IKE] <SophosConnectParsippany|11> deleting IKE_SA SophosConnectParsippany[11] between 192.168.1.177[vpn.johnny.com]...6.67.81.16[sophosvpn.com]
2020-04-10 07:44:01PM 08[IKE] <SophosConnectParsippany|11> sending DELETE for IKE_SA SophosConnectParsippany[11]
2020-04-10 07:44:01PM 08[ENC] <SophosConnectParsippany|11> generating INFORMATIONAL_V1 request 1344563122 [ HASH D ]
2020-04-10 07:44:01PM 08[NET] <SophosConnectParsippany|11> sending packet: from 192.168.1.177[64413] to 6.67.81.16[4500] (108 bytes)
2020-04-10 07:44:01PM 13[CFG] vici terminate IKE_SA 'SophosConnectParsippany'
2020-04-10 07:44:02PM 09[CFG] unloaded private key with id 96a18ac9482872bafe0d7f4f73527f6f62861ede
2020-04-10 07:44:03PM 14[CFG] unloaded shared key with id 'SophosConnectParsippany-user-id'

  • "I can't find any documentation when it comes to setting up Connect using a cert"

    I'm also confused as I couldn't find any documentation either.

    From my understanding, you have to create or upload two certificates:

    1) local - to validate the XG's identity

    2) remote - to validate the client's identity

    e.g. like this [screenshots not reproduced]

    The client config then looks like this file:

    [xgselution_demo-Public-Client-Key]  <-- connect.selution.demo
    [xgselution_demo-Public-RootCA-Key]  <-- vpnca.selution.demo
    [xgselution_demo-Secret-Client-Key]  <-- connect.selution.demo

    It's also possible to use the default appliance certificate for the XG's identity, but it's much more convenient to have a separate cert for VPN, in case you need to regenerate the appliance cert.

    What you definitely want to avoid is using the default appliance certificate as the remote certificate, as this would expose your private key in the client config!