I've got a fresh new install of XG 18. Everything runs well *but*...
SSL VPNs can't be established from Android devices. I've tested every combination of cipher and authentication, but the log still shows "no shared cipher".
Mon May 3 13:10:30 2021 us=52099  TCP connection established with [AF_INET6]::ffff:1XX.1XX.2XX.2:45776
Mon May 3 13:10:30 2021 us=52115  TCPv6_SERVER link remote: [AF_INET6]::ffff:1XX.1XX.2XX.2:45776
Mon May 3 13:10:30 2021 us=52561  ::ffff:1XX.1XX.2XX.2 TCPv6_SERVER READ  from [AF_INET6]::ffff:1XX.1XX.2XX.2:45776: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Mon May 3 13:10:30 2021 us=52571  ::ffff:1XX.1XX.2XX.2 TLS: Initial packet from [AF_INET6]::ffff:1XX.1XX.2XX.2:45776, sid=c548a4be 80665ec5
Mon May 3 13:10:30 2021 us=52587  ::ffff:1XX.1XX.2XX.2 TCPv6_SERVER WRITE  to [AF_INET6]::ffff:1XX.1XX.2XX.2:45776: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Mon May 3 13:10:30 2021 us=82158  ::ffff:1XX.1XX.2XX.2 TCPv6_SERVER READ  from [AF_INET6]::ffff:1XX.1XX.2XX.2:45776: P_CONTROL_V1 kid=0 [ 0 ] pid=1 DATA len=239
Mon May 3 13:10:30 2021 us=82233  ::ffff:1XX.1XX.2XX.2 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Mon May 3 13:10:30 2021 us=82242  ::ffff:1XX.1XX.2XX.2 TLS Error: TLS object -> incoming plaintext read error
Mon May 3 13:10:30 2021 us=82249  ::ffff:1XX.1XX.2XX.2 TLS Error: TLS handshake failed
Mon May 3 13:10:30 2021 us=82277  ::ffff:1XX.1XX.2XX.2 Fatal TLS error (check_tls_errors_co), restarting
Mon May 3 13:10:30 2021 us=82286  ::ffff:1XX.1XX.2XX.2 SIGUSR1[soft,tls-error] received, client-instance restarting
Any idea? I am using the OpenVPN Connect Android client, and I have tried to activate the AES-CBC cipher algorithm under "Settings".
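The log in the post is the usual OpenVPN server-side trace of a control-channel TLS handshake that dies in the ServerHello stage. When several clients are involved it helps to reduce such a log to "which client failed, how often, and with which OpenSSL reason, versus which clients actually negotiated a TLS version and cipher". The script below is an added example written for this thread, not code from Sophos or OpenVPN; the sample log is constructed to mirror the lines quoted above (addresses from the 192.0.2.0/24 documentation range, `sid` values made up), and the reason labels are my own names for the OpenSSL error strings they match.

```python
"""Summarise TLS handshake outcomes per client from an OpenVPN server log.

Added example for the thread above; not part of OpenVPN or the Sophos XG firmware.
Works on the timestamped 'verb 4/5' style lines the firewall log shows.
"""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log quoted in the post (not real traffic).
SAMPLE_LOG = """\
Mon May  3 13:10:30 2021 us=52099 TCP connection established with [AF_INET6]::ffff:192.0.2.10:45776
Mon May  3 13:10:30 2021 us=52571 ::ffff:192.0.2.10 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.10:45776, sid=c548a4be 80665ec5
Mon May  3 13:10:30 2021 us=82233 ::ffff:192.0.2.10 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Mon May  3 13:10:30 2021 us=82242 ::ffff:192.0.2.10 TLS Error: TLS object -> incoming plaintext read error
Mon May  3 13:10:30 2021 us=82249 ::ffff:192.0.2.10 TLS Error: TLS handshake failed
Mon May  3 13:10:30 2021 us=82277 ::ffff:192.0.2.10 Fatal TLS error (check_tls_errors_co), restarting
Mon May  3 13:11:02 2021 us=10001 ::ffff:192.0.2.25 TLS: Initial packet from [AF_INET6]::ffff:192.0.2.25:51000, sid=0a0b0c0d 01020304
Mon May  3 13:11:02 2021 us=20002 ::ffff:192.0.2.25 VERIFY OK: depth=0, CN=alice
Mon May  3 13:11:02 2021 us=30003 ::ffff:192.0.2.25 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Mon May  3 13:12:15 2021 us=40004 ::ffff:192.0.2.31 TLS_ERROR: BIO read tls_read_plaintext error: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
Mon May  3 13:12:15 2021 us=40010 ::ffff:192.0.2.31 TLS Error: TLS handshake failed
"""

# "Mon May  3 13:10:30 2021 us=52099 <rest of line>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=(?P<us>\d+)\s+(?P<rest>.*)$"
)
# Per-client lines are prefixed with the peer address (IPv4, IPv4-mapped or plain IPv6).
CLIENT_RE = re.compile(
    r"^(?P<client>(?:::ffff:)?(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4})\s+(?P<msg>.*)$"
)
# Successful control-channel negotiation line printed by OpenVPN.
NEGOTIATED_RE = re.compile(r"^Control Channel: (?P<proto>TLSv[\d.]+), cipher (?P<cipher>.+)$")

# OpenSSL reason strings worth telling apart when triaging handshake failures.
# The labels are this example's own; the needles are the OpenSSL text (matched case-insensitively).
FAILURE_PATTERNS = [
    ("no shared cipher", "no_shared_cipher"),                # server and client cipher/TLS-version sets do not overlap
    ("alert protocol version", "tls_version_rejected_by_client"),  # client refused the version the server picked
    ("unsupported protocol", "tls_version_rejected_by_server"),    # server refused the version the client offered
    ("certificate verify failed", "certificate_verify_failed"),
    ("unknown ca", "unknown_ca"),
]


def parse_openvpn_log(text):
    """Return one dict per timestamped line: ts, us, client (or None) and the message body."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenVPN log line; ignore
        client, msg = None, m.group("rest")
        c = CLIENT_RE.match(msg)
        if c:
            client, msg = c.group("client"), c.group("msg")
        records.append({"ts": m.group("ts"), "us": int(m.group("us")), "client": client, "msg": msg})
    return records


def summarize_tls(records):
    """Per client: number of failed handshakes, a Counter of reasons, and negotiated TLS ciphers."""
    summary = defaultdict(lambda: {"failed_handshakes": 0, "reasons": Counter(), "negotiated": []})
    for r in records:
        if r["client"] is None:
            continue  # connection-level lines carry no peer prefix
        entry = summary[r["client"]]
        msg = r["msg"]
        if msg.startswith("TLS Error: TLS handshake failed"):
            entry["failed_handshakes"] += 1
        lowered = msg.lower()
        for needle, label in FAILURE_PATTERNS:
            if needle in lowered:
                entry["reasons"][label] += 1
        neg = NEGOTIATED_RE.match(msg)
        if neg:
            entry["negotiated"].append(neg.group("cipher"))
    return dict(summary)


def format_report(summary):
    """Render the summary as plain text, one client per line."""
    lines = []
    for client, entry in sorted(summary.items()):
        reasons = ", ".join(f"{k}={v}" for k, v in sorted(entry["reasons"].items())) or "-"
        negotiated = "; ".join(entry["negotiated"]) or "-"
        lines.append(f"{client}: failed={entry['failed_handshakes']} reasons=[{reasons}] negotiated=[{negotiated}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_tls(parse_openvpn_log(SAMPLE_LOG))))
```

Run it against the firewall's SSL VPN log instead of `SAMPLE_LOG` and the report separates the clients that never get past the ClientHello (a cipher or TLS-version mismatch, as in the post) from those that negotiate normally and then fail on certificate checks, which is the distinction the replies below are trying to make.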
Try to use MR5 and redo this test. Check the Android settings, which TLS version is enforced by the phone. I do not have an Android device.
Hi Eduardo Diaz Comellas,
Thanks for reaching out to the Community!
What is the current firmware version on your firewall? The errors in the logs suggested it's an issue with the TLS handshake; it could be related to the user certificate.
I'd suggest you delete the user certificate and redownload the configuration for the user. When you login to the user portal and download the configuration, the process will re-generate the user certificate.
You could find the user certificate under Certificates > Search for the username to find the user certificate.
Community Support Engineer | Sophos Technical Support
Thanks very much for the answer.
This is 18.0.4 MR4. The user was created 1 hour ago, so I don't think that deleting it and creating it again will make any difference. Please tell me if it is worth giving it a try.
What is driving me mad is the "no shared cipher" message. What has changed so that there are no common ciphers between the OpenVPN Connect client and a Sophos XG?
Hi Eduardo Diaz Comellas,
Thanks for the update.
Are you able to connect to the SSL Remote VPN from a different device? Is the default certificate on the firewall properly configured?
If you made any changes to the configuration on the firewall related to the SSL VPN, you'd have to download the new configuration.
Sure. SSL access is working from PCs. It is just Android phones that can't connect. That is the weird thing about it.
I've not tested from iPhones (no one at hand) but will try tomorrow.
The Android device could have a preference to select specific ciphers, which are not supported on XG.
Unfortunately MR5 is still not available for this firewall (it is an HA cluster, and it takes a bit more to receive updates). The problem with the TLS version in the phone can be the key... any idea on how I can force it to use a compatible TLS version?
MR5 is available to download from id.sophos.com (https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-xg-firewall-v18-mr5--build-586-is-now-available)