IPSEC Remote Access .scx file invalid

I'm trying to configure an IPSEC remote access VPN. When I download and extract the configuration archive, the .tgb file appears to be valid, but the .scx file only contains the following:

cannot open file /tmp/root_cert.txt at /scripts/vpn/ipsec/generateJSONVPNClientConf.pl line 331.

I am using the appliance certificate for the local cert and an uploaded certificate for the remote.  The remote certificate uploaded successfully and looks fine when I select it in the IPSEC config in the firewall.

This is running on: SFVH (SFOS 19.0.0 GA-Build317)

Any suggestions would be welcome.



  • Hi Craig,

    Thank you for your query. Have you tried the following command in the advanced shell:

    SFOS 19.0.0 GA-Build317# cat /scripts/vpn/ipsec/generateJSONVPNClientConf.pl

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


    • I have the same problem with v.19.0.

      The .tgb file seems to be valid, but there is an error in the "Public-RootCA-Key" section:


      unable to load certificate
      4153952000:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

      The Perl script can be opened with: cat /scripts/vpn/ipsec/generateJSONVPNClientConf.pl

      • Hi: Based on the provided error, it seems to match a known issue, NC-85383, and the fix for it has been included in V18.5 MR-4 and V19.0.1 MR-1. This is mostly observed when the cert or cert chain contains German umlaut characters and the translation of those details when fetched into the SCX creates a problem.

        Regards,

        Vishal Ranpariya
        Technical Account Manager | Global Customer Experience


        • When will the fix be pushed to the GA/stable channel?

        • Hello,

          I have the same problem. When I try to import the .scx or .tgb file into Sophos Connect, I get "Connection could not be parsed". When I open the .scx file in an editor I see "cannot open file /tmp/root_cert.txt at /scripts/vpn/ipsec/generateJSONVPNClientConf.pl line 331."

          I tried everything to fix this issue. The ApplianceCertificate (used for the local cert in the IPsec VPN config) and the remote certificate (locally signed by the XG) have no German umlaut characters or spaces.

          • Is there any workaround in the meantime? I am on 19.0.0 GA-Build317 and I've heard 19.0.1 won't be released until the end of July.

            • Hi,
              I have the same problem.
              Updating to SFOS 19.0.1 MR-1-Build350 did not help.
              Trying to create a new local certificate and remote certificate didn't change anything either.
              When exporting the VPN configuration, there is still an error in client_ipsec.tgb:
              ......
              -----END CERTIFICATE-----

              [client_ipsec-Public-RootCA-Key]
              unable to load certificate
              4154918656:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

              [client_ipsec-secret-client-key]
              -----BEGIN RSA PRIVATE KEY-----
              ...

              and in the client_ipsec.scx:
              cannot open file /tmp/root_cert.txt at /scripts/vpn/ipsec/generateJSONVPNClientConf.pl line 331.
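
Added example, not part of any post in this thread and not Sophos code: a check to run on an exported bundle before handing it to users, flagging the two symptoms quoted above (OpenSSL error text where a PEM block should be in the .tgb, and a Perl die message in place of the .scx profile). The sample input is constructed, and the section name "client_ipsec-example-cert" is hypothetical.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
PEM_MARK_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Error strings quoted in the thread, plus Perl's "at FILE line N." die suffix.
OPENSSL_ERRORS = ("unable to load certificate", ":PEM routines:")
PERL_DIE_RE = re.compile(r" at \S+ line \d+\.$")

# Constructed sample shaped like the broken export quoted in the thread.
# "client_ipsec-example-cert" is a hypothetical name; PEM bodies are placeholders.
SAMPLE_TGB = """\
[client_ipsec-example-cert]
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
[client_ipsec-Public-RootCA-Key]
unable to load certificate
4154918656:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
[client_ipsec-secret-client-key]
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER
-----END RSA PRIVATE KEY-----
"""
SAMPLE_SCX = "cannot open file /tmp/root_cert.txt at /scripts/vpn/ipsec/generateJSONVPNClientConf.pl line 331.\n"

def audit_tgb(text):
    """Return {section: [problems]} for error text or unbalanced PEM markers."""
    report, section, open_label = {}, None, None
    # The trailing sentinel header lets the last section be checked for an open block.
    for line in [l.strip() for l in text.splitlines()] + ["[end-of-file]"]:
        header, mark = SECTION_RE.match(line), PEM_MARK_RE.match(line)
        problem = None
        if header:
            problem = "PEM block not closed" if open_label else None
        elif mark and mark.group(1) == "END" and mark.group(2) != open_label:
            problem = "END without matching BEGIN"
        elif not mark and (any(e in line for e in OPENSSL_ERRORS) or PERL_DIE_RE.search(line)):
            problem = "error text instead of PEM: " + line[:40]
        if problem and section:
            report.setdefault(section, []).append(problem)
        if header:
            section, open_label = header.group(1), None
        elif mark:
            open_label = mark.group(2) if mark.group(1) == "BEGIN" else None
    return report

def scx_is_error_output(text):
    """True when the .scx holds a Perl die message rather than a profile."""
    return bool(PERL_DIE_RE.search(text.strip()))
```

A non-empty result from audit_tgb, or True from scx_is_error_output, means the export should be regenerated rather than imported into the client.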