
Certificate-based site-to-site tunnel issue: cannot choose Local ID type or define Local ID once I choose a local certificate

Howdy,

Issue with configuring a cert-based site-to-site VPN on Sophos XG 87

I am trying to build a certificate based IPsec tunnel on my new Sophos XG 87 FW v19. 

1) I created the CSR by going to Certificates > Add > Generate certificate signing request

- go through the process and get the CSR downloaded

2) I submit the CSR to DigiCert and I get a certificate

3) I import the certificate via the import on the CSR in certificates (just find the CSR I generated and hit the import icon)

4) The certificate imports correctly and is trusted 

5) I go to Site-to-site VPN, then hit Add under IPsec connections

6) under General settings, I give the IPsec connection a name, a description, connection type Site-to-site, and gateway Respond only

7) under Encryption, I choose profile IKEv2 and authentication type Digital certificate; for local certificate I choose the uploaded cert, and for remote certificate I choose External and the remote CA cert

8) under Gateway settings I choose the listening interface. Now here is the problem:

              for Local ID it is hard-set to DER ASN1 DN (X.509) and it won't allow me to choose the local ID

Is there something I am missing? I don't get why the firewall wants to auto-populate the Local ID type.

  • I wanted to add that it seems like the Sophos firewall is not reading the distinguished name correctly from the cert. The cert is validated as it finds the intermediate certificate I loaded onto the firewall. 

  • This has been interesting to figure out. It all has to do with where the FQDN should be entered when creating a CSR (Certificate Signing Request). In the certificate CSR creation screen you go through the process of giving the CSR a name and choosing the key type, key length and secure hash. That is straightforward.

    You move on to the Subject name attributes and enter the necessary information. If you are actually creating a CSR for purchasing, I would suggest just choosing your country and leaving the rest NA. Also delete the email address so it is blank, and make sure you add the common name (CN, i.e. the FQDN).

    The trick for me was in the last portion of creating the CSR, at the Subject Alternative Names (SANs) section. There are two areas to input information: DNS names and IP addresses. I was putting the FQDN in the DNS names. This was the problem. Right below the SANs area there are the advanced settings. Click on this to reveal what certificate ID you will be using. Here is where the FQDN needs to go for this section in SANs. Choose DNS and add your FQDN. Save. After that, in the site-to-site VPN creation screen, the certificate ID was automatically populated once I chose the local certificate created from the CSR above.

    All in all, a pretty slick GUI that works well once you know what you are doing, but I guess that goes for everything in life.

    Work out your traffic selectors and you should have a working cert-based IPsec tunnel.

    Raul
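A way to check the CSR itself before sending it to the CA, as an added example that is not part of the thread or of Sophos' tooling: it builds two CSRs with OpenSSL, one with the FQDN carried as a SAN DNS entry (the certificate ID the reply above says the firewall reads) and one with the FQDN only in the CN, and then reads the SAN back out of each. The hostname, work directory and function names are constructed placeholders; the only assumption is a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos: build a CSR whose
# FQDN is carried as a subjectAltName DNS entry, then verify the CSR before
# submitting it to the CA. All names below are constructed placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/csr-san-check.$$"
mkdir -p "$WORK"

# make_csr NAME FQDN [san]
#   Writes $WORK/NAME.key and $WORK/NAME.csr. With a third argument of "san"
#   the FQDN is also placed in subjectAltName as a DNS entry; without it the
#   FQDN is only in the CN, which is the shape the reply above found does
#   not populate the firewall's certificate ID.
make_csr() {
  name="$1"; fqdn="$2"; mode="${3:-cn-only}"
  ext_line=""
  if [ "$mode" = "san" ]; then
    ext_line="req_extensions = ext"
  fi
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
$ext_line
[dn]
C = US
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -config "$WORK/$name.cnf" >/dev/null 2>&1
}

# csr_subject CSR -> prints the Subject DN (what the firewall falls back to
#   as "DER ASN1 DN (X.509)" when no usable SAN is present)
csr_subject() {
  openssl req -noout -subject -in "$1"
}

# csr_san_dns CSR -> prints the DNS entries of the subjectAltName extension,
#   one per line; prints nothing when the extension is absent
csr_san_dns() {
  openssl req -noout -text -in "$1" 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# csr_has_san_dns CSR FQDN -> exit 0 only if DNS:FQDN is present in the SAN
csr_has_san_dns() {
  csr_san_dns "$1" | grep -qxF "$2"
}

# Demo: one CSR done the way the reply describes, one done the wrong way.
make_csr good vpn.example.com san
make_csr bad  vpn.example.com

for n in good bad; do
  csr_subject "$WORK/$n.csr"
  if csr_has_san_dns "$WORK/$n.csr" vpn.example.com; then
    echo "$n.csr: SAN carries DNS:vpn.example.com, safe to submit"
  else
    echo "$n.csr: FQDN missing from SAN, firewall will only offer the DN"
  fi
done
```

Run it once on the CSR you downloaded from the firewall (`csr_has_san_dns yourfile.csr your.fqdn`) before paying for the certificate; a CSR that fails the check will come back from the CA without the SAN and the Local ID field will behave exactly as the original post describes.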