OpenVPN can't connect to Sophos XG

Hello,

From one day to the next I can't connect to the XG (latest firmware). OpenVPN says (I will post only the RED sections here):

Fri Sep  2 15:43:48 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Fri Sep  2 15:43:48 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

And later:

Fri Sep  2 15:44:00 2022 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=6]
Fri Sep  2 15:44:00 2022 Route addition via service failed.

It's green though, but I can't connect with RDP.



Edited TAGs
[edited by: emmosophos at 5:12 PM (GMT -7) on 5 Sep 2022]
  • Hey,

    Thank you for reaching out to the community, please let us know the following:
    1.) Which SFOS firmware are you currently using?
    2.) Are you using SSL VPN or IPsec remote access [Sophos Connect client]?
    3.) What operating system are you using?
    4.) Since when are you facing the challenge?
    5.) Please share your config screenshots...

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello

    1. SFOS 19.0.1 MR-1-Build365

    2. SSL VPN

    3. Win 11

    4. Since today. I had the problem that I needed to reconnect the SSL VPN from time to time to be able to use RDP. So after 2-3 times it worked.

    5. Which screenshots?

  • The email I get says:

    Alert for SFVH (SFOS 19.0.1 MR-1-Build365) C01001J3H6TWP7C

    Device Information:

    Management Interface IP: Not configured/Not available
    Date/Time: 2022-09-02 15:49:22
    Alert ID: 17824

  • The configuration of the Sophos IPsec remote access/SSL VPN, whichever you are using...
    And the log file from the client you are connecting with....

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • It's mostly the settings from Sophos:

    Client Setting

    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxx, emailAddress=xxx"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    ...........................
    </ca>
    <cert>
    ..........................
    </cert>
    <key>
    </key>
    auth-user-pass a.txt
    cipher AES-256-CBC
    auth SHA512
    comp-lzo yes
    ;can_save no
    ;otp no
    ;run_logon_script no
    ;auto_connect
    route-delay 4
    verb 3
    reneg-sec 0
    remote xx.xx.xx.xx 4600

    Client Log:

    Fri Sep  2 15:49:44 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    Fri Sep  2 15:49:44 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
    Fri Sep  2 15:49:44 2022 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
    Fri Sep  2 15:49:44 2022 Windows version 10.0 (Windows 10 or greater) 64bit
    Fri Sep  2 15:49:44 2022 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
    Fri Sep  2 15:49:44 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 Need hold release from management interface, waiting...
    Fri Sep  2 15:49:44 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'state on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'log all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'echo all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'bytecount 5'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold off'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold release'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,RESOLVE,,,,,,
    Fri Sep  2 15:49:44 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:44 2022 UDP link local: (not bound)
    Fri Sep  2 15:49:44 2022 UDP link remote: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,WAIT,,,,,,
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,AUTH,,,,,,
    Fri Sep  2 15:49:44 2022 TLS: Initial packet from [AF_INET]xxxx:4600, sid=beb89edd e6bee5aa
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=1, C=DE, ST=NA, L=NA, O=kein, OU=OU, CN=Sophos_CA_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
    Fri Sep  2 15:49:44 2022 [Appliance_Certificate_xxxx] Peer Connection Initiated with [AF_INET]xxxx:4600
    Fri Sep  2 15:49:46 2022 MANAGEMENT: >STATE:1662126586,GET_CONFIG,,,,,,
    Fri Sep  2 15:49:46 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.3 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 1200 10240,ifconfig 10.81.234.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Fri Sep  2 15:49:51 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route-related options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: peer-id set
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: data channel crypto options modified
    Fri Sep  2 15:49:51 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
    Fri Sep  2 15:49:51 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 interactive service msg_channel=652
    Fri Sep  2 15:49:51 2022 open_tun
    Fri Sep  2 15:49:51 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
    Fri Sep  2 15:49:51 2022 TAP-Windows Driver Version 9.24
    Fri Sep  2 15:49:51 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.2/255.255.255.0 [SUCCEEDED]
    Fri Sep  2 15:49:51 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.2/255.255.255.0 on interface {xxxx} [DHCP-serv: 10.81.234.0, lease-time: 31536000]
    Fri Sep  2 15:49:51 2022 Successful ARP Flush on interface [7] {xxxx}
    Fri Sep  2 15:49:51 2022 MANAGEMENT: >STATE:1662126591,ASSIGN_IP,,10.81.234.2,,,,
    Fri Sep  2 15:49:51 2022 IPv4 MTU set to 1500 on interface 7 using service
    Fri Sep  2 15:49:55 2022 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,ADD_ROUTES,,,,,,
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
    Fri Sep  2 15:49:55 2022 Route addition via service failed
    Fri Sep  2 15:49:55 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri Sep  2 15:49:55 2022 Initialization Sequence Completed
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,CONNECTED,SUCCESS,10.81.234.2,xxxx,4600,,

  • Another question: I tried the new Sophos Connect client, but I can't find a way to edit the settings. There should be an admin version, but I can't find a URL to download it.

  • Hey,

    You can download the bundle from Remote Access VPN > IPsec > download client as highlighted below:

    Upon extracting:

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • If you already have routes on your machine, then the error 'Object already exists' will occur. I would appreciate it if you could check by entering 'route print' in CMD and see if the route already exists. It is possible to have two different networks with the same IP subnet if there is a route already there. Once you've taken care of that, you shouldn't see the error when connecting the VPN.

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • What do I need to do? I am not that good with CMD.

  • As for the client:

    I got it, it was in the package on the server (Sophos XG) site/page, but it's not on the client site (page).
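The client log posted earlier and the 'route print' check suggested in the later reply, as an added example that is not part of the original thread and not code from Sophos or the OpenVPN project. Two things are visible in the posted log: the host route to the VPN server via 192.168.22.1 is added twice in the same session (the first 'route.exe ADD' succeeds, the second fails with status 5010, "object already exists"), and the line 'route remote_host 255.255.255.255 net_gateway' appears both in the local client config and in the PUSH_REPLY from the firewall. The script below pairs each failed ADD with the route it tried to add, flags routes attempted more than once, compares the failed routes with the IPv4 table of a 'route print' capture, and extracts the '--data-ciphers' line that the DEPRECATED OPTION warning itself asks for. The log lines and the 'route print' table are constructed to mirror the thread; the server address 203.0.113.10 is a documentation placeholder standing in for the masked 'xxxx'.

```python
"""Triage helpers for an OpenVPN-on-Windows client log (added example, not project code).

Input format is the one shown in the thread: a "... route.exe ADD <dest> MASK <mask> <gw>"
line followed by either "Route addition via service succeeded" or
"ROUTE: route addition failed ... [status=NNNN ...]". All sample data is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
ROUTE_FAIL_RE = re.compile(r"ROUTE: route addition failed.*\[status=(\d+)")
DEPRECATED_CIPHER_RE = re.compile(
    r"DEPRECATED OPTION: --cipher set to '([^']+)' but missing in --data-ciphers \(([^)]+)\)"
)


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str


def parse_failed_routes(log_lines):
    """Return [(Route, status)] for every ADD whose next status line reports a failure."""
    failed, pending = [], None
    for line in log_lines:
        m = ROUTE_ADD_RE.search(line)
        if m:
            pending = Route(*m.groups())  # remember the ADD until its status line arrives
            continue
        f = ROUTE_FAIL_RE.search(line)
        if f and pending is not None:
            failed.append((pending, int(f.group(1))))
            pending = None
        elif "Route addition via service succeeded" in line:
            pending = None
    return failed


def duplicate_adds(log_lines):
    """Routes the client tried to add more than once in one session, e.g. when a local
    'route' line and a pushed route name the same destination."""
    counts = Counter()
    for line in log_lines:
        m = ROUTE_ADD_RE.search(line)
        if m:
            counts[Route(*m.groups())] += 1
    return [r for r, n in counts.items() if n > 1]


def data_ciphers_fix(log_lines):
    """The --data-ciphers line the DEPRECATED OPTION warning asks for, or None if absent."""
    for line in log_lines:
        m = DEPRECATED_CIPHER_RE.search(line)
        if m:
            cipher, negotiated = m.groups()
            return f"data-ciphers {negotiated}:{cipher}"
    return None


def parse_route_print(text):
    """Parse the 'Active Routes' IPv4 table of Windows 'route print' output."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("Network Destination"):
            in_table = True
            continue
        if in_table:
            parts = line.split()  # dest, mask, gateway, interface, metric
            if len(parts) == 5 and parts[0][:1].isdigit():
                routes.append(Route(parts[0], parts[1], parts[2]))
            elif line.startswith("="):  # separator closes the IPv4 table
                in_table = False
    return routes


def conflicts(failed, existing):
    """Map each failed route to the table entries with the same destination and mask."""
    return {route: [r for r in existing if (r.dest, r.mask) == (route.dest, route.mask)]
            for route, _status in failed}


# Constructed sample input, shaped like the thread's log and a 'route print' capture.
SAMPLE_LOG = """\
Fri Sep  2 15:49:44 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations.
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 Route addition via service succeeded
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
Fri Sep  2 15:49:55 2022 Route addition via service succeeded
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
Fri Sep  2 15:49:55 2022 Route addition via service failed
""".splitlines()

SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.22.1   192.168.22.50     25
     203.0.113.10  255.255.255.255     192.168.22.1   192.168.22.50     26
     192.168.22.0    255.255.255.0         On-link    192.168.22.50    281
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    failed = parse_failed_routes(SAMPLE_LOG)
    table = conflicts(failed, parse_route_print(SAMPLE_ROUTE_PRINT))
    for route, status in failed:
        print(f"failed (status {status}): {route.dest}/{route.mask} via {route.gateway}")
        for r in table[route]:
            print(f"  already in routing table via {r.gateway}")
    print("added more than once this session:", duplicate_adds(SAMPLE_LOG))
    print("config line the warning asks for:", data_ciphers_fix(SAMPLE_LOG))
```

On a real machine, replace SAMPLE_LOG with the lines of the OpenVPN GUI log and SAMPLE_ROUTE_PRINT with the output of 'route print' taken while the problem is present; a failed route that appears in the table with the same gateway points at a duplicate add, while one with a different gateway points at a stale or conflicting route on the host.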