
Open VPN cant connect to Sophos XG

Hello,

From one day to another I can't connect to XG (latest firmware). OpenVPN says (I will post only the RED sections here):

Fri Sep  2 15:43:48 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Fri Sep  2 15:43:48 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

And later:

Fri Sep  2 15:44:00 2022 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=6]
Fri Sep  2 15:44:00 2022 Route addition via service failed.

It's green though, but I can't connect with RDP.



  • It's mostly the setting from Sophos:

    Client Setting

    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxx, emailAddress=xxx"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    ...........................
    </ca>
    <cert>
    ..........................
    </cert>
    <key>
    </key>
    auth-user-pass a.txt
    cipher AES-256-CBC
    auth SHA512
    comp-lzo yes
    ;can_save no
    ;otp no
    ;run_logon_script no
    ;auto_connect
    route-delay 4
    verb 3
    reneg-sec 0
    remote xx.xx.xx.xx 4600

    Client Log:

    Fri Sep  2 15:49:44 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    Fri Sep  2 15:49:44 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
    Fri Sep  2 15:49:44 2022 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
    Fri Sep  2 15:49:44 2022 Windows version 10.0 (Windows 10 or greater) 64bit
    Fri Sep  2 15:49:44 2022 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
    Fri Sep  2 15:49:44 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 Need hold release from management interface, waiting...
    Fri Sep  2 15:49:44 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'state on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'log all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'echo all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'bytecount 5'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold off'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold release'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,RESOLVE,,,,,,
    Fri Sep  2 15:49:44 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:44 2022 UDP link local: (not bound)
    Fri Sep  2 15:49:44 2022 UDP link remote: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,WAIT,,,,,,
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,AUTH,,,,,,
    Fri Sep  2 15:49:44 2022 TLS: Initial packet from [AF_INET]xxxx:4600, sid=beb89edd e6bee5aa
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=1, C=DE, ST=NA, L=NA, O=kein, OU=OU, CN=Sophos_CA_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
    Fri Sep  2 15:49:44 2022 [Appliance_Certificate_xxxx] Peer Connection Initiated with [AF_INET]xxxx:4600
    Fri Sep  2 15:49:46 2022 MANAGEMENT: >STATE:1662126586,GET_CONFIG,,,,,,
    Fri Sep  2 15:49:46 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.3 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 1200 10240,ifconfig 10.81.234.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Fri Sep  2 15:49:51 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route-related options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: peer-id set
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: data channel crypto options modified
    Fri Sep  2 15:49:51 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
    Fri Sep  2 15:49:51 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 interactive service msg_channel=652
    Fri Sep  2 15:49:51 2022 open_tun
    Fri Sep  2 15:49:51 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
    Fri Sep  2 15:49:51 2022 TAP-Windows Driver Version 9.24
    Fri Sep  2 15:49:51 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.2/255.255.255.0 [SUCCEEDED]
    Fri Sep  2 15:49:51 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.2/255.255.255.0 on interface {xxxx} [DHCP-serv: 10.81.234.0, lease-time: 31536000]
    Fri Sep  2 15:49:51 2022 Successful ARP Flush on interface [7] {xxxx}
    Fri Sep  2 15:49:51 2022 MANAGEMENT: >STATE:1662126591,ASSIGN_IP,,10.81.234.2,,,,
    Fri Sep  2 15:49:51 2022 IPv4 MTU set to 1500 on interface 7 using service
    Fri Sep  2 15:49:55 2022 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,ADD_ROUTES,,,,,,
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
    Fri Sep  2 15:49:55 2022 Route addition via service failed
    Fri Sep  2 15:49:55 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri Sep  2 15:49:55 2022 Initialization Sequence Completed
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,CONNECTED,SUCCESS,10.81.234.2,xxxx,4600,,

  • Another question: I tried the new Sophos Connect client, but I can't find a way to edit the settings. There should be an admin version but I can't find a URL to download it.

  • Hey,

    You can download the bundle from Remote Access VPN > IPsec > download client as highlighted below:

    Upon extracting:

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • If you already have routes on your machine, then the error "Object already exists" will occur. I would appreciate it if you could check by entering route print in CMD and see if the route already exists. It is possible to have two different networks with the same IP subnet if there is a route already there. Once you've taken care of that, you shouldn't see the error when connecting the VPN.

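    The check suggested in the reply above, as an added example (not code from the thread, from Sophos or from OpenVPN): a small Python script that pairs every `route.exe ADD` line in an OpenVPN client log with the result line that follows it, and explains each failed ADD either as a destination that was already listed by `route print` before connecting, or as the same route being added twice in one session. That second pattern is visible in the posted log, where the remote host is added once from the profile's `route remote_host 255.255.255.255 net_gateway` line and again from the same directive in the PUSH_REPLY, and it is the second attempt that fails with status 5010. The sample log and route table embedded below are constructed; 203.0.113.10 stands in for the redacted remote host. On a real machine you would pass the contents of the OpenVPN log file and the output of `route print` to `diagnose`.

```python
"""Explain OpenVPN 'route addition failed using service ... [status=5010]' on Windows.

Added example, not code from the Sophos thread or from OpenVPN/Sophos. The
sample log and 'route print' excerpt are constructed; 203.0.113.10 stands in
for the redacted remote host.
"""
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class RouteAdd(NamedTuple):
    dest: str
    mask: str
    gateway: str
    succeeded: Optional[bool]  # None when no result line followed the ADD
    error: str = ""            # message and status code of a failed ADD


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.IGNORECASE)
OK_RE = re.compile(r"Route addition via service succeeded")
FAIL_RE = re.compile(r"route addition failed using service: (.*?)\s+\[status=(\d+)")
# One 'Active Routes' row of 'route print': destination, netmask, gateway, interface, metric
TABLE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")

# Constructed sample in the same shape as the client log posted in the thread.
SAMPLE_LOG = """\
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 Route addition via service succeeded
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
Fri Sep  2 15:49:55 2022 Route addition via service failed
Fri Sep  2 15:49:55 2022 C:\\WINDOWS\\system32\\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
Fri Sep  2 15:49:55 2022 Route addition via service failed
"""

# Constructed 'route print' excerpt taken before connecting: 192.168.1.3 is already routed.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.22.1   192.168.22.50     25
     192.168.22.0    255.255.255.0         On-link    192.168.22.50    281
      192.168.1.3  255.255.255.255     192.168.22.1   192.168.22.50     26
===========================================================================
"""


def parse_route_adds(log_text: str) -> List[RouteAdd]:
    """Pair every 'route.exe ADD' line with the success/failure line after it."""
    adds: List[RouteAdd] = []
    pending: Optional[RouteAdd] = None
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            if pending is not None:
                adds.append(pending)  # previous ADD had no verdict line
            pending = RouteAdd(m.group(1), m.group(2), m.group(3), None)
            continue
        if pending is None:
            continue
        if OK_RE.search(line):
            adds.append(pending._replace(succeeded=True))
            pending = None
        else:
            f = FAIL_RE.search(line)
            if f:
                adds.append(pending._replace(succeeded=False, error=f"{f.group(1)} (status={f.group(2)})"))
                pending = None
    if pending is not None:
        adds.append(pending)
    return adds


def parse_route_print(text: str) -> Set[Tuple[str, str]]:
    """Return the (destination, netmask) pairs listed under 'Active Routes'."""
    return {(m.group(1), m.group(2)) for m in map(TABLE_RE.match, text.splitlines()) if m}


def diagnose(log_text: str, route_print_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (dest, mask, reason, detail) for each failed ADD in the log."""
    existing = parse_route_print(route_print_text)
    added_ok: Set[Tuple[str, str]] = set()
    findings: List[Tuple[str, str, str, str]] = []
    for add in parse_route_adds(log_text):
        key = (add.dest, add.mask)
        if add.succeeded:
            added_ok.add(key)
        elif add.succeeded is False:
            if key in added_ok:
                findings.append((*key, "duplicate_add",
                                 "same route already added this session; look for the same "
                                 "'route' directive in both the profile and the PUSH_REPLY"))
            elif key in existing:
                findings.append((*key, "preexisting",
                                 "destination was already in 'route print' before connecting"))
            else:
                findings.append((*key, "unexplained", add.error))
    return findings


if __name__ == "__main__":
    for dest, mask, reason, detail in diagnose(SAMPLE_LOG, SAMPLE_ROUTE_PRINT):
        print(f"{dest} mask {mask}: {reason} - {detail}")
```

    The script only reads text, so it can be run on a saved log and a saved `route print` capture; it never changes the routing table. A `duplicate_add` finding points at the configuration (a route directive present twice), whereas a `preexisting` finding points at the client machine's own routing table, which is what the reply above asks to be checked.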

  • What do I need to do? I am not that good in CMD.

  • As for the client:

    I got it; it was in the package on the server Sophos XG site/page, but it's not on the client site (page).

  • I have attached a screenshot of how it looks when you extract the bundle package...
    ===========
    Regarding the command prompt on the Windows client:


  • Please share the status of the global settings of the SSL VPN as below:

    Also, share which OpenVPN software you are using and the cryptographic settings applied on the same.

    You cannot edit the Sophos Connect client settings that are displayed; you have to do it from the SSL VPN policy. Please go to CONFIGURE -->Remote access VPN-->SSL VPN, expand SSL VPN Policy and share the status.

    Please try again and share the status once the user connects to the SSL VPN with the Sophos Connect client, as per the link below:

    https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/HowToArticles/RAVPNSSLWithSConClient/index.html

    You can share what you are getting on the client's end.

    Regards

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".


  • I could log in now using another user I had.

    First thing is, I can't save this setting.

  • I can't find "CONFIGURE -->Remote access VPN-->SSL VPN Expand SSL VPN Policy".