
OpenVPN can't connect to Sophos XG

Hello,

From one day to the next I can't connect to XG (latest firmware). OpenVPN says (I will post only the RED sections here):

Fri Sep  2 15:43:48 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Fri Sep  2 15:43:48 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

And later:

Fri Sep  2 15:44:00 2022 ROUTE: route addition failed using service: Das Objekt ist bereits vorhanden.   [status=5010 if_index=6]
Fri Sep  2 15:44:00 2022 Route addition via service failed.

It's green though, but I can't connect with RDP.



  • Hey,

    Thank you for reaching out to the community, please let us know the following:
    1.) Firmware of the SFOS currently using?
    2.) Are you using SSL VPN or IPsec remote access [sophos connect client]
    3.) What operating system are you using?
    4.) Since when are you facing the challenge?
    5.) Please share your config screenshots...

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello

    1. SFOS 19.0.1 MR-1-Build365

    2. SSL VPN

    3. Win 11

    4. Since today. I had the problem that from time to time I need to reconnect the SSL VPN to be able to use RDP. So after 2-3 times it worked.

    5. Which screenshots?

  • In the email I get, it says:

    Alert for SFVH (SFOS 19.0.1 MR-1-Build365) C01001J3H6TWP7C

    Device Information:

    Management Interface IP: Not configured/Not available
    Date/Time: 2022-09-02 15:49:22
    Alert ID: 17824

  • Configurations of the Sophos IPsec remote access/SSL VPN which ever you are using...
    And the log file from the client you are connecting....

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


  • It's mostly the settings from Sophos:

    Client Setting

    client
    dev tun
    proto udp
    explicit-exit-notify
    verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxx, emailAddress=xxx"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    <ca>
    ...........................
    </ca>
    <cert>
    ..........................
    </cert>
    <key>
    </key>
    auth-user-pass a.txt
    cipher AES-256-CBC
    auth SHA512
    comp-lzo yes
    ;can_save no
    ;otp no
    ;run_logon_script no
    ;auto_connect
    route-delay 4
    verb 3
    reneg-sec 0
    remote xx.xx.xx.xx 4600

    Client Log:

    Fri Sep  2 15:49:44 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
    Fri Sep  2 15:49:44 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
    Fri Sep  2 15:49:44 2022 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
    Fri Sep  2 15:49:44 2022 Windows version 10.0 (Windows 10 or greater) 64bit
    Fri Sep  2 15:49:44 2022 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
    Fri Sep  2 15:49:44 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 Need hold release from management interface, waiting...
    Fri Sep  2 15:49:44 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'state on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'log all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'echo all on'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'bytecount 5'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold off'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: CMD 'hold release'
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,RESOLVE,,,,,,
    Fri Sep  2 15:49:44 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:44 2022 UDP link local: (not bound)
    Fri Sep  2 15:49:44 2022 UDP link remote: [AF_INET]xxxx:4600
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,WAIT,,,,,,
    Fri Sep  2 15:49:44 2022 MANAGEMENT: >STATE:1662126584,AUTH,,,,,,
    Fri Sep  2 15:49:44 2022 TLS: Initial packet from [AF_INET]xxxx:4600, sid=beb89edd e6bee5aa
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=1, C=DE, ST=NA, L=NA, O=kein, OU=OU, CN=Sophos_CA_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_xxxx, emailAddress=xxx
    Fri Sep  2 15:49:44 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
    Fri Sep  2 15:49:44 2022 [Appliance_Certificate_xxxx] Peer Connection Initiated with [AF_INET]xxxx:4600
    Fri Sep  2 15:49:46 2022 MANAGEMENT: >STATE:1662126586,GET_CONFIG,,,,,,
    Fri Sep  2 15:49:46 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 SENT CONTROL [Appliance_Certificate_xxx]: 'PUSH_REQUEST' (status=1)
    Fri Sep  2 15:49:51 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 192.168.1.3 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,inactive 1200 10240,ifconfig 10.81.234.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
    Fri Sep  2 15:49:51 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: --ifconfig/up options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: route-related options modified
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: peer-id set
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: adjusting link_mtu to 1625
    Fri Sep  2 15:49:51 2022 OPTIONS IMPORT: data channel crypto options modified
    Fri Sep  2 15:49:51 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
    Fri Sep  2 15:49:51 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Fri Sep  2 15:49:51 2022 interactive service msg_channel=652
    Fri Sep  2 15:49:51 2022 open_tun
    Fri Sep  2 15:49:51 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
    Fri Sep  2 15:49:51 2022 TAP-Windows Driver Version 9.24
    Fri Sep  2 15:49:51 2022 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.2/255.255.255.0 [SUCCEEDED]
    Fri Sep  2 15:49:51 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.2/255.255.255.0 on interface {xxxx} [DHCP-serv: 10.81.234.0, lease-time: 31536000]
    Fri Sep  2 15:49:51 2022 Successful ARP Flush on interface [7] {xxxx}
    Fri Sep  2 15:49:51 2022 MANAGEMENT: >STATE:1662126591,ASSIGN_IP,,10.81.234.2,,,,
    Fri Sep  2 15:49:51 2022 IPv4 MTU set to 1500 on interface 7 using service
    Fri Sep  2 15:49:55 2022 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,ADD_ROUTES,,,,,,
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
    Fri Sep  2 15:49:55 2022 Route addition via service succeeded
    Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD xxxx MASK 255.255.255.255 192.168.22.1
    Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
    Fri Sep  2 15:49:55 2022 Route addition via service failed
    Fri Sep  2 15:49:55 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Fri Sep  2 15:49:55 2022 Initialization Sequence Completed
    Fri Sep  2 15:49:55 2022 MANAGEMENT: >STATE:1662126595,CONNECTED,SUCCESS,10.81.234.2,xxxx,4600,,
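The config and log above carry two separate things worth pulling apart when triaging a client like this: the failed route is the same `route remote_host 255.255.255.255 net_gateway` entry appearing both in the local profile and in the server's PUSH_REPLY, so `route.exe` is run twice for the same host and the second attempt fails with Windows status 5010 ("The object already exists"), while the real hardening items are the warnings OpenVPN prints about `comp-lzo`, the missing `auth-nocache`, and `cipher` not being listed in `data-ciphers`. The following is an added example, not code from the thread, from Sophos or from the OpenVPN project; it parses a constructed, abbreviated copy of the posted config and log (the address 203.0.113.10 is a documentation placeholder standing in for the redacted `xx.xx.xx.xx`) and reports which log warning maps to which config line.

```python
import re

# Constructed sample config, abbreviated from the Sophos-generated client profile in
# the post. 203.0.113.10 is a documentation placeholder for the redacted server IP.
CLIENT_CONFIG = r"""
client
dev tun
proto udp
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
<ca>
...
</ca>
auth-user-pass a.txt
cipher AES-256-CBC
auth SHA512
comp-lzo yes
;can_save no
route-delay 4
remote 203.0.113.10 4600
"""

# Constructed log excerpt with the same shape as the client log in the post.
CLIENT_LOG = r"""
Fri Sep  2 15:49:44 2022 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Fri Sep  2 15:49:44 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations.
Fri Sep  2 15:49:51 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.81.234.1,ping 45,route 192.168.1.3 255.255.255.255,topology subnet,route remote_host 255.255.255.255 net_gateway,ifconfig 10.81.234.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 Route addition via service succeeded
Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 192.168.1.3 MASK 255.255.255.255 10.81.234.1
Fri Sep  2 15:49:55 2022 Route addition via service succeeded
Fri Sep  2 15:49:55 2022 C:\WINDOWS\system32\route.exe ADD 203.0.113.10 MASK 255.255.255.255 192.168.22.1
Fri Sep  2 15:49:55 2022 ROUTE: route addition failed using service: The object already exists.   [status=5010 if_index=6]
Fri Sep  2 15:49:55 2022 Route addition via service failed
Fri Sep  2 15:49:55 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep  2 15:49:55 2022 Initialization Sequence Completed
"""


def parse_config(text):
    """Map each option name to the list of argument lists it was given.
    Comment lines (# or ;) and the inline <ca>/<cert>/<key> blocks are skipped."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def parse_push_reply(log):
    """Extract the server-pushed options from the PUSH_REPLY line, same shape as parse_config."""
    m = re.search(r"PUSH_REPLY,(.*?)'", log)
    opts = {}
    if m:
        for item in m.group(1).split(","):
            parts = item.split()
            if parts:
                opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def duplicate_routes(local, pushed):
    """Routes present both locally and in the push: the client will try to add them twice."""
    return [r for r in local.get("route", []) if r in pushed.get("route", [])]


def failed_routes(log):
    """Pair every route.exe ADD with its outcome; return (command, status) for the failures."""
    out, pending = [], None
    for line in log.splitlines():
        m = re.search(r"route\.exe (ADD .*)$", line)
        if m:
            pending = m.group(1)
            continue
        m = re.search(r"route addition failed using service: .*\[status=(\d+)", line)
        if m and pending:
            out.append((pending, int(m.group(1))))
            pending = None
        elif "Route addition via service succeeded" in line:
            pending = None
    return out


def findings(local, pushed):
    """Tie each warning OpenVPN printed back to the config line that causes it."""
    f = []
    if "comp-lzo" in local:
        f.append("comp-lzo: compression inside the tunnel; drop it unless the server requires it")
    if "auth-user-pass" in local and "auth-nocache" not in local:
        f.append("auth-user-pass without auth-nocache: credentials stay cached in memory")
    cipher = local.get("cipher", [[None]])[0][0]
    if cipher and "data-ciphers" not in local:
        f.append(f"cipher {cipher} not in data-ciphers: use data-ciphers or data-ciphers-fallback")
    for r in duplicate_routes(local, pushed):
        f.append("route " + " ".join(r) + " is both local and pushed; second add fails with status 5010")
    return f


if __name__ == "__main__":
    local, pushed = parse_config(CLIENT_CONFIG), parse_push_reply(CLIENT_LOG)
    for cmd, status in failed_routes(CLIENT_LOG):
        print(f"route failure {status}: {cmd}")
    for line in findings(local, pushed):
        print("finding:", line)
```

Run against a real profile and log by replacing the two constants with the file contents. The status-5010 failure is reported separately from the hardening findings so it is not mistaken for a connectivity fault: the first add of that host route succeeded, so the tunnel's routing table is what the server intended.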

