Remote Access VPN - IPSEC with Certificate - connection export .scx file invalid - SFOS 19.5

Question

Remote Access VPN IPSEC with Authentication type certificate does still lead to invalid connection .scx file on SFOS 19.5.0 GA-Build197, SFOS 19.5.1 MR-1-Build278 and SFOS 19.5.2 MR-2-Build624 if the "Organization name" in the Certificate does contain Whitespaces . 
 There are some Bug Reports like NC-85383 and NC-95633 whitch are listed as "resoled issues" at the release notes: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.5 
 Looks like the same Problem is reported for older Firmware Versions: IPSEC Remote Access .scx file invalid 
 
 CA Settings 
 No "German" Umlaute / "Special" Characters but Whitespaces in Company Name Organization Name. 
 
 Certificate Settings

Content of xxx.scx: 
 cannot open file /tmp/root_cert.txt at /scripts/vpn/ipsec/generateJSONVPNClientConf.pl line 331. 
 Distinguished name: 
 /C=DE/ST=NRW/L=City/O=The Example GmbH/OU=IT/emailAddress=info@example.com 
 
 Update 
 It does still happen on 19.5-MR2.

Giridhar Katti · Accepted Answer

There is 1 known issue that when the subject fields of the issuer cert exactly matches with the subject fields of the issued cert we see this issue. Ideally default ca's fields should be unique. Could you please check if you have the unique default CA, if we hit this issue ?

Giridhar Katti · Answer

Update from the team on this - 
 The issuer and subject field is same for the client certificate. Only Root CA will have the issuer and subject fields same. Whenever certs are generated using Default.pem as the root CA we should ensure that the subject fields are not same. This is the reason they are seeing this issue and when they remove the space it goes away. For now they can change this. But to handle this kind of issues in future, we should block the user from creating these certs with the same fields that matches issuer&rsquo;s in the UI.

Giridhar Katti · Answer

Hi Philbert, 
 This is the update after some more testing on this issue by our QE. 
 >>> 
 I configured IPSec RA in 19.0 MR1 (Akamaru) build 367, with spaces in Organization Name (also in common name and organizational unit), where the issue is present. Then I upgraded to 19.5 MR1 (Hatutu) build 278, where the fix is present. Before upgrade, I could see the scx file throwing the error and after the upgrade I could see the scx file getting generated successfully and I was able to connect from Windows too. 
 We suspect that there could be some other issue in the certificate in the customer&rsquo;s case. Would it be possible to get access to the customer device to check what else may be missing? 
 >>>

Remote Access VPN - IPSEC with Certificate - connection export .scx file invalid - SFOS 19.5

CA Settings

Certificate Settings

Update

Top Replies