
Sophos SSL VPN issue on 2.3 version - Case 07368183

The case is not resolved. Please open the case.

The Sophos team has migrated Cyberoam to Sophos Firewall, and it has been working properly for the last 3 years with the Cyberoam certificate, whose expiry is 2036.

The issue is that Sophos Connect 2.3 is not working, but versions 2.2 and 2.1 are working properly.

The issue is in Sophos Connect version 2.3, not in the certificates. If the issue were in the certificate, then why is it working in versions 2.2 and 2.1?

That means you have not updated everything in version 2.3, and have not even informed customers in your firmware update documentation.

I have logged the ticket, and you told me to regenerate the certificate, but that is not easy for me. More than 100 users are connected with Sophos Connect SSL VPN.

If I regenerate the certificate, I will have to install the VPN configuration on all the systems again, which is not possible for me as I cannot attend to all the users.

It is Sophos's responsibility to resolve the customer issue in Sophos Connect 2.3 instead of changing the whole certificate. Version 2.3 is not compatible with the certificate.

We are not ready to change the Sophos certificate because its expiry is 2036. Please involve your senior team and solve the issue.

Thanks

Umesh



  • Can you share the content of your currently used OVPN file? Because with 2.3 we also updated OpenVPN to a secure version, and it could potentially make older / insecure options invalid.

  • client
    dev tun
    proto tcp
    verify-x509-name "C=IN, ST=Gujarat, L=Ahmedabad, O=Cyberoam, OU=Cyberoam Appliance, CN=CyberoamApplianceCertificate_C18615277667, emailAddress=info@cyberoam.com"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    </key>
    auth-user-pass
    cipher AES-128-CBC
    auth SHA256
    comp-lzo yes
    ;can_save no
    ;otp no
    ;run_logon_script no
    ;auto_connect
    route-delay 4
    verb 3
    reneg-sec 0
    remote  8443 tcp-client

  • The above content of the OVPN file is working properly in Sophos Connect 2.2 and all the older versions.

  • Hi, thank you for sharing the case details with us. I reviewed the error observed while connecting to SSL VPN with Sophos Connect 2.3, and your reported issue matches an existing open investigation, "NCL-1852", where Dev is investigating a similar situation reported to us.

    A new support case, 07393422, has been raised to work on this and collect the required logs, so we can review them and confirm whether your situation matches the above ID or not. One of our Support engineers will connect with you on the case to work further on this.

    Rest assured I will personally keep an eye on the progress of the new case.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • Hello Umesh,

    We regret to hear about your experience with this concern.

    We are now aware of your new support case - 07393422 and tracking progress on our end. 

    The latest activity of the engineer assigned to the case shows that he tried to reach out to your registered mobile number, but you were unable to answer.

    Could you please provide your availability on the case thread so the call can be arranged accordingly?

    Many thanks for your time and patience and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Please connect now, I am available.

  • Any solution from the dev side?

  • I have shared logs with Haardikh. You can check via the below URL.

    easyupload.io/m/9pihu7

  • Hi, I reviewed the submitted logs, and as suspected in my previous comment, your issue matches ID NCL-1852 as per the logs.

    2024-06-17 13:34:30 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=IN, XXXXXX.... 
    2024-06-17 13:34:30 Sent fatal SSL alert: bad certificate
    2024-06-17 13:34:30 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
    2024-06-17 13:34:30 TLS_ERROR: BIO read tls_read_plaintext error
    2024-06-17 13:34:30 TLS Error: TLS object -> incoming plaintext

    Since OpenVPN has been updated in the Sophos Connect 2.3 client, it fails to connect to SSL VPN behind Sophos XG when the server certificate authority uses a weak signature algorithm like SHA1.

    The Sophos Connect 2.2 client is not affected as it still accepts SHA1.

    You will also receive an update on the support case with the next POA/workaround details.

    I hope the above information and clarification will help you with this.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

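As an added pre-flight check (not Sophos code and not from anyone in this thread): before rolling Sophos Connect 2.3 out to users, read the `<ca>` block embedded in an .ovpn profile and report the signature digest of the CA certificate, flagging the SHA1/MD5 algorithms that the updated OpenVPN/OpenSSL rejects with the `CA signature digest algorithm too weak` error shown in the log above. It assumes the profile carries its CA inline (the `</key>` remnant in the posted profile suggests inline blocks); the sample profile and the certificate skeleton are constructed and only exercise the outer DER structure.

```python
import base64, re
# Signature-algorithm OIDs (RFC 3279 / RFC 4055); True = digest OpenSSL 3 rejects.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsaWithSHA256", False),
}
def _tlv(der, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _decode_oid(b):
    """Encoded OID bytes -> dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """(name, is_weak) for the signatureAlgorithm field of an X.509 DER cert."""
    _, cert, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, _, p = _tlv(cert, 0)                  # skip tbsCertificate
    _, algid, _ = _tlv(cert, p)              # AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = _tlv(algid, 0)               # its first element is the OID
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, (dotted, None))  # None = unknown, inspect manually

def check_ovpn_ca(profile_text):
    """Locate the inline <ca> PEM block of an .ovpn profile and classify it."""
    m = re.search(r"<ca>.*?-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  profile_text, re.S)
    if not m: return None                    # no inline CA: check the ca file instead
    return signature_algorithm(base64.b64decode(re.sub(r"\s+", "", m.group(1))))
# Constructed sample: DER skeleton (empty tbsCertificate) whose signatureAlgorithm
# is sha1WithRSAEncryption, wrapped in a minimal profile like the one in the thread.
def _der(tag, body):                         # short-form lengths only
    return bytes([tag, len(body)]) + body
def _fake_cert(oid_hex):
    algid = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"") + algid + _der(0x03, b"\x00"))
SAMPLE_OVPN = ("client\ndev tun\nproto tcp\n<ca>\n-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(_fake_cert("2a864886f70d010105")).decode()
               + "\n-----END CERTIFICATE-----\n</ca>\nauth SHA256\n")
```

On a real CA file the same answer comes from `openssl x509 -in ca.crt -noout -text | grep 'Signature Algorithm'`; a weak result means the 2.3 client will fail exactly as in the log above until the CA is reissued with SHA-256.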

  • What is the solution for this?

    We can't regenerate the certificates. It is very difficult for us to install the certificate again on all 100 users and also set up SSL VPN with the ovpn file again.

    Why has Sophos not implemented this in Sophos Connect version 2.3? You will have to update the backward support for the certificate in the new application 2.3 as well. Please check with the dev team and resolve this.