Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

I cannot connect to VPN using strongswan or ovpn on linux

My server is Sophos Firewall XG125 (SFOS 17.5.16 MR-16-Build830). Sophos connect works perfectly but the .ovpn file downloaded(via user interface) will not connect. I also used the details from the .tgb to build a config file for strongswan, but didn't work. What can i do to establish a connection

My OVPN file

client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=NG, ST=FCT, L=AB, O=ANA, OU=OU, CN=SophosApplianceCertificate_C1A0CATH7TQ9RD3, emailAddress=adminemail@mail.com"
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
(Insert your CA Certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert your Client Certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert your Private Key here)
-----END PRIVATE KEY-----
</key>
auth-user-pass # Ensure credentials are provided
cipher AES-128-CBC
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
comp-lzo yes
auth-nocache
route-delay 4
verb 5
reneg-sec 86400
remote ServerIP 8443
remote 10.255.255.1 8443
remote 10.255.0.1 8443

my ipsec.conf



Added TAGs
[edited by: Erick Jan at 12:16 AM (GMT -7) on 7 Oct 2024]
Parents
  • my ipsec.conf

    conn rmcnx6
    keyexchange=ikev2
    left=%any
    leftid=<your_local_id>
    leftauth=psk
    right=197.159.66.165
    rightauth=psk
    ike=aes256-sha256-modp2048 # Phase 1 proposal
    esp=aes256-sha256-modp2048 # Phase 2 proposal
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=90s
    auto=start
    rightsubnet=0.0.0.0/0
    leftsourceip=%config

    ipsec.secret
    : PSK "<your_preshared_key>"


    error i get

    parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] received NO_PROPOSAL_CHOSEN notify error establishing connection 'rmcnx6' failed

Reply
  • my ipsec.conf

    conn rmcnx6
    keyexchange=ikev2
    left=%any
    leftid=<your_local_id>
    leftauth=psk
    right=197.159.66.165
    rightauth=psk
    ike=aes256-sha256-modp2048 # Phase 1 proposal
    esp=aes256-sha256-modp2048 # Phase 2 proposal
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=90s
    auto=start
    rightsubnet=0.0.0.0/0
    leftsourceip=%config

    ipsec.secret
    : PSK "<your_preshared_key>"


    error i get

    parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] received NO_PROPOSAL_CHOSEN notify error establishing connection 'rmcnx6' failed

Children
  • Hello,

    Seems like policy mismatch. You may refer to the below KBA to troubleshoot it further:

     Sophos Firewall: Troubleshooting site to site IPsec VPN issues 

    While connecting the VPN, you can login to the advanced shell of the firewall. Add the strongswan service in debug and later connect strongswan.log while attempting to connect VPN.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Do i need to configure SSL VPN (site-to-site) for it to work?

  • Hello,

    No, the KBA is for reference for collecting the logs. The logs for the remote access and IPSec site to site are same.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hi @Omotola Adeb, what is your exact requirement? is it IPsec RA or SSLVPN RA? and what is the client you are using - Linux or Windows? and what is the remote access client you are using? Based on this, will get back with the suggestion.

  • I just want to have a successful access to the vpn via my openhead linux(access via SSH)

    On windows with sophos connect it connects successfully. 
    on Windows Openvpn not successful.
    On linux, i used openVPN with the .ovpn file download from the user side, it was not successful.
    I also used strongswan, not successfully.

  • * On Windows, use OpenVPN Connect (downloadable from Internet), after configuring the SSLVPN RA on SFOS, download the .ovpn file file from VPN portal (by the way you are on very very old SFOS with no support, recommended to upgrade to v20.0GA or latest MRs on v20) and use this file on OpenVPN Connect application.

    * On Linux, whether it is UI based on CLI based, you can follow the same procedure mentioned above.

    * On Linux, download Strongswan and build/install it, 

    One example as below:

    /etc/strongswan.conf

    charon {
        reuse_ikesa = no
        threads = 32

        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                initiators = 1
                iterations = 1
                delay = 250
                mode = tunnel
                version = 1
                initiator = <Linux ip>
                responder = <SFOS wan ip where ipsec ra configured>
                responder_id = <SFOS wan ip>
                # IKE-proposal to use
                proposal = aes128-sha1-modp1024
                esp = aes256-sha2_256-modp1024
                initiator_auth = psk
    responder_auth = psk
                preshared_key = abcdef
                authby = psk
                # disable IKE_SA rekeying (default)
                ike_rekey = 0
                # enable CHILD_SA every 3200s
    initiator_tsr = <local subnet of Linux node>
                child_rekey = 3200
                # do not delete the IKE_SA after it has been established (default)
                delete_after_established = no
                # do not shut down the daemon if all IKE_SAs established
                shutdown_when_complete = no
            }
        }
    }

    Configure the above given IPsec phase1, phase2 proposals, psk on SFOS.

    ipsec start // command on Linux node to initiate the tunnel.

  • Thank you for your response. I configured strongswan as suggested above

    i deleted the /etc/ipsec.conf and got error below

    root@v844776628:~# sudo rm /etc/ipsec.conf
    root@v844776628:~# sudo ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.9.5 IPsec [starter]...
    no files found matching '/etc/ipsec.conf'
    failed to open config file '/etc/ipsec.conf'
    unable to start strongSwan -- fatal errors in config

    i added it back with few lines then ran the command

    config setup
    uniqueids=yes
    charondebug="ike 2, knl 2, cfg 2"


    root@v844776628:~# sudo ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.9.5 IPsec [starter]...

    root@v844776628:~# sudo ipsec start
    Starting strongSwan 5.9.5 IPsec [starter]...
    charon is already running (/var/run/charon.pid exists) -- skipping daemon start
    starter is already running (/var/run/starter.charon.pid exists) -- no fork done

    root@v844776628:~# sudo ipsec statusall
    Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-122-generic, x86_64):
    uptime: 11 seconds, since Oct 08 23:40:42 2024
    malloc: sbrk 1622016, mmap 0, used 512944, free 1109072
    worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
    loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default bypass-lan connmark stroke updown eap-mschapv2 xauth-generic counters
    Listening IP addresses:
    37.1.210.216
    Connections:
    Shunted Connections:
    Bypass LAN ::1/128: ::1/128 === ::1/128 PASS
    Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
    Security Associations (0 up, 0 connecting):
    none


    With this response, no successful connection was made.