
I cannot connect to VPN using strongswan or ovpn on linux

My server is a Sophos Firewall XG125 (SFOS 17.5.16 MR-16-Build830). Sophos Connect works perfectly, but the .ovpn file downloaded (via the user interface) will not connect. I also used the details from the .tgb to build a config file for strongSwan, but it didn't work. What can I do to establish a connection?

My OVPN file

client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=NG, ST=FCT, L=AB, O=ANA, OU=OU, CN=SophosApplianceCertificate_C1A0CATH7TQ9RD3, emailAddress=adminemail@mail.com"
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
(Insert your CA Certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert your Client Certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert your Private Key here)
-----END PRIVATE KEY-----
</key>
auth-user-pass # Ensure credentials are provided
cipher AES-128-CBC
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
comp-lzo yes
auth-nocache
route-delay 4
verb 5
reneg-sec 86400
remote ServerIP 8443
remote 10.255.255.1 8443
remote 10.255.0.1 8443

My ipsec.conf

[edited by: Erick Jan at 12:16 AM (GMT -7) on 7 Oct 2024]
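As an added check (example code written for this thread, not Sophos's or OpenVPN's own tooling): a small Python lint that reads a profile like the one above and reports what would stop the client before it ever reaches the firewall, namely PEM blocks that still contain the download placeholder text, a remote that is still the literal word ServerIP, remotes on private addresses that only work from inside the LAN, and the deprecated comp-lzo directive. The sample profile is constructed inline to mirror the posted one.

```python
import ipaddress
import re
# Constructed sample (not from the firewall): the posted profile with the placeholder text a fresh download ships with.
SAMPLE_OVPN = """<ca>
-----BEGIN CERTIFICATE-----
(Insert your CA Certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert your Client Certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert your Private Key here)
-----END PRIVATE KEY-----
</key>
comp-lzo yes
remote ServerIP 8443
remote 10.255.255.1 8443
"""

# Real PEM is base64 lines inside the BEGIN/END armor; placeholder text has spaces and parentheses.
PEM_BODY = re.compile(r"-----BEGIN [A-Z ]+-----\n[A-Za-z0-9+/=\n]+-----END [A-Z ]+-----")

def is_private_ip(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # hostname or placeholder word, not an IP literal
        return False

def lint_ovpn(text):
    """Return the profile-level problems that stop the client before the TLS handshake even starts."""
    problems = []
    for tag in ("ca", "cert", "key"):
        m = re.search(rf"<{tag}>\n(.*?)</{tag}>", text, re.S)
        if m is None:
            problems.append(f"missing inline <{tag}> block")
        elif not PEM_BODY.search(m.group(1)):
            problems.append(f"<{tag}> block still holds placeholder text, not PEM data")
    for parts in (line.split() for line in text.splitlines() if line.startswith("remote ")):
        host = parts[1]
        if host.lower() == "serverip" or "." not in host:
            problems.append(f"remote host '{host}' is a placeholder, not a reachable address")
        elif is_private_ip(host):
            problems.append(f"remote {host} is a private address, only reachable from inside the LAN")
    if re.search(r"^comp-lzo", text, re.M):
        problems.append("comp-lzo is deprecated; newer OpenVPN clients warn about it")
    return problems
```

Run lint_ovpn() over the real downloaded file before troubleshooting the tunnel itself; a profile that passes with only the private-address note left is one where the remaining failure is on the network or firewall side, not in the file.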
    * On Windows, use OpenVPN Connect (downloadable from the Internet). After configuring the SSL VPN RA on SFOS, download the .ovpn file from the VPN portal (by the way, you are on a very, very old SFOS with no support; it is recommended to upgrade to v20.0 GA or the latest MRs on v20) and use this file in the OpenVPN Connect application.

    * On Linux, whether it is UI based or CLI based, you can follow the same procedure mentioned above.

    * On Linux, download strongSwan and build/install it.

    One example is below:

    /etc/strongswan.conf

    charon {
        reuse_ikesa = no
        threads = 32

        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                initiators = 1
                iterations = 1
                delay = 250
                mode = tunnel
                version = 1
                initiator = <Linux ip>
                responder = <SFOS wan ip where ipsec ra configured>
                responder_id = <SFOS wan ip>
                # IKE proposal to use
                proposal = aes128-sha1-modp1024
                esp = aes256-sha2_256-modp1024
                initiator_auth = psk
                responder_auth = psk
                preshared_key = abcdef
                authby = psk
                # disable IKE_SA rekeying (default)
                ike_rekey = 0
                # traffic selector proposed by the initiator
                initiator_tsr = <local subnet of Linux node>
                # rekey the CHILD_SA every 3200s
                child_rekey = 3200
                # do not delete the IKE_SA after it has been established (default)
                delete_after_established = no
                # do not shut down the daemon once all IKE_SAs are established
                shutdown_when_complete = no
            }
        }
    }

    Configure the IPsec phase 1 and phase 2 proposals and the PSK given above on SFOS.

    ipsec start    # command on the Linux node to initiate the tunnel