IPsec Remote Access from iOS using certificates not asking for password

Hi guys

I can't see the wood for the trees -- so please forgive me this (probably stupid) question:

When using PSK for IPsec without certificates, everything is working properly. It asks for the password (or I save my password), I click Connect and it works.

However, when using Certificates, there is a timeout and it does not ask for password at all when connecting.

I have generated two locally-signed certificates in the Certificates menu as explained in the knowledge base articles: the remote certificate using Advanced Settings > Certificate ID > DER ASN1 DN (X.509) and the local certificate using Advanced Settings > Certificate ID > DNS with the FQDN of the firewall.

Then I clicked Export Configuration and created three new files with the public key, private key and CA certificate and generated the required PFX file for iOS.

openssl pkcs12 -CAfile ca.pem -inkey private.key -in public.pem -export -out ios.pfx

I imported the Certificate on my iPad, created the VPN profile and tried to connect. It says connecting for almost a minute and then disconnects with the error:

Received IKE message with invalid SPI (AA85045D). Deny Session: Couldn't authenticate the remote gateway. Check the authentication settings on both devices.

But it won't prompt for username / password.

Am I doing it wrong?

And why is IKEv2 still not supported? ugh :/



Edited TAGs
[edited by: Erick Jan at 11:07 PM (GMT -7) on 7 Oct 2024]
  • hi,
    authentication without username/password is not implemented in the Sophos firewall.
    ... but often requested ...

    IKE2 - open a feature request ... click on "feedback" in the firewall gui


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi  ,

    There are a few important things we need to take care of when using certificates to connect to XG from iOS devices.

    1. Cannot use appliance cert in the policy.

    2. Server cert should have SAN -> IP address as the public IP (WAN ip address on which the IPSec RA is configured)

    3. Client cert should have X.509 in advanced settings -> certificate ID (select X.509 and leave the next field blank)

    4. Should enable the CA cert as trusted from the iOS device when it shows a popup

    With these changes, we should be able to connect to XG. Please retry with the above changes.

    Also, which SFOS release version are you using? A better way would be to import the iOS VPN profile from the VPN portal. Are you facing any issues with the default profile file downloaded from the VPN portal?

  • That did the trick. Apparently it does NOT work with DNS, but it works with the IP address. I have no explanation for this, but anyway, thanks a lot for your help! :)

  • Dear Dirk

    the feature request already exists and it's on the Sophos Firewall backlog already since version 2019. :/

    For those who are trying to achieve the same but cannot get it working as well, please find below a step-by-step article:

    Go to Certificates > Certificate Authorities and download your CA.

    Copy the Default.pem to your Desktop and rename Default.pem to CA.crt. Verify the certificate by running (optional):

    openssl x509 -in CA.crt -text -noout

    Go to Certificates > Certificates and create a new Server certificate, e. g. IPsec Local. Click Add > Generate locally-signed certificate:

    Scroll down and click Advanced settings. Select IP address and enter the static IP address of your WAN / firewall.

    Click Save! Now create a new Client certificate, e. g. IPsec REMOTE. Click Add > Generate locally-signed certificate:

    Scroll down and click Advanced settings. Select DER ASN1 DN (X.509) from list.

    Click Save! You now have two certificates, a local and a remote certificate!

    Go to Profiles > IPsec profiles and create a new Roadwarrior profile.

    Click Save and go to Remote access VPN. Configure the IPsec VPN as shown in the screenshot:

    Don't forget to add a valid user and most important, make sure your authentication source e. g. LDAP is allowed to authenticate through VPN in Authentication > Services:

    And allow the User to use IPsec VPN in Authentication > Users and click on the account of your choice!

    Go back to Remote access VPN > IPsec, then scroll down and click Export connection. Open the .TGB file with a text editor.

    Scroll down to "[Public-Client-Key]"

    Copy and paste the contents below to a new file and save as public.pem on your Desktop!

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    Scroll down to "[Public-RootCA-Key]"

    Copy and paste the contents below to a new file and save as ca.pem on your Desktop!

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

    Scroll down to "[Secret-Client-Key]"

    Copy and paste the contents below to a new file and save as private.key on your Desktop!

    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

    Now create the PFX file required by iOS using the following command:

    openssl pkcs12 -CAfile Desktop/ca.pem -inkey Desktop/private.key -in Desktop/public.pem -export -out Desktop/vpn.pfx

    Important: you must choose a password for this certificate, otherwise you won't be able to use it on iOS!

    The newly created vpn.pfx and the above created CA.crt are now required on your iPhone / iOS, e. g. using an (internal) Nextcloud or by emailing them to yourself.

    Click the CA.crt in order to add it to your profile. Go to Settings > VPN and Device Management.

    Click on your CA, enter your PIN and Install the CA to the Trusted Store.

    Go back to your E-Mail or Nextcloud and click the vpn.pfx. Then go back to Settings > VPN and Device Management.

    Click on your imported profile, enter the PFX password and click Install.

    Now add a new VPN configuration. Choose Type: IPsec

    Description: VPN

    Server: <the static IP address of your WAN / firewall>

    Account: <name of the LDAP account>

    Password: <password of the LDAP account>

    Use certificate: ENABLE

    Choose your newly imported certificate! Click Add / Save.

    You should now be able to connect!
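As an added example (not from any poster in this thread), the script below automates the copy-and-paste part of the step-by-step post above and adds the check that the earlier answer calls for: it pulls the three PEM blocks out of the exported .TGB file, builds the PFX with a non-empty password, and verifies that the server certificate carries the WAN IP as a SAN. It assumes the export uses INI-style headers such as [Public-Client-Key] followed by one PEM block each; the sample export, the password and the IP 203.0.113.10 are constructed placeholders.

```shell
# Added example (not from the thread): pull the three PEM blocks out of the
# exported .TGB file, build the PFX with a non-empty password, and check the
# server certificate's SAN. Assumption: the export is INI-like, with headers
# [Public-Client-Key], [Public-RootCA-Key] and [Secret-Client-Key], each
# followed by one PEM block.
# extract_pem FILE SECTION OUT: copy the first PEM block after "[SECTION]" to OUT.
extract_pem() {
    awk -v sec="[$2]" '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indentation
        index($0, sec) == 1 { insec = 1; next }
        insec && /^-----BEGIN / { inpem = 1 }
        inpem { print }
        inpem && /^-----END / { exit }
    ' "$1" > "$3"
    [ -s "$3" ]    # fail loudly if the header was not found
}

# build_pfx DIR PASSWORD: -certfile bundles the CA (pkcs12 -CAfile only acts
# with -chain); -passout forces the non-empty password iOS requires.
build_pfx() {
    openssl pkcs12 -export -in "$1/public.pem" -inkey "$1/private.key" \
        -certfile "$1/ca.pem" -passout "pass:$2" -out "$1/vpn.pfx"
}

# check_ip_san CERT IP: true only if the server cert carries "IP Address:IP"
# in subjectAltName, the form iOS accepted in the thread (a DNS SAN did not).
check_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# Constructed sample export with dummy PEM bodies (not real key material).
WORK=${TMPDIR:-/tmp}/tgb-demo.$$; mkdir -p "$WORK"
cat > "$WORK/export.tgb" <<'EOF'
[Public-Client-Key]
-----BEGIN CERTIFICATE-----
Q0xJRU5UQ0VSVA==
-----END CERTIFICATE-----
[Public-RootCA-Key]
-----BEGIN CERTIFICATE-----
Q0FDRVJU
-----END CERTIFICATE-----
[Secret-Client-Key]
-----BEGIN PRIVATE KEY-----
UFJJVktFWQ==
-----END PRIVATE KEY-----
EOF
extract_pem "$WORK/export.tgb" Public-Client-Key "$WORK/public.pem"
extract_pem "$WORK/export.tgb" Public-RootCA-Key "$WORK/ca.pem"
extract_pem "$WORK/export.tgb" Secret-Client-Key "$WORK/private.key"
```

With a real export, follow the extraction with `build_pfx "$WORK" 'choose-a-password'` and `check_ip_san server.pem 203.0.113.10` (your own WAN address) before copying vpn.pfx to the device.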