I created a certificate-based IPsec/IKEv2 site-to-site VPN using the Sophos guides between two Sophos SG135 firewalls. One firewall runs on Home Edition (SFVH with firmware SFOS 21.0.0 GA-Build169); the other runs on a trial licence (SG135 with firmware SFOS 20.0.2 MR-2-Build378). The certificates used come from a Windows enterprise PKI. Both peers have all four certificates involved installed. The peer certificates are uploaded under Certificates > Certificates. The issuing CA and root CA certificates were uploaded under Certificates > Certificate Authority (CA).
The connection uses cloned versions of the provided IPsec profiles "Head Office (IKEv2)" and "Branch Office (IKEv2)" with no changes made. The head office is set to "only respond", while the branch office is set to "initiate connection".
The connection generally works fine!
Every so often (several hours apart) I get Sophos Central alerts that the connection terminated. I have tried to research this, and some people seem to say this is related to the re-keying and the lifetime of the keys of the IPsec SA.
On my mission to debug this, I looked up the VPN logs of both firewalls and was very surprised that both peers report that they don't trust the presented root CA certificate of their peer. This has me very confused. I triple-checked that all certificates involved are current, not out of date, have the right thumbprint and have correct data overall. The very fact that the connection establishes and works well is proof that the certificates themselves are fine.
Question
Why would an appliance first report that a presented certificate comes from an "untrusted" root CA, even though that very root CA is installed in the CA certificate store of that appliance (and triple-checked for validity and integrity), and then go on to establish that connection successfully?
messageid="18072" log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" user="" con_name="VPN_CON_NAME-1" con_type="0" src_ip="x.x.x.x" gw_ip="" local_network="" dst_ip="y.y.y.y" remote_network="" additional_information="" message="VPN_CON_NAME-1 - Certificate isn't from a trusted authority: 'DC=tld, DC=domain, CN=Domain Root CA' (Remote: y.y.y.y)"
[edited by: Erick Jan at 1:23 AM (GMT -8) on 2 Dec 2024]
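Added example, not part of the original post and not Sophos code: a POSIX shell script that builds a throwaway three-tier PKI with openssl (root CA, issuing CA, peer certificate; the DN is modelled on the one in the log line, the hostname, file names and config are assumptions) and then runs the chain check a peer certificate has to pass against several different trust-store contents. It shows which combination of "what the peer sends" and "what is in the CA store" verifies, and which produces a lookup failure for the issuer, so the same check can be repeated on the real certificates exported from both firewalls.

```sh
#!/bin/sh
# Added example: reproduce the "does the peer certificate chain to an installed CA?"
# check offline with a throwaway PKI. Names and paths are assumptions.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Root CA (self-signed), modelled on the DN reported in the log line.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
  -subj "/DC=tld/DC=domain/CN=Domain Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
# Issuing CA, signed by the root (name is an assumption).
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
  -subj "/DC=tld/DC=domain/CN=Domain Issuing CA" \
  -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions v3_ca -out issuing.pem 2>/dev/null
# Peer (branch office) certificate, signed by the issuing CA (hostname is an assumption).
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
  -subj "/CN=branch.domain.tld" -keyout peer.key -out peer.csr 2>/dev/null
openssl x509 -req -in peer.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions v3_leaf -out peer.pem 2>/dev/null

# chain_status ANCHORS [INTERMEDIATE]
#   ANCHORS      file holding the certificates the validator trusts (the CA store)
#   INTERMEDIATE optional file treated as untrusted, i.e. as if the peer had sent it
# Prints "trusted" when peer.pem chains to ANCHORS, otherwise "untrusted".
chain_status() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" peer.pem >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$1" peer.pem >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# chain_status_partial ANCHORS: same check, but a non-root CA in ANCHORS is accepted
# as the end of the chain (openssl's -partial_chain).
chain_status_partial() {
  openssl verify -partial_chain -CAfile "$1" peer.pem >/dev/null 2>&1 && echo trusted || echo untrusted
}

# Show the raw openssl verdicts, including the reason text, for each store content.
echo "--- root in store, issuing CA supplied by peer"
openssl verify -CAfile root.pem -untrusted issuing.pem peer.pem || true
echo "--- root in store, issuing CA NOT supplied and not in store"
openssl verify -CAfile root.pem peer.pem || true
echo "--- only issuing CA in store, validator insists on reaching a root"
openssl verify -CAfile issuing.pem peer.pem || true
echo "--- only issuing CA in store, validator accepts it as an anchor"
openssl verify -partial_chain -CAfile issuing.pem peer.pem || true

echo "summary: $(chain_status root.pem issuing.pem) / $(chain_status root.pem) / $(chain_status issuing.pem) / $(chain_status_partial issuing.pem)"
```

To run this against the real certificates, export the peer certificate and the two CA certificates from each firewall as PEM and substitute them for peer.pem, issuing.pem and root.pem; the one case that openssl reports with "unable to get local issuer certificate" is the chain gap to look for first, and comparing the subject DN and fingerprint of the CA named in the log message (`openssl x509 -in root.pem -noout -subject -fingerprint -sha256`) with what is actually in the store on each side rules out a same-name-different-key CA.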