SSL-VPN between UTM and XG fails due to strange certificate error

Hi all,

we experience a strange issue when trying to connect an UTM to a XG via SSL-VPN. Unfortunately, IPSec cannot be used as the UTM stands behind a router and no fixed public IP is available.

We have configured the SSLVPN settings as follows:
- Protocol: UDP
- SSL Server Certificate: WILDCARD.customer.de (the error is the same with a specific certificate for the DNS name vpn.customer.de)
- Port: 443

When importing the SSLVPN configuration file to the UTM, the live protocol gives the following error:

VERIFY X509NAME ERROR: /CN=_.customer.de, must be CN=*.customer.de

I read somewhere that Sophos does not support using wildcard certificates for SSLVPN - strangely it works when connecting to the XG via OpenVPN client (current version 2.5.3). But OK - I bought another certificate for vpn.customer.de and assigned it to the configuration. Then I exported and imported the configuration on the UTM again. The error is somehow the same:

VERIFY X509NAME ERROR: /CN=vpn.customer.de, must be CN=vpn.customer.de

When I look at the certificates uploaded to the XG configuration (hovering over the certificate with the mouse), it tells me that the subject is "/CN=vpn.customer.de". So where does this slash come from? Obviously, the UTM cannot read such certificate correctly but I cannot modify the subject. Either this is a bug in the upload process of the XG or a bug in the OpenVPN client included in the UTM.

If I switch to the ApplianceCertificate, everything works but we want to use public certificates for that. Am I doing something wrong?


Thanks in advance and greetings

Ben

Parents
  • Hallo Ben and welcome to the UTM Community!

    There are several ways to use IPsec when only one side has a public IP.  The easiest is to configure the XG as "Respond only" and the UTM as "Initiate connection."  Will that work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    sounds good - could you please explain how to configure that?
    On the other side, I would like to understand my issue and how to fix that. In my opinion, SSLVPN should work with 3rd party certificates as well or is this not supported between UTM and XG?

    Regards
    Ben

  • I haven't seen the /CN error before, Ben.   It must be an issue with the tool used to generate the cert.  Still, you might want to open a case with Support so that they can get the developers to fix the verification error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks, the IPSec tunnel works fine! However, I have some issue with network connectivity from the XG side to the UTM side - I cannot ping any device on the UTM side. From the UTM side (branch office), I can reach devices in the central office. That is strange because ping is a two-way communication afaik.

    All firewall rules are in place and I can see in the XG logs that my connections are allowed (ping, HTTPS, etc.). However, it seems as if the pings do not reach the UTM as nothing can be seen in the UTM logs.

    Can you advise if there is something I forgot in the configuration?

    Regards 
    Ben

  • It's tricky to do a packet capture inside an IPsec tunnel.  Start by discovering the REF_ of the IPsec Connection.  If the name is Hamburg, enter the following command as root at the command line

         cc get_object_by_name ipsec_connection site_to_site 'Hamburg'|grep \'ref

    The result of that will included something like REF_IpsSitHamburg

    To watch the traffic:

         espdump -n --conn REF_IpsSitHamburg -vv

    If you don't see pings coming through the tunnel, it's a configuration issue in the XG.  Interesting that it will allow ping responses to be sent to the UTM, but not ping requests.  Then again, maybe the device behind the XG that you're pinging has its firewall dropping pings from outside the device's subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • It's tricky to do a packet capture inside an IPsec tunnel.  Start by discovering the REF_ of the IPsec Connection.  If the name is Hamburg, enter the following command as root at the command line

         cc get_object_by_name ipsec_connection site_to_site 'Hamburg'|grep \'ref

    The result of that will included something like REF_IpsSitHamburg

    To watch the traffic:

         espdump -n --conn REF_IpsSitHamburg -vv

    If you don't see pings coming through the tunnel, it's a configuration issue in the XG.  Interesting that it will allow ping responses to be sent to the UTM, but not ping requests.  Then again, maybe the device behind the XG that you're pinging has its firewall dropping pings from outside the device's subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data