VPN über iPad

Question

Guten Morgen, 
 ein Neuling in Sachen Sophos/iOs hat die Anforderung das ein GF mit seinem neuen iPad einen VPN Verbindung zum Firmennetz aufmachen m&ouml;chte. Ich habe mir das einfach vorgestellt, habe einen entsprechenden User angelegt und &uuml;ber das Userportal die VPN-Konfiguration heruntergeladen. Der GF hat die App im Shop geholt und die Konfiguration importiert. So weit so gut . Aber der Versuch sich zu verbinden endet mit einem Fehler. Es scheint ein Zertifikatsfehler zu sein. Hier enden jetzt meine M&ouml;glichkeiten, da ich nicht weis wer welches Zertifikat braucht (ich denke das iPad) und wo man es bekommt und wie man es weitergibt. Bei den Verbindungen &uuml;ber Windows etc. habe ich noch nie ein Zertifikat ausgetauscht (da gibt es ja auch immer den ganzen Client). Unsere FW ist eine SG210 (HA Mode) Firmware Version 9.705-7. Das Log habe ich hier drangeh&auml;ngt. Ein Tipp w&auml;re toll. Wenn es die L&ouml;sung hier im Forum schon gibt dann habe ich sie nicht gefunden.

Fullscreen 
 SophosLog.txt 
 Download 
 
 
2021-06-14 08:06:14 1

2021-06-14 08:06:14 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 08:06:14 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 08:06:14 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-14 08:06:14 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-14 08:06:14 EVENT: RESOLVE

2021-06-14 08:06:14 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-14 08:06:14 EVENT: WAIT

2021-06-14 08:06:14 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-14 08:06:15 EVENT: CONNECTING

2021-06-14 08:06:15 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-14 08:06:15 Creds: Username/Password

2021-06-14 08:06:15 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-14 08:06:15 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-14 08:06:15 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-14 08:06:15 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-14 08:06:15 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-14 08:06:15 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-14 08:06:15 Performance stats on disconnect:
 CPU usage (microseconds): 31389
 Network bytes per CPU second: 82927
 Tunnel bytes per CPU second: 0

2021-06-14 08:06:15 EVENT: DISCONNECTED

2021-06-14 08:06:15 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-14 08:06:15 Performance stats on disconnect:
 CPU usage (microseconds): 35322
 Network bytes per CPU second: 73693
 Tunnel bytes per CPU second: 0

2021-06-14 08:07:49 1

2021-06-14 08:07:49 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 08:07:49 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 08:07:49 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-14 08:07:49 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-14 08:07:49 EVENT: RESOLVE

2021-06-14 08:07:49 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-14 08:07:49 EVENT: WAIT

2021-06-14 08:07:49 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-14 08:07:49 EVENT: CONNECTING

2021-06-14 08:07:49 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-14 08:07:49 Creds: Username/Password

2021-06-14 08:07:49 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-14 08:07:50 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-14 08:07:50 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-14 08:07:50 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-14 08:07:50 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-14 08:07:50 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 3
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-14 08:07:50 Performance stats on disconnect:
 CPU usage (microseconds): 25687
 Network bytes per CPU second: 101335
 Tunnel bytes per CPU second: 0

2021-06-14 08:07:50 EVENT: DISCONNECTED

2021-06-14 08:07:50 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 3
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-14 08:07:50 Performance stats on disconnect:
 CPU usage (microseconds): 30730
 Network bytes per CPU second: 84705
 Tunnel bytes per CPU second: 0

2021-06-14 09:28:45 1

2021-06-14 09:28:45 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 09:28:45 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 09:28:45 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-14 09:28:45 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-14 09:28:45 EVENT: RESOLVE

2021-06-14 09:28:46 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-14 09:28:46 EVENT: WAIT

2021-06-14 09:28:46 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-14 09:28:46 EVENT: CONNECTING

2021-06-14 09:28:46 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-14 09:28:46 Creds: Username/Password

2021-06-14 09:28:46 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-14 09:28:46 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-14 09:28:46 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-14 09:28:46 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-14 09:28:46 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-14 09:28:46 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-14 09:28:46 Performance stats on disconnect:
 CPU usage (microseconds): 29186
 Network bytes per CPU second: 89186
 Tunnel bytes per CPU second: 0

2021-06-14 09:28:46 EVENT: DISCONNECTED

2021-06-14 09:28:46 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-14 09:28:46 Performance stats on disconnect:
 CPU usage (microseconds): 35258
 Network bytes per CPU second: 73827
 Tunnel bytes per CPU second: 0

2021-06-14 09:34:47 1

2021-06-14 09:34:47 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 09:34:47 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 09:34:47 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-14 09:34:47 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-14 09:34:47 EVENT: RESOLVE

2021-06-14 09:34:47 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-14 09:34:47 EVENT: WAIT

2021-06-14 09:34:47 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-14 09:34:48 EVENT: CONNECTING

2021-06-14 09:34:48 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-14 09:34:48 Creds: Username/Password

2021-06-14 09:34:48 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-14 09:34:48 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-14 09:34:48 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-14 09:34:48 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-14 09:34:48 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-14 09:34:48 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-14 09:34:48 Performance stats on disconnect:
 CPU usage (microseconds): 28285
 Network bytes per CPU second: 92027
 Tunnel bytes per CPU second: 0

2021-06-14 09:34:48 EVENT: DISCONNECTED

2021-06-14 09:34:48 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-14 09:34:48 Performance stats on disconnect:
 CPU usage (microseconds): 35630
 Network bytes per CPU second: 73056
 Tunnel bytes per CPU second: 0

2021-06-14 14:51:09 1

2021-06-14 14:51:09 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 14:51:09 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-14 14:51:09 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-14 14:51:09 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-14 14:51:09 EVENT: RESOLVE

2021-06-14 14:51:09 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-14 14:51:09 EVENT: WAIT

2021-06-14 14:51:09 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-14 14:51:09 EVENT: CONNECTING

2021-06-14 14:51:09 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-14 14:51:09 Creds: Username/Password

2021-06-14 14:51:09 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-14 14:51:10 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-14 14:51:10 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-14 14:51:10 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-14 14:51:10 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-14 14:51:10 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-14 14:51:10 Performance stats on disconnect:
 CPU usage (microseconds): 25303
 Network bytes per CPU second: 102873
 Tunnel bytes per CPU second: 0

2021-06-14 14:51:10 EVENT: DISCONNECTED

2021-06-14 14:51:10 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 345
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-14 14:51:10 Performance stats on disconnect:
 CPU usage (microseconds): 29911
 Network bytes per CPU second: 87024
 Tunnel bytes per CPU second: 0


2021-06-15 17:50:26 1

2021-06-15 17:50:26 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-15 17:50:26 OpenVPN core 3.git::58b92569 ios arm64 64-bit

2021-06-15 17:50:26 Frame=512/2048/512 mssfix-ctrl=1250

2021-06-15 17:50:26 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
12 [route-delay] [4] 
13 [verb] [3] 

2021-06-15 17:50:26 EVENT: RESOLVE

2021-06-15 17:50:27 Contacting [80.153.83.164]:443/TCP via TCPv4

2021-06-15 17:50:27 EVENT: WAIT

2021-06-15 17:50:27 Connecting to [azr.dnsalias.com]:443 (80.153.83.164) via TCPv4

2021-06-15 17:50:27 EVENT: CONNECTING

2021-06-15 17:50:27 Tunnel Options:V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client

2021-06-15 17:50:27 Creds: Username/Password

2021-06-15 17:50:27 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl


2021-06-15 17:50:27 VERIFY OK: depth=1, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=Ambulantes Zentrum VPN CA/emailAddress=info@homaassoft.de

2021-06-15 17:50:27 VERIFY FAIL: depth=0, /C=de/L=Karlsruhe/O=Ambulantes Zentrum/CN=azr.dnsalias.com/emailAddress=info@homaassoft.de [format error in certificate's notAfter field]

2021-06-15 17:50:27 Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

2021-06-15 17:50:27 EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

2021-06-15 17:50:27 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 343
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1

2021-06-15 17:50:27 Performance stats on disconnect:
 CPU usage (microseconds): 21776
 Network bytes per CPU second: 119443
 Tunnel bytes per CPU second: 0

2021-06-15 17:50:27 EVENT: DISCONNECTED

2021-06-15 17:50:27 Raw stats on disconnect:
 BYTES_IN : 2258
 BYTES_OUT : 343
 PACKETS_IN : 4
 PACKETS_OUT : 3
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

2021-06-15 17:50:27 Performance stats on disconnect:
 CPU usage (microseconds): 26495
 Network bytes per CPU second: 98169
 Tunnel bytes per CPU second: 0

PhilippRusch · Answer

Hallo Udo, 
 das wird so nicht funktionieren:

In den SSL-Zertifikaten f&uuml;r die VPN-Verbindungen muss ein &ouml;ffentlich aufl&ouml;sbarer DNS Name drin stehen. 
 Das hat &uuml;berhaupt nichts mit der verewendeten CA zu tun, sondern mit dem Ziel des VPN-Tunnels, an dem der Client terminiert werden soll. 
 Mit einer private IP als Hostname kann das daher nicht funktionieren. Als Hostname sollte der dynamische DNS-Name "azr.dnsalias.com" verwendet werden. 
 Weitere Info dazu: 
 https://community.sophos.com/utm-firewall/f/recommended-reads/22065/rulz 
 Insbesondere den Absatz: 
 The Zeroeth Rule: 
 Start with a hostname that is a unique (not used for anything else) FQDN resolvable in public DNS to your public IP. If you didn't do that, use slickone27's trick to get CAs, certificates, hostname entries, etc. all aligned; it will save you hours and frustration.

VPN über iPad

Top Replies