The Sophos VPN client is no longer offered on the download page of the SG firewall.
When trying to connect (SSL VPN) with the Sophos client and an imported config file, this message appears on the connection attempt:
"Fehler wegen Richtlinienabweichung. Importieren Sie eine neue Richtlinie für diese Verbindung." (policy mismatch error: import a new policy for this connection)
The firewall rules are set to automatic, as described in the guide. No idea what is going wrong here.
I found the solution here:
https://community.sophos.com/utm-firewall/f/vpn-site-to-site-and-remote-access/128837/zertifikatefehler-bei-ssl-vpn-mit-mac
The certificates get regenerated…
Logfile from Sophos Connect (xxxxx entries = I deleted them):
2022-08-06 14:45:50 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-06 14:45:50 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-08-06 14:45:50 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 22 2022
2022-08-06 14:45:50 Windows version 10.0 (Windows 10 or greater) 64bit
2022-08-06 14:45:50 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2022-08-06 14:45:50 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-08-06 14:45:50 Need hold release from management interface, waiting...
2022-08-06 14:45:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-08-06 14:45:51 MANAGEMENT: CMD 'state on'
2022-08-06 14:45:51 MANAGEMENT: CMD 'log all on'
2022-08-06 14:45:51 MANAGEMENT: CMD 'echo all on'
2022-08-06 14:45:51 MANAGEMENT: CMD 'bytecount 5'
2022-08-06 14:45:51 MANAGEMENT: CMD 'hold off'
2022-08-06 14:45:51 MANAGEMENT: CMD 'hold release'
2022-08-06 14:45:51 MANAGEMENT: CMD 'username "Auth" bhierl'
2022-08-06 14:45:51 MANAGEMENT: CMD 'password [...]'
2022-08-06 14:45:51 MANAGEMENT: >STATE:1659789951,RESOLVE,,,,,,
2022-08-06 14:45:51 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194 // xxxxx deleted from me
2022-08-06 14:45:51 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-08-06 14:45:51 Attempting to establish TCP connection with [AF_INET] xxx.xxx.xxx.xxx:1194 [nonblock]
2022-08-06 14:45:51 MANAGEMENT: >STATE:1659789951,TCP_CONNECT,,,,,,
2022-08-06 14:45:51 TCP connection established with [AF_INET] xxx.xxx.xxx.xxx:1194
2022-08-06 14:45:51 TCP_CLIENT link local: (not bound)
2022-08-06 14:45:51 TCP_CLIENT link remote: [AF_INET] xxx.xxx.xxx.xxx:1194
2022-08-06 14:45:51 MANAGEMENT: >STATE:1659789951,WAIT,,,,,,
2022-08-06 14:45:51 MANAGEMENT: >STATE:1659789951,AUTH,,,,,,
2022-08-06 14:45:51 TLS: Initial packet from [AF_INET] xxx.xxx.xxx.xxx:1194, sid= xxxxx xxxxx
2022-08-06 14:45:51 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=de, L=xxxxx, O= xxxxx,CN= xxxxx, emailAddress= xxxxx, serial= xxxxx
2022-08-06 14:45:51 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-08-06 14:45:51 TLS_ERROR: BIO read tls_read_plaintext error
2022-08-06 14:45:51 TLS Error: TLS object -> incoming plaintext read error
2022-08-06 14:45:51 TLS Error: TLS handshake failed
2022-08-06 14:45:51 Fatal TLS error (check_tls_errors_co), restarting
2022-08-06 14:45:51 SIGUSR1[soft,tls-error] received, process restarting
2022-08-06 14:45:51 MANAGEMENT: >STATE:1659789951,RECONNECTING,tls-error,,,,,
2022-08-06 14:45:51 Restart pause, 5 second(s)
2022-08-06 14:45:52 SIGTERM[hard,init_instance] received, process exiting
2022-08-06 14:45:52 MANAGEMENT: >STATE:1659789952,EXITING,init_instance,,,,,
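The "CA signature digest algorithm too weak" line above is OpenSSL refusing a certificate whose signature still uses MD5 or SHA-1, which is why regenerating the certificates fixes it. As an added example (not from this thread, not a Sophos or OpenVPN tool), the stdlib-only check below scans the PEM certificates embedded in an .ovpn file and reports each one's signatureAlgorithm OID, flagging the weak ones before the profile is imported into a client; the two sample configs are constructed certificate skeletons with a valid outer DER layout, not real certificates.

```python
import base64
import re
# Signature-algorithm OIDs: the MD5/SHA-1 ones are what OpenSSL reports as "too weak".
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
STRONG_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts, value = parts + [str(value)], 0
    return ".".join(parts)

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER certificate: SEQUENCE { tbs, alg, sig }."""
    _, pos, _ = _tlv(der, 0)            # enter the Certificate SEQUENCE
    _, _, pos = _tlv(der, pos)          # skip tbsCertificate entirely
    _, pos, _ = _tlv(der, pos)          # enter the signatureAlgorithm SEQUENCE
    tag, start, stop = _tlv(der, pos)   # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected an OID in signatureAlgorithm"
    return _decode_oid(der[start:stop])

def check_ovpn(text):
    """Return [(oid, name, is_weak)] for every PEM certificate embedded in .ovpn text."""
    oids = [signature_oid(base64.b64decode("".join(m.group(1).split()))) for m in PEM_RE.finditer(text)]
    return [(o, WEAK_SIG_OIDS.get(o) or STRONG_SIG_OIDS.get(o, "unknown"), o in WEAK_SIG_OIDS) for o in oids]

def constructed_cert_pem(sig_oid_hex):
    """CONSTRUCTED sample, not a real certificate: empty tbs plus the given signatureAlgorithm."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER TLV encoder
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return "<ca>\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n</ca>\n" % base64.b64encode(der).decode()

OLD_OVPN = constructed_cert_pem("2a864886f70d010105")   # sha1WithRSAEncryption: the failing case
NEW_OVPN = constructed_cert_pem("2a864886f70d01010b")   # sha256WithRSAEncryption: after regeneration
```

Run it over the real .ovpn as `check_ovpn(open("client.ovpn").read())`; any entry with is_weak set is a certificate the firewall still needs to reissue.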