XGS <=> UTM Site 2 Site SSL VPN

Hello,

A newly set up SSL VPN site-to-site tunnel does not connect. XGS is the server, UTM is the client.

In the global SSL VPN settings, the same cryptographic settings were chosen on both sides (AES-128 CBC, SHA-1, 1024).

Every few seconds the XGS reports "SSL VPN Site to site connection 'Zentrale_GT' established".

In the UTM log you can see the message "AUTH: Received control message: AUTH_FAILED".


2024:08:23-11:45:03 gate openvpn[11007]: Attempting to establish TCP connection with [AF_INET]11.22.33.44:8443 [nonblock]
2024:08:23-11:45:04 gate openvpn[11007]: TCP connection established with [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45711)
2024:08:23-11:45:04 gate openvpn[11007]: TCPv4_CLIENT link local: [undef]
2024:08:23-11:45:04 gate openvpn[11007]: TCPv4_CLIENT link remote: [AF_INET]11.22.33.44:8443
2024:08:23-11:45:04 gate openvpn[11007]: TLS: Initial packet from [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45711), sid=0b5b6fc7 18a49102
2024:08:23-11:45:04 gate openvpn[11007]: VERIFY OK: depth=1, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Default_CA_5iDhUpJ6wZYOYyM, emailAddress=na@example.com
2024:08:23-11:45:04 gate openvpn[11007]: VERIFY X509NAME OK: C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_5iDhUpJ6wZYOYyM, emailAddress=na@example.com
2024:08:23-11:45:04 gate openvpn[11007]: VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_5iDhUpJ6wZYOYyM, emailAddress=na@example.com
2024:08:23-11:45:05 gate openvpn[11007]: WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-128-CBC'
2024:08:23-11:45:05 gate openvpn[11007]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2024:08:23-11:45:05 gate openvpn[11007]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2024:08:23-11:45:05 gate openvpn[11007]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2024:08:23-11:45:05 gate openvpn[11007]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2024:08:23-11:45:05 gate openvpn[11007]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2024:08:23-11:45:05 gate openvpn[11007]: [Appliance_Certificate_5iDhUpJ6wZYOYyM] Peer Connection Initiated with [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45711)
2024:08:23-11:45:07 gate openvpn[11007]: SENT CONTROL [Appliance_Certificate_5iDhUpJ6wZYOYyM]: 'PUSH_REQUEST' (status=1)
2024:08:23-11:45:07 gate openvpn[11007]: AUTH: Received control message: AUTH_FAILED
2024:08:23-11:45:07 gate openvpn[11007]: PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-utm.so
2024:08:23-11:45:07 gate openvpn[11007]: SIGHUP[soft,auth-failure] received, process restarting
2024:08:23-11:45:07 gate openvpn[11007]: DEPRECATED OPTION: --tls-remote, please update your configuration

  • PS:

    - Date and time are identical on both firewalls
    - It does not work with AES-128-CBC / SHA2 / 2028 either
    - The default CA cert contains no special characters
    - A reboot does not help
    - Another UTM produces the same error message

    XGS = 20.0.2 MR-2 Build 378
    UTM = 9.719-3
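Added example, not part of the original post and not Sophos code: a small triage script that parses the UTM-side OpenVPN log quoted above and reports the stage at which the tunnel died. The useful distinction it makes is between a failure inside the TLS handshake (certificate/CA problem) and a rejection after the handshake (AUTH_FAILED sent by the server once both sides had already verified each other's certificates and negotiated the data channel). The first sample is the post's own log, condensed; the second is a constructed, hypothetical contrast case showing what a TLS-level failure looks like instead.

```python
"""Triage an OpenVPN client log: which stage did a site-to-site SSL VPN reach
before it failed (TCP, TLS/certificate verification, post-handshake auth)?"""
import re

# Constructed sample: the UTM openvpn log lines quoted in the post above,
# condensed to the messages that matter for triage.
SAMPLE_AUTH_FAILED = """\
2024:08:23-11:45:03 gate openvpn[11007]: Attempting to establish TCP connection with [AF_INET]11.22.33.44:8443 [nonblock]
2024:08:23-11:45:04 gate openvpn[11007]: TCP connection established with [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45711)
2024:08:23-11:45:04 gate openvpn[11007]: VERIFY OK: depth=1, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Default_CA_5iDhUpJ6wZYOYyM, emailAddress=na@example.com
2024:08:23-11:45:04 gate openvpn[11007]: VERIFY OK: depth=0, C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_5iDhUpJ6wZYOYyM, emailAddress=na@example.com
2024:08:23-11:45:05 gate openvpn[11007]: WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-128-CBC'
2024:08:23-11:45:05 gate openvpn[11007]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
2024:08:23-11:45:05 gate openvpn[11007]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2024:08:23-11:45:05 gate openvpn[11007]: [Appliance_Certificate_5iDhUpJ6wZYOYyM] Peer Connection Initiated with [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45711)
2024:08:23-11:45:07 gate openvpn[11007]: SENT CONTROL [Appliance_Certificate_5iDhUpJ6wZYOYyM]: 'PUSH_REQUEST' (status=1)
2024:08:23-11:45:07 gate openvpn[11007]: AUTH: Received control message: AUTH_FAILED
2024:08:23-11:45:07 gate openvpn[11007]: SIGHUP[soft,auth-failure] received, process restarting
"""

# Constructed contrast case (hypothetical, NOT from the post): the same client
# failing inside the TLS handshake instead of after it.
SAMPLE_TLS_FAILED = """\
2024:08:23-12:00:01 gate openvpn[11007]: TCP connection established with [AF_INET]11.22.33.44:8443 (via [AF_INET]55.66.77.88:45712)
2024:08:23-12:00:01 gate openvpn[11007]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=Appliance_Certificate_XXXX
2024:08:23-12:00:01 gate openvpn[11007]: TLS Error: TLS handshake failed
2024:08:23-12:00:01 gate openvpn[11007]: SIGUSR1[soft,tls-error] received, process restarting
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Ordered progress markers; the furthest one reached locates the failure.
STAGES = [
    ("tcp",          re.compile(r"^TCP connection established")),
    ("tls_verify",   re.compile(r"^VERIFY OK: depth=0")),
    ("data_channel", re.compile(r"^Data Channel Encrypt: Cipher '(?P<cipher>[^']+)'")),
    ("control",      re.compile(r"^Control Channel: (?P<proto>TLSv[\d.]+), cipher (?P<cipher>.+)$")),
    ("peer_init",    re.compile(r"Peer Connection Initiated")),
    ("push",         re.compile(r"^SENT CONTROL .*'PUSH_REQUEST'")),
]
FAILURES = [
    ("tls_failed",  re.compile(r"^TLS Error|^VERIFY ERROR")),
    ("auth_failed", re.compile(r"AUTH_FAILED")),
]
CIPHER_WARN_RE = re.compile(
    r"^WARNING: 'cipher' is present in local config but missing in remote config, local='cipher (?P<cipher>[\w-]+)'")


def parse(log: str):
    """Yield (timestamp, message) for every line that looks like an openvpn log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")


def triage(log: str) -> dict:
    """Return the stages reached, the first failure marker, negotiated parameters and a verdict."""
    reached, failure, notes, params = [], None, [], {}
    for _ts, msg in parse(log):
        for name, rx in STAGES:
            m = rx.search(msg)
            if m and name not in reached:
                reached.append(name)
                if m.groupdict():
                    params[name] = m.groupdict()
        for name, rx in FAILURES:
            if failure is None and rx.search(msg):
                failure = name
        w = CIPHER_WARN_RE.match(msg)
        if w:
            # Remote omitted 'cipher' from its pushed config; the data channel still
            # initialised locally, so this warning alone does not break the tunnel.
            notes.append(f"remote did not send 'cipher'; local '{w.group('cipher')}' used (non-fatal by itself)")
    if failure == "auth_failed" and "peer_init" in reached:
        verdict = ("post-handshake: both certificates verified and the control/data channels were set up, "
                   "then the server answered AUTH_FAILED; data-channel cipher/hash/key-size settings are not the cause")
    elif failure == "tls_failed":
        verdict = "tls: certificate verification or TLS handshake failed; check CA, certificate and peer-name verification"
    elif "tcp" not in reached:
        verdict = "transport: TCP connection never established; check reachability, port and NAT"
    elif failure is None:
        verdict = "no failure marker found"
    else:
        verdict = f"unclassified failure: {failure}"
    return {"reached": reached, "failure": failure, "params": params, "notes": notes, "verdict": verdict}


if __name__ == "__main__":
    for label, log in (("post", SAMPLE_AUTH_FAILED), ("contrast", SAMPLE_TLS_FAILED)):
        r = triage(log)
        print(f"{label}: reached={r['reached']} failure={r['failure']}\n  -> {r['verdict']}")
```

Run it against a real log with `triage(open("openvpn.log").read())`; the marker strings are the standard OpenVPN 2.x client messages, so the same script applies to any OpenVPN-based client log, not only the UTM's.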

  • Hello Tom,

    Short summary of the text below: "SSL VPN doesn't work, use IPsec or RED"

    At the top of my forum page there is a yellow banner:

    "Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes."

    In the release notes
    https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=20.0

    under "Upgrade information" you will find the following:

    Important points to know before you upgrade to 20.0 MR1 and later versions

    SSL VPN

    Firewalls upgraded to 20.0 MR1 and later versions won't establish SSL VPN tunnels with the following clients and firewall versions:

    • SFOS 18.5 and earlier versions (end-of-life): Site-to-site SSL VPNs won't be established between SFOS 18.5 or earlier versions and SFOS 20.0 MR1 and later versions. We recommend that you upgrade both firewalls to 20.0 MR1 and later versions at the same time. Alternatively, you can use site-to-site IPsec or RED tunnels.
    • Legacy SSL VPN client (end-of-life): Remote access SSL VPN tunnels won't be established with the legacy SSL VPN client, which is already end-of-life. You can use the Sophos Connect client or third-party clients, such as OpenVPN client, or use remote access IPsec tunnels.
    • UTM9 OS: Site-to-site SSL VPNs won't be established between UTM9 OS and SFOS 20.0 MR1 and later versions. We recommend that you migrate these to 20.0 MR1 and later versions. Alternatively, you can use site-to-site IPsec or RED tunnels.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.