
IPSec VPN Client Setup, error connecting

I set up the IPSec VPN in UTM manager.

Installed the Sophos IPsec client by downloading it from the User Portal. Downloaded the .ini and cert from the User Portal. Imported the .ini and cert and pointed the profile to the cert. When trying to connect, I get an error. This is the log:

5/1/2019 11:04:51 AM - System: DNSHandling=0
5/1/2019 11:04:51 AM - IPSec: Start building connection
5/1/2019 11:04:51 AM - IPSec: Connecting and Pin is not entered
5/1/2019 11:04:59 AM - System: DNSHandling=0
5/1/2019 11:04:59 AM - IPSec: Start building connection
5/1/2019 11:04:59 AM - System: ikeusesocket=0
5/1/2019 11:04:59 AM - IpsDial: connection time interface choice,LocIpa=192.168.1.62,AdapterIndex=206
5/1/2019 11:04:59 AM - Ike: Outgoing connect request MAIN mode - gateway=74.142.150.90 : bberger
5/1/2019 11:04:59 AM - Ike: ConRef=11, XMIT_MSG1_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ConRef=11, Send NAT-D vendor ID,remprt=500
5/1/2019 11:04:59 AM - Ike: ConRef=11, RECV_MSG2_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: IKE phase I: Setting LifeTime to 28800 seconds
5/1/2019 11:04:59 AM - Ike: IkeSa1 negotiated with the following properties -
5/1/2019 11:04:59 AM - Authentication=RSA_SIGNATURES,Encryption=DES3,Hash=SHA,DHGroup=14,KeyLen=0
5/1/2019 11:04:59 AM - IPSec: Final Tunnel EndPoint is=74.142.150.90
5/1/2019 11:04:59 AM - Ike: bberger ->Support for NAT-T version - 9
5/1/2019 11:04:59 AM - Ike: ConRef=11, XMIT_MSG3_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ConRef=11, RECV_MSG4_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ConRef=11, RECV_MSG4_MAIN_RESUME, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ConRef=11, XMIT_MSG5_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - ike_phase1:send_id:ID_USER_FQDN:pid=0,port=0,bberger@knoxhealth.com
5/1/2019 11:04:59 AM - Ike: ConRef=11, XMIT_MSG5_MAIN_RESUME, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ConRef=11, RECV_MSG6_MAIN, name=bberger, vpngw=74.142.150.90:500
5/1/2019 11:04:59 AM - Ike: ike_phase1:recv_id:ID_FQDN:pid=0,port=0,sophos.knoxhealth.com
5/1/2019 11:04:59 AM - ERROR - 4036: IKE(phase1)- PKI ERROR: - <bberger> Client Error: Verify Server Certificate with error 2002 ! (unable to get issuer certificate).
5/1/2019 11:04:59 AM - Ike: phase1:name(bberger) - ERROR - PKI ERROR: - <bberger> Client Error: Verify Server Certificate with error 2002 ! (unable to get issuer certificate).
5/1/2019 11:04:59 AM - IPSec: Disconnected from bberger on channel 1.

Can't find anything useful on how to resolve this error...

Thanks.

  • What do you see in the UTM's IPsec log, Brent?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [da8e937880010000]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: received Vendor ID payload [XAUTH]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: received Vendor ID payload [RFC 3947]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: received Vendor ID payload [Dead Peer Detection]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [101fb0b35c5a4f4c08b919f1cf53c96a]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [c61baca1f1a60cc11400000000000000]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [cbe79444a0870de4224a2c151fbfe099]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2019:05:02-14:25:54 sophos pluto[13282]: packet from 192.168.1.62:10952: ignoring Vendor ID payload [Cisco-Unity]
    2019:05:02-14:25:54 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: responding to Main Mode from unknown peer 192.168.1.62:10952
    2019:05:02-14:25:54 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: Peer ID is ID_USER_FQDN: 'bberger@knoxhealth.com'
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: crl not found
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]192.168.1.62:10952 #6: certificate status unknown
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952 #6: deleting connection "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[6]instance with peer 192.168.1.62 {isakmp=#0/ipsec=#0}
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952 #6: we have a cert and are sending it
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952 #6: Dead Peer Detection (RFC 3706) enabled
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952 #6: sent MR3, ISAKMP SA established
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952 #6: received Delete SA payload: deleting ISAKMP State #6
    2019:05:02-14:25:55 sophos pluto[13282]: "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] 192.168.1.62:10952: deleting connection "D_for Active Directory VPN Users to Dan VLAN 01 (Network)-5"[5] instance with peer 192.168.1.62 {isakmp=#0/ipsec=#0}

  • I've not tried it, but I'm fairly certain that you can't connect with an IPsec client from inside the LAN.

    Cheers - Bob

  • I get the same errors, just with different IPs in the logs, when off the LAN.

  • I just took a closer look at the picture in the first post in this thread.  The Policy is "L2TP-over-IPsec" - is that the client that you're trying to connect with?

    Cheers - Bob

  • I changed that to AES-256 and still get the same errors in the log. I am using the Sophos IPSec VPN client.

  • Did you follow The Zeroeth Rule in Rulz (last updated 2019-04-17)?

    Cheers - Bob