VPN: Site to Site and Remote Access Sophos Connect - CA not accepted - how to migrate this?!?

UTM Firewall requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 6 replies
Answers 1 answer
Subscribers 4 subscribers
Views 3139 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Connect - CA not accepted - how to migrate this?!?

StephanG over 2 years ago

Hi,

we need to update to Sophos Connect due to the security flaw in Sophos VPN.

As we update - we get the error afterwards:
cannot load inline certificate file

So i need to update my CA - if i update my CA every user (1000+) needs a new config file. 80% are still remote.

And now Sophos? How shall i update?

I already tried adding tls-cipher "DEFAULT:@SECLEVEL=0" to my config file. No change.

BR

Stephan

This thread was automatically locked due to age.

Parents

0 emmosophos over 2 years ago

Hello there,

May know what security flaw are you referring to?

Also is this a 3rd party CA or the device CA?

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Amodin over 2 years ago in reply to emmosophos

I believe they are referring to the 9.710 update that gets rid of SSLVPN client because of the vulnerabilities that are laid out in the patch notes.

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Amodin over 2 years ago in reply to emmosophos

I believe they are referring to the 9.710 update that gets rid of SSLVPN client because of the vulnerabilities that are laid out in the patch notes.

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StephanG over 2 years ago in reply to Amodin

Yes. You are right.

We might use a workaround and deploy the newest OpenVPN community client. It works there.

Updating the old Sophos SSL VPN could not be that difficult for Sophos - but UTM is dead. We are forced to migrate to XG. But we won't.
Cancel
Vote Up 0 Vote Down

Cancel
0 StephanG over 2 years ago in reply to StephanG

Ok. There seems to be no more help here.

We will go with OpenVPN until Palo or Fortinet takes our money. Thank you for a long time (Astaro Customer) and no thanks for the recent time.
Cancel
Vote Up 0 Vote Down

Cancel
0 Amodin over 2 years ago in reply to StephanG

Does this work for you? Sophos Connect Migration script from UTM SSLVPN - Recommended Reads - Sophos Firewall - Sophos Community

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel
0 StephanG over 2 years ago in reply to Amodin

No because my CA is not accepted by the new Sophos Connect client. And it does not accept my line in the conf file
Cancel
Vote Up 0 Vote Down

Cancel