
SSL VPN username/password?

Hi

I'm trying to connect a RouterOS device as an OpenVPN client to a UTM9 server. Having worked out how to get the UTM's certificates into a more standard format (this thread), the RouterOS device is now attempting to connect to the UTM server.

However, I'm getting a username/password auth failure. The RouterOS device requires me to enter a username and password, yet there's nowhere that I can find in the UTM's configuration to get it.

Here's the output of an attempt to connect. As you can see, the certificate exchange seems to work, it's only the username/password credentials that fail.

2012:12:08-08:41:41 dev-gw-a openvpn[25474]: MULTI: multi_create_instance called
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Re-using SSL/TLS context
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: LZO compression initialized
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Control Channel MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Local Options hash (VER=V4): 'a4f12474'
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Expected Remote Options hash (VER=V4): '619088b2'
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: TCP connection established with my.ip.addr.here:36977
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: Socket Buffers: R=[131072->131072] S=[131072->131072]
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: TCPv4_SERVER link local: [undef]
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: TCPv4_SERVER link remote: my.ip.addr.here:36977
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 TLS: Initial packet from my.ip.addr.here:36977, sid=fc07641e f7a6a9c2
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 VERIFY OK: depth=1, C=gb, L=MyLocation, O=MyName, CN=MyName VPN CA, emailAddress=***@***.***.***
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 VERIFY OK: depth=0, C=gb, L=MyLocation, O=MyName, CN=REF_SslSerProdsite1
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 PLUGIN_CALL: POST /usr/lib/openvpn-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn-utm.so
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 TLS Auth Error: Auth Username/Password verification failed for peer
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1556', remote='link-mtu 1555'
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 [REF_SslSerProdsite1] Peer Connection Initiated with my.ip.addr.here:36977
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 PUSH: Received control message: 'PUSH_REQUEST'
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 Delayed exit in 5 seconds
2012:12:08-08:41:41 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 SENT CONTROL [REF_SslSerProdsite1]: 'AUTH_FAILED' (status=1)
2012:12:08-08:41:45 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 Connection reset, restarting [0]
2012:12:08-08:41:45 dev-gw-a openvpn[25474]: my.ip.addr.here:36977 SIGUSR1[soft,connection-reset] received, client-instance restarting
2012:12:08-08:41:45 dev-gw-a openvpn[25474]: TCP/UDP: Closing socket 


I tried creating a user on the UTM system and entering those credentials into the RouterOS device, but that made no difference.

How do I tell UTM what username/password to accept for this connection?

Thanks
Giles.


  • At the end of the .apc file (after the private key) there are two strings, each beginning with "REF_".

    The first one is the username, the second one the password... [:)]

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • Thanks - how simple!

    I first thought I needed to strip off the "REF_" parts, but evidently they're required.

    I've got my devices connected successfully now.

    Cheers
    Giles.
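The two-string convention described in the answer above, as an added example that is not part of this thread or of Sophos' tooling: a small Python parser that takes the text of a UTM .apc export, skips everything up to the end of the private key PEM block and returns the next two REF_ tokens as (username, password), keeping the "REF_" prefix intact. The layout of the sample file, the REF_ token alphabet and the PEM header variants are assumptions; the PEM bodies are placeholders, not key material.

```python
import re
from typing import Tuple

# Constructed sample resembling the tail of a UTM .apc export: CA cert,
# client cert, private key, then the two REF_ strings. The PEM bodies are
# placeholder text, and the REF_ values are made up for this example.
SAMPLE_APC = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder-ca...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...placeholder-client...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder-key...
-----END RSA PRIVATE KEY-----
REF_ExampleUserRef
REF_ExamplePassRef
"""

# Assumed header variants; the thread only says "the private key".
PRIVKEY_END = re.compile(r"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
REF_TOKEN = re.compile(r"\bREF_\w+")

def extract_ovpn_credentials(apc_text: str) -> Tuple[str, str]:
    """Return (username, password) from the text of a UTM .apc file.

    Both values keep their leading "REF_": the thread confirms the prefix
    is part of the credential, not decoration to strip.
    """
    m = None
    for m in PRIVKEY_END.finditer(apc_text):
        pass  # keep the last private-key terminator in the file
    if m is None:
        raise ValueError("no PRIVATE KEY block found in .apc file")
    refs = REF_TOKEN.findall(apc_text[m.end():])
    if len(refs) < 2:
        raise ValueError(f"expected two REF_ strings after the key, found {len(refs)}")
    return refs[0], refs[1]

def masked(secret: str, keep: int = 4) -> str:
    """Show only the prefix when logging, so the password never lands in a log."""
    return secret[:keep] + "*" * (len(secret) - keep)

if __name__ == "__main__":
    user, pwd = extract_ovpn_credentials(SAMPLE_APC)
    print("user:", user, "password:", masked(pwd))
```

Feed it the real .apc text instead of SAMPLE_APC and paste the two returned values unchanged into the RouterOS OpenVPN client's username and password fields.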