[Solved] Problem with OPNsense and Sophos UTM OpenVPN: TLS handshake failed

Started by pleibling, June 09, 2023, 11:37:54 AM

Hello,

Since a VPN tunnel with IPsec is not possible (double NAT and dynamic IP), I wanted to set up a tunnel between an OPNsense at home and the Sophos UTM at the company (at the moment I still have a Sophos UTM in use, but I want to switch to OPNsense; between the two UTMs this works without problems).

For this I followed a guide by SysOpsTV on YouTube. Unfortunately it is not complete, so to make it easier to understand for me and for others I wrote my own guide (feel free to use it here in the forum or even distribute it) and uploaded it to my site (it is too big to upload here): https://www.leibling.de/wp-content/uploads/2023/06/230608-SSL-Tunnel-zwischen-OPNsense-und-Sophos-UTM.pdf

Unfortunately I still have problems: I can see in the logs that the connection is being attempted, but I get error messages.

This is where I need your help; I have attached the logs from both sides (I have altered sensitive parts, thank you for your understanding).

Logs from the Sophos:

2023:06:09-11:15:28 gw-lfd openvpn[22198]: MULTI: multi_create_instance called
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Re-using SSL/TLS context
2023:06:09-11:15:28 gw-lfd openvpn[22198]: LZO compression initialized
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Control Channel MTU parms [ L:1560 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:143 ET:0 EL:3 AF:3/1 ]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Local Options hash (VER=V4): 'xxxxxxx'
2023:06:09-11:15:28 gw-lfd openvpn[22198]: Expected Remote Options hash (VER=V4): 'yyyyyyy'
2023:06:09-11:15:28 gw-lfd openvpn[22198]: TCP connection established with [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444)
2023:06:09-11:15:28 gw-lfd openvpn[22198]: TCPv4_SERVER link local: [undef]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: TCPv4_SERVER link remote: [AF_INET]92.200.246.14:11294
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER READ [14] from [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TLS: Initial packet from [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444), sid=b5d194db e18e0a8e
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER WRITE [26] to [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER READ [299] from [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_V1 kid=0 [ 0 ] pid=1 DATA len=273
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER WRITE [22] to [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_ACK_V1 kid=0 [ 1 ]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER WRITE [1184] to [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=1170
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER WRITE [1184] to [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER WRITE [816] to [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=802
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 TCPv4_SERVER READ [26] from [AF_INET]92.200.246.14:11294 (via [AF_INET]185.35.x.x:444): P_ACK_V1 kid=0 [ 1 0 ]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 Connection reset, restarting [0]
2023:06:09-11:15:28 gw-lfd openvpn[22198]: 92.200.246.14:11294 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023:06:09-11:15:28 gw-lfd openvpn[22198]: TCP/UDP: Closing socket


And here are the logs from the OPNsense:

2023-06-09T11:14:39 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:39 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:39 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:39 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:39 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:39 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:39 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:39 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:31 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:31 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:31 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:31 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:31 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:31 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:30 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:30 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:26 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:26 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:26 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:26 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:26 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:26 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:26 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:26 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:24 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:24 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:24 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:24 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:24 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:24 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:24 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:24 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:23 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:23 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:23 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:23 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:23 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:23 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:23 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:22 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:22 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:22 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:22 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:22 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:22 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:21 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:21 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:20 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
2023-06-09T11:14:20 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:20 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:20 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:20 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:20 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:20 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:20 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:19 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:19 Error openvpn_client1 TLS Error: TLS object -> incoming plaintext read error
2023-06-09T11:14:19 Error openvpn_client1 TLS_ERROR: BIO read tls_read_plaintext error
2023-06-09T11:14:19 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:19 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-06-09T11:14:19 Warning openvpn_client1 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: using --pull/--client and --ifconfig together is probably not what you want
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2023-06-09T11:14:19 Warning openvpn_client1 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.


The certificates look fine to me, though: if I save the strings as CRT files (the CA and my own cert), I can display them, the information etc. is shown and there is no read error. As for the private key, I don't know how I could check it.

Do you see any problems, or do you have ideas on how to check further?

Thanks for your support.

Edit by OP: the problem was solved with a second OPNsense
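As an added example (not part of the post above, and not a diagnosis of the author's setup), the following Python script triages OpenVPN client log lines of the format shown in the OPNsense log: it counts handshake failures, extracts the OpenSSL verification error and the subject at which it occurred, and maps each verification error and warning to what it usually means for an OpenVPN client. The cause texts are the standard meaning of the OpenSSL/OpenVPN messages, not something the post states; the sample log is constructed from a subset of the lines above.

```python
"""Triage OpenVPN client log lines for TLS handshake failures (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the OPNsense client log lines from the post.
SAMPLE_LOG = """\
2023-06-09T11:14:19 Warning openvpn_client1 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: using --pull/--client and --ifconfig together is probably not what you want
2023-06-09T11:14:19 Warning openvpn_client1 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-06-09T11:14:19 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:19 Error openvpn_client1 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-06-09T11:14:19 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:20 Error openvpn_client1 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=de, L=Duesseldorf, O=Company, CN=Company VPN CA, emailAddress=p.leibling@company.de, serial=1735613419994xxxxxx
2023-06-09T11:14:20 Error openvpn_client1 TLS Error: TLS handshake failed
2023-06-09T11:14:20 Error openvpn_client1 Fatal TLS error (check_tls_errors_co), restarting
"""

# "<timestamp> <level> <instance> <message>" as written by the OPNsense log viewer.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<inst>\S+)\s+(?P<msg>.*)$")
# OpenVPN's verify failure: depth, OpenSSL error text, then the subject DN.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<err>[^:]+): (?P<subject>.*)")
CN_RE = re.compile(r"CN=([^,]+)")

# OpenSSL verify-error text -> what it means for an OpenVPN client.
VERIFY_CAUSES = {
    "self signed certificate in certificate chain":
        "the chain the server sent ends in a self-signed CA that is not in this "
        "client's trust store: the CA selected on the client is not the CA that "
        "issued the server certificate",
    "unable to get local issuer certificate":
        "the issuer of the server certificate is missing from the client's CA store",
    "certificate has expired":
        "a certificate in the chain is past its notAfter date (check both clocks too)",
}

# Warning substrings -> configuration findings (hardening and interoperability).
WARNING_FINDINGS = {
    "No server certificate verification method has been enabled":
        "no remote-cert-tls/verify-x509-name: any certificate issued by the CA "
        "would be accepted as the server",
    "DEPRECATED OPTION: --cipher":
        "--cipher is ignored for negotiation; the cipher the peer uses must be "
        "listed in --data-ciphers or the data channel will not match",
    "--pull/--client and --ifconfig together":
        "a static --ifconfig conflicts with addresses pushed by the server",
    "is group or others accessible":
        "script or config file permissions are too open",
}


def triage(log_text):
    """Return counts, verify-error details and findings for a client log."""
    result = {"handshake_failures": 0, "verify_errors": Counter(),
              "issuers": set(), "findings": [], "unparsed": 0}
    seen_warnings = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            result["unparsed"] += 1
            continue
        msg = m.group("msg")
        if "TLS handshake failed" in msg:
            result["handshake_failures"] += 1
        v = VERIFY_RE.search(msg)
        if v:
            err = v.group("err").strip()
            result["verify_errors"][err] += 1
            cn = CN_RE.search(v.group("subject"))
            if cn:  # (depth, CN) of the certificate that failed verification
                result["issuers"].add((int(v.group("depth")), cn.group(1).strip()))
        for key, finding in WARNING_FINDINGS.items():
            if key in msg and key not in seen_warnings:
                seen_warnings.add(key)
                result["findings"].append(finding)
    for err, n in result["verify_errors"].items():
        cause = VERIFY_CAUSES.get(err, "unmapped OpenSSL verify error")
        result["findings"].append(f"{n}x '{err}': {cause}")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"handshake failures: {report['handshake_failures']}")
    print(f"failing certificates (depth, CN): {sorted(report['issuers'])}")
    for finding in report["findings"]:
        print(f"- {finding}")
```

The depth in the VERIFY ERROR line is what to look at first: depth=1 with a self-signed CN means the client rejected the CA certificate itself, so comparing the CA the client has configured against the one the server's certificate was issued by (for example by checking the CA fingerprints on both ends) is the check to do before touching the client key or certificate.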