OpenVPN from Mikrotik to Sophos UTM

I’m having some trouble getting an OpenVPN session going from a Mikrotik (client) to a Sophos UTM (server). I’ve tried regenerating the certs on the Sophos, different settings like using Blowfish, key sizes, etc., and the same on the Mikrotik side. Pretty much, I think I’m not able to negotiate TLS. Anyone have any ideas?!?

The Sophos side has AES128, SHA1, Key size 1024bit, Use Cert.pem, Key Lifetime 28800, Compress traffic, TCP Port 443.

Here’s what I have on the Mikrotik side:

/interface ovpn-client
add certificate="Cert.pem_0" cipher=aes128 connect-to=XXX.XXX.XXX.XXX mac-address=02:03:A2:XX:XX:XX mode=ip name=ovpn-out1 password=XXXXXX port=443 user=XXXXXX

Error message from Sophos:

2015:11:19-12:47:26 sophos-fw openvpn[17832]: MULTI: multi_create_instance called
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Re-using SSL/TLS context
2015:11:19-12:47:26 sophos-fw openvpn[17832]: LZO compression initialized
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Local Options hash (VER=V4): 'b695cb4a'
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Expected Remote Options hash (VER=V4): 'bc07730e'
2015:11:19-12:47:26 sophos-fw openvpn[17832]: TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443)
2015:11:19-12:47:26 sophos-fw openvpn[17832]: TCPv4_SERVER link local: [undef]
2015:11:19-12:47:26 sophos-fw openvpn[17832]: TCPv4_SERVER link remote: [AF_INET]XXX.XXX.XXX.XXX:37765
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 TCPv4_SERVER READ [14] from [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443), sid=302fb7a5 f2140b4b
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 TCPv4_SERVER WRITE [26] to [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443): P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 TCPv4_SERVER READ [26] from [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443): P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 0 ] pid=1 DATA len=0
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 TCPv4_SERVER WRITE [22] to [AF_INET]XXX.XXX.XXX.XXX:37765 (via [AF_INET]YYY.YYY.YYY.YYY:443): P_ACK_V1 kid=0 [ 1 ]
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 Connection reset, restarting [0]
2015:11:19-12:47:26 sophos-fw openvpn[17832]: XXX.XXX.XXX.XXX:37765 SIGUSR1[soft,connection-reset] received, client-instance restarting
2015:11:19-12:47:26 sophos-fw openvpn[17832]: TCP/UDP: Closing socket

Error message from Mikrotik:

12:47:25 ovpn,info ovpn-out1: initializing... 
12:47:25 ovpn,info ovpn-out1: connecting... 
12:47:25 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=302fb7a5f214b4b pid=0 DATA len=0 
12:47:26 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0bb5b4c9a71498a0 [0 sid=302fb7a5f214b4b] pid=0 DATA len=0 
12:47:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=302fb7a5f214b4b [0 sid=0bb5b4c9a71498a0] pid=1 DATA len=0 
12:47:26 ovpn,debug ovpn-out1: disconnected <TLS failed> 
12:47:26 ovpn,info ovpn-out1: terminating... - TLS failed 
12:47:26 ovpn,info ovpn-out1: disconnected

Please, more activity here. I am very much interested in the same: Mikrotik as client to Sophos.

Mikrotik uses a proprietary OpenVPN implementation that doesn’t support compression or UDP, so make sure those are turned off.
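A quick way to confirm this from the server side is to read the options strings the Sophos log already prints: the "Expected Remote Options String" is what the server requires the client to agree to, and in the log quoted above it contains comp-lzo. The script below is an added example for this thread, not code from Sophos, Mikrotik or any of the posters. It parses those option strings out of OpenVPN server log text and flags the settings the answer says a RouterOS client cannot satisfy (compression, UDP transport). The sample log text is the two option-string lines copied from the Sophos log above (addresses were already masked there); the list of unsupported options is taken from the answer, not from any Mikrotik documentation.

```python
import re

# Two lines copied from the Sophos log quoted earlier in the thread (constructed
# sample input for this example; the original post already masked the addresses).
SAMPLE_LOG = """\
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2015:11:19-12:47:26 sophos-fw openvpn[17832]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
"""

# OpenVPN logs both strings in the same shape: "<side> Options String: '<opts>'".
OPTIONS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")


def parse_options(options_string):
    """Split OpenVPN's comma-separated options string into {option: value}.

    Each item is "<name> <value>" or a bare flag such as "comp-lzo" or
    "tls-client"; bare flags map to an empty string.
    """
    opts = {}
    for item in options_string.split(","):
        name, _, value = item.strip().partition(" ")
        opts[name] = value
    return opts


def routeros_problems(opts):
    """Return [(option, advice)] for settings in an options string that the
    thread's answer says a RouterOS OpenVPN client cannot negotiate:
    compression of any kind and UDP transport.
    """
    problems = []
    # comp-lzo is what this server prints; "compress" is the newer OpenVPN
    # spelling of the same thing, so treat either as compression being on.
    if "comp-lzo" in opts or "compress" in opts:
        problems.append(("comp-lzo", "disable compression on the server"))
    proto = opts.get("proto", "")
    if proto.upper().startswith("UDP"):
        problems.append(("proto " + proto, "switch the server to TCP"))
    return problems


def check_log(text):
    """Scan server log text and return {side: problems} for every options
    string found, where side is 'Local' or 'Expected Remote'. The
    'Expected Remote' entry is the one that matters for the client.
    """
    findings = {}
    for match in OPTIONS_RE.finditer(text):
        side, options_string = match.group(1), match.group(2)
        findings[side] = routeros_problems(parse_options(options_string))
    return findings


if __name__ == "__main__":
    for side, problems in check_log(SAMPLE_LOG).items():
        if problems:
            for option, advice in problems:
                print(f"{side}: {option} -> {advice}")
        else:
            print(f"{side}: no RouterOS-incompatible options")
```

Run it against a longer log (for example, `check_log(open("openvpn.log").read())`) after each server-side change; when the "Expected Remote" entry comes back empty, the remaining mismatch is on the certificate or credential side rather than the transport options.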