General • OpenVPN-Client Connection Problems

Hello Everyone,

until now I happily used my Mikrotik CRS328 (RouterOS 7.12 then, ROS 7.13.1 now) to connect as client to the network of my company. It worked absolutely flawlessly, I never had any problems with it.

Now my company changed their firewall (which is their VPN endpoint) from a Sophos SG to Sophos XGS (not exactly sure about the names). Thus I changed the settings on my Router accordingly but I still cannot get it working properly. I have (at least) one minor and one major problem.

For reference, I can take a look into the logs on my mac, Tunnelblick is just working as expected there.

1) (Major Problem) after the connection seems to be successfully established, my Router does not receive any configuration. It has no routes and not even an address. Current working hypothesis: The XGS on the other side uses TLS 1.3 on the control channel and RouterOS just does not understand and silently ignores it. I believe in TLS 1.3 on the control channel, because Tunnelblick on my macs says so:
Code:
2024-01-08 09:47:51.290980 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: RSA-SHA256
In the OpenVPN section of the docs, there is no list of supported ciphers, so it is only guesswork.

The logs on RouterOS are not helpful at all, they do not say anything about the control channel or its ciphers. They also do not throw any errors.

So my questions are:
  • Is this a known error pattern? Is there anything I can do about it?
  • Is TLS 1.3 for the OpenVPN control channel supported? If not: is it planned or is there even an expected release date?

2) (Minor Problem): My OVPN config file says
Code:
auth SHA512
When I configure the "auth" parameter in the ovpn-interface to sha512, there is an error in the log which says:
<iface-name>: disconnected <unsupported auth digest [null-digest]>
Thus I changed the auth-parameter in my ovpn interface to "null", then it connects (and then hits the mentioned major problem). That should not be, right? How does the negotiation work? Is it a known issue? Is the issue more likely on my side or on the other side?

Help is much appreciated, thanks in advance!

BRs,
Powersmurf

Statistics: Posted by powersmurf — Mon Jan 08, 2024 1:15 pm
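As an added example (not from the post and not MikroTik code), a small Python script that pulls the negotiated control-channel parameters out of the Tunnelblick log line quoted above and the auth/cipher directives out of the .ovpn file, then compares them with what is set on the RouterOS ovpn-client interface. The hostname, the .ovpn fragment and the interface values are constructed placeholders.

```python
import re

# Constructed sample input: the Tunnelblick line quoted in the post plus a small
# .ovpn fragment (the hostname is a placeholder, not the poster's real endpoint).
TUNNELBLICK_LOG = (
    "2024-01-08 09:47:51.290980 Control Channel: TLSv1.3, cipher TLSv1.3 "
    "TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, "
    "signature: RSA-SHA256\n"
)
OVPN_CONFIG = "client\ndev tun\nremote vpn.example.invalid 1194\nauth SHA512\ncipher AES-256-GCM\n# comment\n"

# OpenVPN prints "cipher <proto> <suite>"; the "curve" field only appears for EC certificates.
CONTROL_RE = re.compile(
    r"Control Channel: (?P<tls>TLSv1\.\d), cipher (?P<cproto>\S+) (?P<cipher>[^,]+), "
    r"peer certificate: (?P<cert>[^,]+)(?:, curve (?P<curve>[^,]+))?, signature: (?P<sig>\S+)"
)

def parse_control_channel(log):
    """Negotiated control-channel parameters from an OpenVPN client log, or None if absent."""
    for line in log.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            return m.groupdict()
    return None

def parse_ovpn(text):
    """Top-level 'key value' directives of an .ovpn file; comments and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives

def check(config, iface, ctrl):
    """Findings comparing the .ovpn file and the negotiated channel against the interface settings."""
    norm = lambda s: s.lower().replace("-", "")  # AES-256-GCM and aes256-gcm compare equal
    findings = []
    for key in ("auth", "cipher"):
        want, have = norm(config.get(key, "")), norm(iface.get(key, ""))
        if want and want != have:
            findings.append(f"{key}: .ovpn wants {want}, interface is set to {have or 'unset'}")
    if ctrl and ctrl["tls"] == "TLSv1.3":
        findings.append(f"control channel negotiated {ctrl['tls']} with {ctrl['cipher']}; confirm the client supports it")
    return findings

if __name__ == "__main__":
    # Assumed interface values, mirroring the post: auth lowered to null so that the connection comes up.
    for f in check(parse_ovpn(OVPN_CONFIG), {"auth": "null", "cipher": "aes256-gcm"}, parse_control_channel(TUNNELBLICK_LOG)):
        print(f)
```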
