Hello,
Appreciate any assistance.
VSX R80.40 Take 154 VPN gateway with very old legacy SecureClients (R56) connecting (no office mode).
Everything was working fine until the SSL certificate under IPSec VPN section expired and had to be renewed. After renewal and policy installation, SecureClients failed to connect with "Phase1 Received Notification from Peer: invalid certificate" error message.
Recreating the profile and the site on the client side didn't help. The error about invalid certificate disappeared, but the site couldn't be created -- no errors on the gateway side, and the client times out. We do get the thumbprint of the new certificate, there is 443/tcp and 500/udp traffic. The client is authenticated (we see successful RADIUS logs), so Phase 1 is fine. Then we see 264/tcp (FW1_topo) and I think this is where the clients fail, but no errors whatsoever. It looks like they time out getting the topology, although nothing is blocked on the gateway side.
There were no changes in the configuration of the VPN settings -- only the certificate was renewed.
Thank you.
If I had to guess, your renewed certificate is signed with a SHA-256 hash.
Windows didn’t support SHA-256 until XP SP3.
That means SecureClient R56 probably doesn’t, either.
Hi @PhoneBoy
Checked -- SHA1 is used:
From the management:
cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: | cpopenssl x509 -noout -text | grep "Signature Algorithm"
Error outputting keys and certificates
4146366848:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:615:
4146366848:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:63:
4146366848:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:crypto/pkcs12/p12_decr.c:94:
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
That's the ICA, what about the actual gateway certificate?
In any case, SecureClient R56 is very much out of support at this point.
What are you running it on, exactly?
From the GUI it says:
Public Key: RSA (1024 bits)
Signature: RSA with SHA1
Not sure how to check it from the console.
We had to use R56 due to the old software that runs on Windows 2003.
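For the console check asked about above, here is an added example (not part of the original thread and not Check Point tooling) that reads the signature algorithm and key size from a certificate file with stock `openssl`. It assumes the gateway certificate has been exported to a PEM file; the file paths and the `make_sample_cert` helper are hypothetical, and the sample certificate it generates is constructed test input.

```shell
#!/bin/sh
# Added example: inspect a certificate exported to PEM with stock openssl.
# Assumption: the certificate under test is available as a PEM file.

# Print the certificate's signature algorithm, e.g. sha1WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Print the public key size in bits, e.g. 1024.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed when the algorithm name contains a SHA-2 hash (RSA or ECDSA names).
uses_sha2() {
    case "$(sig_alg "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for one certificate file.
cert_summary() {
    printf 'Signature: %s\nKey bits:  %s\n' "$(sig_alg "$1")" "$(key_bits "$1")"
    if uses_sha2 "$1"; then
        echo "SHA-2 signature: a client without SHA-2 support cannot verify it"
    else
        echo "No SHA-2 hash in the signature algorithm name"
    fi
}

# Hypothetical helper: write a constructed, throwaway self-signed certificate
# into directory $1 so the functions above can be tried offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh script.sh /path/to/exported-cert.pem
if [ "$#" -gt 0 ]; then cert_summary "$1"; fi
```
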
Unless you can find something useful in the client logs as @JozkoMrkvicka suggested, not sure what else we can suggest here.
Well, that's a tricky one. The R56 client has probably been unsupported for a long time. Can it still work? I have no clue, but here are some things I would check. Btw, excellent job in verifying what you already described 👍
- Does zdebug show anything if you grep for, say, the public IP of the user trying to create a site?
- Can you do fw monitor or tcpdump for their public IP to see if anything is even trying to hit the firewall?
Andy
I did collect vpnd debug logs -- everything looks fine for the Phase 1, it just never progresses into Phase 2.
It used to work one day ago, the only difference now is that in order to recreate the site clients have to access 264/tcp (FW1_topo)? I checked that the port is listening on the gateway, and I can telnet to it remotely (Accept Remote Access connections implied rule is triggered).
Tried tcpdump too -- 443/tcp, 500/udp and 264/tcp, nothing else is requested.
Try to enable logs on SecureClient itself (on Windows 2003 workstation). There you should be able to see what is going on.