Use with Watchguard Firebox


centit

Posts: 3
Joined: Fri Oct 02, 2009 12:19 am

Post by centit » Fri Oct 02, 2009 12:24 am
Has anyone used Viscosity to connect to a Watchguard Firebox instead of their SSL VPN client?

I know they use OpenVPN and I can import the .ovpn into Viscosity, but I can't seem to connect. I'm getting a TLS error.

I would love to use this as a replacement so I can have easy access to multiple locations. If you have it working, let me know.

Cheers!

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Oct 11, 2009 6:16 am
Hi centit,

As far as I can tell you should be able to get Viscosity to connect to a Watchguard Firebox VPN server. Try editing your connection in Viscosity, clicking on the Certificates tab, and make sure that Viscosity was able to successfully import the CA, Cert, and Key files for your connection. If not, click the Clear/Select button and specify these files manually.

From what I can gather online, the .ovpn file may have a custom command or two you'll need to remove (such as remote-cert-eku), and one you might need to add (such as tls-remote "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"). Edit your connection in Viscosity, click the Advanced tab, and add/edit/delete these commands there.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
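The directive edits James describes above (drop remote-cert-eku, make sure a tls-remote line pins the Firebox server's certificate name) can be applied to a profile mechanically. The script below is an added example for this thread and is not code from Viscosity, Sparklabs or WatchGuard; the profile it edits is a constructed sample, not the poster's real file, and the hostname in it is a placeholder. One caveat worth knowing when reading this thread today: tls-remote was deprecated in OpenVPN 2.3 and removed in 2.4, where the equivalent pin is verify-x509-name with the subject written in RFC 2253 form ("O=..., OU=..., CN=..."), so the example can emit either form.

```python
import re

# Constructed sample profile in the shape of a Firebox client export.
# The remote hostname is a placeholder, not a real server.
SAMPLE_OVPN = """\
client
dev tap
proto tcp
remote vpn.example.invalid 443
ca ca.crt
cert client.crt
key client.key
remote-cert-eku "TLS Web Server Authentication"
verb 3
"""

# Server certificate name quoted in the thread (legacy slash-separated DN form).
FIREBOX_SERVER_DN = "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"


def parse_directives(text):
    """Split an OpenVPN profile into (directive, arguments) pairs.

    Blank lines and '#'/';' comments are dropped; everything after the first
    whitespace run is kept verbatim as the argument string.
    """
    directives = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        parts = stripped.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def legacy_dn_to_rfc2253(dn):
    """Convert '/O=a/OU=b/CN=c' (OpenVPN <= 2.2 style) to 'O=a, OU=b, CN=c'."""
    return ", ".join(part for part in dn.strip().split("/") if part)


def adapt_profile(text, server_dn=FIREBOX_SERVER_DN, modern=False):
    """Return the profile with remote-cert-eku removed and a server-name pin present.

    modern=False keeps the thread's tls-remote form (OpenVPN 2.0-2.3).
    modern=True replaces any tls-remote with verify-x509-name ... subject
    (OpenVPN 2.3+), converting the DN to RFC 2253 form.
    """
    kept = [(name, args) for name, args in parse_directives(text)
            if name != "remote-cert-eku"]

    # Pick up an existing tls-remote value so a hand-edited profile keeps its pin.
    existing = [args for name, args in kept if name == "tls-remote"]
    if existing:
        server_dn = existing[0].strip().strip('"')

    if modern:
        kept = [(name, args) for name, args in kept if name != "tls-remote"]
        if not any(name == "verify-x509-name" for name, _ in kept):
            kept.append(("verify-x509-name",
                         f'"{legacy_dn_to_rfc2253(server_dn)}" subject'))
    elif not existing:
        kept.append(("tls-remote", f'"{server_dn}"'))

    return "\n".join(f"{name} {args}".rstrip() for name, args in kept) + "\n"


if __name__ == "__main__":
    print(adapt_profile(SAMPLE_OVPN))
    print(adapt_profile(SAMPLE_OVPN, modern=True))
```

Running the adapted profile through adapt_profile a second time leaves it unchanged, so the script is safe to run on a profile that has already been edited by hand in Viscosity's Advanced tab.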

centit

Posts: 3
Joined: Fri Oct 02, 2009 12:19 am

Post by centit » Thu Oct 15, 2009 8:12 am
Hey James,

I removed the remote-cert-eku and the tls-remote line was already in the .ovpn file.

I have made it a lot further on the connection: it now starts to init the tap with the assigned IP from the correct DHCP scope, but errors out, see below:
Wed Oct 14 16:30:26 2009: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Wed Oct 14 16:30:26 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Oct 14 16:30:26 2009: Attempting to establish TCP connection with x.x.x.x:443 [nonblock]
Wed Oct 14 16:30:27 2009: TCP connection established with x.x.x.x:443
Wed Oct 14 16:30:27 2009: TCPv4_CLIENT link local: [undef]
Wed Oct 14 16:30:27 2009: TCPv4_CLIENT link remote: x.x.x.x
Wed Oct 14 16:30:27 2009: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 14 16:30:31 2009: [Fireware_SSLVPN_Server] Peer Connection Initiated with x.x.x.x
Wed Oct 14 16:30:32 2009: TUN/TAP device /dev/tap0 opened
Wed Oct 14 16:30:32 2009: /sbin/ifconfig tap0 delete
Wed Oct 14 16:30:32 2009: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Oct 14 16:30:32 2009: /sbin/ifconfig tap0 192.168.x.x netmask 255.255.255.0 mtu 1500 up
Wed Oct 14 16:30:32 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1591 192.168.x.x 255.255.255.0 init
Wed Oct 14 16:30:33 2009: script failed: external program exited with error status: 1
Not sure if that means it was a script on the Viscosity side or the Firebox.

If you want me to post my .ovpn file, let me know if that helps.

Cheers

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Oct 15, 2009 9:56 am
Hi centit,

It looks like Viscosity's DNS support script was unable to run. Are you using the latest version of Viscosity (1.0.6)? Older versions may have issues when running under Snow Leopard.

You can also try turning off DNS support by editing your connection in Viscosity and unticking the "Enable DNS Support" checkbox. Or you could enable Alternate DNS Support by opening Viscosity's Preferences window, going to the Advanced area, and ticking "Use alternate DNS support".

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

centit

Posts: 3
Joined: Fri Oct 02, 2009 12:19 am

Post by centit » Sat Oct 31, 2009 4:56 am
James,

Just wanted to let ya know that by unchecking "Enable DNS Support", I was finally able to connect.

Everything works great except after a few connections with Viscosity the Firebox stops connecting SSL users, even the ones using the Watchguard SSL Client. Once I reboot the Firebox everything works again.

I think this is a bug on the Watchguard side and hopefully there will be a fix soon.

FYI, in case anyone else finds this post interesting: I was testing this on a Firebox 10e-W with XTM 11.0.1.

Cheers!