cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
15820
Views
180
Helpful
76
Replies

RV320 OpenVPN MD5

Weber23
Level 1
Level 1

If I connect with the latest Android OpenVPN it tells me, the certificates I created with RV320 are MD5 signed. Also it tells me, that MD5 support will end April 2018.

So how else shall I create certificates for OpenVPN? The root cert uses SHA256 but the Ovpn client/server certs are created with MD5.

76 Replies 76

Cisco is aware of this since i've opened a case for this problem:
--------------------------------------------------------------------
--------------------------------------------------------------------

CSCvf35230

RV32: Request for OpenVPN Certificates to support SHA-1 and SHA-2
Symptom:
- This is a Request for OpenVPN Certificates to support SHA-1 and SHA-2 when generated on the RV32x
- Currently, they are only signed with MD5 when generated on the RV32x

Conditions:
- OpenVPN configured
- Using certificates generated on the RV32x with Certificate Generator

Workaround:
- No known workarounds at this time

Further Problem Description:

-----------------------------------------------------------------------------
-----------------------------------------------------------------------------

As you can see there's no workaround at this time, I use Fedora 27 and it won't even let me connect via OpenVPN because of this problem....
We've since replaced the RV320 with a more modern VPN-appliance.

My suggestion is that you also open a ticket with Cisco so maybe that will help speed things up a little.

Thanks for your reply, but I cannot create a ticket as I don't have a service contract. Well, if they don't want my input, I will go with a different brand.

==>

The Ubiquiti router seem to be a good alternative !

sorry ... support for weak signature is quite to the end and we need to open a ticket to Cisco so someone can look and correct this unpredictable issue?
:'( i hope Cisco Team release a new firmware for rv router BEFORE the end of march.

I've opened a case referring back to refrainfrombeinglame's bug report, and received a beta firmware to test.

I'm waiting to OK to interrupt our Internet connection, I'll report back here after I've reviewed, and (if the OpenVPN certificate is updated) reconfigured and tested the OpenVPN client on iPhone.

Confirming with the Cisco provided beta firmware that generated OpenVPN client and server certs are now signed with SHA256, and that after updating all relevant certs I could connect with my iPhone using a newly exported OVPN file.

Will test with more clients and update as I am able.

Confirming I could connect using Windows and Android OpenVPN clients using certs generated by the beta provided by Cisco, which are (automatically) signed with SHA265 rather than MD5.

Finally! Where can I get this firmware version?

I opened a case and had to sign a participation form for the beta program.

It seemed to help that I mentioned the bug report # above.

Sorry for long delay in replying to the board. Death in the family. (Just don't want to be confused with a poster who only takes but does not give back!)

 

I installed the beta FW today and can connect using OpenVPN 2.4.5 on Windows 10. I can also connect from Android. I have yet to test iPhone but will since that was the device which precipitated my need for SHA over MD5.

 

I am happy to report that none of my configuration settings were deleted or modified during the firmware update. That said, I backed up beforehand!

 

I hope everyone who needs this fix gets it soon.

Did they mention anything about a date/timeframe for general availability?

Quoting the SMB Network Engineer who worked with me:

"I’m told we’re targeting a September release, although that can change. And yes, to get a copy of the beta, they would need to open a case. It would get escalated to me or someone else on my team, and we’d send the release form just like I did with you."

@Folgers, Thank you for your many posts on this subject. I've got three clients with RV320/325 routers whose OpenVPN setups are crippled.

 

None of my clients have support contracts with Cisco. I had sent them links to purchase the routers and then I set them up at their sites. Do I need (Do you have) a formal (paid) service contract to get support and open a case?

 

If a special support contract is not needed, could you include the link to the web page where you initiated your support case? I've spent 45 minutes in a cisco.com web page loop, even signing up for the beta program, but I'm not able to find a place to enter a case.

 

Last, when you mentioned "It seemed to help that I mentioned the bug report # above," I can't seem to find "refrainfrombeinglame's bug report." Got a link or a bug report #.

 

I realize that this is likely a case of PEBCAK -- problem exists between chair and keyboard -- but if you could help me help myself despite myself, I'd really appreciate it.

 

Thank you in advance.

I do have an active support contract, and I think (but not certain) in this circumstance one is needed to open a new case. I think it's worth a try to start the process at https://mycase.cloudapps.cisco.com/case?referring_site=support_mm and see what result you get.

The bug report mentioned is CSCvf35230

Do you have a Cisco Small Business partner that you've worked with? They may be able to open a case on your behalf...

 

@Folgers

 

Thanks. I don't work with a Cisco Small Business partner. I'll see how far I get on my own with the link you provided.

 

Otherwise, I'll watch from the sidelines until a public release. (Been using PiVPN as a cheap substitute. Highly recommend it.)

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: