After SSL VPN Is Configured on the USG6620, Windows XP SP3 Can Access the Virtual Gateway Web Page But SP2 Cannot

Publication Date: 2015-10-13
Issue Description
The SSL VPN function is configured on a USG6620 that serves 1000 concurrent users. Windows XP SP3 clients can open the virtual gateway web page, but Windows XP SP2 clients cannot: when an SP2 client connects, a message is displayed indicating that the connection to the virtual gateway failed.

The Windows XP SP2 client can ping the USG6620 and can log in to its web UI with Internet Explorer 8, so network reachability is not the problem.
Handling Process
Step 1 Check the operating systems and browsers supported by the SSL VPN.

Step 2 When the Windows XP operating system is used, the USG must support the des-cbc3-sha or des-cbc-sha cipher suite (Internet Explorer on Windows XP uses the SChannel TLS 1.0 stack, which offers RSA key exchange with 3DES, DES and RC4 only). Otherwise, users cannot log in to the virtual gateway. Add the following configuration. Even after it is added, the Windows XP client with SP2 installed still cannot log in to the virtual gateway.

[sysname] v-gateway abc
[sysname-abc] basic
[sysname-abc-basic] ssl ciphersuit allciphersuit des-cbc3-sha

The virtual gateway connection failure message is displayed again, this time with an error code:

0x80096004: TRUST_E_CERT_SIGNATURE, the signature of the certificate cannot be verified.

It is therefore suspected that the terminal (browser or client) cannot verify the signature on the virtual gateway's certificate and aborts the connection. This is a certificate signature verification error, not a cipher suite negotiation error, which is why the cipher suite change in Step 2 had no effect.

Step 3 Generate a device certificate whose signature algorithm is sha1WithRSAEncryption (for example with the XCA tool) and import it to the USG6620. After that, the PC with Windows XP SP2 installed can open the virtual gateway web page in Internet Explorer and start the network extension function.
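To check which signature algorithm a device certificate actually carries before importing it (or to tell, from a certificate exported from the USG6620, whether an XP SP2 client will accept it), the following Python script is an added example; it is not part of the original case and not Huawei code. It walks the DER structure of a PEM or DER certificate with the standard library only, reports the signatureAlgorithm OID and name, and flags whether a stock Windows XP SP2 client can verify it. The certificates it builds for its own demonstration are constructed stand-ins (a minimal tbsCertificate and a dummy signature value); the parser itself works on real certificates.

```python
"""Report the signature algorithm of an X.509 certificate (PEM or DER) and flag whether a
stock Windows XP SP2 client can verify it. Standard library only; DER is walked by hand."""
import base64
import re
import sys

# OIDs that appear as X.509 signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Windows XP SP2 CryptoAPI verifies RSA signatures over MD5 and SHA-1 only: SHA-2 support
# arrived with SP3, and ECDSA certificates are not supported before Windows Vista.
XP_SP2_VERIFIABLE = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OID content octets to dotted form (base-128 arcs, high bit means continue)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _to_der(cert):
    """Accept PEM or DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert

def _alg_name(alg):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_NAMES.get(dotted, "unknown")

def signature_algorithm(cert):
    """(oid, name) of the outer signatureAlgorithm:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, outer, _ = _read_tlv(_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(outer, 0)  # skip tbsCertificate
    return _alg_name(_read_tlv(outer, pos)[1])

def xp_sp2_can_verify(cert):
    """True if a stock Windows XP SP2 client can verify this certificate's signature."""
    return signature_algorithm(cert)[1] in XP_SP2_VERIFIABLE

# Constructed samples (not real device certificates): correct outer layout, minimal tbsCertificate.
def _tlv(tag, content):
    """Minimal DER encoder for the samples; handles content lengths below 256."""
    hdr = bytes([tag, len(content)]) if len(content) < 128 else bytes([tag, 0x81, len(content)])
    return hdr + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def make_sample_cert(sig_oid, pem=False):
    """Stand-in certificate whose tbsCertificate holds only serialNumber and signature."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xff"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n" if pem else der

if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"SHA-1 sample": make_sample_cert("1.2.840.113549.1.1.5"),
                   "SHA-256 sample": make_sample_cert("1.2.840.113549.1.1.11")}
    for label, cert in samples.items():
        oid, name = signature_algorithm(cert)
        print(f"{label}: {name} ({oid}); XP SP2 can verify: {xp_sp2_can_verify(cert)}")
```

Run it with the path of the certificate exported from XCA (or from the USG6620) and confirm it reports sha1WithRSAEncryption before importing the certificate for SP2 clients; with no argument it checks its two constructed samples. The same kind of certificate can be produced without XCA, for example with `openssl req -x509 -newkey rsa:2048 -sha1 -keyout device.key -out device.crt` (the file names are placeholders).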
Root Cause
The device certificate configured for the SSL VPN on the USG6620 is signed with an algorithm that the Windows XP SP2 client cannot verify. This matches the 0x80096004 error and is consistent with the original certificate having been signed with a SHA-2 algorithm: Windows XP gained SHA-2 (SHA-256/384/512) signature support in CryptoAPI with SP3, so such a certificate is verified by SP3 clients and rejected by SP2 clients, whereas a sha1WithRSAEncryption signature is verified by both.
Solution
Use either of the following methods:

Generate a device certificate with the sha1WithRSAEncryption signature algorithm and import it to the USG6620. Treat this as a compatibility workaround only: SHA-1 is no longer considered collision-resistant, and current browsers reject certificates carrying SHA-1 signatures.

Install SP3 on the Windows XP client. This is the preferred fix, because it lets the USG6620 keep a certificate with a SHA-256 signature.

Secure Hash Algorithms (SHAs) include SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1, SHA-224, and SHA-256 apply to messages whose length does not exceed 2^64 bits; SHA-384 and SHA-512 apply to messages whose length does not exceed 2^128 bits. Only the hash used in the certificate signature matters for this issue; the hash in the negotiated cipher suite (the "sha" in des-cbc3-sha is HMAC-SHA-1 for record integrity) is unaffected.