
Site to site VPN won't go online

Hi,

I'm currently facing a problem setting up a site to site VPN. It worked with our Sonicwall NSA 2400. With the new XG210-HA it doesn't go online.

Unfortunately the settings were changed as the old settings weren't secure enough after 6 years, so everything was set up from scratch.

Our XG connects to a UTM. We use IKEv2 and MainMode. AES256 with SHA512 and Group 16 MODP 4096 in phase 1. Same for phase 2. Encryption is done by RSA key. Settings on both sides have been double-checked.


All I ever see is


Any ideas? Thanks.



  • Jelle,

    you need to switch to IKE v1 because UTM does not support IKE v2. You can also use RED site to site with UTM:

    https://community.sophos.com/kb/en-us/125101

    Regards

  • OK, switched to IKEv1. Now I get

    "received IKE message with invalid SPI (E6AA7B1) from other side"

    Also tried 96bit truncation but that didn't change anything.

  • I also get

    parsing IKE message from xxx.xxx.xxx.xxx[500] failed

  • Jelle,

    what Firmware version are you using?

    Thanks

  • SFOS 17.0.5 MR-5 as mentioned in my signature ;-)

  • Strange. There is an issue with ipsec site to site but the error message is different. Make sure both ends match phase 1 and 2 (only networks must be reversed). If all things match, open a ticket. VPN fix is available on MR6 which is still not available.

    Let us know.

    Thanks

  • IP Version: IPv4

    Connection Type: Site-to-site

    Gateway Type: Initiate the connection

    Authentication Type: RSA key

    Local ID type: DNS

    Remote ID type DNS

    Network Address Translation (NAT): False

    User Authentication Mode: None


    Key exchange: IKEv1 (as UTM does not support IKEv2)

    Authentication Mode: MainMode

    Key Negotiation Tries: 5

    Allow Re-keying: True

    Pass Data in Compressed Format: False -> on both sides

    SHA2 with 96-bit truncation: False (tried True but didn't change anything)


    Phase 1

    Key Life: 7200 -> on both sides

    Re-key Margin: 360

    Randomize Re-Keying Margin by: 100

    DH Group (Key Group): 16 (DH4096) -> on both sides

    Encryption: AES256 -> on both sides

    Authentication: SHA 512 -> on both sides


    Phase 2

    PFS Group (DH Group): 16 (DH4096) -> on both sides

    Key Life: 3600 -> on both sides

    Encryption: AES256 -> on both sides

    Authentication: SHA 512 -> on both sides


    Dead Peer Detection: True

    Check Peer After Every: 30 seconds

    Wait for Response Up to: 120 seconds

    When Peer Unreachable: Re-initiate


    "Strict policy" is set to false on UTM


    Checked everything again. Can't find a mistake...

    Re-created RSA key which is going to be inserted tomorrow on UTM.

  • OK, here is the current log output on the other side. I masked public IPs and domain names (vpn.xxx.de).


    find_client_connection starting with S_VPN Test

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | looking for 172.16.15.1/32:0/0 -> 192.168.103.0/24:0/0

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | concrete checking against sr#0 172.16.0.0/20 -> 192.168.103.0/24

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try trying S_VPN Test:172.16.15.1/32:0/0 -> 192.168.103.0/24:0/0 vs S_VPN Test:172.16.0.0/20:0/0 -> 192.168.103.0/24:0/0

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try concluding with none [0]

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try S_VPN Test gives none

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | checking hostpair 172.16.0.0/20 -> 192.168.103.0/24 is found

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try concluding with none [0]

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | concluding with d = none

    2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: cannot respond to IPsec SA request because no connection is known for 172.16.15.1/32===90.153.xxx.xxx[vpn.site1.de]...217.91.xxx.xxx[vpn.site2.de]===192.168.103.0/24

    2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: sending encrypted notification INVALID_ID_INFORMATION to 217.91.175.146:500

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION

    2018:02:09-14:03:26 astaro-1 pluto[9739]: | next event EVENT_DPD in 3 seconds for #3961


    The VPN IDs definitely match, so I don't know why it gives me INVALID_ID_INFORMATION???

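The responder log above is the usual way this failure shows up: the responder walks its configured connection ("concrete checking against sr#0 172.16.0.0/20 -> 192.168.103.0/24"), compares it with the Phase 2 selectors the initiator actually proposed (172.16.15.1/32 -> 192.168.103.0/24), finds no exact match, and answers with INVALID_ID_INFORMATION. The "ID" in that notification is the Quick Mode client identity (the traffic selectors), not the Phase 1 DNS identity, which is why matching VPN IDs do not rule it out. The following is an added troubleshooting helper, not code from this thread or from Sophos; it assumes the pluto log format quoted above, and the sample lines are constructed with documentation addresses and hypothetical hostnames (vpn.site1.example, vpn.site2.example) in place of the masked values.

```python
import ipaddress
import re

# Constructed sample, modelled on the pluto lines quoted in the thread.
# Public IPs and IDs are placeholders, not values from any real site.
SAMPLE_LOG = """\
2018:02:09-14:03:26 astaro-1 pluto[9739]: | concrete checking against sr#0 172.16.0.0/20 -> 192.168.103.0/24
2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: cannot respond to IPsec SA request because no connection is known for 172.16.15.1/32===192.0.2.1[vpn.site1.example]...198.51.100.1[vpn.site2.example]===192.168.103.0/24
2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.1:500
"""

# The selectors the initiator proposed, as pluto prints them when no
# connection matches: local_net===local_gw[local_id]...remote_gw[remote_id]===remote_net
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): cannot respond to IPsec SA request because '
    r'no connection is known for (?P<left>[\d./]+)===(?P<lgw>[^\[\s]+)\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rgw>[^\[\s]+)\[(?P<rid>[^\]]*)\]===(?P<right>[\d./]+)'
)

# The selectors the responder has configured for the connection it is checking.
CONFIGURED_RE = re.compile(
    r'concrete checking against sr#\d+ (?P<left>[\d./]+) -> (?P<right>[\d./]+)'
)


def parse_pluto_log(text):
    """Return (proposed, configured): the initiator's proposed selectors as a dict
    (or None if no failure line is present) and a list of configured
    (local, remote) selector pairs seen in 'concrete checking' lines."""
    proposed = None
    configured = []
    for line in text.splitlines():
        m = CONFIGURED_RE.search(line)
        if m:
            configured.append((m["left"], m["right"]))
            continue
        m = NO_CONN_RE.search(line)
        if m:
            proposed = m.groupdict()
    return proposed, configured


def classify_selector(proposed_net, configured_net):
    """Compare one proposed selector with one configured selector.
    pluto's IKEv1 Quick Mode only accepts an exact match, so anything
    other than 'exact' explains an INVALID_ID_INFORMATION reply."""
    p = ipaddress.ip_network(proposed_net, strict=False)
    c = ipaddress.ip_network(configured_net, strict=False)
    if p == c:
        return "exact"
    if p.subnet_of(c):
        return "narrower"   # initiator offers a subset of what the responder expects
    if c.subnet_of(p):
        return "wider"      # initiator offers more than the responder expects
    return "disjoint"


def diagnose(text):
    """Pair the proposed selectors with each configured pair and classify both sides."""
    proposed, configured = parse_pluto_log(text)
    if proposed is None:
        return []
    return [
        {
            "configured": (cl, cr),
            "proposed": (proposed["left"], proposed["right"]),
            "local": classify_selector(proposed["left"], cl),
            "remote": classify_selector(proposed["right"], cr),
        }
        for cl, cr in configured
    ]


def explain(text):
    """Human-readable verdict for a log excerpt."""
    findings = diagnose(text)
    if not findings:
        return "no Quick Mode 'no connection is known' failure found in the log"
    out = []
    for f in findings:
        if f["local"] == "exact" and f["remote"] == "exact":
            out.append("selectors match configured %s -> %s; look at ID types or proposals instead"
                       % f["configured"])
        else:
            out.append(
                "Phase 2 selector mismatch: initiator proposed %s -> %s, responder has %s -> %s "
                "configured (local: %s, remote: %s). pluto needs an exact match in IKEv1 Quick "
                "Mode, so align the local/remote network objects on both ends."
                % (f["proposed"] + f["configured"] + (f["local"], f["remote"]))
            )
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```

Run against the sample, the helper reports that the local selector is narrower than the configured one (a /32 host offered against a /20 network), which is exactly the situation the "looking for 172.16.15.1/32 ... vs 172.16.0.0/20" lines describe; the remote side matches. That points at the local subnet definition on the initiating firewall rather than at the IDs or the RSA key.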

  • It becomes very strange now. IPsec went online and after 50 seconds it disconnected with error "parsing IKE message from 90.153.xxx.xxx[500] failed (Remote: 90.153.xxx.xxx)".

    Now it goes online now and then and after 50 seconds it disconnects with the same error... WTF???

  • Hi,


    same problem here. I have migrated a customer from SG to XG, I have configured the vpn in the same way but it doesn't work.

    If I put back online the SG the vpn works, with XG I receive the error:


    parsing IKE message from xx.xx.xxx.xxx[500] failed (Remote: xx.xx.xxx.xxx)


    XG Strikes Back??