
Site to site VPN won't go online

Hi,

I'm currently facing a problem setting up a site to site VPN. It worked with our Sonicwall NSA 2400. With the new XG210-HA it doesn't go online.

Unfortunately the settings were changed as the old settings weren't secure enough after 6 years, so everything was set up from scratch.

Our XG connects to a UTM. We use IKEv2 and MainMode. AES256 with SHA512 and Group 16 MODP 4096 in phase 1. Same for phase 2. Encryption is done by RSA key. Settings on both sides have been double-checked.

 

All I ever see is

 

Any ideas? Thanks.



  • Jelle,

    you need to switch to IKE v1 because UTM does not support IKE v2. You can also use RED site to site with UTM:

    https://community.sophos.com/kb/en-us/125101

    Regards

  • OK, switched to IKEv1. Now I get

    "received IKE message with invalid SPI (E6AA7B1) from other side"

    Also tried 96bit truncation but that didn't change anything.

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • I also get

    parsing IKE message from xxx.xxx.xxx.xxx[500] failed

    Regards, Jelle


  • Jelle,

    what Firmware version are you using?

    Thanks

  • SFOS 17.0.5 MR-5 as mentioned in my signature ;-)

    Regards, Jelle


  • Strange. There is an issue with ipsec site to site but the error message is different. Make sure both ends match phase 1 and 2 (only networks must be reversed). If all things match, open a ticket. VPN fix is available on MR6 which is still not available.

    Let us know.

    Thanks

  • IP Version: IPv4
    Connection Type: Site-to-site
    Gateway Type: Initiate the connection
    Authentication Type: RSA key
    Local ID type: DNS
    Remote ID type: DNS
    Network Address Translation (NAT): False
    User Authentication Mode: None

    Key exchange: IKEv1 (as UTM does not support IKEv2)
    Authentication Mode: MainMode
    Key Negotiation Tries: 5
    Allow Re-keying: True
    Pass Data in Compressed Format: False -> on both sides
    SHA2 with 96-bit truncation: False (tried True but didn't change anything)

    Phase 1
    Key Life: 7200 -> on both sides
    Re-key Margin: 360
    Randomize Re-Keying Margin by: 100
    DH Group (Key Group): 16 (DH4096) -> on both sides
    Encryption: AES256 -> on both sides
    Authentication: SHA 512 -> on both sides

    Phase 2
    PFS Group (DH Group): 16 (DH4096) -> on both sides
    Key Life: 3600 -> on both sides
    Encryption: AES256 -> on both sides
    Authentication: SHA 512 -> on both sides

    Dead Peer Detection: True
    Check Peer After Every: 30 seconds
    Wait for Response Up to: 120 seconds
    When Peer Unreachable: Re-initiate

    "Strict policy" is set to false on UTM

    Checked everything again. Can't find a mistake...

    Re-created RSA key which is going to be inserted tomorrow on UTM.

    Regards, Jelle


  • OK, here is the current log output on the other side. I masked public IPs and domain names (vpn.xxx.de).

     

    find_client_connection starting with S_VPN Test
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | looking for 172.16.15.1/32:0/0 -> 192.168.103.0/24:0/0
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | concrete checking against sr#0 172.16.0.0/20 -> 192.168.103.0/24
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try trying S_VPN Test:172.16.15.1/32:0/0 -> 192.168.103.0/24:0/0 vs S_VPN Test:172.16.0.0/20:0/0 -> 192.168.103.0/24:0/0
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try concluding with none [0]
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try S_VPN Test gives none
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | checking hostpair 172.16.0.0/20 -> 192.168.103.0/24 is found
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try concluding with none [0]
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | concluding with d = none
    2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: cannot respond to IPsec SA request because no connection is known for 172.16.15.1/32===90.153.xxx.xxx[vpn.site1.de]...217.91.xxx.xxx[vpn.site2.de]===192.168.103.0/24
    2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: sending encrypted notification INVALID_ID_INFORMATION to 217.91.175.146:500
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
    2018:02:09-14:03:26 astaro-1 pluto[9739]: | next event EVENT_DPD in 3 seconds for #3961

    The VPN IDs definitely match, so I don't know why it gives me INVALID_ID_INFORMATION???

    Regards, Jelle


  • It becomes very strange now. IPsec went online and after 50 seconds it disconnected with error "parsing IKE message from 90.153.xxx.xxx[500] failed (Remote: 90.153.xxx.xxx)".

    Now it goes online now and then and after 50 seconds it disconnects with the same error... WTF???

    Regards, Jelle


  • Hi,

    same problem here. I have migrated a customer from SG to XG, I have configured the VPN in the same way but it doesn't work.

    If I put the SG back online the VPN works; with XG I receive the error:

    parsing IKE message from xx.xx.xxx.xxx[500] failed (Remote: xx.xx.xxx.xxx)

    XG Strikes Back??

  • Finally, different settings for the remote network on both sides were responsible that the VPN tunnel didn't go online. After fixing it the IPsec connection goes online without issues, even after disconnecting. The new issue is that no traffic passes the connection. I read a lot of articles regarding this but nothing seems to help :(

    Regards, Jelle

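Added example, not code from the thread, from Jelle or from Sophos: a small Python checker for the problem behind the pluto log posted above (INVALID_ID_INFORMATION) and the "different settings for the remote network" that turned out to be the cause. It assumes the pluto log format shown in the thread; in the constructed sample log the masked octets are replaced with RFC 5737 documentation addresses, while the network values are the ones from the posted log. The function and constant names are the example's own.

```python
"""Check IKEv1 Quick Mode traffic selectors from a pluto log.

'looking for A -> B' is what the peer proposed, 'concrete checking against
sr#N A -> B' is what this (responding) side has configured.  IKEv1 has no
selector narrowing (an IKEv2 feature), so the two must match exactly; the
responder otherwise reports 'no connection is known for ...' and sends
INVALID_ID_INFORMATION, as in the log quoted above.
"""
import ipaddress
import re

# Constructed sample modelled on the pluto lines posted in this thread.  The
# masked octets are replaced with documentation addresses (198.51.100.1 and
# 203.0.113.2) so the lines parse; the networks are those from the posted log.
SAMPLE_LOG = """\
2018:02:09-14:03:26 astaro-1 pluto[9739]: | looking for 172.16.15.1/32:0/0 -> 192.168.103.0/24:0/0
2018:02:09-14:03:26 astaro-1 pluto[9739]: | concrete checking against sr#0 172.16.0.0/20 -> 192.168.103.0/24
2018:02:09-14:03:26 astaro-1 pluto[9739]: | fc_try concluding with none [0]
2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: cannot respond to IPsec SA request because no connection is known for 172.16.15.1/32===198.51.100.1[vpn.site1.de]...203.0.113.2[vpn.site2.de]===192.168.103.0/24
2018:02:09-14:03:26 astaro-1 pluto[9739]: "S_VPN Test" #3963: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.2:500
"""

LOOKING_RE = re.compile(r"looking for (\S+?):\S+ -> (\S+?):\S+")
CONFIGURED_RE = re.compile(r"concrete checking against sr#\d+ (\S+) -> (\S+)")
NOTIFY_RE = re.compile(r"sending encrypted notification (\w+) to")


def parse_pluto(log):
    """Return (proposed, configured): lists of (local, remote) ip_network pairs
    as seen by the responder."""
    proposed, configured = [], []
    for line in log.splitlines():
        m = LOOKING_RE.search(line)
        if m:
            proposed.append(tuple(ipaddress.ip_network(g) for g in m.groups()))
            continue
        m = CONFIGURED_RE.search(line)
        if m:
            configured.append(tuple(ipaddress.ip_network(g) for g in m.groups()))
    return proposed, configured


def notifications(log):
    """Notification types the responder sent back to the peer, in log order."""
    return [m.group(1) for m in (NOTIFY_RE.search(l) for l in log.splitlines()) if m]


def compare_selector(proposed, configured):
    """Classify one proposed selector against the configured one.  Only 'ok'
    lets an IKEv1 responder find the connection; a /32 host inside a
    configured /20 is still 'narrower' and is refused."""
    if proposed == configured:
        return "ok"
    if proposed.subnet_of(configured):
        return "narrower"
    if configured.subnet_of(proposed):
        return "wider"
    return "disjoint"


def diagnose(log):
    """One finding per (proposed, configured) pair, with string results."""
    proposed, configured = parse_pluto(log)
    return [
        {
            "proposed": f"{p_local} -> {p_remote}",
            "configured": f"{c_local} -> {c_remote}",
            "local": compare_selector(p_local, c_local),
            "remote": compare_selector(p_remote, c_remote),
        }
        for p_local, p_remote in proposed
        for c_local, c_remote in configured
    ]


def mirror_check(side_a, side_b):
    """True when side B's (local, remote) networks are exactly the reverse of
    side A's, which is what 'only networks must be reversed' above requires."""
    a_local, a_remote = (ipaddress.ip_network(n) for n in side_a)
    b_local, b_remote = (ipaddress.ip_network(n) for n in side_b)
    return a_local == b_remote and a_remote == b_local


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
    print("notifications:", notifications(SAMPLE_LOG))
    # Constructed pair of configurations: the responder's subnet vs a peer
    # whose remote network is a single host of it.
    print("mirror:", mirror_check(("172.16.0.0/20", "192.168.103.0/24"),
                                   ("192.168.103.0/24", "172.16.15.1/32")))
```

Run against the sample, diagnose() reports the local selector as "narrower" (172.16.15.1/32 proposed where 172.16.0.0/20 is configured) and the remote one as "ok", which is exactly why fc_try concludes with none even though the host lies inside the configured network. The fix is the one the thread arrived at: make each side's remote network object equal to the other side's local network, and mirror_check() is a quick sanity test of that before bringing the tunnel up.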

  • Hi,

    in our case the password was too long, 32 characters. After changing the password to 20 characters the VPN went up.

    I hope this helps.

    Regards

  • VPN is online but I can't send data through it. Connection is not with PSK but with RSA key.

    Regards, Jelle


  • Hi Jelle,

    Could you check by adding Remote ID and Local ID?

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Remote ID and Local ID are set via type DNS. As VPN goes online there shouldn't be an issue with that or what is it you would like to know? Thanks

    Regards, Jelle


  • Hi Jelle,

    Could you try with IP addresses such as 1.1.1.1 and 2.2.2.2 instead of DNS?

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Changed VPN-ID from DNS to IP-Address and entered the corresponding IP addresses. IPsec connection goes online but data can't be transferred. Same as before.

    Regards, Jelle


  • Jelle,

    from XG, are you able to ping the remote site (I mean a remote device)?

    Did you run a tcpdump ?

    Regards

  • Well, finally VPN is up and running!

    The issue was that, due to multiple WAN interfaces, the corresponding firewall rule had a primary gateway set. This led to the situation that packets were routed to the interface instead of to the IPsec connection inside the XG.

    Thanks to dna from Sophos who looked at the configuration and was able to find this tiny but blocking configuration error.

    Regards, Jelle
