Site to site VPN won't go online

Jelle,

you need to switch to IKE v1 because UTM does not support IKE v2. You can also use RED site to site with UTM:

https://community.sophos.com/kb/en-us/125101

Regards

OK, switched to IKEv1. Now I get

"received IKE message with invalid SPI (E6AA7B1) from other side"

Also tried 96bit truncation but that didn't change anything.

It becomes very strange now. IPsec went online and after 50 seconds it disconnected with error "parsing IKE message from 90.153.xxx.xxx[500] failed (Remote: 90.153.xxx.xxx)".

Now it goes online now and then and after 50 seconds it disconnects with the same error... WTF???

Hi,

same problem here. I have migrated a customer from SG to XG, I have configured the vpn in the same way but it doesn't works.

If I put back online the SG the vpn works, with XG i receive the error:

parsing IKE message from xx.xx.xxx.xxx[500] failed (Remote: xx.xx.xxx.xxx)

XG Strikes Back??

Finally different settings for the remote network on both sides where responsible that the vpn tunnel didn't go online. After fixing it the IPsec connection goes online without issues, even after disconnecting. The new issue is that no traffic passes the connection. I read a lot of articles regarding this but nothing seems to help :(

Hi,

in our case was the password too long, 32 characters. Changing the password up to 20 characters the vpn went up.

I hope this help.

Regards

VPN is online but I can't send data through it. Connection is not with PSK but with RSA key.

Hi Jelle,

Could you check by adding Remote ID and Local ID.

Remote ID and Local ID are set via type DNS. As VPN goes online there shouldn't be an issue with that or what is it you would like to know? Thanks

Hi Jelle,

Could you try with IPaddress such as 1.1.1.1 and 2.2.2.2 instead of DNS.

Changed VPN-ID from DNS to IP-Address and entered the corresponding IP addresses. IPsec connection goes online but data can't be transferred. Same as before.

Jelle,

from XG, are you able to ping the remote site (I mean a remote device)?

Did you run a tcpdump ?

Regards

Jelle,

from XG, are you able to ping the remote site (I mean a remote device)?

Did you run a tcpdump ?

Regards

Well, finally VPN is up and running!

The issue was that due to multiple WAN interfaces the corresponding firewall rule had a primary gateway set. This led to the situation that packets were routed to the interface instead to the ipsec connection inside the XG.

Thanks to dna from Sophos who looked at the configuration and was able to find this tiny but blocking configuration error