
Site to site VPN won't go online

Hi,

I'm currently facing a problem setting up a site to site VPN. It worked with our Sonicwall NSA 2400. With the new XG210-HA it doesn't go online.

Unfortunately the settings were changed as the old settings weren't secure enough after 6 years, so everything was set up from scratch.

Our XG connects to a UTM. We use IKEv2 and MainMode. AES256 with SHA512 and Group 16 MODP 4096 in phase 1. Same for phase 2. Encryption is done by RSA key. Settings on both sides have been double-checked.


All I ever see is


Any ideas? Thanks.



  • Jelle,

    you need to switch to IKE v1 because UTM does not support IKE v2. You can also use RED site to site with UTM:

    https://community.sophos.com/kb/en-us/125101

    Regards

  • OK, switched to IKEv1. Now I get

    "received IKE message with invalid SPI (E6AA7B1) from other side"

    Also tried 96bit truncation but that didn't change anything.

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

  • Hi,

    same problem here. I have migrated a customer from SG to XG and configured the VPN in the same way, but it doesn't work.

    If I put the SG back online the VPN works; with the XG I receive the error:

    parsing IKE message from xx.xx.xxx.xxx[500] failed (Remote: xx.xx.xxx.xxx)

    XG Strikes Back??

  • Finally, different settings for the remote network on both sides were responsible for the VPN tunnel not going online. After fixing it the IPsec connection goes online without issues, even after disconnecting. The new issue is that no traffic passes the connection. I read a lot of articles regarding this but nothing seems to help :(

    Regards, Jelle


  • Hi,

    in our case the password was too long, 32 characters. After changing the password to 20 characters the VPN went up.

    I hope this helps.

    Regards

  • VPN is online but I can't send data through it. Connection is not with PSK but with RSA key.

    Regards, Jelle


  • Hi Jelle,

    Could you check by adding a Remote ID and Local ID?

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Remote ID and Local ID are set via type DNS. As the VPN goes online there shouldn't be an issue with that, or what is it you would like to know? Thanks

    Regards, Jelle


  • Hi Jelle,

    Could you try with IP addresses such as 1.1.1.1 and 2.2.2.2 instead of DNS?

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Changed the VPN ID from DNS to IP address and entered the corresponding IP addresses. The IPsec connection goes online but data can't be transferred. Same as before.

    Regards, Jelle


  • Jelle,

    from XG, are you able to ping the remote site (I mean a remote device)?

    Did you run a tcpdump?

    Regards

  • Well, finally VPN is up and running!

    The issue was that, due to multiple WAN interfaces, the corresponding firewall rule had a primary gateway set. This led to the situation that packets were routed to the interface instead of to the IPsec connection inside the XG.

    Thanks to dna from Sophos who looked at the configuration and was able to find this tiny but blocking configuration error.

    Regards, Jelle

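Added example, not code from the thread or from Sophos: a small Python consistency check over the two ends of a site-to-site IPsec connection, encoding the mismatches the posts above walked through (an IKE version the UTM peer does not offer, remote networks that do not mirror the peer's local networks, unmirrored local/remote IDs, an over-long PSK). The network prefixes, ID strings and the 20-character PSK limit are constructed assumptions taken from this thread, not documented limits.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class IpsecEnd:
    """One end of a site-to-site connection as entered in its firewall GUI."""
    name: str
    ike_version: int
    proposal: str                       # phase 1/2 proposal, e.g. "AES256-SHA512-MODP4096"
    local_networks: FrozenSet[str]
    remote_networks: FrozenSet[str]
    local_id: str
    remote_id: str
    psk: Optional[str] = None           # None when the tunnel authenticates with RSA keys


MAX_PSK_LEN = 20   # assumption taken from the thread: a 32-char PSK failed, 20 chars worked


def check_pair(a: IpsecEnd, b: IpsecEnd,
               b_supported_ike: FrozenSet[int] = frozenset({1, 2})) -> List[str]:
    """Return the mismatches that would keep the tunnel down (or keep traffic off it)."""
    findings: List[str] = []
    if a.ike_version != b.ike_version:
        findings.append(f"IKE version mismatch: {a.name}=v{a.ike_version}, {b.name}=v{b.ike_version}")
    if a.ike_version not in b_supported_ike:
        findings.append(f"{b.name} does not support IKEv{a.ike_version}")
    if a.proposal != b.proposal:
        findings.append(f"proposal mismatch: {a.proposal} vs {b.proposal}")
    # Traffic selectors must mirror each other: my local networks are the peer's remote networks.
    if a.local_networks != b.remote_networks:
        findings.append(f"{b.name} remote networks {sorted(b.remote_networks)} != "
                        f"{a.name} local networks {sorted(a.local_networks)}")
    if a.remote_networks != b.local_networks:
        findings.append(f"{a.name} remote networks {sorted(a.remote_networks)} != "
                        f"{b.name} local networks {sorted(b.local_networks)}")
    if a.local_id != b.remote_id or a.remote_id != b.local_id:
        findings.append("local/remote IDs are not mirrored between the two ends")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ (or only one side uses a PSK)")
    for end in (a, b):
        if end.psk is not None and len(end.psk) > MAX_PSK_LEN:
            findings.append(f"{end.name}: PSK longer than {MAX_PSK_LEN} characters")
    return findings


def thread_scenario() -> List[str]:
    """Constructed reproduction of the thread: XG and UTM disagree on the remote network."""
    prop = "AES256-SHA512-MODP4096"
    xg = IpsecEnd("XG", 1, prop, frozenset({"10.1.0.0/24"}), frozenset({"10.2.0.0/24"}),
                  "xg.example", "utm.example")
    utm = IpsecEnd("UTM", 1, prop, frozenset({"10.2.0.0/24"}), frozenset({"10.1.0.0/16"}),
                   "utm.example", "xg.example")
    return check_pair(xg, utm, b_supported_ike=frozenset({1}))
```

The final root cause in the thread, a firewall rule whose primary gateway sent packets out a WAN interface instead of into the tunnel, is a routing problem that a configuration diff like this cannot see; that one still needs a tcpdump on the XG.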
