Hey there!
I do have a little problem with the IPsec configuration of Sophos XG. I have been trying to do the same thing with Sophos UTM, but never got it working. I basically need a Remote Access IPsec VPN with authentication via certificates (no pre-shared keys). I've been setting up the following configuration on the IPsec section of the VPN configuration pane:
I'm using a self-generated certificate within Sophos signed by the local default CA certificate. When connecting with my Mac using the following preferences:
(Using the generated user certificate two times for Machine and User Authentication)
When connecting I do get an error - server logs below:
2018-04-08 20:20:30 31[IKE] <24> x.x.x.x is initiating a Main Mode IKE_SA
2018-04-08 20:20:30 31[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
2018-04-08 20:20:30 31[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (176 bytes)
2018-04-08 20:20:30 05[NET] <24> received packet: from x.x.x.x[500] to x.x.x.x[500] (228 bytes)
2018-04-08 20:20:30 05[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2018-04-08 20:20:30 05[IKE] <24> remote host is behind NAT
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'C=DE, ST=NA, L=NA, O=Lukas Mahl, OU=OU, CN=SophosApplianceCertificate_XXX, E=email@host.com'[x.x.x.x] - 'user@host.com'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'user@host.com'[x.x.x.x] - '(null)'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for x.x.x.x - x.x.x.x
2018-04-08 20:20:30 05[ENC] <24> generating INFORMATIONAL_V1 request 2402506184 [ N(INVAL_KE) ]
2018-04-08 20:20:30 05[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (56 bytes)
I'm confused right now as Sophos is telling me that it can't find a shared key for the specified user, which is right because I do want it to use certificates. So why doesn't it just use the certificate?
I am completely stuck at this point; I've been trying to set up a working IPsec tunnel with certificates for a few days now but have had no success so far. I must be doing something very fundamentally wrong, but unfortunately I can't find any good documentation or explanation on this topic! I'm unsure which values to use when configuring the server and when connecting with the client.
The only thing I need is a working IPsec tunnel with certificate authentication - I'd be happy if someone could help me to solve my problem or just provide me with a good and detailed documentation. Every help is greatly appreciated!
Thank you!
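A small triage script for the responder log quoted above, added here as an example (it is not code from the post, from Sophos or from the strongSwan project). It parses the charon lines, groups them per IKE_SA, pulls out the identity and address pairs the responder tried when looking for a pre-shared key, and states what that sequence means. Assumptions: the log format and wording are strongSwan's charon daemon (which Sophos XG uses for IPsec), the sample lines are the ones from the post with charon's quoting of identities restored, and the verdict text is my reading of the exchange, not a Sophos diagnostic.

```python
"""Triage a strongSwan (charon) IKEv1 responder log for a PSK-vs-certificate
authentication mismatch.  Added example for this thread; not code from the
post, from Sophos or from the strongSwan project."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the responder-side lines quoted in the post, with the
# poster's x.x.x.x redactions kept and charon's quoting of identities restored.
SAMPLE_LOG = """\
2018-04-08 20:20:30 31[IKE] <24> x.x.x.x is initiating a Main Mode IKE_SA
2018-04-08 20:20:30 31[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
2018-04-08 20:20:30 31[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (176 bytes)
2018-04-08 20:20:30 05[NET] <24> received packet: from x.x.x.x[500] to x.x.x.x[500] (228 bytes)
2018-04-08 20:20:30 05[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2018-04-08 20:20:30 05[IKE] <24> remote host is behind NAT
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'C=DE, ST=NA, L=NA, O=Lukas Mahl, OU=OU, CN=SophosApplianceCertificate_XXX, E=email@host.com'[x.x.x.x] - 'user@host.com'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'user@host.com'[x.x.x.x] - '(null)'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for x.x.x.x - x.x.x.x
2018-04-08 20:20:30 05[ENC] <24> generating INFORMATIONAL_V1 request 2402506184 [ N(INVAL_KE) ]
2018-04-08 20:20:30 05[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (56 bytes)
"""

# "<timestamp> <thread>[<group>] <<ike_sa id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<grp>[A-Z]+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
# IKEv1 logs "Main Mode"/"Aggressive Mode"; IKEv2 just says "is initiating an IKE_SA"
INIT_RE = re.compile(
    r"^(?P<peer>\S+) is initiating an? (?:(?P<mode>Main Mode|Aggressive Mode) )?IKE_SA$"
)
# charon: "no shared key found for 'me'[addr] - 'other'[addr]"; quotes are
# optional so the lines as pasted in the post (quotes dropped) parse as well
KEY_ID_RE = re.compile(
    r"^no shared key found for '?(?P<me>.*?)'?\[(?P<me_addr>[^\]]*)\] - "
    r"'?(?P<other>.*?)'?\[(?P<other_addr>[^\]]*)\]$"
)
# last-resort lookup by IP address only: "no shared key found for a.b.c.d - e.f.g.h"
KEY_ADDR_RE = re.compile(r"^no shared key found for (?P<me>\S+) - (?P<other>\S+)$")
NOTIFY_RE = re.compile(
    r"^generating INFORMATIONAL(?:_V1)? request \d+ \[ N\((?P<n>[A-Z_]+)\) \]$"
)
# charon wording when certificate/signature authentication actually runs
CERT_AUTH_RE = re.compile(
    r"^authentication of '.*' (?:with \S+ )?(?P<result>successful|failed)$"
)


@dataclass
class SaSummary:
    sa: str
    peer: Optional[str] = None
    exchange: Optional[str] = None   # "IKEv1 Main Mode", "IKEv1 Aggressive Mode" or "IKEv2"
    behind_nat: bool = False
    psk_lookups: List[Tuple[str, str]] = field(default_factory=list)  # (my id, peer id) tried
    notifies_sent: List[str] = field(default_factory=list)
    cert_auth_results: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.psk_lookups and not self.cert_auth_results:
            return (
                f"IKE_SA <{self.sa}> ({self.exchange}): the responder ran pre-shared-key "
                f"key derivation, which charon only does when the authentication method "
                f"selected for this SA is PSK-based; it tried {len(self.psk_lookups)} "
                f"identity/address pairs, found no secret and answered "
                f"{', '.join(self.notifies_sent) or 'no notify'}. Certificate "
                f"authentication never started: check which connection the responder "
                f"matched and that its authentication type is certificate, not PSK."
            )
        if self.cert_auth_results:
            return (f"IKE_SA <{self.sa}>: certificate/signature authentication ran: "
                    + ", ".join(self.cert_auth_results))
        return f"IKE_SA <{self.sa}>: no authentication failure recorded"


def parse_charon_log(text: str) -> Dict[str, SaSummary]:
    """Group charon log lines by IKE_SA id and extract the authentication-relevant events."""
    out: Dict[str, SaSummary] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line (or truncated); ignore it
        sa = out.setdefault(m["sa"], SaSummary(sa=m["sa"]))
        msg = m["msg"]
        if (im := INIT_RE.match(msg)):
            sa.peer = im["peer"]
            sa.exchange = f"IKEv1 {im['mode']}" if im["mode"] else "IKEv2"
        elif msg == "remote host is behind NAT":
            sa.behind_nat = True
        elif (km := KEY_ID_RE.match(msg) or KEY_ADDR_RE.match(msg)):
            sa.psk_lookups.append((km["me"], km["other"]))
        elif (nm := NOTIFY_RE.match(msg)):
            sa.notifies_sent.append(nm["n"])
        elif (cm := CERT_AUTH_RE.match(msg)):
            sa.cert_auth_results.append(cm["result"])
    return out


if __name__ == "__main__":
    for summary in parse_charon_log(SAMPLE_LOG).values():
        print(summary.verdict())
```

What the script cannot tell you is which connection or policy the responder picked, because charon does not log that at this level; it only shows that the SA went down the pre-shared-key path (the three lookups are the credential manager trying the identity pair, then the peer identity alone, then the bare addresses) and was torn down with INVAL_KE before any certificate request was exchanged.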