
IPSec Tunnel with Certificates

Hey there!

I have a little problem with the IPsec configuration of Sophos XG. I have been trying to do the same thing with Sophos UTM, but never got it working. I basically need a Remote Access IPsec VPN with authentication via certificates (no pre-shared keys). I've been setting up the following configuration in the IPsec section of the VPN configuration pane:

I'm using a self-generated certificate within Sophos signed by the local default CA certificate. When connecting with my Mac using the following preferences:

(Using the generated user certificate two times for Machine and User Authentication)

When connecting I do get an error - server logs below:

2018-04-08 20:20:30 31[IKE] <24> x.x.x.x is initiating a Main Mode IKE_SA
2018-04-08 20:20:30 31[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
2018-04-08 20:20:30 31[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (176 bytes)
2018-04-08 20:20:30 05[NET] <24> received packet: from x.x.x.x[500] to x.x.x.x[500] (228 bytes)
2018-04-08 20:20:30 05[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2018-04-08 20:20:30 05[IKE] <24> remote host is behind NAT
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'C=DE, ST=NA, L=NA, O=Lukas Mahl, OU=OU, CN=SophosApplianceCertificate_XXX, E=email@host.com[x.x.x.x] - 'user@host.com[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'user@host.com[x.x.x.x] - '(null)'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for x.x.x.x - x.x.x.x
2018-04-08 20:20:30 05[ENC] <24> generating INFORMATIONAL_V1 request 2402506184 [ N(INVAL_KE) ]
2018-04-08 20:20:30 05[NET] <24> sending packet: from x.x.x.x[500] to x.x.x.x[500] (56 bytes)

I'm confused right now, as Sophos is telling me that it can't find a shared key for the specified user, which is correct because I want it to use certificates. So why doesn't it just use the certificate?

I am completely stuck at this point. I've been trying to set up a working IPsec tunnel with certificates for a few days now, but have had no success so far. I must be doing something very fundamentally wrong, but unfortunately I can't find any good documentation or explanation on this topic. I'm unsure which values to use when configuring the server and when connecting with the client.

The only thing I need is a working IPsec tunnel with certificate authentication. I'd be happy if someone could help me solve my problem or just provide me with good, detailed documentation. Any help is greatly appreciated!

Thank you!
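The log quoted in the post is in the format of strongSwan's charon daemon, and the telling part is the sequence "initiating a Main Mode IKE_SA" followed by several "no shared key found" lookups and an INFORMATIONAL_V1 carrying N(INVAL_KE) (INVALID_KEY_INFORMATION). In charon's IKEv1 Main Mode handling, a pre-shared-key lookup is only attempted when the IKE_SA proposal the responder accepted uses PSK authentication, so the certificates configured on either side were never consulted; the thing to check is which authentication type the client offers and the server policy accepts, not the certificate itself. The following triage script is an added example, not code from the original post or from Sophos: it groups charon lines by IKE_SA id, records the authentication-related facts, and assigns each IKE_SA a diagnosis code. It assumes the log format shown in the post; IKE_SA <25>, the "authentication of ... with RSA signature successful" line, and the address 203.0.113.9 are constructed for contrast and do not come from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log. IKE_SA <24> is modelled on the charon output quoted
# in the post; IKE_SA <25> is an invented peer that authenticates with a
# certificate, included only for contrast.
SAMPLE_LOG = """\
2018-04-08 20:20:30 31[IKE] <24> x.x.x.x is initiating a Main Mode IKE_SA
2018-04-08 20:20:30 31[ENC] <24> generating ID_PROT response 0 [ SA V V V V V ]
2018-04-08 20:20:30 05[ENC] <24> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2018-04-08 20:20:30 05[IKE] <24> remote host is behind NAT
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'C=DE, O=Example, CN=SophosApplianceCertificate_XXX[x.x.x.x] - 'user@host.com[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for 'user@host.com[x.x.x.x] - '(null)'[x.x.x.x]
2018-04-08 20:20:30 05[IKE] <24> no shared key found for x.x.x.x - x.x.x.x
2018-04-08 20:20:30 05[ENC] <24> generating INFORMATIONAL_V1 request 2402506184 [ N(INVAL_KE) ]
2018-04-08 20:21:02 07[IKE] <25> 203.0.113.9 is initiating a Main Mode IKE_SA
2018-04-08 20:21:02 07[IKE] <25> remote host is behind NAT
2018-04-08 20:21:02 07[IKE] <25> authentication of 'CN=laptop.example.test' with RSA signature successful
"""

# One charon line: "<date> <time> <thread>[<subsystem>] <<sa-id>> <message>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
INITIATE_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA$")
NO_PSK_RE = re.compile(r"^no shared key found for (?P<ids>.+)$")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")
CERT_OK_RE = re.compile(r"^authentication of '(?P<id>[^']+)' with (?P<method>.+) successful$")


@dataclass
class IkeSaTrace:
    """Everything learned about one IKE_SA (the <n> tag) from the log."""
    sa_id: str
    peer: Optional[str] = None
    mode: Optional[str] = None          # "Main" or "Aggressive" (IKEv1 only)
    behind_nat: bool = False
    psk_lookups_failed: List[str] = field(default_factory=list)  # identity pairs tried
    notifies_sent: List[str] = field(default_factory=list)       # e.g. INVAL_KE
    cert_auth_ok: Optional[str] = None  # identity that authenticated with a signature


def build_traces(lines: Iterable[str]) -> Dict[str, IkeSaTrace]:
    """Group charon lines by IKE_SA id and pull out the facts diagnose() needs."""
    traces: Dict[str, IkeSaTrace] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # not a charon line in the expected format
        trace = traces.setdefault(m["sa"], IkeSaTrace(sa_id=m["sa"]))
        msg = m["msg"]
        init = INITIATE_RE.match(msg)
        psk = NO_PSK_RE.match(msg)
        cert = CERT_OK_RE.match(msg)
        if init:
            trace.peer, trace.mode = init["peer"], init["mode"]
        elif msg == "remote host is behind NAT":
            trace.behind_nat = True
        elif psk:
            trace.psk_lookups_failed.append(psk["ids"])
        elif msg.startswith("generating") and "INFORMATIONAL" in msg:
            trace.notifies_sent.extend(NOTIFY_RE.findall(msg))
        elif cert:
            trace.cert_auth_ok = cert["id"]
    return traces


def diagnose(trace: IkeSaTrace) -> Tuple[str, str]:
    """Return (code, explanation) for one IKE_SA."""
    if trace.psk_lookups_failed and "INVAL_KE" in trace.notifies_sent:
        return (
            "psk-negotiated",
            f"IKE_SA {trace.sa_id} from {trace.peer}: charon tried {len(trace.psk_lookups_failed)} "
            f"pre-shared-key lookups and answered INVALID_KEY_INFORMATION. In IKEv1 ({trace.mode} Mode) "
            "that lookup only happens when the accepted proposal uses PSK authentication, so no "
            "certificate was consulted; check the authentication type the client offers and the "
            "server policy accepts.",
        )
    if trace.cert_auth_ok:
        return ("cert-auth-ok", f"IKE_SA {trace.sa_id}: peer '{trace.cert_auth_ok}' authenticated with a signature.")
    return ("inconclusive", f"IKE_SA {trace.sa_id}: no authentication outcome in the captured lines.")


def summarize(log_text: str) -> Dict[str, str]:
    """Map each IKE_SA id to its diagnosis code, for quick triage of a whole log."""
    return {sa: diagnose(t)[0] for sa, t in build_traces(log_text.splitlines()).items()}


if __name__ == "__main__":
    for sa, trace in build_traces(SAMPLE_LOG.splitlines()).items():
        code, why = diagnose(trace)
        print(f"[{code}] {why}")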


