
Establishing IPsec VPN site-to-site between Sophos XG135 and Cyberoam CR25iNG

Salutations to the Community,

I have been trying to connect two branches of the company I work for using an IPsec site-to-site VPN. At the head office I have a Cyberoam CR25iNG, and a Sophos XG135 at the other office. I have tried the suggestions in https://community.sophos.com/kb/en-us/123600, https://community.sophos.com/kb/en-us/123138 and https://community.sophos.com/kb/en-us/127997, to no avail.

I would highly appreciate any advice on this.



  • Hi Mahammed,

    There should be a policy mismatch between the two IPsec profiles on each end. You can look at the IPsec log in the log viewer, and if you see a line that says "invalid proposal", then you need to match the two policies.

    Thanks


  • That knowledgebase article gets you 80% of the way to a working VPN, depending on your firmware and setup. I tried that over and over and it failed repeatedly because I didn't yet know the following bits.

    Once you have done that knowledgebase article step by step... then I did this:

    community.sophos.com/.../123600

    Once you have done all of that and still can't connect, you want to do two things. First, on the Cyberoam go to VPN -> Policies (you will see a rundown of all the columns for each IPsec policy; be sure to add columns to see them all, or you can choose to click on the policy your VPN is using).

    On the Sophos go to VPN -> IPsec Policies and look at the policy the VPN is using.

    THESE two policies need to be IDENTICAL. What I did was, on the Sophos, I created a new policy and made it exactly like the Cyberoam one, since the "branch head office" policy did not match the "branch remote office" policy.

    As you're doing this, you can see which part of the process is failing if you SSH into your Sophos, open the advanced shell (option 5, option 3) and look at the log with tail -f /log/charon.log (this will tell you where in the negotiation you're seeing a failure).

    So after making the two policies IDENTICAL, and changing the shared key to be identical, and all of that, I still couldn't connect until, on the Sophos, I set the key exchange to IKEv1.

    Suddenly the VPN could finally connect and all started working.

    Hope that helped.
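Both replies above come down to the same two checks: the IKE/IPsec policy on each appliance must match field by field, and charon.log (the Sophos XG tunnel daemon is strongSwan-based, which is an assumption here) tells you at which step the negotiation dies. The script below is an added example written for this thread; it is not Sophos or Cyberoam code, and the policy field names, the two sample policies and the sample log lines are all constructed for illustration. It diffs two policy definitions the way you would compare the two VPN policy pages side by side, and then scans log text for the strongSwan messages that indicate a proposal or authentication failure.

```python
"""Compare two IPsec policy definitions field by field and flag charon.log
lines that point at a proposal or authentication mismatch.

Added example for this forum thread; not Sophos or Cyberoam code. Field
names and every sample value below are constructed assumptions, not data
exported from either appliance."""
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class IpsecPolicy:
    """One IPsec policy as shown on the VPN -> Policies / IPsec Policies pages.
    The field names are an assumption made for this example."""
    key_exchange: str        # "IKEv1" or "IKEv2"
    p1_encryption: str       # phase 1 (IKE SA) cipher
    p1_authentication: str   # phase 1 integrity / PRF hash
    p1_dh_group: str         # phase 1 Diffie-Hellman group
    p1_lifetime_s: int
    p2_encryption: str       # phase 2 (ESP) cipher
    p2_authentication: str   # phase 2 integrity hash
    p2_pfs_group: str        # "none" when PFS is disabled
    p2_lifetime_s: int


def diff_policies(a, b):
    """Return (field, value_a, value_b) for every field that differs.
    Values are compared case-insensitively, so 'aes256' equals 'AES256'."""
    da, db = asdict(a), asdict(b)
    return [(f, str(da[f]), str(db[f])) for f in da
            if str(da[f]).lower() != str(db[f]).lower()]


# Standard strongSwan (charon) messages and what each one means for the
# person matching two policies. Checked in order; first match wins.
FAILURE_PATTERNS = [
    ("proposal mismatch (local)",
     re.compile(r"no acceptable proposal found")),
    ("proposal mismatch (peer rejected ours)",
     re.compile(r"NO_PROPOSAL_CHOSEN")),
    ("proposal mismatch",
     re.compile(r"invalid proposal", re.IGNORECASE)),
    ("authentication / pre-shared key",
     re.compile(r"AUTHENTICATION_FAILED|invalid HASH_V1 payload length")),
]


def classify_charon_log(text):
    """Return (line_number, label) for each log line matching a failure pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for label, pattern in FAILURE_PATTERNS:
            if pattern.search(line):
                hits.append((n, label))
                break
    return hits


# Constructed sample policies: the head office still speaks IKEv1 with DH
# group 2 and no PFS, while the branch was created with IKEv2, group 5 and PFS.
HEAD_OFFICE_CR25 = IpsecPolicy("IKEv1", "AES256", "SHA1", "group2", 28800,
                               "AES256", "SHA1", "none", 3600)
BRANCH_XG135 = IpsecPolicy("IKEv2", "AES256", "SHA1", "group5", 28800,
                           "AES256", "SHA1", "group2", 3600)

# Constructed charon.log excerpt (documentation-range addresses, sample text).
SAMPLE_CHARON_LOG = """\
12[NET] received packet: from 203.0.113.10[500] to 198.51.100.20[500] (384 bytes)
12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
12[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[IKE] no acceptable proposal found
13[IKE] received NO_PROPOSAL_CHOSEN notify error
"""


def main():
    for field, ours, theirs in diff_policies(HEAD_OFFICE_CR25, BRANCH_XG135):
        print(f"MISMATCH {field}: head office={ours} branch={theirs}")
    for n, label in classify_charon_log(SAMPLE_CHARON_LOG):
        print(f"charon.log line {n}: {label}")


if __name__ == "__main__":
    main()
```

Running it reports the three fields that differ (key exchange, phase 1 DH group, phase 2 PFS group) and tags log lines 4 and 5 as proposal mismatches; on a real box you would paste the output of tail /log/charon.log into SAMPLE_CHARON_LOG and fill the two policies from the appliance pages. Lifetimes are compared as exact values here, which matches the "IDENTICAL" advice in the reply above, although in practice a lifetime difference only causes early rekeys rather than a failed negotiation.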
