Hi All,
I am asking this question to see if any of you have come across the same thing, or even whether this setup should work.
I have just moved from UTM to XG at home and have an S2S VPN connection back to my company. My company has an SG310 UTM with the following S2S VPN configuration:
Phase 1:
- AES256/SHA2 256
- 7800s
- IKE DH Group 5
Phase 2:
- AES256/SHA2 256
- 3600s
- PFS Group 5
(the above settings will not change)
I initially configured the S2S VPN (on the XG) as follows:
I chose the Default Policy (this seemed the best fit). I ensured the Activate on Save and Create Firewall Rule boxes were ticked.
I checked that the pre-shared key was the same on both ends.
I clicked save on the XG and after a few seconds the VPN was up and running. It was up and running on both ends. I thought, great!
I went through the DNS request route for the domain at the office, all the usual stuff.
The problem was that I was getting no DNS resolution from the DNS servers at my office and was not able to ping any devices on my company network. In fact, I was getting no traffic on the SG310 at all; this initially pointed me to a firewall issue at work, but it wasn't that!
I ran through a lot of diags and finally went through the VPN config (on the XG) and found the following errors (more of an oversight really):
Phase 1:
- Keylife: 3600s
- DH Group: (6 Selected) 14, 16, 19, 21, 25, 31 (but not 5)
My issue is that although the key life is wrong, it will work; but as I understand it, the DH group setting would effectively not allow the VPN to work, yet the VPN connection stated on both sides that it was up and running.
Maybe I am missing something in the documentation on DH groups and S2S VPNs.
Why would the VPN say it is up and running when it obviously is not?
Why wasn't there a failure in the key negotiation (phase 1 or phase 2)?
Any information is going to be useful.
Thanks in advance
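As an added illustration (not part of the original post, and not Sophos code) of why a missing DH group should stop phase 1 rather than leave a tunnel reported as up: the script below models IKEv2 proposal selection as a responder performs it (RFC 7296 section 3.3) and runs it over the two configurations from the post. The transform names and the PRF value are assumptions; the ciphers, hashes and DH groups are the ones listed above.

```python
"""Worked IKEv2-style proposal negotiation for the mismatch in the post.

Constructed example for this thread: it is not Sophos code and not the
poster's configuration export.  Transform names and the PRF value are
assumptions; the ciphers, hashes and DH groups are the ones in the post.

RFC 7296 section 3.3: the responder scans the initiator's proposals in order
and accepts the first one in which every transform type it requires has at
least one offered value it also accepts.  If any required type (here the
D-H group) has no overlap, that proposal is rejected.  Lifetimes are not
negotiated in IKEv2 (section 2.8); each peer rekeys on its own timer, so a
3600 s vs 7800 s difference alone does not stop the exchange.
"""


def select_proposal(initiator_proposals, responder_accepts):
    """Return {transform_type: value} for the first usable proposal, else None.

    initiator_proposals: list of dicts, each mapping a transform type
        ("ENCR", "INTEG", "PRF", "DH") to the values offered for it.
    responder_accepts: dict mapping each transform type the responder
        requires to the values it accepts, in its own preference order.
    """
    for proposal in initiator_proposals:
        chosen = {}
        for ttype, acceptable in responder_accepts.items():
            offered = proposal.get(ttype, [])
            # The responder picks its own preferred value among those offered.
            match = next((v for v in acceptable if v in offered), None)
            if match is None:
                break           # a required type has no common value: reject
            chosen[ttype] = match
        else:                   # every required type matched
            return chosen
    return None


def mismatched_types(proposal, responder_accepts):
    """Transform types on which one proposal shares nothing with the responder."""
    return [t for t, acceptable in responder_accepts.items()
            if not set(acceptable) & set(proposal.get(t, []))]


# Office SG310 (responder) from the post.  PRF=SHA2_256 is an assumption:
# the post only lists AES256/SHA2 256 and DH group 5.
SG310_IKE = {"ENCR": ["AES256"], "INTEG": ["SHA2_256"],
             "PRF": ["SHA2_256"], "DH": [5]}
SG310_ESP = {"ENCR": ["AES256"], "INTEG": ["SHA2_256"], "DH": [5]}  # DH = PFS

# Home XG (initiator) with the DH set the poster found in the default policy.
XG_IKE_AS_POSTED = [{"ENCR": ["AES256"], "INTEG": ["SHA2_256"],
                     "PRF": ["SHA2_256"], "DH": [14, 16, 19, 21, 25, 31]}]
XG_IKE_FIXED = [dict(XG_IKE_AS_POSTED[0], DH=[14, 16, 19, 21, 25, 31, 5])]
XG_ESP_PFS5 = [{"ENCR": ["AES256"], "INTEG": ["SHA2_256"], "DH": [5]}]
XG_ESP_NO_PFS = [{"ENCR": ["AES256"], "INTEG": ["SHA2_256"]}]


def phase1_as_posted():
    return select_proposal(XG_IKE_AS_POSTED, SG310_IKE)


def phase1_fixed():
    return select_proposal(XG_IKE_FIXED, SG310_IKE)


def phase2_with_pfs5():
    return select_proposal(XG_ESP_PFS5, SG310_ESP)


def phase2_without_pfs():
    return select_proposal(XG_ESP_NO_PFS, SG310_ESP)


if __name__ == "__main__":
    print("Phase 1, XG default DH set :", phase1_as_posted())
    print("  no overlap on           :", mismatched_types(XG_IKE_AS_POSTED[0], SG310_IKE))
    print("Phase 1, DH group 5 added  :", phase1_fixed())
    print("Phase 2, PFS group 5       :", phase2_with_pfs5())
    print("Phase 2, PFS left off      :", phase2_without_pfs())
```

With the XG's default DH set the responder finds no usable proposal, so IKE_SA_INIT should fail before any keys are derived; adding group 5 to the offered list is what makes the same negotiation succeed, and leaving PFS off the phase 2 proposal fails it again because the SG310 requires a DH group there. A tunnel that both sides report as up while this check fails is worth confirming with the IKE logs on each firewall rather than trusting the status page.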