This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setup Site-to-Site VPN Connection

Greetings,

I am trying to setup a site-to-site VPN connection and followed the guides from Sophos. But, it keep failing. First, I have created an IPSec policy using the following configurations:

IKEv2 (Phase 1)
Key Negotiation Encryption Algorithm                    AES-256
Hashing Algorithm                                                  HMAC-SHA-512
Diffie-Hellman group                                              GR14 (2048-bit) or GR20 (384-bit EC)
Negotiation Mode                                                   Main
Lifetime Measurement                                           86400 seconds
IKE Compression                                                  Disabled
Vendor ID                                                               Disabled
Dead Peer Detection (DPD) / IKE Keepalive         Disabled

IPSec (Phase 2)
Transform Encryption + Data Integrity                   esp
Encryption Algorithm                                              AES-256
Data Integrity Hashing Algorithm                           HMAC-SHA-512
Perfect Forward Secrecy (PFS)                             Enabled (GR20)
Encapsulation Mode                                              Tunnel
Lifetime Measurement                                          7200 second

My policy as following:

To be more clear, the remote site information:

And my site information:

The IP 41.202.232.XXX is a public IP for my host who is going to use that IPSec connection. So, I had configured the IPSec connection as following:

Where:

Local subnet is the local IP address of my host.
Remote subnet which is 194.117.106.128/30
And I am doing NATing from the local host IP address to 41.202.232.XXX

This thread was automatically locked due to age.

Parents

0 Keyur over 6 years ago

Hi dbachour

Do you have Sophos XG device at Local and Remote end?

Please try to use default policy such as Head office and Branch office and for custom policy make sure Phase 1 and Phase 2 parameters should be the same at both the device end.

Please make sure IKE versions should be the same, please refer to the article and try to configure accordingly- https://community.sophos.com/kb/en-us/123140
Cancel
Vote Up 0 Vote Down

Cancel
0 dbachour over 6 years ago in reply to Keyur

Greetings,

At the remote end they are using Cisco with the share details above.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dbachour over 6 years ago in reply to Keyur

Greetings,

At the remote end they are using Cisco with the share details above.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Keyur over 6 years ago in reply to dbachour

Hi dbachour

Thank you for sharing details, please refer to the article- https://community.sophos.com/kb/en-us/127731
Cancel
Vote Up 0 Vote Down

Cancel
0 dbachour over 6 years ago in reply to Keyur

Hey,

Even those steps I have done, but at the remote site they are using in the Phase (2):

Perfect Forward Secrecy (PFS) Enabled (GR20)

So, I have set it up as above also in the OP.
Cancel
Vote Up 0 Vote Down

Cancel