
IPSec VPN with ddns

Hi,

I have a Sophos XG85 appliance on a connection with a static IP. I need to create a site-to-site IPsec VPN with a TP-Link router on a dynamic IP connection. If I put the router's current dynamic public IP in the "Remote gateway" field of the firewall, the VPN comes up and works correctly; if I replace the IP with the dynamic DNS name, the VPN does not work. Can anyone help me?

Thanks!



  • Site to Site implies two sites in this scenario.

    Maybe the other site causes this issue, I don't know.

    Can you extract the IPsec Log: https://community.sophos.com/kb/en-us/132211

    Maybe you notice some error there. 

  • Here is the log of the vpn connection:

    2019-09-30 12:21:45 31[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2019-09-30 12:21:45 31[CFG] loading secrets from '/_conf/ipsec/connections/VPN_Casa_Genitori.secrets'
    2019-09-30 12:21:45 31[CFG] loaded IKE secret for 192.168.255.253 cescorouter.tplinkdns.com
    2019-09-30 12:21:46 17[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2019-09-30 12:21:47 23[CFG] vici initiate 'VPN_Casa_Genitori-1'
    2019-09-30 12:21:47 13[IKE] <VPN_Casa_Genitori-1|32> initiating Main Mode IKE_SA VPN_Casa_Genitori-1[32] to 95.233.192.223
    2019-09-30 12:21:47 13[ENC] <VPN_Casa_Genitori-1|32> generating ID_PROT request 0 [ SA V V V V V V ]
    2019-09-30 12:21:47 13[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (260 bytes)
    2019-09-30 12:21:47 26[NET] <VPN_Casa_Genitori-1|32> received packet: from 95.233.192.223[500] to 192.168.255.253[500] (104 bytes)
    2019-09-30 12:21:47 26[ENC] <VPN_Casa_Genitori-1|32> parsed ID_PROT response 0 [ SA V ]
    2019-09-30 12:21:47 26[IKE] <VPN_Casa_Genitori-1|32> received DPD vendor ID
    2019-09-30 12:21:48 26[ENC] <VPN_Casa_Genitori-1|32> generating ID_PROT request 0 [ KE No ]
    2019-09-30 12:21:48 26[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (580 bytes)
    2019-09-30 12:21:52 24[IKE] <VPN_Casa_Genitori-1|32> sending retransmit 1 of request message ID 0, seq 2
    2019-09-30 12:21:52 24[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (580 bytes)
    2019-09-30 12:21:53 16[NET] <VPN_Casa_Genitori-1|32> received packet: from 95.233.192.223[500] to 192.168.255.253[500] (564 bytes)
    2019-09-30 12:21:53 16[ENC] <VPN_Casa_Genitori-1|32> parsed ID_PROT response 0 [ KE No ]
    2019-09-30 12:21:53 16[ENC] <VPN_Casa_Genitori-1|32> generating ID_PROT request 0 [ ID HASH ]
    2019-09-30 12:21:53 16[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (76 bytes)
    2019-09-30 12:21:57 13[IKE] <VPN_Casa_Genitori-1|32> sending retransmit 1 of request message ID 0, seq 3
    2019-09-30 12:21:57 13[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (76 bytes)
    2019-09-30 12:21:57 10[NET] <VPN_Casa_Genitori-1|32> received packet: from 95.233.192.223[500] to 192.168.255.253[500] (564 bytes)
    2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> received retransmit of response with ID 0, but next request already sent
    2019-09-30 12:21:57 10[NET] <VPN_Casa_Genitori-1|32> received packet: from 95.233.192.223[500] to 192.168.255.253[500] (76 bytes)
    2019-09-30 12:21:57 10[ENC] <VPN_Casa_Genitori-1|32> parsed ID_PROT response 0 [ ID HASH ]
    2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> IDir '95.233.192.223' does not match to 'cescorouter.tplinkdns.com'
    2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> deleting IKE_SA VPN_Casa_Genitori-1[32] between 192.168.255.253[192.168.255.253]...95.233.192.223[%any]
    2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> sending DELETE for IKE_SA VPN_Casa_Genitori-1[32]
    2019-09-30 12:21:57 10[ENC] <VPN_Casa_Genitori-1|32> generating INFORMATIONAL_V1 request 1896241384 [ HASH D ]
    2019-09-30 12:21:57 10[NET] <VPN_Casa_Genitori-1|32> sending packet: from 192.168.255.253[500] to 95.233.192.223[500] (92 bytes)
    2019-09-30 12:21:57 07[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (C38C089B) from other side

    I see that there is an error in the last line, but I don't know how to solve it.

  • I would say there is something wrong with the other side.

    2019-09-30 12:21:57 07[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (C38C089B) from other side

  • Actually the problem is here:

    "2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> IDir '95.233.192.223' does not match to 'cescorouter.tplinkdns.com'"

    Your TP-Link is sending your public IP, but the XG tries to connect with the configured DDNS and not the public IP resolved by the DDNS, resulting in the error.

    I have a similar case, where I have to explicitly set the routed IP address; otherwise, every time the IP address changes, I lose the VPN connection (since it is a dynamic IP and I have to explicitly set in XG what my interface IP is), like the example below.

    If you configure the Remote ID Type with the IP "95.233.192.223", the VPN should connect.

  • Yes, if I use the public IP it works. I have configured the profile with the remote ID and now it is working.

    Thank you so much!!
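The diagnosis in the thread turns on one detail of IKEv1 Main Mode: the XG (strongSwan/charon underneath) compares the peer's ID payload (IDir) literally against the configured remote identity; it does not resolve the DDNS name and compare addresses. The TP-Link sends its public IP as its ID, the XG expects the FQDN, and the SA is torn down after the DH exchange completed. The script below is an added example for this thread, not Sophos or strongSwan code: it pulls the IDir mismatch out of a charon log, checks whether the DDNS name still resolves to the address the peer sent (so you can tell "peer identifies by IP" from "stale DDNS record"), and prints the two possible fixes. The log lines are copied from the post above; the name FAKE_DNS is a constructed mapping so the demo runs offline, and the function and field names are mine.

```python
"""Triage strongSwan/charon IKEv1 Main Mode logs for remote-identity (IDir) mismatches.

Added example; not Sophos XG or strongSwan code. SAMPLE_LOG is copied from the
thread (abbreviated), FAKE_DNS is constructed so the demo runs offline; on a
real gateway pass dns_resolver instead of the FAKE_DNS lookup.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# <conn-name|IKE_SA number> prefix charon puts on every per-SA log line
CONN_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+>")
# Address the initiator actually sent the first Main Mode packet to
INIT_RE = re.compile(r"initiating Main Mode IKE_SA \S+ to (?P<peer>[0-9a-fA-F.:]+)")
# Identity check failure: ID payload received vs. identity configured
IDIR_RE = re.compile(r"IDir '(?P<received>[^']+)' does not match to '(?P<expected>[^']+)'")

SAMPLE_LOG = [  # copied from the thread's log
    "2019-09-30 12:21:47 13[IKE] <VPN_Casa_Genitori-1|32> initiating Main Mode IKE_SA VPN_Casa_Genitori-1[32] to 95.233.192.223",
    "2019-09-30 12:21:57 10[ENC] <VPN_Casa_Genitori-1|32> parsed ID_PROT response 0 [ ID HASH ]",
    "2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> IDir '95.233.192.223' does not match to 'cescorouter.tplinkdns.com'",
    "2019-09-30 12:21:57 10[IKE] <VPN_Casa_Genitori-1|32> deleting IKE_SA VPN_Casa_Genitori-1[32] between 192.168.255.253[192.168.255.253]...95.233.192.223[%any]",
]
# Constructed: what the DDNS name resolved to when the log was taken.
FAKE_DNS: Dict[str, List[str]] = {"cescorouter.tplinkdns.com": ["95.233.192.223"]}


@dataclass
class IdMismatch:
    conn: str
    peer_addr: Optional[str]  # where the packets went (DDNS already resolved)
    received_id: str          # what the peer put in its ID payload
    expected_id: str          # the remote identity the initiator was configured with


def id_kind(value: str) -> str:
    """Classify an IKE identity as 'ip' (IPv4/IPv6 literal) or 'fqdn'."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "fqdn"


def find_id_mismatches(lines: List[str]) -> List[IdMismatch]:
    """Single pass over the log, remembering the last peer address per connection."""
    peers: Dict[str, str] = {}
    found: List[IdMismatch] = []
    for line in lines:
        conn_m = CONN_RE.search(line)
        if not conn_m:
            continue  # daemon-level lines carry no <conn|id> tag
        conn = conn_m.group("conn")
        init_m = INIT_RE.search(line)
        if init_m:
            peers[conn] = init_m.group("peer")
            continue
        idir_m = IDIR_RE.search(line)
        if idir_m:
            found.append(IdMismatch(conn, peers.get(conn),
                                    idir_m.group("received"), idir_m.group("expected")))
    return found


def dns_resolver(name: str) -> List[str]:
    """Live resolver for real use; the demo swaps in FAKE_DNS to stay offline."""
    return socket.gethostbyname_ex(name)[2]


def diagnose(m: IdMismatch, resolve: Callable[[str], List[str]]) -> Dict[str, str]:
    """Explain why the literal identity compare failed and what to change."""
    kinds = (id_kind(m.received_id), id_kind(m.expected_id))
    if kinds == ("ip", "fqdn"):
        if m.received_id in resolve(m.expected_id):
            return {"cause": "peer-sends-ip-id",
                    "detail": f"{m.expected_id} resolves to {m.received_id}; the peer sends its "
                              "IP as IKE ID and the ID compare is literal, not resolved",
                    "fix": f"set Remote ID on the initiator to {m.received_id} (until the IP "
                           f"changes), or set the peer's local ID to {m.expected_id}"}
        return {"cause": "stale-ddns",
                "detail": f"{m.expected_id} does not currently resolve to {m.received_id}",
                "fix": "check the peer's DDNS update client before touching IKE settings"}
    if kinds == ("fqdn", "ip"):
        return {"cause": "peer-sends-fqdn-id",
                "detail": f"peer identifies as {m.received_id}, initiator expects an address",
                "fix": f"set Remote ID on the initiator to {m.received_id}"}
    return {"cause": "id-mismatch",
            "detail": f"received {m.received_id!r}, expected {m.expected_id!r}",
            "fix": "align local ID on the peer with Remote ID on the initiator"}


if __name__ == "__main__":
    for mismatch in find_id_mismatches(SAMPLE_LOG):
        print(mismatch.conn, diagnose(mismatch, lambda n: FAKE_DNS.get(n, [])))
```

Pinning the XG's Remote ID to the current public IP, as the original poster did, restores the tunnel only until the router's address changes (the earlier reply describes exactly that failure). The durable fix is to keep the DDNS name as the Remote ID and, if the router's IPsec settings allow it (an assumption about the TP-Link; check its local ID type options), configure the TP-Link to send that FQDN as its local identifier, so the literal compare succeeds regardless of the address.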