
IPSec Tunnel between Azure-XG to AWS-SG

Hi Guys
Another issue with an IPSec tunnel I am now facing. I've followed this documentation from the Sophos community to set up the IPSec tunnel on both XG and SG. UTM is not connecting for a strange reason.

https://community.sophos.com/kb/en-us/126628

I have enabled DPD on both FWs

2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588084: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588084: starting keying attempt 6 of an unlimited number
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: initiating Main Mode to replace #588084
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [XAUTH]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [Dead Peer Detection]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: ignoring Vendor ID payload [Cisco-Unity]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [RFC 3947]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: enabling possible NAT-traversal with method 3
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: NAT-Traversal: Result using RFC 3947: both are NATed
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: ignoring informational payload, type AUTHENTICATION_FAILED
2020:03:13-09:44:53 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Any idea what it might be? I have several IPSec tunnels running on UTM with different PSKs.



This thread was automatically locked due to age.
  • Hi  

    Are you using "*" in the remote gateway configuration in UTM or XG?

    In UTM, please go to Advanced settings and enable probe PSK option.

    Please also check the PFS configuration in XG and UTM.

  • Are you using "*" in the remote gateway configuration in UTM or XG?

    No. I use FW's Public IP.

    In UTM, please go to Advanced settings and enable probe PSK option.

    I have it enabled already.

    Please also check the PFS configuration in XG and UTM.

    PFS config on both is the same. I followed the config settings as per the document.

  • getting this error now (after fixing the LAN IP)

    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [XAUTH]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [Dead Peer Detection]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring Vendor ID payload [Cisco-Unity]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [RFC 3947]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: enabling possible NAT-traversal with method 3
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: NAT-Traversal: Result using RFC 3947: both are NATed
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring informational payload, type AUTHENTICATION_FAILED
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: responding to Main Mode
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: NAT-Traversal: Result using RFC 3947: both are NATed
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: Peer ID is ID_IPV4_ADDR: '10.10.254.4'
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: no suitable connection for peer '10.10.254.4'
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: sending encrypted notification INVALID_ID_INFORMATION to 51.107.79.75:4500
    10.10.254.4 is the XG's private IP. Should I use this as the VPN ID on both FWs? What could be the issue? 51.107.79.75 is the XG's public IP.

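The log above shows two distinct signatures: the outbound SA (#588646) gets AUTHENTICATION_FAILED back, and the inbound SA (#588648) is dropped because the peer identifies itself with its private address (10.10.254.4) while its packets arrive from the public address (51.107.79.75). As an added example (not part of this thread or any Sophos tool), here is a small Python checker that parses pluto log lines and flags both conditions; the sample lines are constructed copies of the ones quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the thread above.
SAMPLE_LOG = """\
2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring informational payload, type AUTHENTICATION_FAILED
2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: responding to Main Mode
2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: NAT-Traversal: Result using RFC 3947: both are NATed
2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: Peer ID is ID_IPV4_ADDR: '10.10.254.4'
2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: no suitable connection for peer '10.10.254.4'
2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: sending encrypted notification INVALID_ID_INFORMATION to 51.107.79.75:4500
"""

# timestamp host pluto[pid]: "connection" #sa: message
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse(log_text):
    """Group pluto messages by (connection name, ISAKMP SA number)."""
    sas = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sas[(m["conn"], int(m["sa"]))].append(m["msg"])
    return sas

def diagnose(log_text):
    """Return (conn, sa, finding) tuples for known IKEv1 Main Mode failure signatures."""
    findings = []
    for (conn, sa), msgs in sorted(parse(log_text).items()):
        peer_id = src = None
        for msg in msgs:
            if m := re.search(r"Peer ID is ID_IPV4_ADDR: '([^']+)'", msg):
                peer_id = m.group(1)          # identity the peer claims in Main Mode
            elif m := re.search(r"INVALID_ID_INFORMATION to ([\d.]+):\d+", msg):
                src = m.group(1)              # address the peer's packets actually come from
            elif "AUTHENTICATION_FAILED" in msg:
                findings.append((conn, sa, "peer rejected our authentication: PSK or ID mismatch on the remote side"))
            elif "STATE_MAIN_I3" in msg and "Possible authentication failure" in msg:
                findings.append((conn, sa, "no reply to first encrypted Main Mode message: PSK/ID mismatch or peer dropping"))
        if peer_id and src and peer_id != src:
            # Peer is behind NAT: it authenticates as its private IP, but the UTM only has a
            # connection keyed on the public IP, so no connection matches and the SA is rejected.
            findings.append((conn, sa, f"ID mismatch: peer behind NAT identifies as {peer_id} but packets arrive from {src}; "
                                       f"check that the remote gateway VPN ID on this side matches {peer_id} "
                                       f"(or that the peer's local ID is set to {src})"))
    return findings

if __name__ == "__main__":
    for conn, sa, finding in diagnose(SAMPLE_LOG):
        print(f'"{conn}" #{sa}: {finding}')
```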