
IPsec with IPv6 only tunnel to UTM with one-sided routing problems

Hello Community,

I have a strange problem. I have a successfully established IPsec connection between a UTM and an XG firewall. Both products have the latest firmware: UTM with 9.705-3 and the XG with SFOS 18.0.3 MR-3. The IPsec connection is established exclusively via IPv6.
When I send a ping from the XG to a server in the zone of the UTM, I have 100% packet loss - tested via "Diagnostics" -> "Tools" -> "Ping". If I test the address via "Diagnostics" -> "Tools" -> "Route lookup", it also says correctly: "IPv6 is located on the ipsec0. IPv6 is not behind a router".
If I use a ping from the UTM to a server in the XG network via "Support" -> "Tools" -> "Ping Check", all pings arrive (0% packet loss). Only when the ping from the UTM to the XG was successful can I now also ping successfully from the XG to the UTM. However, this only works for about 5 to 15 minutes (if no other traffic is active via the IPsec tunnel during this time). After that, no connection is possible from the XG to the UTM. Only when I send a ping from the UTM to the XG does it work again temporarily.
I have been trying for days to find out where the error is, with the XG or with the UTM, and have also tried to enter static routes, unfortunately without success. What have I overlooked or where do I have to look to find the error?

Greetings
Jan



  • Hello JanZa,

    Thank you for contacting the Sophos Community!

    Can you try enabling SHA2 with 96-bit truncation on the XG and on the UTM?

    XG go to Configure>> VPN >> IPsec Policies >> your policy >> SHA2 with 96-bit truncation

    UTM go to Site-to-Site VPN >> IPsec >> Policies >> your policy >> IPsec authentication algorithm >> SHA2 with 96-bit truncation

    Regards,

  • Hello Emmanuel,

    UTM does not have such an option. Instead, it is now set like this:

      

    Now I can't get any connection at all between the two sites. The log of the UTM shows:

    2020:12:15-23:34:19 zsophos ipsec_starter[11784]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2020:12:15-23:34:19 zsophos pluto[11797]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2020:12:15-23:34:19 zsophos ipsec_starter[11790]: pluto (11797) started after 20 ms
    2020:12:15-23:34:20 zsophos pluto[11797]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2020:12:15-23:34:20 zsophos pluto[11797]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2020:12:15-23:34:20 zsophos pluto[11797]: Using Linux 2.6 IPsec interface code
    2020:12:15-23:34:20 zsophos pluto[11797]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2020:12:15-23:34:20 zsophos pluto[11797]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Sun Oct 4 21:34:19 2015).pem'
    2020:12:15-23:34:20 zsophos pluto[11797]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2020:12:15-23:34:20 zsophos pluto[11797]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2020:12:15-23:34:20 zsophos pluto[11797]: Changing to directory '/etc/ipsec.d/crls'
    2020:12:15-23:34:20 zsophos pluto[11797]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.14/eth0.14 192.168.14.2:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.76/eth0.76 192.168.76.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.75/eth0.75 192.168.75.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.15/eth0.15 192.168.15.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.65/eth0.65 192.168.65.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth1.55/eth1.55 192.168.55.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth1.25/eth1.25 192.168.25.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.16/eth0.16 192.168.16.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.35/eth0.35 192.168.35.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth3/eth3 192.168.1.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth1/eth1 192.168.179.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface lo/lo 127.0.0.1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.35/eth0.35 2a02:908:2a40:7bde:203:2dff:fe27:fac3:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth1.25/eth1.25 2a02:908:2a40:7bdd:203:2dff:fe27:fac4:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.75/eth0.75 2a02:908:2a40:7bdc:203:2dff:fe27:fac5:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface eth0.14/eth0.14 2a02:908:2a40:7bc0:203:2dff:fe27:fac2:500
    2020:12:15-23:34:20 zsophos pluto[11797]: adding interface lo/lo ::1:500
    2020:12:15-23:34:20 zsophos pluto[11797]: loading secrets from "/etc/ipsec.secrets"
    2020:12:15-23:34:20 zsophos pluto[11797]: listening for IKE messages
    2020:12:15-23:34:20 zsophos pluto[11797]: added connection description "S_Perilex"
    2020:12:15-23:34:20 zsophos pluto[11797]: "S_Perilex" #1: initiating Main Mode
    2020:12:15-23:34:20 zsophos pluto[11797]: ERROR: "S_Perilex" #1: sendto on eth0.14 to 2a02:908:2a44:8be0:201:2eff:fe78:3368:500 failed in main_outI1. Errno 1: Operation not permitted
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: received Vendor ID payload [XAUTH]
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: received Vendor ID payload [Dead Peer Detection]
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: ignoring Vendor ID payload [Cisco-Unity]
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: we don't have a cert
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: Peer ID is ID_IPV6_ADDR: '2a02:908:2a44:8be0:201:2eff:fe78:3368'
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: Dead Peer Detection (RFC 3706) enabled
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: ISAKMP SA established
    2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    2020:12:15-23:34:31 zsophos pluto[11797]: "S_Perilex" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2020:12:15-23:35:01 zsophos pluto[11797]: "S_Perilex" #1: ignoring informational payload, type PAYLOAD_MALFORMED 

    The log on XG only shows this:

    • parsing IKE message from 2a02:908:2a40:7bc0:203:2dff:fe27:fac2[500] failed
    • received IKE message with invalid SPI (E42431E0) from other side

    Any ideas?



    Personal information deleted
    [edited by: JanZa at 10:40 PM (GMT -8) on 15 Dec 2020]
  • With this UTM config the connection is established, but the same error occurs on ping:

    Log entry:

    2020:12:15-23:46:12 zsophos ipsec_starter[13688]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2020:12:15-23:46:12 zsophos pluto[13701]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2020:12:15-23:46:12 zsophos ipsec_starter[13694]: pluto (13701) started after 20 ms
    2020:12:15-23:46:12 zsophos pluto[13701]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2020:12:15-23:46:12 zsophos pluto[13701]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2020:12:15-23:46:12 zsophos pluto[13701]: Using Linux 2.6 IPsec interface code
    2020:12:15-23:46:13 zsophos pluto[13701]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2020:12:15-23:46:13 zsophos pluto[13701]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Sun Oct 4 21:34:19 2015).pem'
    2020:12:15-23:46:13 zsophos pluto[13701]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2020:12:15-23:46:13 zsophos pluto[13701]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2020:12:15-23:46:13 zsophos pluto[13701]: Changing to directory '/etc/ipsec.d/crls'
    2020:12:15-23:46:13 zsophos pluto[13701]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.14/eth0.14 192.168.14.2:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.76/eth0.76 192.168.76.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.75/eth0.75 192.168.75.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.15/eth0.15 192.168.15.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.65/eth0.65 192.168.65.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth1.55/eth1.55 192.168.55.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth1.25/eth1.25 192.168.25.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.16/eth0.16 192.168.16.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.35/eth0.35 192.168.35.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth3/eth3 192.168.1.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth1/eth1 192.168.179.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface lo/lo 127.0.0.1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.35/eth0.35 2a02:908:2a40:7bde:203:2dff:fe27:fac3:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth1.25/eth1.25 2a02:908:2a40:7bdd:203:2dff:fe27:fac4:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.75/eth0.75 2a02:908:2a40:7bdc:203:2dff:fe27:fac5:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface eth0.14/eth0.14 2a02:908:2a40:7bc0:203:2dff:fe27:fac2:500
    2020:12:15-23:46:13 zsophos pluto[13701]: adding interface lo/lo ::1:500
    2020:12:15-23:46:13 zsophos pluto[13701]: loading secrets from "/etc/ipsec.secrets"
    2020:12:15-23:46:13 zsophos pluto[13701]: listening for IKE messages
    2020:12:15-23:46:13 zsophos pluto[13701]: added connection description "S_Perilex"
    2020:12:15-23:46:13 zsophos pluto[13701]: "S_Perilex" #1: initiating Main Mode
    2020:12:15-23:46:13 zsophos pluto[13701]: ERROR: "S_Perilex" #1: sendto on eth0.14 to 2a02:908:2a44:8be0:201:2eff:fe78:3368:500 failed in main_outI1. Errno 1: Operation not permitted
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: received Vendor ID payload [XAUTH]
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: received Vendor ID payload [Dead Peer Detection]
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: ignoring Vendor ID payload [Cisco-Unity]
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: we don't have a cert
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: Peer ID is ID_IPV6_ADDR: '2a02:908:2a44:8be0:201:2eff:fe78:3368'
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: Dead Peer Detection (RFC 3706) enabled
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: ISAKMP SA established
    2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    2020:12:15-23:46:23 zsophos pluto[13701]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Perilex" address="2a02:908:2a40:7bc0:203:2dff:fe27:fac2" local_net="2a02:908:2a40:7bdd::/64" remote_net="2a02:908:2a44:8be2::/64"
    2020:12:15-23:46:24 zsophos pluto[13701]: "S_Perilex" #2: route-client-v6 output: Failed to send flush request: No such process
    2020:12:15-23:46:24 zsophos pluto[13701]: "S_Perilex" #2: sent QI2, IPsec SA established {ESP=>0xc40115de <0xbd42dbdb DPD} 



    Added log entries
    [edited by: JanZa at 10:47 PM (GMT -8) on 15 Dec 2020]
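As an added triage aid, not code from the thread or from Sophos: a small parser that walks strongSwan 4.x pluto lines like the two UTM excerpts quoted above, records whether the ISAKMP (phase 1) and IPsec (phase 2) SAs came up, and flags the transport, proposal and route-install messages worth a closer look. The line layout regex, the flagged fragments and the verdict labels are assumptions derived from the quoted lines; the embedded excerpts are abridged copies of the 23:34 and 23:46 logs posted above.

```python
import re
# pluto line layout, assumed from the UTM lines quoted in the thread:
#   <ts> <host> <proc>[<pid>]: [ERROR: ]["<conn>" #<state>: ]<message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: '
    r'(?:ERROR: )?(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')

# message fragments worth flagging, and the layer each one points at (assumed mapping)
FINDINGS = {"sendto on": "ike-transport", "NO_PROPOSAL_CHOSEN": "phase2-proposal",
            "PAYLOAD_MALFORMED": "phase2-proposal",
            "route-client-v6 output: Failed": "route-install"}

def analyse(lines):
    """Return (isakmp_up, ipsec_up, findings) for one pluto log excerpt."""
    isakmp_up = ipsec_up = False
    findings = []  # (timestamp, layer, message)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group("proc") != "pluto":
            continue  # skip ipsec_starter lines and anything not in pluto format
        msg = m.group("msg")
        isakmp_up |= "ISAKMP SA established" in msg
        ipsec_up |= "IPsec SA established" in msg
        findings += [(m.group("ts"), layer, msg) for n, layer in FINDINGS.items() if n in msg]
    return isakmp_up, ipsec_up, findings

def verdict(lines):
    """Map an excerpt to the IKE stage a practitioner should look at first."""
    isakmp_up, ipsec_up, findings = analyse(lines)
    if not isakmp_up:
        return "phase1-failed"
    if not ipsec_up:
        return "phase2-failed"
    route = any(layer == "route-install" for _, layer, _ in findings)
    return "tunnel-up-route-warning" if route else "tunnel-up"

# abridged excerpts of the two UTM logs quoted in the thread
LOG_2334 = [
    '2020:12:15-23:34:20 zsophos pluto[11797]: ERROR: "S_Perilex" #1: sendto on eth0.14 to 2a02:908:2a44:8be0:201:2eff:fe78:3368:500 failed in main_outI1. Errno 1: Operation not permitted',
    '2020:12:15-23:34:30 zsophos pluto[11797]: "S_Perilex" #1: ISAKMP SA established',
    '2020:12:15-23:34:31 zsophos pluto[11797]: "S_Perilex" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    '2020:12:15-23:35:01 zsophos pluto[11797]: "S_Perilex" #1: ignoring informational payload, type PAYLOAD_MALFORMED',
]
LOG_2346 = [
    '2020:12:15-23:46:23 zsophos pluto[13701]: "S_Perilex" #1: ISAKMP SA established',
    '2020:12:15-23:46:24 zsophos pluto[13701]: "S_Perilex" #2: route-client-v6 output: Failed to send flush request: No such process',
    '2020:12:15-23:46:24 zsophos pluto[13701]: "S_Perilex" #2: sent QI2, IPsec SA established {ESP=>0xc40115de <0xbd42dbdb DPD}',
]

if __name__ == "__main__":
    print(verdict(LOG_2334), verdict(LOG_2346))
```

Feeding the full UTM IPsec log through `analyse` gives the timestamps of every flagged line, so the route-install warning can be lined up against the minutes in which the XG-to-UTM direction stopped working.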
  • Hello JanZa,

    Please open a case with Support and provide me with the Case ID, so I can follow up!

    Regards,

  • Will open a ticket as soon as I have access to the support portal again. Had access before, now I get the error message described here: https://support.sophos.com/support/s/article/KB-000040572?language=en_US&c__displayLanguage=en_US.

    I called via phone today and am waiting to be authorised again.

  • Hello Emmanuel,

    I called this morning (UTC +1) as well as tried my luck in the support chat to regain access to the support portal. Unfortunately without success so far. Customer Care refers to the Network Security colleague and he refers back to Customer Care, which then went offline.
    However, I have an old case number (03337515) from another case from November, where I still had access to the support portal, so maybe you can do something with it or help me. I'll try calling again tomorrow and when the chat is back up, I'll try my luck there too.
    A somewhat sobering experience with Sophos support outside the community area ...

    Regards
    Jan

  • Hello JanZa,

    Thank you for the update.

    Let me know if you don't hear from the engineer by Friday. I have left a note in your case. 

    Regards,

  • Hello Emmanuel,

    Here is a status update:

    • Someone has answered my old ticket 03337515 in the meantime. He wants to call me on Monday; let's see. Previously an engineer also wanted to, but then another engineer took over the ticket and the explanation of the problem started all over again, without a phone call.
    • Regarding my problem with the login to the support portal, I received an email and also answered it on 12/17/2020 at 8am (UTC +1) - since then no answer and also no access to the support portal (I tested again today 12/18/2020 at 08:45am). For this I have no ticket number, but only this: ref:_00D301GN6a._5003Z1AI1Y2:ref
    • So to get a ticket number for this forum post we have made only moderate progress. An email to support@sophos.com is rejected with an automatic reply that I should open the ticket via the support portal.


    Bullet list added
    [edited by: JanZa at 8:40 AM (GMT -8) on 18 Dec 2020]
  • According to the support ticket to regain access to the support portal, I can only wait. A time period was not specified.


    Regarding the status of the issue originally mentioned in this forum post, I have updated the XG Firewall to the latest version SFOS 18.0.4 MR-4. The problem is still as I originally described it (i.e. no improvement or worsening).

    Oh, the colleague who was going to call me didn't call me, of course (ticket 03337515).

  • Hi,

    My old ticket from November 2020 (#03337515) is closed. After updating to the new firewall version the error was gone, or the affected website supported more SSL ciphers than before, and now it works. Anyway, that's not what this ticket is about.

    Can someone help me with the problem described here, even without opening a support ticket, because it is unclear when I will regain access to the support portal?