RBVPN with dynamic IP forces to have ID type set

Hi folks,

Referring to this case, "v18 - Route based VPN between two Sophos Appliances, branch office with dynamic peer IP and NAT" (Discussions - XG Firewall - Sophos Community), I have something to ask/add here.

I am not able to set up a fully working VTI for RBVPN between two XG firewalls (v18.0.4), where XG_A has a public static IP and XG_B has a public dynamic IP, without setting the local ID and remote ID.
I have another combo of XGs running RBVPN, but with public static IPs on both sides. There, no local/remote ID is necessary to make things work.

Is this design or bug? ;)

  • What do you mean by "not work"? Can you not save the config, or does the tunnel not come up?


  • Sorry for hiding this point!

    The tunnel does not come up:


    2021-01-29 09:47:44 15[NET] <3877> received packet: from <DYN-IP>[500] to <STAT-IP>[500] (1482 bytes)
    2021-01-29 09:47:44 15[ENC] <3877> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2021-01-29 09:47:44 15[IKE] <3877> <DYN-IP> is initiating an IKE_SA
    2021-01-29 09:47:44 15[IKE] <3877> sending cert request for "C=DE, ST=Hamburg, L=Hamburg, O=<ORG-Name, OU=ThinkTank, CN=<DefaultCA>, E=<adminmail@>"
    2021-01-29 09:47:44 15[ENC] <3877> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2021-01-29 09:47:44 15[NET] <3877> sending packet: from <STAT-IP>[500] to <DYN-IP>[500] (267 bytes)
    2021-01-29 09:47:44 27[NET] <3877> received packet: from <DYN-IP>[500] to <STAT-IP>[500] (928 bytes)
    2021-01-29 09:47:44 27[ENC] <3877> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2021-01-29 09:47:44 27[CFG] <3877> looking for peer configs matching <STAT-IP>[<STAT-IP>]...<DYN-IP>[<DYN-IP>]
    2021-01-29 09:47:44 27[CFG] <3877> no matching peer config found
    2021-01-29 09:47:44 27[DMN] <3877> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
    2021-01-29 09:47:44 27[ENC] <3877> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    2021-01-29 09:47:44 27[NET] <3877> sending packet: from <STAT-IP>[500] to <DYN-IP>[500] (96 bytes)

  • You are using Cert for auth? What about RSA Keys, do they work? 


  • I am using RSA for authentication.

    I just found out that on the XG with static IP the remote ID must be set (I set it to a DNS value), and on the XG with dynamic IP the local ID must be set to the same value (understandably).
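    As an added illustration (my own code, not from the thread, Sophos, or strongSwan): the lines quoted in the earlier reply are in the log format of the strongSwan charon daemon, and the failure is visible in the "looking for peer configs matching ..." / "no matching peer config found" pair. This script parses such lines, groups them per IKE_SA, and flags the unmatched case together with the addresses and identities the responder was trying to match, which is what you would look at to confirm the local/remote ID fix described in this reply. The sample log is constructed: it reuses the redacted placeholders from the thread and adds an invented successful exchange; the config name 'vti-branch' and the example.net hostnames are assumptions, and the "selected peer config" message is taken from strongSwan's own logging.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the thread's redacted lines plus an invented, successful
# IKE_SA (3878) in which both peers present stable FQDN identities.
SAMPLE_LOG = """\
2021-01-29 09:47:44 27[CFG] <3877> looking for peer configs matching <STAT-IP>[<STAT-IP>]...<DYN-IP>[<DYN-IP>]
2021-01-29 09:47:44 27[CFG] <3877> no matching peer config found
2021-01-29 09:47:44 27[DMN] <3877> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
2021-01-29 09:47:44 27[ENC] <3877> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2021-01-29 09:48:10 12[CFG] <3878> looking for peer configs matching 203.0.113.10[hq.example.net]...198.51.100.7[branch.example.net]
2021-01-29 09:48:10 12[CFG] <3878> selected peer config 'vti-branch'
"""

# charon line layout: "<date> <time> <thread>[<subsystem>] <<ike_sa_id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<thread>\d+)\[(?P<subsys>\w+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$"
)
# "looking for peer configs matching local_addr[local_id]...remote_addr[remote_id]"
MATCHING_RE = re.compile(
    r"looking for peer configs matching (?P<laddr>\S+?)\[(?P<lid>[^\]]+)\]"
    r"\.\.\.(?P<raddr>\S+?)\[(?P<rid>[^\]]+)\]"
)
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")


@dataclass
class IkeSa:
    sa_id: str
    local_addr: Optional[str] = None
    local_id: Optional[str] = None
    remote_addr: Optional[str] = None
    remote_id: Optional[str] = None
    selected_config: Optional[str] = None
    no_config_match: bool = False
    auth_failed: bool = False


def parse_charon_log(text: str) -> Dict[str, IkeSa]:
    """Group charon log lines by IKE_SA id and record the config-selection outcome."""
    sas: Dict[str, IkeSa] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line (blank, or another daemon); skip it
        sa = sas.setdefault(m["sa"], IkeSa(m["sa"]))
        msg = m["msg"]
        mm = MATCHING_RE.search(msg)
        if mm:
            sa.local_addr, sa.local_id = mm["laddr"], mm["lid"]
            sa.remote_addr, sa.remote_id = mm["raddr"], mm["rid"]
            continue
        ms = SELECTED_RE.search(msg)
        if ms:
            sa.selected_config = ms["name"]
        elif "no matching peer config found" in msg:
            sa.no_config_match = True
        elif "peer authentication failed" in msg or "N(AUTH_FAILED)" in msg:
            sa.auth_failed = True
    return sas


def diagnose(sa: IkeSa) -> List[str]:
    """Explain why IKE_AUTH was rejected, based only on what the log recorded."""
    findings: List[str] = []
    if sa.no_config_match:
        findings.append(
            f"IKE_SA {sa.sa_id}: no peer config matched remote {sa.remote_addr} "
            f"presenting IDi '{sa.remote_id}' to local {sa.local_addr}[{sa.local_id}]"
        )
        if sa.remote_id == sa.remote_addr:
            # The peer identified itself only by its current address; with a
            # dynamic peer that value is not stable, so the responder needs an
            # explicit remote ID (FQDN or e-mail) to select the config on.
            findings.append(
                f"IKE_SA {sa.sa_id}: IDi equals the peer address; configure a stable "
                "local ID on the dynamic side and the same remote ID on the static side"
            )
    elif sa.auth_failed:
        findings.append(
            f"IKE_SA {sa.sa_id}: config '{sa.selected_config}' was selected but "
            "authentication still failed; check credentials, not the IDs"
        )
    return findings


def summarize(text: str) -> Dict[str, List[str]]:
    """Return the findings for every IKE_SA that produced any."""
    return {sa_id: f for sa_id, sa in parse_charon_log(text).items() if (f := diagnose(sa))}


if __name__ == "__main__":
    for sa_id, lines in summarize(SAMPLE_LOG).items():
        print("\n".join(lines))
```

    Run against the quoted log, only IKE_SA 3877 produces findings: the responder saw the peer identify itself as nothing more than its current (dynamic) address, so no tunnel definition could be selected; the invented IKE_SA 3878, where both sides present FQDN identities, selects its config and reports nothing.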

  • XG with static IP VPN config:

    XG with dynamic IP VPN config:

  • I believe you can also set it to e-mail and make sure to enter the same e-mail address on both sides of the connection (or DNS and use a DDNS name).


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and glad to help others with their IT security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
