RBVPN with dynamic IP forces to have ID type set

Hi folks,

Referring to this case, "v18 - Route based VPN between two Sophos Appliances, branch office with dynamic peer IP and NAT" (Discussions - XG Firewall - Sophos Community), I have something to ask/add here.

I am not able to set up a fully working VTI for RBVPN between two XG firewalls (v18.0.4) where XG_A has a public static IP and XG_B has a public dynamic IP without setting the local ID and remote ID.
I have another combo of XGs running RBVPN, but with a public static IP on both sides. There no local / remote ID is necessary to make things work.

Is this design or bug? ;)

  • What do you mean by "not work"? Can you not save the config, or does the tunnel not come up?

  • sorry for hiding this point!

    The tunnel does not come up:


    2021-01-29 09:47:44 15[NET] <3877> received packet: from <DYN-IP>[500] to <STAT-IP>[500] (1482 bytes)
    2021-01-29 09:47:44 15[ENC] <3877> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2021-01-29 09:47:44 15[IKE] <3877> <DYN-IP> is initiating an IKE_SA
    2021-01-29 09:47:44 15[IKE] <3877> sending cert request for "C=DE, ST=Hamburg, L=Hamburg, O=<ORG-Name, OU=ThinkTank, CN=<DefaultCA>, E=<adminmail@>"
    2021-01-29 09:47:44 15[ENC] <3877> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2021-01-29 09:47:44 15[NET] <3877> sending packet: from <STAT-IP>[500] to <DYN-IP>[500] (267 bytes)
    2021-01-29 09:47:44 27[NET] <3877> received packet: from <DYN-IP>[500] to <STAT-IP>[500] (928 bytes)
    2021-01-29 09:47:44 27[ENC] <3877> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2021-01-29 09:47:44 27[CFG] <3877> looking for peer configs matching <STAT-IP>[<STAT-IP>]...<DYN-IP>[<DYN-IP>]
    2021-01-29 09:47:44 27[CFG] <3877> no matching peer config found
    2021-01-29 09:47:44 27[DMN] <3877> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
    2021-01-29 09:47:44 27[ENC] <3877> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    2021-01-29 09:47:44 27[NET] <3877> sending packet: from <STAT-IP>[500] to <DYN-IP>[500] (96 bytes)

  • You are using a cert for auth? What about RSA keys, do they work?

  • I am using RSA for authentication.

    I just found out that on the XG with the static IP the remote ID must be set (I set it to a DNS value) and on the XG with the dynamic IP the local ID must be set to the same value (understandably).

  • XG with static IP VPN config:

    XG with dynamic IP VPN config:

  • I believe you can also set it to e-mail and make sure to enter the same email address on both sides of the connection (or DNS and use the DDNS name).
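
The charon excerpt quoted above carries the whole diagnosis: the responder looks for a peer config matching `<STAT-IP>[<STAT-IP>]...<DYN-IP>[<DYN-IP>]`, finds none, and answers with AUTH_FAILED, which is what setting matching local/remote IDs on both XGs resolved. As an added example (not code from the thread or from Sophos), the small triage script below groups charon lines by IKE_SA number and turns that signature into a verdict; the sample log is constructed from the quoted lines with the poster's placeholders, plus an invented healthy SA whose FQDN IDs and connection name are made up.

```python
import re
from collections import defaultdict

# Constructed sample: SA 3877 reproduces the charon lines quoted in the thread
# (same placeholders); SA 3878 is a made-up healthy peer with invented FQDN IDs.
SAMPLE_LOG = """\
2021-01-29 09:47:44 27[ENC] <3877> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2021-01-29 09:47:44 27[CFG] <3877> looking for peer configs matching <STAT-IP>[<STAT-IP>]...<DYN-IP>[<DYN-IP>]
2021-01-29 09:47:44 27[CFG] <3877> no matching peer config found
2021-01-29 09:47:44 27[DMN] <3877> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
2021-01-29 09:47:44 27[ENC] <3877> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2021-01-29 09:52:10 12[CFG] <3878> looking for peer configs matching <STAT-IP>[hq.example.test]...<DYN-IP>[branch.example.test]
2021-01-29 09:52:10 12[CFG] <3878> selected peer config 'XG_A-to-XG_B'
"""

LINE_RE = re.compile(r"^\S+ \S+ +\d+\[(?P<sub>[A-Z]+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
LOOKUP_RE = re.compile(r"looking for peer configs matching (?P<local>\S+?)\.\.\.(?P<remote>\S+)")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']*)'")

def parse_lines(text):
    """Group charon message texts by IKE_SA number; non-charon lines are skipped."""
    by_sa = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_sa[int(m["sa"])].append(m["msg"])
    return by_sa

def diagnose(text):
    """Return {sa: verdict}. 'no matching peer config found' followed by AUTH_FAILED
    means the initiator's IDi/IDr (here its dynamic address) selected no connection."""
    verdicts = {}
    for sa, msgs in parse_lines(text).items():
        lookup = next((LOOKUP_RE.search(m) for m in msgs if LOOKUP_RE.search(m)), None)
        selected = next((SELECTED_RE.search(m) for m in msgs if SELECTED_RE.search(m)), None)
        no_cfg = any("no matching peer config found" in m for m in msgs)
        auth_failed = any("N(AUTH_FAILED)" in m for m in msgs)
        if no_cfg and auth_failed:
            who = f" for {lookup['local']}...{lookup['remote']}" if lookup else ""
            verdicts[sa] = f"identity mismatch{who}: set matching local/remote IDs on both peers"
        elif auth_failed:
            verdicts[sa] = "authentication failed after config match: check keys/certificates"
        elif selected:
            verdicts[sa] = f"peer config selected: {selected['name']}"
        else:
            verdicts[sa] = "no authentication outcome in this excerpt"
    return verdicts

if __name__ == "__main__":
    for sa, verdict in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"IKE_SA {sa}: {verdict}")
```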
