Problem site to site between Sophos XG V18 and Fritzbox 749 V7.21

Question

Hallo, 
 urgent help for VPN- Site to site connection between a fritzbox 7490 V7.21 and Sophos XG home V18.0.4. I cannot establish the VPN. 
 A short overview:

Config file of the Fritzbox: 
 enabled = yes; editable = yes; conn_type = conntype_out; name = "Buttenhausen Plochingen"; boxuser_id = 0; always_renew = no; reject_not_encrypted = no; dont_filter_netbios = no; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 0.0.0.0; remote_virtualip = 0.0.0.0; remotehostname = "fw-greiner-pl01.myfirewall.co"; keepalive_ip = 192.168.0.1; localid { key_id = "$$$$3RIQ4SWQN4QTNDLGZMTISOESJ1VNTVMFUBRMRBYQD35ZPTL4CKMITRQKGV4LN33KD3ZMX5XYT6FHYAAA"; } mode = phase1_mode_aggressive; phase1ss = "all/all/all"; keytype = connkeytype_pre_shared; key = "$$$$B4XPAPG6TY2MBP2A3NJPXELFK3AIR14URHLGOPM5EPTZJE23OZ1EENATV5EPKEOTYGUO6SYNL5BWUAAA"; cert_do_server_auth = no; use_nat_t = yes; use_xauth = no; use_cfgmode = yes; phase2localid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } } phase2remoteid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } } phase2ss = "esp-all-all/ah-none/comp-all/no-pfs"; accesslist = "permit ip any 192.168.w.w 255.255.252.0" 
 app_id = 0;

FormerMember · Answer

Thank you for sharing the log events.

2021-03-23 19:58:42 08[IKE] <189648> received NAT-T (RFC 3947) vendor ID
2021-03-23 19:58:42 08[IKE] <189648> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-03-23 19:58:42 08[IKE] <189648> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-03-23 19:58:42 08[ENC] <189648> received unknown vendor ID: a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
2021-03-23 19:58:42 08[IKE] <189648> 77.182.12.196 is initiating a Aggressive Mode IKE_SA
2021-03-23 19:58:42 08[IKE] <189648> Aggressive Mode PSK disabled for security reasons
2021-03-23 19:58:42 08[ENC] <189648> generating INFORMATIONAL_V1 request 215035122 [ N(AUTH_FAILED) ]
2021-03-23 19:58:42 08[NET] <189648> sending packet: from 95.208.76.27[500] to 77.182.12.196[500] (56 bytes)
2021-03-23 19:58:42 32[NET] <VPNButtenhausen-1|189647> received packet: from 77.182.12.196[500] to 95.208.76.27[500] (56 bytes)
2021-03-23 19:58:42 32[ENC] <VPNButtenhausen-1|189647> parsed INFORMATIONAL_V1 request 4032525331 [ N(INVAL_ID) ]
2021-03-23 19:58:42 32[IKE] <VPNButtenhausen-1|189647> informational: received INVALID_ID_INFORMATION error notify
2021-03-23 19:58:42 32[IKE] <VPNButtenhausen-1|189647> IKE_SA INVALID_ID_INFORMATION set_condition COND_START_OVER
2021-03-23 19:58:42 32[IKE] <VPNButtenhausen-1|189647> ### destroy: 0x7fea8c001770

Events indicates that the responder does not accept the ID payloads sent by XG.

==> At Fritzbox end you just have set up local-id, not remote-id.

Bernd Greiner1 said:
localid {
key_id = "$$$$3RIQ4SWQN4QTNDLGZMTISOESJ1VNTVMFUBRMRBYQD35ZPTL4CKMITRQKGV4LN33KD3ZMX5XYT6FHYAAA";
}

==> I'd suggest changing it to fqdn or IP address

==> Apply same changes at XG end.

==> Also please confirm the pre-shared key.

==> In IPsec policy at XG end lease disable 'Pass data in compressed format' and 'SHA2 with 96-bit truncation'.

You may refer to the links below for reference.

https://community.sophos.com/xg-firewall/f/discussions/76424/site-to-site-connection-between-sophos-xg-and-fritzbox-no-ping

https://blog.webernetz.net/fritzos-ab-06-23-ipsec-p2-proposals-erweitert/

https://blog.webernetz.net/ipsec-site-to-site-vpn-fortigate-fritzbox/

Problem site to site between Sophos XG V18 and Fritzbox 749 V7.21

Top Replies