
Unable to Connect Site to Site VPN Tunnels - Sophos XG

Hi, I have some existing Site to Site VPN Tunnels on our Draytek routers which we are upgrading to Sophos XG.

I am having some issues when setting up Site to Site VPN Tunnels, even though these are set up exactly the same as on the Drayteks, which work without issue.

I am trying to understand the logs better to resolve these tunnels. Any help in understanding these would be much appreciated.

Tunnel 1:

2021-07-22 15:49:17 14[IKE] <Site1-1|2> giving up after 5 retransmits
2021-07-22 15:49:17 14[DMN] <Site1-1|2> [GARNER-LOGGING] (child_alert) ALERT: IKE message (68001400) retransmission to 110.141.215.236 timed out
2021-07-22 15:49:17 14[DMN] <Site1-1|2> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 2
2021-07-22 15:49:17 14[IKE] <Site1-1|2> peer not responding, trying again (4/0)
2021-07-22 15:49:17 14[IKE] <Site1-1|2> initiating Main Mode IKE_SA Site1-1[2] to 110.141.215.236
2021-07-22 15:49:17 14[ENC] <Site1-1|2> generating ID_PROT request 0 [ SA V V V V V V ]
2021-07-22 15:49:17 14[NET] <Site1-1|2> sending packet: from 61.68.29.167[500] to 110.141.215.236[500] (312 bytes)
2021-07-22 15:49:17 20[NET] <Site1-1|2> received packet: from 110.141.215.236[500] to 61.68.29.167[500] (128 bytes)
2021-07-22 15:49:17 20[ENC] <Site1-1|2> parsed ID_PROT response 0 [ SA V V ]
2021-07-22 15:49:17 20[IKE] <Site1-1|2> received DPD vendor ID
2021-07-22 15:49:17 20[IKE] <Site1-1|2> received NAT-T (RFC 3947) vendor ID
2021-07-22 15:49:17 20[ENC] <Site1-1|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-07-22 15:49:17 20[NET] <Site1-1|2> sending packet: from 61.68.29.167[500] to 110.141.215.236[500] (364 bytes)
2021-07-22 15:49:17 21[NET] <Site1-1|2> received packet: from 110.141.215.236[500] to 61.68.29.167[500] (348 bytes)
2021-07-22 15:49:17 21[ENC] <Site1-1|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
2021-07-22 15:49:17 21[ENC] <Site1-1|2> generating ID_PROT request 0 [ ID HASH ]
2021-07-22 15:49:17 21[NET] <Site1-1|2> sending packet: from 61.68.29.167[4500] to 110.141.215.236[4500] (76 bytes)

Tunnel 2:

2021-07-22 15:44:42 27[ENC] <30> generating INFORMATIONAL_V1 request 2811380931 [ HASH N(PLD_MAL) ]
2021-07-22 15:44:42 27[IKE] <30> ID_PROT request with message ID 0 processing failed
2021-07-22 15:44:42 25[JOB] <23> deleting half open IKE_SA with 203.39.128.154 after timeout
2021-07-22 15:44:42 25[DMN] <23> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
2021-07-22 15:44:44 07[NET] <31> received packet: from 203.39.128.154[500] to 203.198.128.106[500] (292 bytes)
2021-07-22 15:44:44 07[ENC] <31> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
2021-07-22 15:44:44 07[IKE] <31> received NAT-T (RFC 3947) vendor ID
2021-07-22 15:44:44 07[IKE] <31> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2021-07-22 15:44:44 07[IKE] <31> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2021-07-22 15:44:44 07[IKE] <31> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2021-07-22 15:44:44 07[ENC] <31> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
2021-07-22 15:44:44 07[IKE] <31> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
2021-07-22 15:44:44 07[IKE] <31> received DPD vendor ID
2021-07-22 15:44:44 07[IKE] <31> received FRAGMENTATION vendor ID
2021-07-22 15:44:44 07[IKE] <31> received FRAGMENTATION vendor ID
2021-07-22 15:44:44 07[ENC] <31> received unknown vendor ID: 82:99:03:17:57:a3:82:c6:a6:21:de:00:00:00:00
2021-07-22 15:44:44 07[IKE] <31> 203.39.128.154 is initiating a Main Mode IKE_SA
2021-07-22 15:44:44 07[ENC] <31> generating ID_PROT response 0 [ SA V V V V V ]
2021-07-22 15:44:44 07[NET] <31> sending packet: from 203.198.128.106[500] to 203.39.128.154[500] (184 bytes)
2021-07-22 15:44:44 21[NET] <31> received packet: from 203.39.128.154[500] to 203.198.128.106[500] (292 bytes)
2021-07-22 15:44:44 21[ENC] <31> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2021-07-22 15:44:44 21[ENC] <31> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2021-07-22 15:44:44 21[NET] <31> sending packet: from 203.198.128.106[500] to 203.39.128.154[500] (308 bytes)
2021-07-22 15:44:44 16[NET] <31> received packet: from 203.39.128.154[500] to 203.198.128.106[500] (108 bytes)
2021-07-22 15:44:44 16[ENC] <31> invalid ID_V1 payload length, decryption failed?
2021-07-22 15:44:44 16[ENC] <31> could not decrypt payloads
2021-07-22 15:44:44 16[IKE] <31> message parsing failed
2021-07-22 15:44:44 16[ENC] <31> generating INFORMATIONAL_V1 request 1915868167 [ HASH N(PLD_MAL) ]
2021-07-22 15:44:44 16[NET] <31> sending packet: from 203.198.128.106[500] to 203.39.128.154[500] (76 bytes)
2021-07-22 15:44:44 16[IKE] <31> ID_PROT request with message ID 0 processing failed
2021-07-22 15:44:44 16[DMN] <31> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 203.39.128.154[500] failed

Tunnel 3:

2021-07-22 15:46:27 10[DMN] <Site3-1|4> [GARNER-LOGGING] (child_alert) ALERT: IKE message (90000E40) retransmission to 192.140.226.189 timed out
2021-07-22 15:46:27 10[DMN] <Site3-1|4> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 1
2021-07-22 15:46:27 10[IKE] <Site3-1|4> peer not responding, trying again (3/0)
2021-07-22 15:46:27 10[IKE] <Site3-1|4> initiating IKE_SA 201.140.226.188-1[4] to 192.140.226.189
2021-07-22 15:46:27 10[ENC] <Site3-1|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2021-07-22 15:46:27 10[NET] <Site3-1|4> sending packet: from 201.140.226.188[500] to 192.140.226.189[500] (1046 bytes)

Tunnel 4:

2021-07-22 15:46:27 13[IKE] <Site4-1|1> giving up after 5 retransmits
2021-07-22 15:46:27 13[DMN] <Site4-1|1> [GARNER-LOGGING] (child_alert) ALERT: IKE message (70004270) retransmission to 203.39.130.222 timed out
2021-07-22 15:46:27 13[DMN] <Site4-1|1> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 1
2021-07-22 15:46:27 13[IKE] <Site4-1|1> peer not responding, trying again (3/0)
2021-07-22 15:46:27 13[IKE] <Site4-1|1> initiating Main Mode IKE_SA Site4-1[1] to 203.39.130.222
2021-07-22 15:46:27 13[ENC] <Site4-1|1> generating ID_PROT request 0 [ SA V V V V V V ]
2021-07-22 15:46:27 13[NET] <Site4-1|1> sending packet: from 61.68.10.150[500] to 203.39.130.222[500] (312 bytes)

Thank you!

Steele

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    ==> Tunnel 1:

    Please take the strongswan.log events again for the 'Site1-1' tunnel.

    # tail -f /log/strongswan.log | grep -i "Site1-1"

    ==> Tunnel 2:

    2021-07-22 15:44:44 21[NET] <31> sending packet: from 203.198.128.106[500] to 203.39.128.154[500] (308 bytes)
    2021-07-22 15:44:44 16[NET] <31> received packet: from 203.39.128.154[500] to 203.198.128.106[500] (108 bytes)
    2021-07-22 15:44:44 16[ENC] <31> invalid ID_V1 payload length, decryption failed?
    2021-07-22 15:44:44 16[ENC] <31> could not decrypt payloads
    2021-07-22 15:44:44 16[IKE] <31> message parsing failed

    It seems to be an issue with the authentication, please check PSK at both ends.

    ==> Tunnel 3:

    2021-07-22 15:46:27 10[DMN] <Site3-1|4> [GARNER-LOGGING] (child_alert) ALERT: IKE message (90000E40) retransmission to 192.140.226.189 timed out
    2021-07-22 15:46:27 10[DMN] <Site3-1|4> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 1
    2021-07-22 15:46:27 10[IKE] <Site3-1|4> peer not responding, trying again (3/0)

    There's no response coming from the remote gateway for the IKE message.

    ==> Tunnel 4:

    2021-07-22 15:46:27 13[DMN] <Site4-1|1> [GARNER-LOGGING] (child_alert) ALERT: IKE message (70004270) retransmission to 203.39.130.222 timed out
    2021-07-22 15:46:27 13[DMN] <Site4-1|1> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 1
    2021-07-22 15:46:27 13[IKE] <Site4-1|1> peer not responding, trying again (3/0)

    Same as Tunnel 3, there's no response to the IKE message.

    IPsec troubleshooting and most common errors

  • Hi Yash Kothari,

    Thanks for your advice! I believe I have resolved the PSK issue, however, have been met with a NAT-T issue.

    The Public IP is a router (110.141.214.200) that port forwards to the VPN router client (192.168.0.2) for Site_1. The LAN of Site_1 is 192.168.41.0/24. This currently works with our Drayteks, but I am unable to connect with the Sophos XG.

    I did attempt to switch the .0.2 with the .41.0 for the NAT-T and Remote Subnet but this did not work. The firewall rule has both of these subnets via DNAT assistant.

    XG230_WP02_SFOS 18.0.5 MR-5-Build586# tail -f /log/strongswan.log | grep -i "Site_1"

    ^C
    XG230_WP02_SFOS 18.0.5 MR-5-Build586# tail -f /log/strongswan.log | grep -i Site_1
    2021-07-28 15:33:05 17[CFG] loading secrets from '/_conf/ipsec/connections/Site_1.secrets'
    2021-07-28 15:33:05 17[CFG] get_nsg_context tblvpnconnection:Site_1
    2021-07-28 15:33:05 10[CFG] vici initiate 'Site_1-1'
    2021-07-28 15:33:05 18[IKE] <Site_1-1|20> ### queue_child invoking quick_mode_create
    2021-07-28 15:33:05 18[IKE] <Site_1-1|20> ### quick_mode_create: 0x7fb160001100 config 0x7fb140002790
    2021-07-28 15:33:05 18[IKE] <Site_1-1|20> initiating Main Mode IKE_SA Site_1-1[20] to 110.141.214.200
    2021-07-28 15:33:05 18[ENC] <Site_1-1|20> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-07-28 15:33:05 18[NET] <Site_1-1|20> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (312 bytes)
    2021-07-28 15:33:06 23[NET] <Site_1-1|20> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (128 bytes)
    2021-07-28 15:33:06 23[ENC] <Site_1-1|20> parsed ID_PROT response 0 [ SA V V ]
    2021-07-28 15:33:06 23[IKE] <Site_1-1|20> received DPD vendor ID
    2021-07-28 15:33:06 23[IKE] <Site_1-1|20> received NAT-T (RFC 3947) vendor ID
    2021-07-28 15:33:06 23[ENC] <Site_1-1|20> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:33:06 23[NET] <Site_1-1|20> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (364 bytes)
    2021-07-28 15:33:06 31[NET] <Site_1-1|20> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (348 bytes)
    2021-07-28 15:33:06 31[ENC] <Site_1-1|20> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:33:06 31[IKE] <Site_1-1|20> remote host is behind NAT
    2021-07-28 15:33:06 31[ENC] <Site_1-1|20> generating ID_PROT request 0 [ ID HASH ]
    2021-07-28 15:33:06 31[NET] <Site_1-1|20> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (76 bytes)
    2021-07-28 15:33:06 13[NET] <Site_1-1|20> received packet: from 110.141.214.200[4500] to 61.68.20.100[4500] (92 bytes)
    2021-07-28 15:33:06 13[ENC] <Site_1-1|20> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
    2021-07-28 15:33:06 13[IKE] <Site_1-1|20> IDir '192.168.0.2' does not match to '110.141.214.200'
    2021-07-28 15:33:06 13[IKE] <Site_1-1|20> deleting IKE_SA Site_1-1[20] between 61.68.20.100[61.68.20.100]...110.141.214.200[%any]
    2021-07-28 15:33:06 13[IKE] <Site_1-1|20> sending DELETE for IKE_SA Site_1-1[20]
    2021-07-28 15:33:06 13[ENC] <Site_1-1|20> generating INFORMATIONAL_V1 request 2194495073 [ HASH D ]
    2021-07-28 15:33:06 13[NET] <Site_1-1|20> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (92 bytes)
    2021-07-28 15:33:06 13[IKE] <Site_1-1|20> ### destroy: 0x7fb160001100
    2021-07-28 15:33:26 31[CFG] loading secrets from '/_conf/ipsec/connections/Site_1.secrets'
    2021-07-28 15:33:26 31[CFG] get_nsg_context tblvpnconnection:Site_1
    2021-07-28 15:35:06 12[CFG] received stroke: delete connection 'Site_1-1'
    2021-07-28 15:35:06 12[CFG] deleted connection 'Site_1-1'
    2021-07-28 15:35:08 05[CFG] loading secrets from '/_conf/ipsec/connections/Site_1.secrets'
    2021-07-28 15:35:08 05[CFG] get_nsg_context tblvpnconnection:Site_1
    2021-07-28 15:35:08 09[CFG] received stroke: add connection 'Site_1-1'
    2021-07-28 15:35:08 09[CFG] added configuration 'Site_1-1'
    2021-07-28 15:35:08 07[CFG] received stroke: initiate 'Site_1-1'
    2021-07-28 15:35:08 07[IKE] <Site_1-1|29> ### queue_child invoking quick_mode_create
    2021-07-28 15:35:08 07[IKE] <Site_1-1|29> ### quick_mode_create: 0x7fb158003df0 config 0x7fb15c002a30
    2021-07-28 15:35:08 07[IKE] <Site_1-1|29> initiating Main Mode IKE_SA Site_1-1[29] to 110.141.214.200
    2021-07-28 15:35:08 07[ENC] <Site_1-1|29> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-07-28 15:35:08 07[NET] <Site_1-1|29> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (312 bytes)
    2021-07-28 15:35:08 20[NET] <Site_1-1|29> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (128 bytes)
    2021-07-28 15:35:08 20[ENC] <Site_1-1|29> parsed ID_PROT response 0 [ SA V V ]
    2021-07-28 15:35:08 20[IKE] <Site_1-1|29> received DPD vendor ID
    2021-07-28 15:35:08 20[IKE] <Site_1-1|29> received NAT-T (RFC 3947) vendor ID
    2021-07-28 15:35:08 20[ENC] <Site_1-1|29> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:35:08 20[NET] <Site_1-1|29> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (364 bytes)
    2021-07-28 15:35:08 28[NET] <Site_1-1|29> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (348 bytes)
    2021-07-28 15:35:08 28[ENC] <Site_1-1|29> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:35:08 28[IKE] <Site_1-1|29> remote host is behind NAT
    2021-07-28 15:35:08 28[ENC] <Site_1-1|29> generating ID_PROT request 0 [ ID HASH ]
    2021-07-28 15:35:08 28[NET] <Site_1-1|29> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (76 bytes)
    2021-07-28 15:35:08 06[NET] <Site_1-1|29> received packet: from 110.141.214.200[4500] to 61.68.20.100[4500] (92 bytes)
    2021-07-28 15:35:08 06[ENC] <Site_1-1|29> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
    2021-07-28 15:35:08 06[IKE] <Site_1-1|29> IDir '192.168.0.2' does not match to '110.141.214.200'
    2021-07-28 15:35:08 06[IKE] <Site_1-1|29> deleting IKE_SA Site_1-1[29] between 61.68.20.100[61.68.20.100]...110.141.214.200[%any]
    2021-07-28 15:35:08 06[IKE] <Site_1-1|29> sending DELETE for IKE_SA Site_1-1[29]
    2021-07-28 15:35:08 06[ENC] <Site_1-1|29> generating INFORMATIONAL_V1 request 3018537207 [ HASH D ]
    2021-07-28 15:35:08 06[NET] <Site_1-1|29> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (92 bytes)
    2021-07-28 15:35:08 06[IKE] <Site_1-1|29> ### destroy: 0x7fb158003df0
    2021-07-28 15:37:25 10[CFG] received stroke: delete connection 'Site_1-1'
    2021-07-28 15:37:25 10[CFG] deleted connection 'Site_1-1'
    2021-07-28 15:37:26 13[CFG] loading secrets from '/_conf/ipsec/connections/Site_1.secrets'
    2021-07-28 15:37:26 13[CFG] get_nsg_context tblvpnconnection:Site_1
    2021-07-28 15:37:26 10[CFG] received stroke: add connection 'Site_1-1'
    2021-07-28 15:37:26 10[CFG] added configuration 'Site_1-1'
    2021-07-28 15:37:26 29[CFG] received stroke: initiate 'Site_1-1'
    2021-07-28 15:37:26 29[IKE] <Site_1-1|39> ### queue_child invoking quick_mode_create
    2021-07-28 15:37:26 29[IKE] <Site_1-1|39> ### quick_mode_create: 0x7fb140002020 config 0x7fb140002c70
    2021-07-28 15:37:26 29[IKE] <Site_1-1|39> initiating Main Mode IKE_SA Site_1-1[39] to 110.141.214.200
    2021-07-28 15:37:26 29[ENC] <Site_1-1|39> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-07-28 15:37:26 29[NET] <Site_1-1|39> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (312 bytes)
    2021-07-28 15:37:26 24[NET] <Site_1-1|39> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (128 bytes)
    2021-07-28 15:37:26 24[ENC] <Site_1-1|39> parsed ID_PROT response 0 [ SA V V ]
    2021-07-28 15:37:26 24[IKE] <Site_1-1|39> received DPD vendor ID
    2021-07-28 15:37:26 24[IKE] <Site_1-1|39> received NAT-T (RFC 3947) vendor ID
    2021-07-28 15:37:26 24[ENC] <Site_1-1|39> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:37:26 24[NET] <Site_1-1|39> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (364 bytes)
    2021-07-28 15:37:27 32[NET] <Site_1-1|39> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (348 bytes)
    2021-07-28 15:37:27 32[ENC] <Site_1-1|39> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:37:27 32[IKE] <Site_1-1|39> remote host is behind NAT
    2021-07-28 15:37:27 32[ENC] <Site_1-1|39> generating ID_PROT request 0 [ ID HASH ]
    2021-07-28 15:37:27 32[NET] <Site_1-1|39> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (76 bytes)
    2021-07-28 15:37:27 28[NET] <Site_1-1|39> received packet: from 110.141.214.200[4500] to 61.68.20.100[4500] (92 bytes)
    2021-07-28 15:37:27 28[ENC] <Site_1-1|39> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
    2021-07-28 15:37:27 28[IKE] <Site_1-1|39> IDir '192.168.0.2' does not match to '110.141.214.200'
    2021-07-28 15:37:27 28[IKE] <Site_1-1|39> deleting IKE_SA Site_1-1[39] between 61.68.20.100[61.68.20.100]...110.141.214.200[%any]
    2021-07-28 15:37:27 28[IKE] <Site_1-1|39> sending DELETE for IKE_SA Site_1-1[39]
    2021-07-28 15:37:27 28[ENC] <Site_1-1|39> generating INFORMATIONAL_V1 request 1850178586 [ HASH D ]
    2021-07-28 15:37:27 28[NET] <Site_1-1|39> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (92 bytes)
    2021-07-28 15:37:27 28[IKE] <Site_1-1|39> ### destroy: 0x7fb140002020
    2021-07-28 15:37:34 11[CFG] loading secrets from '/_conf/ipsec/connections/Site_1.secrets'
    2021-07-28 15:37:34 11[CFG] get_nsg_context tblvpnconnection:Site_1
    2021-07-28 15:37:34 10[CFG] vici initiate 'Site_1-1'
    2021-07-28 15:37:34 29[IKE] <Site_1-1|41> ### queue_child invoking quick_mode_create
    2021-07-28 15:37:34 29[IKE] <Site_1-1|41> ### quick_mode_create: 0x7fb140002190 config 0x7fb140002c70
    2021-07-28 15:37:34 29[IKE] <Site_1-1|41> initiating Main Mode IKE_SA Site_1-1[41] to 110.141.214.200
    2021-07-28 15:37:34 29[ENC] <Site_1-1|41> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-07-28 15:37:34 29[NET] <Site_1-1|41> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (312 bytes)
    2021-07-28 15:37:34 12[NET] <Site_1-1|41> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (128 bytes)
    2021-07-28 15:37:34 12[ENC] <Site_1-1|41> parsed ID_PROT response 0 [ SA V V ]
    2021-07-28 15:37:34 12[IKE] <Site_1-1|41> received DPD vendor ID
    2021-07-28 15:37:34 12[IKE] <Site_1-1|41> received NAT-T (RFC 3947) vendor ID
    2021-07-28 15:37:34 12[ENC] <Site_1-1|41> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:37:34 12[NET] <Site_1-1|41> sending packet: from 61.68.20.100[500] to 110.141.214.200[500] (364 bytes)
    2021-07-28 15:37:35 31[NET] <Site_1-1|41> received packet: from 110.141.214.200[500] to 61.68.20.100[500] (348 bytes)
    2021-07-28 15:37:35 31[ENC] <Site_1-1|41> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    2021-07-28 15:37:35 31[IKE] <Site_1-1|41> remote host is behind NAT
    2021-07-28 15:37:35 31[ENC] <Site_1-1|41> generating ID_PROT request 0 [ ID HASH ]
    2021-07-28 15:37:35 31[NET] <Site_1-1|41> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (76 bytes)
    2021-07-28 15:37:35 26[NET] <Site_1-1|41> received packet: from 110.141.214.200[4500] to 61.68.20.100[4500] (92 bytes)
    2021-07-28 15:37:35 26[ENC] <Site_1-1|41> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
    2021-07-28 15:37:35 26[IKE] <Site_1-1|41> IDir '192.168.0.2' does not match to '110.141.214.200'
    2021-07-28 15:37:35 26[IKE] <Site_1-1|41> deleting IKE_SA Site_1-1[41] between 61.68.20.100[61.68.20.100]...110.141.214.200[%any]
    2021-07-28 15:37:35 26[IKE] <Site_1-1|41> sending DELETE for IKE_SA Site_1-1[41]
    2021-07-28 15:37:35 26[ENC] <Site_1-1|41> generating INFORMATIONAL_V1 request 2617462833 [ HASH D ]
    2021-07-28 15:37:35 26[NET] <Site_1-1|41> sending packet: from 61.68.20.100[4500] to 110.141.214.200[4500] (92 bytes)
    2021-07-28 15:37:35 26[IKE] <Site_1-1|41> ### destroy: 0x7fb140002190

  • For anyone that has a similar issue, it appears you need to define the Local & Remote IDs as the IP address that the router on the remote end is NATing to.

    For example, public IP address 111.168.10.14 with local IP of 192.168.1.1 port forwarding/NAT to router behind this with IP 192.168.1.2.

    The 192.168.1.2 address will need to be defined in the Sophos as the Local & Remote IDs of type IP Address. This should also be defined in the remote VPN router.

    Hope this helps someone as I found this information from a community post for UTM from 9 years ago and this is not documented anywhere by Sophos.
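The three failure classes this thread walks through (no reply from the peer, the first encrypted Main Mode message failing to decrypt, and the IDir mismatch that the final post resolves by setting the remote ID to the NATed inner address) can be picked out of strongswan.log mechanically. The script below is an added example, not code from the thread or from Sophos: it parses charon-style lines and maps each connection to its findings. The sample log is constructed in the shape of the lines quoted above, with documentation addresses, and the rule table and advice strings are my own.

```python
"""Classify strongSwan (charon) log lines into the failure classes seen in this thread."""
import re
from collections import defaultdict

# charon line: "<date> <time> <thread>[<group>] <conn|id> message". The "<...>" tag is
# absent on daemon-wide lines and reads "<31>" before the SA is matched to a connection.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+\[(?P<grp>[A-Z]+)\]"
    r"(?: <(?:(?P<conn>[^|>]+)\|)?(?P<id>\d+)>)? (?P<msg>.*)$"
)

# (pattern over the message, finding label, what to check) - order is first match wins
RULES = [
    (re.compile(r"giving up after \d+ retransmits|retransmission to \S+ timed out"
                r"|peer did not respond to initial message"),
     "NO_RESPONSE",
     "no reply from the peer: check the peer IP, UDP/500 and UDP/4500 reachability, and that the peer is listening"),
    (re.compile(r"IKE_SA timed out before it could be established"),
     "HALF_OPEN_TIMEOUT", "the peer started IKE but never completed it"),
    (re.compile(r"invalid ID_V1 payload length, decryption failed\?|could not decrypt payloads"),
     "DECRYPT_FAILED",
     "first encrypted Main Mode message is unreadable: the pre-shared key most likely differs between the ends"),
    (re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"),
     "ID_MISMATCH",
     "peer identified itself as {got} but we expected {want}: set the remote ID to {got} (the address behind the NAT)"),
    (re.compile(r"remote host is behind NAT"),
     "NAT_T", "NAT-T detected, IKE moves to UDP/4500"),
]

# Constructed sample (documentation addresses), shaped like the thread's log lines.
SAMPLE_LOG = """\
2021-07-22 15:49:17 14[IKE] <SiteA-1|2> giving up after 5 retransmits
2021-07-22 15:49:17 14[DMN] <SiteA-1|2> [GARNER-LOGGING] (child_alert) ALERT: peer did not respond to initial message 2
2021-07-22 15:44:44 16[ENC] <31> invalid ID_V1 payload length, decryption failed?
2021-07-22 15:44:44 16[ENC] <31> could not decrypt payloads
2021-07-22 15:44:42 25[DMN] <23> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
2021-07-28 15:33:06 31[IKE] <SiteB-1|20> remote host is behind NAT
2021-07-28 15:33:06 13[IKE] <SiteB-1|20> IDir '192.168.0.2' does not match to '198.51.100.7'
2021-07-28 15:33:05 17[CFG] loading secrets from '/_conf/ipsec/connections/SiteB.secrets'
"""


def parse_line(line):
    """Split one charon line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["id"] is None:          # no <...> tag: daemon-wide (CFG/JOB) line
        rec["conn"] = "global"
    elif rec["conn"] is None:      # "<31>": SA not yet matched to a configured connection
        rec["conn"] = f"unnamed-{rec['id']}"
    return rec


def classify(log_text):
    """Return {connection: [(finding, advice), ...]} with repeated findings collapsed."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for pattern, finding, advice in RULES:
            m = pattern.search(rec["msg"])
            if m:
                entry = (finding, advice.format(**m.groupdict()))
                if entry not in findings[rec["conn"]]:
                    findings[rec["conn"]].append(entry)
                break
    return dict(findings)


if __name__ == "__main__":
    for conn, items in classify(SAMPLE_LOG).items():
        for finding, advice in items:
            print(f"{conn}: {finding} - {advice}")
```

Running it on a real capture (`tail -f /log/strongswan.log` output pasted into a file) gives one line per connection and finding; the "unnamed-<id>" keys correspond to responder-side SAs that never matched a connection, as in the Tunnel 2 lines.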