Sophos XG - Site to Site VPN to Branch Draytek Behind NAT

Hi All,

Needing some help with this, we have a Site to Site VPN from our head office with a Sophos XG, to our Branch Office that has a Draytek behind a NAT.

This currently works with a Draytek to Draytek, with the branch behind the NAT, but I am trying to roll out the Sophos XG at our head office.


From testing, I have received the below logs, which look like there is a mismatch in Phase 1 & 2 protocols; however, I can't see any mismatch in the config:


XG230_WP02_SFOS 18.0.5 MR-5-Build586# tail -f /log/strongswan.log | grep -i "Site_1"
2021-08-20 14:01:23 18[CFG] <Site_1-1|8> received proposals: ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ
2021-08-20 14:01:23 18[CFG] <Site_1-1|8> configured proposals: ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2021-08-20 14:01:23 18[IKE] <Site_1-1|8> no matching proposal found, sending NO_PROPOSAL_CHOSEN
2021-08-20 14:01:23 18[IKE] <Site_1-1|8> ### destroy: 0x7ff6b400af50
2021-08-20 14:01:23 18[ENC] <Site_1-1|8> generating INFORMATIONAL_V1 request 4038046832 [ HASH N(NO_PROP) ]
2021-08-20 14:01:23 18[NET] <Site_1-1|8> sending packet: from 61.67.12.156[4500] to 110.141.224.237[4500] (76 bytes)
2021-08-20 14:01:26 29[NET] <Site_1-1|8> received packet: from 110.141.224.237[4500] to 61.67.12.156[4500] (156 bytes)
2021-08-20 14:01:26 29[IKE] <Site_1-1|8> received retransmit of request with ID 1692804599, but no response to retransmit
2021-08-20 14:01:32 23[NET] <Site_1-1|8> received packet: from 110.141.224.237[4500] to 61.67.12.156[4500] (156 bytes)
2021-08-20 14:01:32 23[IKE] <Site_1-1|8> received retransmit of request with ID 1692804599, but no response to retransmit
2021-08-20 14:01:35 20[NET] <Site_1-1|8> received packet: from 110.141.224.237[4500] to 61.67.12.156[4500] (76 bytes)
2021-08-20 14:01:35 20[ENC] <Site_1-1|8> parsed INFORMATIONAL_V1 request 1964139744 [ HASH D ]
2021-08-20 14:01:35 20[IKE] <Site_1-1|8> received DELETE for IKE_SA Site_1-1[8]
2021-08-20 14:01:35 20[IKE] <Site_1-1|8> deleting IKE_SA Site_1-1[8] between 61.67.12.156[192.168.0.2]...110.141.224.237[192.168.0.2]
2021-08-20 14:01:35 10[CFG] <9> selected peer config "Site_1-1"
2021-08-20 14:01:35 10[IKE] <Site_1-1|9> IKE_SA Site_1-1[9] established between 61.67.12.156[192.168.0.2]...110.141.224.237[192.168.0.2]
2021-08-20 14:01:35 10[IKE] <Site_1-1|9> scheduling rekeying in 85994s
2021-08-20 14:01:35 10[IKE] <Site_1-1|9> maximum IKE_SA lifetime 86354s
2021-08-20 14:01:35 10[ENC] <Site_1-1|9> generating ID_PROT response 0 [ ID HASH ]
2021-08-20 14:01:35 10[NET] <Site_1-1|9> sending packet: from 61.67.12.156[4500] to 110.141.224.237[4500] (76 bytes)
2021-08-20 14:01:35 19[NET] <Site_1-1|9> received packet: from 110.141.224.237[4500] to 61.67.12.156[4500] (156 bytes)
2021-08-20 14:01:35 19[ENC] <Site_1-1|9> parsed QUICK_MODE request 1962348297 [ HASH SA No ID ID ]
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> ### process_request invoking quick_mode_create
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> ### quick_mode_create: 0x7ff6b8003a20 config (nil)
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> ### process_r: 0x7ff6b8003a20 QM_INIT
2021-08-20 14:01:35 19[CFG] <Site_1-1|9> received proposals: ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ
2021-08-20 14:01:35 19[CFG] <Site_1-1|9> configured proposals: ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> no matching proposal found, sending NO_PROPOSAL_CHOSEN
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> ### destroy: 0x7ff6b8003a20

Sophos XG - Head Office


Draytek Branch Office -

Any guidance would be much appreciated!

Thanks

Steele



FormerMember (+1)

    Hi, thanks for reaching out to the Sophos Community.

    'No Proposal Chosen' --> Mismatch in the policy configuration.

    2021-08-20 14:01:23 18[IKE] <Site_1-1|8> no matching proposal found, sending NO_PROPOSAL_CHOSEN

    Looking at the policy on both ends, you have PFS enabled on the firewall ("Same as Phase 1") and disabled on the Draytek device. Either try disabling it on the firewall or set the same on the Draytek end.

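The diagnosis above can be read straight off the two `[CFG]` lines: the peer's received proposal carries no DH group, while the firewall's first configured proposal requires `MODP_2048`, which is exactly what "PFS: Same as Phase 1" adds to the Phase 2 policy. The script below is an added example (not code from the poster, Sophos, or strongSwan) that parses those strongSwan `received proposals` / `configured proposals` lines, compares the transforms role by role, and reports which role (encryption, integrity, DH group, or ESN) has no overlap. The sample log is copied from the excerpt in the thread; the grouping of transform-name prefixes into roles is an assumption for this example and may need extending for other algorithm names.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the [CFG]/[IKE] lines copied from the thread's strongswan.log excerpt,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
2021-08-20 14:01:35 19[CFG] <Site_1-1|9> received proposals: ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ
2021-08-20 14:01:35 19[CFG] <Site_1-1|9> configured proposals: ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2021-08-20 14:01:35 19[IKE] <Site_1-1|9> no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""

# Matches the strongSwan [CFG] lines that list proposals; the connection name precedes '|'.
PROPOSAL_LINE = re.compile(
    r"\[CFG\] <(?P<conn>[^|>]+)\|\d+> (?P<kind>received|configured) proposals: (?P<props>.+)$"
)

# Transform-name prefixes as strongSwan prints them, grouped by the role they fill.
# This grouping is an assumption for the example; add prefixes your logs use.
ROLE_PREFIXES = {
    "encr": ("AES_CBC_", "AES_GCM_", "AES_CTR_", "3DES", "CHACHA20"),
    "integ": ("HMAC_", "AES_XCBC_", "AES_CMAC_"),
    "dh": ("MODP_", "ECP_", "CURVE_"),
    "esn": ("NO_EXT_SEQ", "EXT_SEQ"),
}


def parse_proposal(text: str) -> Dict[str, Set[str]]:
    """Turn 'ESP:AES_CBC_256/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ' into a role -> transforms map."""
    proto, _, transforms = text.strip().partition(":")
    roles: Dict[str, Set[str]] = {"proto": {proto}}
    for name in transforms.split("/"):
        role = next((r for r, pfx in ROLE_PREFIXES.items() if name.startswith(pfx)), "other")
        roles.setdefault(role, set()).add(name)
    return roles


def parse_proposal_list(text: str) -> List[Dict[str, Set[str]]]:
    """strongSwan separates alternative proposals with ', '."""
    return [parse_proposal(p) for p in text.split(",") if p.strip()]


def mismatched_roles(received: Dict[str, Set[str]], configured: Dict[str, Set[str]]) -> List[str]:
    """Roles where the two proposals share no transform; a DH group present on only one side counts."""
    roles = set(received) | set(configured)
    return sorted(r for r in roles if not (received.get(r, set()) & configured.get(r, set())))


def hint_for(peer: Dict[str, Set[str]], local: Dict[str, Set[str]], roles: List[str], index: int) -> str:
    """Human-readable explanation of the closest non-matching local proposal."""
    parts = []
    for role in roles:
        mine = "/".join(sorted(local.get(role, ()))) or "(none)"
        theirs = "/".join(sorted(peer.get(role, ()))) or "(none)"
        if role == "dh" and not peer.get("dh") and local.get("dh"):
            # No DH group from the peer but one required locally: PFS is on here, off there.
            parts.append(f"PFS: local proposal {index + 1} requires DH group {mine} but the peer sent none")
        else:
            parts.append(f"{role}: local proposal {index + 1} offers {mine}, peer sent {theirs}")
    return "; ".join(parts)


def diagnose(log_text: str) -> Dict[str, dict]:
    """Collect the last received/configured pair per connection and explain any mismatch."""
    received: Dict[str, List[Dict[str, Set[str]]]] = {}
    configured: Dict[str, List[Dict[str, Set[str]]]] = {}
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            target = received if m["kind"] == "received" else configured
            target[m["conn"]] = parse_proposal_list(m["props"])
    report: Dict[str, dict] = {}
    for conn, peer_list in received.items():
        if conn not in configured:
            continue
        peer = peer_list[0]  # the initiator sends a single proposal in Quick Mode
        diffs = [mismatched_roles(peer, local) for local in configured[conn]]
        if any(not d for d in diffs):
            report[conn] = {"match": True, "diffs": diffs, "hint": "proposals overlap"}
            continue
        best = min(range(len(diffs)), key=lambda i: (len(diffs[i]), i))
        report[conn] = {"match": False, "diffs": diffs,
                        "hint": hint_for(peer, configured[conn][best], diffs[best], best)}
    return report


if __name__ == "__main__":
    for conn, result in diagnose(SAMPLE_LOG).items():
        print(f"{conn}: {'OK' if result['match'] else 'NO_PROPOSAL_CHOSEN'} -> {result['hint']}")
```

Run it against `grep CFG /log/strongswan.log` output instead of the embedded sample to check a live tunnel; for the thread's log it reports that local proposal 1 differs from the peer only in the DH group (PFS), and local proposal 2 only in the integrity algorithm, which is why neither is chosen.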