
IPSec Remote (Client) VPN

I have a Sophos XG (Firmware 18.0) and have set up the IPSec Client VPN for a few users to connect to.

When I try to connect to the IPSec Client VPN I get the following error: 

2021-09-28 04:02:06AM 00[DMN] Starting IKE service charon-svc (strongSwan 5.8.0, Windows Client 6.2.9200 (SP 0.0)
2021-09-28 04:02:06AM 00[LIB] TAP-Windows driver version 1.0 available.
2021-09-28 04:02:08AM 00[LIB] opened TUN device: {0625B307-BEF5-4C96-A0CF-502246069556}
2021-09-28 04:02:08AM 00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 pem openssl kernel-libipsec kernel-iph socket-win vici eap-identity eap-gtc eap-mschapv2 xauth-generic windows-dns
2021-09-28 04:02:08AM 00[JOB] spawning 16 worker threads
2021-09-28 04:02:11AM 17[KNL] interface 25 'Microsoft Wi-Fi Direct Virtual Adapter #3' appeared
2021-09-28 04:02:13AM 17[KNL] interface 23 'Intel(R) Dual Band Wireless-AC 8265' changed state from Down to Up
2021-09-28 04:02:13AM 17[KNL] 169.254.49.224 disappeared from interface 23 'Intel(R) Dual Band Wireless-AC 8265'
2021-09-28 04:02:14AM 18[KNL] interface 80 'Hyper-V Virtual Ethernet Adapter' changed state from Up to Down
2021-09-28 04:02:14AM 18[KNL] 172.26.160.1 disappeared from interface 80 'Hyper-V Virtual Ethernet Adapter'
2021-09-28 04:02:17AM 17[KNL] interface 80 'Hyper-V Virtual Ethernet Adapter' disappeared
2021-09-28 04:02:17AM 18[KNL] interface 80 'Hyper-V Virtual Ethernet Adapter' appeared
2021-09-28 04:02:48AM 18[KNL] interface 103 'Harrys UK VPN' appeared
2021-09-28 04:03:56AM 18[KNL] interface 24 'Microsoft Wi-Fi Direct Virtual Adapter #4' appeared
2021-09-28 09:34:17AM 18[KNL] interface 4 'Sophos TAP Adapter' changed state from Down to Up
2021-09-28 09:34:17AM 19[KNL] 169.254.99.238 disappeared from interface 4 'Sophos TAP Adapter'
2021-09-28 07:20:13PM 18[KNL] interface 4 'Sophos TAP Adapter' changed state from Up to Down
2021-09-28 07:20:13PM 18[KNL] 10.10.50.34 disappeared from interface 4 'Sophos TAP Adapter'
2021-09-28 07:20:37PM 15[CFG] loaded IKE shared key with id 'HRY_NYC_IPSec_VPN-psk-id' for: '%any'
2021-09-28 07:20:38PM 12[CFG] loaded EAP shared key with id 'HRY_NYC_IPSec_VPN-user-id' for: 'liz.cat'
2021-09-28 07:20:39PM 01[LIB] TAP-Windows driver version 1.0 available.
2021-09-28 07:20:39PM 18[KNL] interface 4 'Sophos TAP Adapter' changed state from Down to Up
2021-09-28 07:20:41PM 01[CFG] added vici connection: HRY_NYC_IPSec_VPN
2021-09-28 07:20:41PM 05[CFG] vici initiate CHILD_SA 'HRY_NYC_IPSec_VPN-tunnel-1'
2021-09-28 07:20:41PM 04[IKE] <HRY_NYC_IPSec_VPN|1> initiating Main Mode IKE_SA HRY_NYC_IPSec_VPN[1] to PUBLIC-IP-ADDRESS
2021-09-28 07:20:41PM 04[ENC] <HRY_NYC_IPSec_VPN|1> generating ID_PROT request 0 [ SA V V V V V ]
2021-09-28 07:20:41PM 04[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:20:44PM 08[IKE] <HRY_NYC_IPSec_VPN|1> sending retransmit 1 of request message ID 0, seq 1
2021-09-28 07:20:44PM 08[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:20:50PM 09[IKE] <HRY_NYC_IPSec_VPN|1> sending retransmit 2 of request message ID 0, seq 1
2021-09-28 07:20:50PM 09[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:21:02PM 15[IKE] <HRY_NYC_IPSec_VPN|1> giving up after 2 retransmits
2021-09-28 07:21:02PM 15[IKE] <HRY_NYC_IPSec_VPN|1> establishing IKE_SA failed, peer not responding
2021-09-28 07:21:03PM 16[CFG] vici terminate IKE_SA 'HRY_NYC_IPSec_VPN'
2021-09-28 07:21:03PM 01[ESP] unsupported IP version
2021-09-28 07:21:03PM 18[KNL] interface 4 'Sophos TAP Adapter' changed state from Up to Down
2021-09-28 07:21:04PM 04[CFG] unloaded shared key with id 'HRY_NYC_IPSec_VPN-psk-id'
2021-09-28 07:21:04PM 13[CFG] unloaded shared key with id 'HRY_NYC_IPSec_VPN-user-id'

It says that the IKE UDP Ports are blocked and then another message that the FW is not responding. I've used the IKE UDP Ports (500,4500) on my home network before and they work fine. I checked my firewall rules just in case and my home router is allowing all traffic. This is the .scx file configuration:

{
  "favicon" : "",
  "local_auth" : {
    "psk" : {
      "id" : "0.0.0.0"
    },
    "xauth" : {
      "can_save" : false
    },
    "otp" : true
  },
  "type" : "xg",
  "start_action" : "none",
  "child" : {
    "proposals" : [
      "aes256-sha2_256-modp2048"
    ],
    "rekey_time" : 3060,
    "remote_ts" : [
      "0.0.0.0/0"
    ]
  },
  "display_name" : "IPSec_VPN",
  "managed" : false,
  "proposals" : [
    "aes256-sha2_256-modp2048"
  ],
  "vip" : "0.0.0.0",
  "run_logon_script" : true,
  "auto_connect" : {
    "required" : false,
    "enabled" : false
  },
  "version" : 1,
  "remote_auth" : {
    "otp" : false,
    "psk" : {
      "id" : "0.0.0.0",
      "secret" : "PSK"
    }
  },
  "domain_suffix" : "company.local",
  "rekey_time" : 15300,
  "gateway" : "PUBLIC-IP-ADDRESS",
  "name" : "IPSec_VPN",
  "dpd_delay" : "60 ",
  "history" : {
    "connect_time" : 0,
    "connect_result" : 0
  }
}
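The charon log above tells the whole story once the IKE lines are read together: one Main Mode request is sent to the gateway on UDP/500, retransmitted twice, and no packet ever comes back, which is what "giving up after 2 retransmits" and "peer not responding" mean. The following is an added example (not from the original post, Sophos or strongSwan) that parses a constructed copy of those log lines, pairs each `sending packet` / `received packet` / `retransmit` line with its IKE_SA, and turns the result into a one-line triage verdict. The sample log, the `IkeAttempt` class and the `triage`/`summarize` helpers are all assumptions of this example; the gateway stays the same PUBLIC-IP-ADDRESS placeholder as in the post. It also handles the successful case (an `established between` line) and a log that starts mid-exchange, which the post's excerpt does not show.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the charon log lines from the post,
# with the gateway kept as the PUBLIC-IP-ADDRESS placeholder.
SAMPLE_LOG = """\
2021-09-28 07:20:41PM 04[IKE] <HRY_NYC_IPSec_VPN|1> initiating Main Mode IKE_SA HRY_NYC_IPSec_VPN[1] to PUBLIC-IP-ADDRESS
2021-09-28 07:20:41PM 04[ENC] <HRY_NYC_IPSec_VPN|1> generating ID_PROT request 0 [ SA V V V V V ]
2021-09-28 07:20:41PM 04[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:20:44PM 08[IKE] <HRY_NYC_IPSec_VPN|1> sending retransmit 1 of request message ID 0, seq 1
2021-09-28 07:20:44PM 08[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:20:50PM 09[IKE] <HRY_NYC_IPSec_VPN|1> sending retransmit 2 of request message ID 0, seq 1
2021-09-28 07:20:50PM 09[NET] <HRY_NYC_IPSec_VPN|1> sending packet: from 10.20.48.210[64536] to PUBLIC-IP-ADDRESS[500] (180 bytes)
2021-09-28 07:21:02PM 15[IKE] <HRY_NYC_IPSec_VPN|1> giving up after 2 retransmits
2021-09-28 07:21:02PM 15[IKE] <HRY_NYC_IPSec_VPN|1> establishing IKE_SA failed, peer not responding
"""

# Generic charon line: timestamp, worker thread, subsystem, optional <conn|sa> tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[AP]M) "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)
INIT_RE = re.compile(r"initiating (?P<mode>.+?) IKE_SA \S+ to (?P<peer>\S+)")
SEND_RE = re.compile(r"sending packet: from (?P<src>\S+\[\d+\]) to (?P<dst>\S+)\[(?P<dport>\d+)\]")
RECV_RE = re.compile(r"received packet: from (?P<src>\S+)\[(?P<sport>\d+)\]")
RETRANS_RE = re.compile(r"sending retransmit (?P<n>\d+) of request")
GIVEUP_RE = re.compile(r"giving up after (?P<n>\d+) retransmits")
FAIL_RE = re.compile(r"establishing IKE_SA failed, (?P<why>.+)")
ESTAB_RE = re.compile(r"IKE_SA \S+ established between")


@dataclass
class IkeAttempt:
    """Everything the log says about one IKE_SA negotiation (hypothetical helper)."""
    conn: str
    sa: str
    mode: str = ""
    peer: str = ""
    peer_port: int = 0
    local: str = ""
    sends: int = 0
    retransmits: int = 0
    replies: int = 0
    first_send: str = ""
    last_event: str = ""
    outcome: str = "in progress"

    def verdict(self) -> str:
        where = f"{self.peer}:{self.peer_port}" if self.peer_port else self.peer
        if self.outcome == "established":
            return f"{self.conn}[{self.sa}]: IKE_SA established with {where} ({self.replies} replies seen)."
        if self.replies == 0 and self.outcome != "in progress":
            return (f"{self.conn}[{self.sa}]: {self.mode or 'IKE'} request to {where} sent "
                    f"{self.sends} times ({self.retransmits} retransmits) from {self.local}, "
                    f"{self.first_send} to {self.last_event}, no reply: {self.outcome}. "
                    "Nothing came back from the gateway, so check the path first "
                    "(UDP/500 and UDP/4500 to the gateway's public address, and that the "
                    "gateway is listening on that interface) before the IKE proposals.")
        return f"{self.conn}[{self.sa}]: {self.outcome} ({self.replies} replies, {self.sends} sends)."


def triage(log_text: str) -> dict:
    """Group charon IKE lines by <conn|sa> and count sends, replies and retransmits."""
    attempts: dict = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("conn"):
            continue  # lines without an IKE_SA tag (CFG, KNL, ESP) carry no exchange state
        key = f"{m['conn']}|{m['sa']}"
        a = attempts.setdefault(key, IkeAttempt(m["conn"], m["sa"]))
        msg = m["msg"]
        a.last_event = m["ts"]
        if (x := INIT_RE.search(msg)):
            a.mode, a.peer = x["mode"], x["peer"]
        elif (x := SEND_RE.search(msg)):
            a.sends += 1
            a.local, a.peer, a.peer_port = x["src"], x["dst"], int(x["dport"])
            a.first_send = a.first_send or m["ts"]
        elif RECV_RE.search(msg):
            a.replies += 1
        elif (x := RETRANS_RE.search(msg)) or (x := GIVEUP_RE.search(msg)):
            a.retransmits = max(a.retransmits, int(x["n"]))
        elif (x := FAIL_RE.search(msg)):
            a.outcome = x["why"]
        elif ESTAB_RE.search(msg):
            a.outcome = "established"
    return attempts


def summarize(log_text: str) -> list:
    """One verdict line per IKE_SA, in log order."""
    return [a.verdict() for a in triage(log_text).values()]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a real `charon` log (the strongSwan client on Windows writes the same format) and the verdict separates "the gateway never answered" from "the gateway answered but the proposals or credentials were rejected"; only the second case is worth debugging in the `.scx` file.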


