Help with unidirectional Site-to-Site VPN

We have an XG 135 in the head office and XGS 116 in the branch. We would like to have a unidirectional link from branch to head office (i.e. branch can access servers in head office but head office cannot access branch).

This is a follow-on from an existing thread (community.sophos.com/.../site-to-site-vpn-with-xg-135-and-xgs-136) where I had an outstanding question, but I have moved on since then. Rather than using the wizard, I created the connections manually.

Today I created the connection at the head office in "VPN/IPsec connections", pointing to the gateway host address. I set the local subnet to that of the servers that we want to access from the branch. I felt that the remote subnet should be empty, because we don't want the head office to have access to the branch. However, it would not let me do this, so I selected our existing "IPsec VPN Client Hosts" as a test.

On the branch office I went into "VPN/IPsec connections" and added a new one. I ticked the "Create firewall rule" option and entered the remote gateway IP address. I don't understand the local and remote subnet in this context. I selected our existing "IPsec VPN Client Hosts" subnet for local and "Any" for remote. I saved the configuration and it successfully activated. This created a firewall rule with LAN and VPN as both source and destination zones. However, I got error "IPsec connection could not be established" when I tried to connect.

So this is closer than I have been but still not working. I need clarification about exactly which steps I need to take, first to get the connection to work and secondly to make sure it is a unidirectional connection.



  • It is actually simple:

    Use VTI (Tunnel interface). So migrate the tunnel to a VTI. Then create routing, as you wish. And do not create a firewall rule on both firewalls, or explicitly drop the traffic. 

  • Thanks, I have created a tunnel interface on both ends with the head office configured as the responder and branch as initiator. This is all that I have done so far, no firewall rules yet.

    Both ends successfully activate but I still get the "IPsec connection could not be established" error when I try to connect at either end.

    I tried to follow the steps in this video: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/118661/sophos-xg-firewall-v18-route-based-vpn

    However, I do not see an xfrm1 tunnel interface - this was automatically created in the video. So I am not sure how to proceed.

  • Can you share screenshots of your config? 

  • Yes, here are the head office settings from "VPN/IPsec connections":

    [screenshots: Head Office 1, Head Office 2, Head Office 3]

    Here are the equivalent branch office settings:

    [screenshots: Branch Office 1, Branch Office 2, Branch Office 3]

    This is the connection status at either end:

    [screenshot: Connection Status]

  • Would recommend logging in to the CLI and checking the VPN logs in strongswan.log to see if you find the issue there.

    See: https://support.sophos.com/support/s/article/KB-000038566?language=en_US

  • Thanks, here are the logs from the head office when I try to activate the connection from the branch office:

    2021-11-01 07:58:20 22[NET] <8021> received packet: from *.*.*.*[500] to *.*.*.*[500] (1482 bytes)
    2021-11-01 07:58:20 22[ENC] <8021> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2021-11-01 07:58:20 22[IKE] <8021> no IKE config found for *.*.*.*...*.*.*.*, sending NO_PROPOSAL_CHOSEN
    2021-11-01 07:58:20 22[ENC] <8021> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    2021-11-01 07:58:20 22[NET] <8021> sending packet: from *.*.*.*[500] to *.*.*.*[500] (36 bytes)

    I have verified that the settings on either end match with both using IKEv2 and the same preshared key.

  • I had another look at this and got a different log message. I suspect I didn't activate the connection on the head office for the above log so it can be ignored. Here is the latest log (where h.h.h.h is the head office and b.b.b.b is the branch) after both ends have been activated and the branch initiates the connection:

    2021-11-03 06:57:38 12[ENC] <8188> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    2021-11-03 06:57:38 12[NET] <8188> sending packet: from h.h.h.h[4500] to b.b.b.b[4500] (96 bytes)
    2021-11-03 06:57:38 11[NET] <8189> received packet: from b.b.b.b[500] to h.h.h.h[500] (1482 bytes)
    2021-11-03 06:57:38 11[ENC] <8189> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2021-11-03 06:57:38 11[IKE] <8189> b.b.b.b is initiating an IKE_SA
    2021-11-03 06:57:38 11[IKE] <8189> remote host is behind NAT
    2021-11-03 06:57:38 11[ENC] <8189> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2021-11-03 06:57:38 11[NET] <8189> sending packet: from h.h.h.h[500] to b.b.b.b[500] (242 bytes)
    2021-11-03 06:57:38 25[IKE] <IPsec_VPN-1|8173> sending DPD request
    2021-11-03 06:57:38 25[ENC] <IPsec_VPN-1|8173> generating INFORMATIONAL_V1 request 2252369749 [ HASH N(DPD) ]
    2021-11-03 06:57:38 25[NET] <IPsec_VPN-1|8173> sending packet: from h.h.h.h[4500] to 51.6.24.40[57126] (108 bytes)
    2021-11-03 06:57:38 13[NET] <8189> received packet: from b.b.b.b[4500] to h.h.h.h[4500] (464 bytes)
    2021-11-03 06:57:38 13[ENC] <8189> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2021-11-03 06:57:38 13[CFG] <8189> looking for peer configs matching h.h.h.h[h.h.h.h]...b.b.b.b[*.*.*.*]
    2021-11-03 06:57:38 13[CFG] <8189> no matching peer config found
    2021-11-03 06:57:38 13[DMN] <8189> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
    2021-11-03 06:57:38 13[ENC] <8189> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    Let me know if you have any ideas.

  • Looks like the PSK is not correct. Try RSA Key.

  • Thanks, I just tried RSA and get a slightly different log:

    2021-11-03 09:27:57 09[ENC] <8234> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    2021-11-03 09:27:57 09[NET] <8234> sending packet: from h.h.h.h[4500] to b.b.b.b[4500] (96 bytes)
    2021-11-03 09:27:57 19[NET] <8235> received packet: from b.b.b.b[500] to h.h.h.h[500] (1482 bytes)
    2021-11-03 09:27:57 19[ENC] <8235> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2021-11-03 09:27:57 19[IKE] <8235> b.b.b.b is initiating an IKE_SA
    2021-11-03 09:27:57 19[IKE] <8235> remote host is behind NAT
    2021-11-03 09:27:57 19[IKE] <8235> sending cert request for "C=*, ST=*, L=*, O=*, OU=*, CN=*, E=*"
    2021-11-03 09:27:57 19[ENC] <8235> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2021-11-03 09:27:57 19[NET] <8235> sending packet: from h.h.h.h[500] to b.b.b.b[500] (267 bytes)
    2021-11-03 09:27:57 11[NET] <8235> received packet: from b.b.b.b[4500] to h.h.h.h[4500] (960 bytes)
    2021-11-03 09:27:57 11[ENC] <8235> parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2021-11-03 09:27:57 11[IKE] <8235> received 1 cert requests for an unknown ca
    2021-11-03 09:27:57 11[CFG] <8235> looking for peer configs matching h.h.h.h[h.h.h.h]...b.b.b.b[*.*.*.*]
    2021-11-03 09:27:57 11[CFG] <8235> no matching peer config found
    2021-11-03 09:27:57 11[DMN] <8235> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
    2021-11-03 09:27:57 11[ENC] <8235> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    However, I think the ultimate failure is the same: "no matching peer config found"

  • Config selection is done based on the IP of the remote gateway. So check that both remote gateways are the correct IP/DNS.
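The charon lines quoted in this thread fail at two different points, and that distinction is what the last reply is getting at: `no IKE config found for A...B, sending NO_PROPOSAL_CHOSEN` is a rejection in IKE_SA_INIT, where strongSwan only has the two gateway addresses to match a connection on, whereas `looking for peer configs matching A[IDA]...B[IDB]` followed by `no matching peer config found` is a rejection in IKE_AUTH, where the addresses already matched a connection but the identities (IDi/IDr) and authentication method did not. The following Python is an added example for triaging such logs; it is not code from the thread or from Sophos. It groups lines by IKE_SA id (the quoted log interleaves SAs 8188 and 8189 with DPD traffic from an existing IKEv1 tunnel), extracts the addresses and IDs the responder tried to match, and flags the common case where a NATed peer presents an ID that differs from its public address. The sample log text is constructed in the shape of the thread's lines, using documentation addresses in place of the real hosts, and the NAT/ID finding is a heuristic, not a claim about the poster's configuration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<timestamp> <thread>[<group>] <sa-id> <message>" as written by charon.
LINE_RE = re.compile(r"^\S+ \S+ \d+\[\w+\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
# IKE_SA_INIT rejection: "no IKE config found for <local>...<remote>, sending NO_PROPOSAL_CHOSEN"
NO_IKE_CFG_RE = re.compile(r"no IKE config found for (?P<lip>.+?)\.\.\.(?P<rip>[^,\s]+)")
# IKE_AUTH lookup: "looking for peer configs matching <lip>[<lid>]...<rip>[<rid>]"
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching (?P<lip>[^\[]+)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<rip>[^\[]+)\[(?P<rid>[^\]]*)\]"
)


@dataclass
class Diagnosis:
    sa: str
    stage: Optional[str] = None      # exchange in which the responder rejected the peer
    local_ip: Optional[str] = None
    local_id: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_id: Optional[str] = None
    remote_behind_nat: bool = False
    findings: List[str] = field(default_factory=list)


def triage(log_text: str) -> Dict[str, Diagnosis]:
    """Return one Diagnosis per IKE_SA id seen in the log, in first-seen order."""
    result: Dict[str, Diagnosis] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # not a charon line
        sa, msg = m.group("sa"), m.group("msg")
        d = result.setdefault(sa, Diagnosis(sa=sa))

        if "remote host is behind NAT" in msg:
            d.remote_behind_nat = True

        cfg = NO_IKE_CFG_RE.search(msg)
        if cfg:                                        # rejected on addresses alone
            d.stage = "IKE_SA_INIT"
            d.local_ip, d.remote_ip = cfg.group("lip"), cfg.group("rip")
            d.findings.append(
                f"no connection for local {d.local_ip} / remote {d.remote_ip}: the "
                "connection is not active on this side, or its remote gateway address "
                "does not match the address the peer is sending from"
            )

        look = PEER_LOOKUP_RE.search(msg)
        if look:                                       # addresses matched, now IDs
            d.local_ip, d.local_id = look.group("lip"), look.group("lid")
            d.remote_ip, d.remote_id = look.group("rip"), look.group("rid")

        if "no matching peer config found" in msg:
            d.stage = "IKE_AUTH"
            d.findings.append(
                f"no connection accepts local ID '{d.local_id}' with remote ID "
                f"'{d.remote_id}': compare the local/remote ID fields and the "
                "authentication method on both ends"
            )
            # Heuristic: a NATed peer often sends its private address as IDi.
            if d.remote_behind_nat and d.remote_id and d.remote_id != d.remote_ip:
                d.findings.append(
                    f"peer is NATed and identifies as '{d.remote_id}', not its public "
                    f"address {d.remote_ip}: set this side's remote ID to that value, "
                    "or make the peer send its public address as its local ID"
                )

        if "cert requests for an unknown ca" in msg:
            d.findings.append("peer trusts a CA this side does not know")
    return result


def failures(log_text: str) -> List[Diagnosis]:
    """Only the SAs the responder rejected, in log order."""
    return [d for d in triage(log_text).values() if d.stage is not None]


# Constructed samples shaped like the thread's lines; addresses are documentation ranges.
SAMPLE_INIT_REJECT = """\
2021-11-01 07:58:20 22[IKE] <8021> no IKE config found for 203.0.113.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN
2021-11-01 07:58:20 22[ENC] <8021> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""
SAMPLE_AUTH_REJECT = """\
2021-11-03 06:57:38 25[NET] <IPsec_VPN-1|8173> sending packet: from 203.0.113.10[4500] to 192.0.2.5[57126] (108 bytes)
2021-11-03 06:57:38 11[IKE] <8189> 198.51.100.20 is initiating an IKE_SA
2021-11-03 06:57:38 11[IKE] <8189> remote host is behind NAT
2021-11-03 06:57:38 13[CFG] <8189> looking for peer configs matching 203.0.113.10[203.0.113.10]...198.51.100.20[10.10.10.1]
2021-11-03 06:57:38 13[CFG] <8189> no matching peer config found
2021-11-03 06:57:38 13[ENC] <8189> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for d in failures(SAMPLE_INIT_REJECT + SAMPLE_AUTH_REJECT):
        print(d.sa, d.stage, *d.findings, sep="\n  ")
```

On a Sophos box the input would be the relevant window of strongswan.log from the responder (the KB article linked above shows where to find it); run the script on the head office side while the branch initiates, and look at the last entry of `failures()` rather than the first, since stale SAs from earlier attempts appear before the one you just triggered.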