  • Updated from 18.5 MR1 to MR2 and IPSec VPN stopped working for NCP IPSec VPN clients with previously working config.

    I'm using IPSec connections (not Remote Access) with ConnType = Remote Access (legacy) and PSK.

    Phase 1 connects just fine, phase 2 is cancelling due to "INVALID_ID_INFORMATION : 18" (NCP log).

    This is the excerpt from /log/charon.log. (VPN name and IPs redacted for privacy)

    2022-02-03 22:18:03Z 22[NET] <CLIENT_VPN-1|64> received packet: from 93.104.xx.xx[10954] to 80.154.xx.xx[4500] (604 bytes)
    2022-02-03 22:18:03Z 22[ENC] <CLIENT_VPN-1|64> parsed QUICK_MODE request 3455262986 [ HASH SA No KE ID ID ]
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> ### process_request invoking quick_mode_create
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> ### quick_mode_create: 0x7efc98003780 config (nil)
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> ### process_r: 0x7efc98003780 QM_INIT
    2022-02-03 22:18:03Z 22[CFG] <CLIENT_VPN-1|64> looking for a child config for 192.168.1.0/24 === 192.168.254.2/32
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> trying other candidates from phase 1
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> no matching CHILD_SA config found
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> queueing INFORMATIONAL task, already 0 tasks queued
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> flush_queue(IKE_NATD)
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> ### destroy: 0x7efc98003780
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> activating new tasks
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64>   activating INFORMATIONAL task
    2022-02-03 22:18:03Z 22[ENC] <CLIENT_VPN-1|64> generating INFORMATIONAL_V1 request 866459256 [ HASH N(INVAL_ID) ]
    2022-02-03 22:18:03Z 22[NET] <CLIENT_VPN-1|64> sending packet: from 80.154.xx.xx[4500] to 93.104.xx.xx[10954] (92 bytes)
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> activating new tasks
    2022-02-03 22:18:03Z 04[NET] sending packet: from 80.154.xx.xx[4500] to 93.104.xx.xx[10954]
    2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> nothing to initiate

    Any advice would be helpful. Thanks!
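
Added example, not part of the original post and not Sophos or strongSwan code: a small Python parser that pairs each `looking for a child config` line in charon.log with the `no matching CHILD_SA config found` and `N(INVAL_ID)` lines for the same connection, so the rejected phase 2 selectors can be compared with the subnets configured on the firewall. The sample log is constructed from lines quoted in the post; the function and field names are assumptions.

```python
import re

# Constructed sample in the charon.log format quoted in the post.
SAMPLE = """\
2022-02-03 22:18:03Z 22[ENC] <CLIENT_VPN-1|64> parsed QUICK_MODE request 3455262986 [ HASH SA No KE ID ID ]
2022-02-03 22:18:03Z 22[CFG] <CLIENT_VPN-1|64> looking for a child config for 192.168.1.0/24 === 192.168.254.2/32
2022-02-03 22:18:03Z 22[IKE] <CLIENT_VPN-1|64> no matching CHILD_SA config found
2022-02-03 22:18:03Z 22[ENC] <CLIENT_VPN-1|64> generating INFORMATIONAL_V1 request 866459256 [ HASH N(INVAL_ID) ]
2022-02-03 22:18:03Z 04[NET] sending packet: from 80.154.xx.xx[4500] to 93.104.xx.xx[10954]
2022-02-03 22:19:10Z 07[CFG] <CLIENT_VPN-2|65> looking for a child config for 10.0.0.0/24 === 10.9.9.9/32
2022-02-03 22:19:10Z 07[IKE] <CLIENT_VPN-2|65> activating new tasks
"""

# timestamp, thread[group], <connection|IKE SA id>, message
LINE = re.compile(r"^(\S+ \S+) \d+\[(\w+)\] <([^|>]+)\|(\d+)> (.*)$")
LOOKUP = re.compile(r"looking for a child config for (\S+) === (\S+)")

def rejected_selectors(log_text):
    """Return one record per failed quick mode child-config lookup."""
    pending = {}   # (conn, sa) -> selectors from the most recent lookup line
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a <conn|id> tag cannot be correlated
        ts, _group, conn, sa, msg = m.groups()
        key = (conn, sa)
        look = LOOKUP.search(msg)
        if look:
            pending[key] = look.groups()
        elif "no matching CHILD_SA config found" in msg:
            # ts_left/ts_right are the two sides of "===" exactly as logged
            left, right = pending.pop(key, (None, None))
            failures.append({"time": ts, "conn": conn, "sa": sa,
                             "ts_left": left, "ts_right": right,
                             "notified": False})
        elif "N(INVAL_ID)" in msg:
            # mark the latest failure on this SA as answered with INVAL_ID
            for f in reversed(failures):
                if (f["conn"], f["sa"]) == key:
                    f["notified"] = True
                    break
    return failures

if __name__ == "__main__":
    for f in rejected_selectors(SAMPLE):
        print(f"{f['time']} {f['conn']}|{f['sa']}: no child config for "
              f"{f['ts_left']} === {f['ts_right']} (INVAL_ID sent: {f['notified']})")
```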
