[Solved] IPsec S2S with FritzBox

Hi. I'm trying to establish a connection between Sophos XG and a FritzBox 7360, but I'm facing issues.

Did anyone manage to make it work? Here are some details:

CONFIG ON FRITZBOX:

vpncfg {
    connections {
        {
            enabled = yes;
            editable = yes;
            conn_type = conntype_lan;
            name = "212.xx.xx.xx";
            boxuser_id = 0;
            always_renew = no;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = 212.xx.xx.xx;
            remote_virtualip = 0.0.0.0;
            keepalive_ip = 192.168.179.2;
            localid {
                fqdn = "This was some encoded thing";
            }
            remoteid {
                ipaddr = 212.xx.xx.xx;
            }
            mode = phase1_mode_aggressive;
            phase1ss = "all/all/all";
            keytype = connkeytype_pre_shared;
            key = "MY_PSK";
            cert_do_server_auth = no;
            use_nat_t = yes;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = 192.168.178.0;
                    mask = 255.255.255.0;
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 192.168.179.1;
                    mask = 255.255.255.0;
                }
            }
            phase2ss = "esp-all-all/ah-none/comp-all/pfs";
            accesslist = "permit ip any 192.168.179.1 255.255.255.0";
            app_id = 0;
        }
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Errors from the log on Sophos:

Couldn't parse IKE header from XXX.XXX.XXX.XXX[55443]. Check the debug logs.

FritzBox_IPsecS2S - Remote gateway didn't respond to the initial message 0. Check if the remote gateway is reachable. (Remote: XX.XX.XX.XX)

FritzBox_IPsecS2S_Egid-1 - IKE message (AC004800) retransmission to XX.XX.XX.XX timed out. Check if the remote gateway is reachable. (Remote: XX.XX.XX.XX

Below is what I have chosen on the FritzBox (type of VPN):

SOPHOS SIDE:
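The vpncfg export above, as an added example that is not part of the original post: a small parser for the FritzBox vpncfg text format and an audit of the settings it shows. The sample is the posted configuration trimmed to the keys the audit reads, with the redaction placeholders kept and the closing braces the forum copy dropped restored; the checks (aggressive mode with a pre-shared key, a wildcard phase 1 suite, a short key, a phase 2 selector with host bits set) are the editor's, not AVM's or Sophos's.

```python
import ipaddress
import re

# Constructed sample: the vpncfg export quoted in the post, trimmed to the
# keys the audit looks at, redaction placeholders kept, closing braces restored.
SAMPLE_VPNCFG = """
vpncfg {
    connections {
        {
            name = "212.xx.xx.xx";
            remoteip = 212.xx.xx.xx;
            localid { fqdn = "This was some encoded thing"; }
            remoteid { ipaddr = 212.xx.xx.xx; }
            mode = phase1_mode_aggressive;
            phase1ss = "all/all/all";
            keytype = connkeytype_pre_shared;
            key = "MY_PSK";
            phase2localid { ipnet { ipaddr = 192.168.178.0; mask = 255.255.255.0; } }
            phase2remoteid { ipnet { ipaddr = 192.168.179.1; mask = 255.255.255.0; } }
            phase2ss = "esp-all-all/ah-none/comp-all/pfs";
            accesslist = "permit ip any 192.168.179.1 255.255.255.0";
        }
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

# Tokens: a quoted string, one of the structural characters, or a bare word/value.
_TOKEN_RE = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+')


def parse_vpncfg(text):
    """Parse FritzBox vpncfg text into nested dicts.

    Named blocks become dict keys, `key = v1, v2;` becomes a string or a list of
    strings, and anonymous `{ ... }` blocks (the entries under `connections`)
    are collected under the '_items' key of their parent.
    """
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def parse_block():
        nonlocal pos
        node, items = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":                       # anonymous child block
                items.append(parse_block())
                continue
            if tokens[pos] == "{":               # named child block
                pos += 1
                node[tok] = parse_block()
            elif tokens[pos] == "=":             # key = value[, value...];
                pos += 1
                values = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1                         # consume ';'
                node[tok] = values[0] if len(values) == 1 else values
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {tok!r}")
        if items:
            node["_items"] = items
        return node

    return parse_block()


def selector_network(ipnet):
    """The network an `ipnet { ipaddr; mask }` selector actually covers."""
    return ipaddress.IPv4Network(f"{ipnet['ipaddr']}/{ipnet['mask']}", strict=False)


def audit_connection(conn):
    """Return human-readable findings for one connection entry (editor's checks)."""
    findings = []
    if conn.get("mode") == "phase1_mode_aggressive" and conn.get("keytype") == "connkeytype_pre_shared":
        # IKEv1 aggressive mode transmits the PSK-derived hash before anything is
        # encrypted, so a passive observer can run an offline dictionary attack.
        findings.append("aggressive mode with a pre-shared key: the PSK hash is sent unencrypted "
                        "and is crackable offline; prefer main mode (or IKEv2) and a long random PSK")
    if conn.get("phase1ss") == "all/all/all":
        findings.append("phase1ss = all/all/all leaves cipher, hash and DH group to the peer; pin the suite you expect")
    if len(conn.get("key", "")) < 20:
        findings.append(f"PSK is only {len(conn.get('key', ''))} characters; use a long random secret")
    for side in ("phase2localid", "phase2remoteid"):
        ipnet = conn.get(side, {}).get("ipnet")
        if ipnet:
            net = selector_network(ipnet)
            if str(net.network_address) != ipnet["ipaddr"]:
                findings.append(f"{side} {ipnet['ipaddr']}/{ipnet['mask']} has host bits set; "
                                f"the traffic selector should be the network address {net.with_prefixlen}")
    return findings


if __name__ == "__main__":
    cfg = parse_vpncfg(SAMPLE_VPNCFG)
    for conn in cfg["vpncfg"]["connections"]["_items"]:
        print(f"connection {conn['name']}:")
        for finding in audit_connection(conn):
            print("  -", finding)
```

The selector finding is the one to act on first when traffic fails after the tunnel is up: 192.168.179.1/255.255.255.0 names a host, while the remote peer will only match a selector that is the network, 192.168.179.0/24. The aggressive-mode finding is the security point: with a pre-shared key, anyone on the path between the two gateways can capture enough of the exchange to brute-force the PSK offline, so if main mode is not an option the key has to be long and random.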



  • From the logs on XG, it seems that the UDP 500 traffic isn't reaching the FritzBox. Is there any packet capture utility on the FritzBox to see the UDP 500 traffic?

    Also, does the FritzBox have a publicly reachable IP? Make sure that it's not coming through a CG-NAT on the ISP end.

  • Well, the FritzBox is in a different country (Germany); my XG is in Poland. I'm sure that my device isn't behind any CG-NAT or similar, but the FritzBox? I'm not sure. In the GUI of the FritzBox I can see that it's getting a public IP, but is that enough? On the FritzBox I have configured an IPsec profile which allows me to connect to this device, so I can reach it from my country.

    LOGS FROM SOPHOS:

    2021-12-29 12:59:16Z 19[IKE] <FritzBox_IPsecS2S_-1|5317> ### quick_mode_create: 0x7f8808001850 config 0x7f8844002650
    2021-12-29 12:59:16Z 19[IKE] <FritzBox_IPsecS2S_-1|5317> initiating Main Mode IKE_SA FritzBox_IPsecS2S_Egid-1[5317] to 93.XX.XX.XX
    2021-12-29 12:59:16Z 19[ENC] <FritzBox_IPsecS2S_-1|5317> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-12-29 12:59:16Z 19[NET] <FritzBox_IPsecS2S_-1|5317> sending packet: from 212.XX.XX.XX[500] to 93.XX.XX.XX[500] (260 bytes)
    2021-12-29 12:59:16Z 06[NET] <FritzBox_IPsecS2S_1|5317> received packet: from 93.XX.XX.XX[500] to 212.XX.XX.XX[500] (56 bytes)
    2021-12-29 12:59:16Z 06[ENC] <FritzBox_IPsecS2S_-1|5317> parsed INFORMATIONAL_V1 request 1070551924 [ N(NO_PROP) ]
    2021-12-29 12:59:16Z 06[IKE] <FritzBox_IPsecS2S_-1|5317> informational: received NO_PROPOSAL_CHOSEN error notify
    2021-12-29 12:59:16Z 06[IKE] <FritzBox_IPsecS2S_-1|5317> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
    2021-12-29 12:59:16Z 06[IKE] <FritzBox_IPsecS2S_-1|5317> ### destroy: 0x7f8808001850
    2021-12-29 12:59:16Z 06[IKE] <FritzBox_IPsecS2S_-1|5317> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec
    2021-12-29 13:00:16Z 16[MGR] <FritzBox_IPsecS2S_-1|5318> Initiating CHILD_SA with configuration FritzBox_IPsecS2S_Eg

    It seems that there is some problem with the proposal, but I couldn't find any info about what SA the FritzBox is using or is capable of ;)


    It seems like the ports for IPsec are open.

    I have also found information in the logs that looks like XG can't read the secrets?

    2021-12-29 13:18:27Z 06[CFG] received stroke: delete connection 'FritzBox_IPsecS2S_-1'
    2021-12-29 13:18:27Z 06[CFG] deleted connection 'FritzBox_IPsecS2S_-1'
    2021-12-29 13:18:27Z 31[CFG] vici terminate IKE_SA #5328
    2021-12-29 13:18:27Z 29[IKE] <FritzBox_IPsecS2S_-1|5328> destroying IKE_SA in state CONNECTING without notification
    2021-12-29 13:18:27Z 15[CFG] rereading secrets
    2021-12-29 13:18:27Z 15[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2021-12-29 13:18:27Z 15[CFG] get_nsg_context tblvpnconnection:ipsec
    2021-12-29 13:18:27Z 15[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
    2021-12-29 13:18:27Z 14[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-12-29 13:18:31Z 15[CFG] rereading secrets
    2021-12-29 13:18:31Z 15[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2021-12-29 13:18:31Z 15[CFG] get_nsg_context tblvpnconnection:ipsec
    2021-12-29 13:18:31Z 15[CFG] loading secrets from '/_conf/ipsec/connections/FritzBox_IPsecS2S_.secrets'
    2021-12-29 13:18:31Z 15[CFG] get_nsg_context tblvpnconnection:FritzBox_IPsecS2S_
    2021-12-29 13:18:31Z 15[CFG] NSGENC decrypt timetaken 0.000446 seconds
    2021-12-29 13:18:31Z 15[CFG] loaded IKE secret for 212.xx.xx.xx DDNS.ddns.net
    2021-12-29 13:18:31Z 15[CFG] NSGENC decrypt timetaken 0.000349 seconds
    2021-12-29 13:18:31Z 15[CFG] loaded IKE secret for DDNS.synology.me DDNS.ddns.net
    2021-12-29 13:18:31Z 14[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-12-29 13:18:31Z 27[CFG] received stroke: add connection 'FritzBox_IPsecS2S_-1'
    2021-12-29 13:18:31Z 27[CFG] added configuration 'FritzBox_IPsecS2S_-1'

    EDIT:

    I did manage to make it work, but from my side (Poland) I can't ping (Germany) - I'm trying to reach 192.168.178.1 and no luck. I assume that I must configure routing, but I don't understand how it's done on Sophos, whereas on Fortigate it's very logical. In static routing I can't see an interface which belongs to the IPsec connection. FW rules are set in both directions. This is how it's done on FGT:

    As you can see, I can choose which interface is responsible for a specific connection. Maybe Sophos does it automatically?

    On the FritzBox device I can also set up IPv4 routing, but access to this device is remote, so I don't want to mess it up. Can you just confirm that I'm thinking correctly?

    192.168.2.0 - Network on Sophos side
    192.168.178.1 - GW of FritzBox
