IPSec Site to Site Preshared key - no such file or directory

Hi community,

I'm trying to set up a site-to-site IPSec connection with a preshared key between two XG 125. Both are running SFOS 18.5.2 MR-2-Build380.

I setup the connection according to https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNCreateSiteToSiteIPsecVPN/index.html#add-a-firewall-rule_1

I can activate the IPSec connection on both sides, but when trying to connect from the branch office I simply get the error message "IPsec connection could not be established."

Checking the logs I find this in strongswan.log:

2022-01-22 23:16:14Z 26[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: Wiesham_to_HQ count: 0
2022-01-22 23:16:30Z 09[CFG] rereading secrets
2022-01-22 23:16:30Z 09[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2022-01-22 23:16:30Z 09[CFG] get_nsg_context tblvpnconnection:ipsec
2022-01-22 23:16:30Z 09[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2022-01-22 23:16:30Z 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
expanding file pattern '/_conf/ipsec/connections/*.conf' failed: No such file or directory
2022-01-22 23:16:31Z 18[CFG] vici initiate 'Wiesham_to_HQ-1'

This suggests to me that there are missing config files. When are they created?

What do I have to do in order to fix this?

Any help would be highly appreciated!

Thanks,

Gernot
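As an added example (not code from the original post, from Sophos, or from strongSwan), the following Python script performs the kind of offline triage a firewall administrator would do on an excerpt like the one above: it parses strongswan.log lines, collects every "expanding file ... failed" event with its reason, and reports any connection that was initiated via VICI while the per-connection *.conf or *.secrets globs had failed to load. The sample log is constructed from the lines quoted in the post; the line format (timestamp, thread id, subsystem tag, message) and the prefix-less continuation line are assumptions based on that excerpt.

```python
import re

# Constructed sample, modelled on the strongswan.log excerpt quoted in the post.
SAMPLE_LOG = """\
2022-01-22 23:16:14Z 26[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: Wiesham_to_HQ count: 0
2022-01-22 23:16:30Z 09[CFG] rereading secrets
2022-01-22 23:16:30Z 09[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2022-01-22 23:16:30Z 09[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2022-01-22 23:16:30Z 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
expanding file pattern '/_conf/ipsec/connections/*.conf' failed: No such file or directory
2022-01-22 23:16:31Z 18[CFG] vici initiate 'Wiesham_to_HQ-1'
"""

# Assumed line layout: "<UTC timestamp> <thread>[<subsystem>] <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# Both wordings seen in the excerpt: "file expression ... failed" and
# "file pattern ... failed: <reason>".
EXPAND_FAIL_RE = re.compile(
    r"expanding file (?:expression|pattern) '(?P<glob>[^']+)' failed(?::\s*(?P<reason>.+))?"
)
INITIATE_RE = re.compile(r"vici initiate '(?P<conn>[^']+)'")


def parse_line(line):
    """Split one log line into timestamp, subsystem and message.

    Lines without the usual prefix (as in the excerpt) are kept with the
    whole text as the message so that their content is not lost.
    """
    m = LINE_RE.match(line)
    if m:
        return {"ts": m["ts"], "group": m["group"], "msg": m["msg"]}
    return {"ts": None, "group": None, "msg": line}


def triage(text):
    """Correlate config-load failures with connection initiations.

    Returns a dict with:
      failed_globs - list of (glob, reason) for every failed file expansion
      initiated    - connection names passed to 'vici initiate'
      findings     - human-readable problems worth checking before retrying
    """
    failed_globs = []
    initiated = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        fm = EXPAND_FAIL_RE.search(rec["msg"])
        if fm:
            failed_globs.append((fm["glob"], fm["reason"] or "unspecified"))
            continue
        im = INITIATE_RE.search(rec["msg"])
        if im:
            initiated.append(im["conn"])

    findings = []
    for conn in initiated:
        for glob, reason in failed_globs:
            if glob.endswith("*.conf"):
                findings.append(
                    f"'{conn}' was initiated but no connection definition "
                    f"matched '{glob}' ({reason})"
                )
            elif glob.endswith("*.secrets"):
                findings.append(
                    f"'{conn}' was initiated but no per-connection secrets "
                    f"matched '{glob}' ({reason})"
                )
    return {"failed_globs": failed_globs, "initiated": initiated, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for line in result["findings"] or ["no config-load problems found"]:
        print(line)
```

Run against the sample, the script reports that 'Wiesham_to_HQ-1' was initiated while both the *.conf and *.secrets globs under /_conf/ipsec/connections/ had failed to expand, which is the condition to clear up (on the firewall side, by getting the connection saved so its files are generated) before looking at reachability of UDP 500/4500 or the PSK itself.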



This thread was automatically locked due to age.
  • Try not to use * (Wildcard) for IPsec Site to Site connections. 

    Use a DDNS / Fixed IP as remote gateway. 

  • Hey guys,

    thanks a lot for your feedback. I followed your instructions.
    I created a new preshared key and made sure it is the same on both sides. Furthermore I followed the instructions step by step in the linked article.

    As far as I understand ports 500 and 4500 are open although I don't see any connection.

    I'm also using a fixed IP as remote gateway.

    However I'm still getting the same results.

    This is the output of tail -f /log/strongswan.log on the branch office side:

    Is it ok that there are *.conf files found?

    I don't see any hint that the XG is trying to establish a connection. To me it seems that it even stops before building the connection because of a missing configuration. Am I understanding this wrong?

    Thanks,

    Gernot
