XG FW and Cisco ASA ios 9.15 Site2Site VPN - grrrrr, can't make it work...

We're trying to create an example setup for other S2S tunnels here.

Sophos S2S setup looks like this:

The profile looks like this

The strongswan.log looks like this

2022-06-10 10:03:05Z 14[IKE] <CiscoTest_S2S-1|7854> sending DPD request
2022-06-10 10:03:05Z 14[ENC] <CiscoTest_S2S-1|7854> generating INFORMATIONAL request 50 [ ]
2022-06-10 10:03:05Z 14[NET] <CiscoTest_S2S-1|7854> sending packet: from 185.45.186.236[500] to 152.115.168.30[500] (96 bytes)
2022-06-10 10:03:05Z 15[NET] <CiscoTest_S2S-1|7854> received packet: from 152.115.168.30[500] to 185.45.186.236[500] (96 bytes)
2022-06-10 10:03:05Z 15[ENC] <CiscoTest_S2S-1|7854> parsed INFORMATIONAL response 50 [ ]
2022-06-10 10:03:27Z 26[IKE] <CiscoTest_S2S-1|7854> establishing CHILD_SA CiscoTest_S2S-1
2022-06-10 10:03:27Z 26[ENC] <CiscoTest_S2S-1|7854> generating CREATE_CHILD_SA request 51 [ SA No TSi TSr ]
2022-06-10 10:03:27Z 26[NET] <CiscoTest_S2S-1|7854> sending packet: from x.x.x.x[500] to y.y.y.y[500] (304 bytes)
2022-06-10 10:03:27Z 21[NET] <CiscoTest_S2S-1|7854> received packet: from x.x.x.x[500] to y.y.y.y[500] (96 bytes)
2022-06-10 10:03:27Z 21[ENC] <CiscoTest_S2S-1|7854> parsed CREATE_CHILD_SA response 51 [ N(NO_PROP) ]
2022-06-10 10:03:27Z 21[IKE] <CiscoTest_S2S-1|7854> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2022-06-10 10:03:27Z 21[DMN] <CiscoTest_S2S-1|7854> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2022-06-10 10:03:27Z 21[IKE] <CiscoTest_S2S-1|7854> creating CHILD_SA failed, trying again in 61 seconds

As far as we can see on the Cisco box, phase 1 completes but phase 2 does not. I don't know if that is what is shown here as well?
We've tried different combinations of encryption/authentication in phase 2, but can't make it work.

We read somewhere on the forum that the Diffie-Hellman group has to be none in phase 2, which I really don't like, but that didn't help.

Has anybody got a working setup with proper encryption/authentication? We have previously set another S2S up with SHA1, but I really don't want to create a recommended setup here with that.
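The strongswan.log excerpt above is the whole diagnosis: IKE_SA 7854 is up (the DPD exchange succeeds), the CREATE_CHILD_SA request 51 is answered with N(NO_PROP), and charon prints the ESP proposals involved. Neither logged ESP proposal carries a MODP_/ECP_ group, so no PFS group was offered. The script below is an added example, not code from the post, from Sophos or from the strongSwan project: it parses charon lines of this shape, pulls the proposals out of the child_alert line, and then replays the IKEv2 responder's first-match selection against a peer configuration expressed in strongSwan's algorithm names. The two peer configurations at the bottom are constructed assumptions standing in for what the ASA side might be set to (AES-256/SHA-256 with PFS group 14, and the same without PFS); the post does not say which order the two proposal lists in the alert line are printed in, so the script treats both as proposals to test, and its DH rule (both sides must agree on having a group, and on which one) is a strict simplification.

```python
"""Triage strongSwan (charon) log lines for an IKEv2 CHILD_SA proposal mismatch.

Added example: not from the forum post, Sophos or strongSwan. SAMPLE_LOG is
constructed from the lines quoted in the post; PEER_* are assumed peer configs.
"""
import re
from dataclasses import dataclass

# Constructed sample: the charon lines from the post that matter for the CHILD_SA failure.
SAMPLE_LOG = """\
2022-06-10 10:03:27Z 26[IKE] <CiscoTest_S2S-1|7854> establishing CHILD_SA CiscoTest_S2S-1
2022-06-10 10:03:27Z 26[ENC] <CiscoTest_S2S-1|7854> generating CREATE_CHILD_SA request 51 [ SA No TSi TSr ]
2022-06-10 10:03:27Z 21[ENC] <CiscoTest_S2S-1|7854> parsed CREATE_CHILD_SA response 51 [ N(NO_PROP) ]
2022-06-10 10:03:27Z 21[IKE] <CiscoTest_S2S-1|7854> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2022-06-10 10:03:27Z 21[DMN] <CiscoTest_S2S-1|7854> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2022-06-10 10:03:27Z 21[IKE] <CiscoTest_S2S-1|7854> creating CHILD_SA failed, trying again in 61 seconds
"""

# "<timestamp> <thread>[<subsystem>] <conn|ike_sa_id> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \d+\[(?P<sub>\w+)\] <(?P<conn>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)$")
ALERT_RE = re.compile(r"proposals did not match: (?P<props>.+)$")
RETRY_RE = re.compile(r"trying again in (?P<s>\d+) seconds")

# strongSwan transform names, grouped by IKEv2 transform type. Checked in this order
# because AES_XCBC_96 is an integrity algorithm despite the AES_ prefix.
INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC")
ENC_PREFIXES = ("AES_CBC", "AES_CTR", "AES_GCM", "AES_CCM", "CHACHA20", "3DES", "CAMELLIA", "NULL")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


@dataclass(frozen=True)
class Proposal:
    protocol: str          # "ESP" or "AH"
    encryption: tuple      # in offered order
    integrity: tuple
    dh: tuple              # empty tuple == no PFS group offered
    extras: tuple          # e.g. NO_EXT_SEQ (extended sequence numbers off)


def parse_proposal(text: str) -> Proposal:
    """Parse one proposal in charon's notation, e.g. 'ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ'."""
    proto, _, rest = text.strip().partition(":")
    enc, integ, dh, extra = [], [], [], []
    for t in rest.split("/"):
        if t.startswith(INTEG_PREFIXES):
            integ.append(t)
        elif t.startswith(ENC_PREFIXES):
            enc.append(t)
        elif t.startswith(DH_PREFIXES):
            dh.append(t)
        else:
            extra.append(t)
    return Proposal(proto, tuple(enc), tuple(integ), tuple(dh), tuple(extra))


def child_sa_failures(log_text: str) -> list:
    """One record per NO_PROPOSAL_CHOSEN on a CREATE_CHILD_SA, with the proposals charon logged for it."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "received NO_PROPOSAL_CHOSEN notify" in msg:
            failures.append({"ts": m["ts"], "conn": m["conn"], "ike_sa": int(m["id"]),
                             "proposals": [], "retry_s": None})
        elif failures and failures[-1]["conn"] == m["conn"]:
            if (a := ALERT_RE.search(msg)):
                failures[-1]["proposals"] = [parse_proposal(p) for p in a["props"].split(",")]
            elif (r := RETRY_RE.search(msg)):
                failures[-1]["retry_s"] = int(r["s"])
    return failures


def select(initiator: list, responder: Proposal):
    """Replay the responder's choice: the first initiator proposal sharing one transform of each type.

    Simplification (assumption): both sides must agree on whether a DH group is present and, if so,
    share one; vendor knobs that relax the PFS check are ignored. Returns (enc, integ, dh) or None.
    """
    for p in initiator:
        if p.protocol != responder.protocol:
            continue
        enc = next((e for e in p.encryption if e in responder.encryption), None)
        integ = next((i for i in p.integrity if i in responder.integrity), None)
        if enc is None or ((p.integrity or responder.integrity) and integ is None):
            continue
        if bool(p.dh) != bool(responder.dh):
            continue  # one side wants PFS, the other does not
        dh = next((g for g in p.dh if g in responder.dh), None) if p.dh else None
        if p.dh and dh is None:
            continue
        return (enc, integ, dh)
    return None


# Assumed peer configurations (constructed, not from the post), in strongSwan names.
PEER_PFS_GROUP14 = parse_proposal("ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ")
PEER_NO_PFS = parse_proposal("ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ")


if __name__ == "__main__":
    for f in child_sa_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['conn']} IKE_SA {f['ike_sa']}: NO_PROPOSAL_CHOSEN, retry in {f['retry_s']}s")
        for p in f["proposals"]:
            print("  offered:", p, "(no PFS group offered)" if not p.dh else "")
        for name, peer in (("peer with PFS group 14", PEER_PFS_GROUP14), ("peer without PFS", PEER_NO_PFS)):
            print(f"  vs {name}: {select(f['proposals'], peer) or 'no match'}")
```

Run against the real strongswan.log with `child_sa_failures(open(path).read())` and swap the PEER_* constants for what the other gateway is actually configured with; if the replay finds a match but the live tunnel still gets NO_PROPOSAL_CHOSEN, the responder is rejecting on something the proposal list does not show (selectors, lifetimes, or a vendor-specific check), not on the cipher suite.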


