Policy Route

Hi there,

Can someone please tell me where I can find the equivalent of Zyxel's Policy Route?



This thread was automatically locked due to age.
  • Can you enable the strongswan service in debug with the following command:
    On the CLI, select option 5. Device Management, then option 3. Advanced Shell

    #service strongswan:debug -ds nosync

    And then collect the debug logs with the following command, [re-establish the tunnel by toggling off and on]

    #tail -f /log/strongswan.log 

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thank you for your help

    XG115_XN03_SFOS 19.0.1 MR-1-Build365# debug -ds nosync
    /bin/sh: debug: not found
    XG115_XN03_SFOS 19.0.1 MR-1-Build365# tail -f /log/strongswan.log
    2023-01-13 08:34:39Z 14[CFG]   loaded IKE secret for 195.162.165.58 %any
    2023-01-13 08:34:39Z 08[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2023-01-13 08:34:44Z 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:34:44Z 05[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:34:45Z 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:34:47Z 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:34:51Z 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:34:59Z 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:35:15Z 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
    2023-01-13 08:35:45Z 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.

  • You executed the wrong command for debug; use the complete command after the #.

    Anyway, in the normal logs we can see that we are receiving an invalid SPI [Security Parameter Index]; please get it checked against the remote site's logs once...

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services
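A way to summarise the invalid-SPI alerts from a log pasted like the one above, added here as an example and not posted by anyone in the thread: the function names, the sample log and its SPI values are constructed for illustration. It rejoins lines that a terminal has hard-wrapped and reports each SPI with its alert count and first and last timestamps, which are the values to search for in the remote site's logs.

```shell
#!/bin/sh
# Added example. Reads strongswan.log text on stdin and prints one line per SPI:
#   <SPI> <alert count> <first time> <last time>

summarize_invalid_spi() {
    awk '
    function close_record(   flat, f, spi) {
        if (rec == "") return
        flat = rec
        gsub(/[ \t\r]/, "", flat)      # a wrap can fall anywhere, so ignore spacing
        if (match(flat, /invalidSPI\([0-9A-Fa-f]+\)/)) {
            spi = toupper(substr(flat, RSTART + 11, RLENGTH - 12))
            split(rec, f, " ")         # f[1] = date, f[2] = time
            if (!(spi in count)) { order[++n] = spi; first[spi] = f[2] }
            count[spi]++
            last[spi] = f[2]
        }
        rec = ""
    }
    # A line that starts with YYYY-MM-DD opens a new record ...
    /^[ \t]*[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { close_record(); rec = $0; next }
    # ... any other line is the wrapped tail of the record before it.
    { rec = rec $0 }
    END {
        close_record()
        for (i = 1; i <= n; i++)
            print order[i], count[order[i]], first[order[i]], last[order[i]]
    }'
}

# Constructed sample in the format shown in the thread: some records are
# hard-wrapped, one is not; the address and SPI values are invented.
sample_log() {
    cat <<'EOF'
2023-01-13 08:34:39Z 14[CFG]   loaded IKE secret for 192.0.2.10 %any
2023-01-13 08:34:44Z 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE
message with invalid SPI (AAAA0001) from the remote gateway.
2023-01-13 08:34:45Z 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE
message with invalid SPI (AAAA0001) from the remote gateway.
2023-01-13 08:34:47Z 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (bbbb0002) from the remote gateway.
2023-01-13 08:34:51Z 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE
message with invalid SPI (AAAA0001) from the remote gateway.
EOF
}

sample_log | summarize_invalid_spi
```

On a saved copy of the log, feed the file on stdin instead of `sample_log`.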

  • Ok sorry I am not familiar with the debug.

    But anyway, like you say: receiving invalid SPI.

    When I remove the second one (VLAN_Arosa) it works fine without errors.

  • Yup, so please check the logs on the remote site to narrow down the situation!

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • Just one question:

    Should the method I chose work?

    If so, I think the problem is on the other side, and they need to check their configuration.

  • Correct, please inform the team to check on the remote site!

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services

  • Better-asked question:

    Could I have 2 different subnets in the remote subnet section?

  • Of course, but whatever changes you make locally need to be reflected on the remote site!

    Thanks & Regards,
    Vivek Jagad | Team Lead, Global Support & Services