XG firewall to ASA 5510 site to site VPN

Hello, we are planning to replace the existing firewall, which has a site-to-site VPN with a Cisco ASA firewall.

Unfortunately, we could not find a way to set up a site-to-site VPN between the Cisco ASA firewall and the Sophos XG210.

It always returns the following error.

Sophos XG210

2016-03-15 17:01:17 IPsec SUCCESSFUL - EST-P1: Peer did not accept any proposal sent 17853

Cisco ASA 5510

Mar 15 2016 13:56:45: %ASA-5-713904: Group = 9.8.8.32, IP = 9.8.8.32, All IPSec SA proposals found unacceptable!

Mar 15 2016 13:56:45: %ASA-7-713236: IP = 9.8.8.32, IKE_DECODE SENDING Message (msgid=4ea83cf3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Mar 15 2016 13:56:45: %ASA-4-113019: Group = 9.8.8.32, Username = 9.8.8.32, IP = 9.8.8.32, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Here's the configuration of both devices.

Sophos XG210 (SFOS 15.01.0) WAN: 9.8.8.32

System>VPN>IPSec

Name: VPN10080

Connection Type: Site to Site

Policy: VPN80Policy

Action on VPN Restart: Initiate

Authentication Type: Preshared Key

Local: 9.8.8.32

Remote: 10.1.23.6

IP Family: IPv4

Local Subnet: 192.168.10.0/24

NATed LAN: Same as Local LAN address

Local ID: <blank>

Allow NAT Traversal: Disable

Remote LAN Network: 192.168.8.0/24

Remote ID: <blank>

VPN80Policy

Allow Re-keying: Enable

Key Negotiation Tries: 3

Authentication Mode: Main Mode

Pass Data in Compressed Format: Enable

Phase 1

Algorithm: AES256 MD5

DH Group: 2

Key Life: 86400

Re-key Margin: 1200

Randomize Re-Keying Margin by: 0

Dead Peer Detection: Disable

Phase 2

Algorithm: AES256 MD5

PFS Group: Same as Phase-1

Key Life: 28800

ASA 5510 (Cisco Adaptive Security Appliance Software Version 8.2(1)) WAN: 10.1.23.6

access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list inside1_access_in extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list inside1_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_cryptomap_5 extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map2 2 match address outside_cryptomap_5

crypto map outside_map2 2 set pfs

crypto map outside_map2 2 set peer 9.8.8.32

crypto map outside_map2 2 set transform-set ESP-AES-256-MD5

crypto map outside_map2 2 set nat-t-disable

crypto map outside_map2 interface outside

crypto isakmp enable outside

crypto isakmp policy 2

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

tunnel-group VPN10080 type ipsec-l2l

tunnel-group VPN10080 general-attributes

default-group-policy GroupPolicy1

tunnel-group VPN10080 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

isakmp keepalive disable

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec

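As an added aid for triaging logs like the ones quoted in this post (this is example code written for this page, not a Sophos or Cisco tool), the following Python script parses the posted ASA syslog lines, pulls out the peer address and the disconnect reason, and reports which IKE phase the ASA rejected. The three ASA lines are the ones quoted above, embedded as constructed input; the classification rule (treating "Reason: Phase 2 Mismatch" and "All IPSec SA proposals found unacceptable" as a phase 2 proposal mismatch) is this example's own, and no phase 1 pattern is guessed because none appears in the thread.

```python
"""Triage Cisco ASA IKEv1 failure logs: which peer, which IKE phase?

Added example for this thread, not a Sophos or Cisco tool. The ASA lines are
the ones posted in the thread, embedded here as constructed test input.
"""
import re

# Constructed input: the three ASA syslog lines quoted in the thread.
ASA_LOGS = """\
Mar 15 2016 13:56:45: %ASA-5-713904: Group = 9.8.8.32, IP = 9.8.8.32, All IPSec SA proposals found unacceptable!
Mar 15 2016 13:56:45: %ASA-7-713236: IP = 9.8.8.32, IKE_DECODE SENDING Message (msgid=4ea83cf3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 15 2016 13:56:45: %ASA-4-113019: Group = 9.8.8.32, Username = 9.8.8.32, IP = 9.8.8.32, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# ASA syslog prefix: "<timestamp>: %ASA-<severity>-<message id>: <body>"
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
KV_PAIR = re.compile(r"(\w+) = ([^,]+)")     # "IP = 9.8.8.32", "Group = ..."
REASON = re.compile(r"Reason: (.+?)\s*$")    # trailing "Reason: <text>"

# Classification rule used by this example (its own, not a vendor definition):
# both strings appear on an IPsec SA (phase 2 / quick mode) proposal rejection.
PHASE2_MARKERS = ("All IPSec SA proposals found unacceptable", "Phase 2 Mismatch")


def parse_asa_line(line):
    """Split one ASA syslog line into timestamp, severity, message id, body and
    the 'key = value' / 'Reason:' fields found in the body.
    Returns None for lines that are not ASA syslog."""
    m = ASA_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    fields = dict(KV_PAIR.findall(rec["body"]))
    reason = REASON.search(rec["body"])
    if reason:
        fields["Reason"] = reason.group(1)
    rec["fields"] = fields
    return rec


def classify(rec):
    """Return 'phase2_mismatch' when the body or Reason names a phase 2 proposal
    rejection, 'ike_delete' for an outgoing DELETE, else 'other'."""
    text = rec["body"] + " " + rec["fields"].get("Reason", "")
    if any(marker in text for marker in PHASE2_MARKERS):
        return "phase2_mismatch"
    if "DELETE" in rec["body"]:
        return "ike_delete"
    return "other"


def triage(log_text):
    """Group records per peer IP and report the failing phase for each peer:
    'phase2' if any record is a phase 2 proposal mismatch, otherwise 'unknown'.
    Phase 1 failures are deliberately not guessed: no phase 1 pattern is on the page."""
    per_peer = {}
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec is None:
            continue
        peer = rec["fields"].get("IP", "unknown")
        per_peer.setdefault(peer, []).append(classify(rec))
    return {peer: ("phase2" if "phase2_mismatch" in kinds else "unknown")
            for peer, kinds in per_peer.items()}


if __name__ == "__main__":
    for line in ASA_LOGS.splitlines():
        rec = parse_asa_line(line)
        print(rec["msgid"], rec["fields"].get("IP"), classify(rec))
    print(triage(ASA_LOGS))   # {'9.8.8.32': 'phase2'}
```

The point of reading the ASA side this way is that its verdict is "Phase 2 Mismatch", which directs attention to the IPsec parameters (transform set, PFS, compression, SA lifetime) rather than to the ISAKMP policy, even though the XG line above is labelled EST-P1.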
  • Hi Steve,

    Thanks for the logs.

    On XG, 2016-03-15 17:01:17 IPsec SUCCESSFUL - EST-P1: Peer did not accept any proposal sent 17853, this log line states that there is a policy mismatch on either end.

    Further, in Phase 1 on XG - Key Life: 86400, and in Phase 1 on ASA: crypto ipsec security-association lifetime seconds 28800

    If this is the key life condition, then these should be equal.

    Again, in Phase 1 on XG - Key Life: 28800, and in Phase 1 on ASA: lifetime 86400

    Please match the IPSec Policy on both the ends and this will be resolved.

    Hope that helps.

  • Dear Sachin,

    Thanks for the info.,

    However, isn't it supposed to be like this?

    Cisco ASA

    Phase 1
    crypto isakmp policy 2
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400

    Phase 2
    crypto ipsec security-association lifetime seconds 28800

    Sophos XG 210

    Phase 1
    Algorithm: AES256 MD5
    DH Group: 2
    Key Life: 86400
    Re-key Margin: 1200
    Randomize Re-Keying Margin by: 0
    Dead Peer Detection: Disable

    Phase 2
    Algorithm: AES256 MD5
    PFS Group: Same as Phase-1
    Key Life: 28800

    Steve

  • Hi Steve,

    It seems the policies are matching now. Are you able to establish the IPsec tunnel?

    If you are still facing the error, please provide us with the IPsec logs from when you initiate the connection.

    Cheers

    Sachin

  • Dear Sachin,

    I tried to set both lifetimes to 86400, but it is still not working.

    I contacted Sophos support for this issue. The ticket numbers are [#5809171] [#5814985]. I provided remote access to them as well.

    Unfortunately, the problem couldn't be resolved in over 2 months.

    Then they suggested following this link (https://kb.cyberoam.com/default.asp?id=1967&SID=&Lang=1) and recreating the VPN.

    But it was not working at all. There was no update from Sophos support after that.

    Are there any debug tools or commands on Sophos XG 210 to troubleshoot VPN issues?

    Is there a compatibility issue with site-to-site VPN between Sophos XG 210 and Cisco ASA firewalls?

    We did not have any problem on building site to site VPN between Cisco ASA, Juniper Netscreen and Checkpoint firewalls.

    Steve

  • Hi Steve,

    I looked into the case#, sorry for the delay in resolution. 

    Can you please post the log lines for IPsec VPN when you initiate a connection? To capture logs, please SSH to the XG and go to option 4. system console.

    console> show vpn IPSec-logs

    Thanks

    SG

  • Hi Steve,

    I looked at your configuration; please try the following options, as described below, when setting up an IPsec configuration with Cisco.

    On XG, disable these options:

    Go to System > VPN > IPsec > edit the configured IPsec profile.

    1) Find NAT Traversal and untick it to disable it.
    2) For Local ID and Remote ID, choose the drop-down options "Select Local ID" and "Select Remote ID", which disables this option.

    Edit the IPsec policy from Objects > Policies > IPsec used in the IPsec profile edited in the step above, and disable:
    1) Pass Data in Compressed Format
    2) PFS Group (DH Group): select None

    On the Cisco side:

    1) Ensure that PFS isn't enabled.

    2) Make sure the IPsec policy transform set matches the XG firewall's phase 2 parameters.

    3) Disable NAT-T (NAT Traversal).

    Test and update.

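The checklist above comes down to making the phase 1, phase 2, PFS, NAT-T and compression settings agree on both ends. As an added example (written for this page; not Sophos or Cisco code), the following Python script parses the ASA crypto lines posted earlier in the thread, normalizes them against the XG policy values from the same post, and lists every field that differs. The XG key names are this example's own labels for the UI fields; the ASA defaults it fills in (group 2 for a bare `set pfs`, NAT-T enabled, 86400/28800 second lifetimes) are assumptions, as is treating `comp-lzs` in a transform set as the ASA counterpart of XG's "Pass Data in Compressed Format".

```python
"""Check a Sophos XG IPsec policy against a Cisco ASA crypto configuration
for the mismatches discussed in the thread.

Added example written for this page, not Sophos or Cisco code. The ASA lines
and the XG values are the ones posted in the thread, embedded as constructed
input; the XG keys are this example's own names for the UI fields.
"""

# Constructed input: the ASA 8.2 crypto lines posted in the thread.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map2 2 match address outside_cryptomap_5
crypto map outside_map2 2 set pfs
crypto map outside_map2 2 set peer 9.8.8.32
crypto map outside_map2 2 set transform-set ESP-AES-256-MD5
crypto map outside_map2 2 set nat-t-disable
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""

# Constructed input: the XG policy posted in the thread (UI labels mapped to keys).
XG_POLICY = {
    "p1_encryption": "AES256", "p1_hash": "MD5", "p1_dh_group": 2, "p1_lifetime": 86400,
    "p2_encryption": "AES256", "p2_hash": "MD5", "p2_lifetime": 28800,
    "pfs_group": "Same as Phase-1",     # XG UI value; resolved to the phase 1 group
    "nat_traversal": False,             # "Allow NAT Traversal: Disable"
    "compression": True,                # "Pass Data in Compressed Format: Enable"
}

# ASA keyword -> normalized name (only the values this example needs).
ISAKMP_ENC = {"aes-256": "AES256", "aes-192": "AES192", "aes": "AES128", "3des": "3DES", "des": "DES"}
ISAKMP_HASH = {"md5": "MD5", "sha": "SHA1"}
ESP_ENC = {"esp-aes-256": "AES256", "esp-aes-192": "AES192", "esp-aes": "AES128", "esp-3des": "3DES", "esp-des": "DES"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}

COMPARED_FIELDS = ["p1_encryption", "p1_hash", "p1_dh_group", "p1_lifetime",
                   "p2_encryption", "p2_hash", "p2_lifetime",
                   "pfs_group", "nat_traversal", "compression"]


def parse_asa(config):
    """Extract the ISAKMP (phase 1) and IPsec (phase 2) settings from an ASA
    crypto config snippet into the same keys XG_POLICY uses."""
    # Defaults assumed in this example for settings the snippet may not state.
    asa = {"p1_lifetime": 86400, "p2_lifetime": 28800, "pfs_group": None,
           "nat_traversal": True, "compression": False}
    transform_sets, used_set = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        line = " ".join(tok)
        if line.startswith("crypto ipsec transform-set "):
            transform_sets[tok[3]] = tok[4:]
        elif line.startswith("crypto ipsec security-association lifetime seconds "):
            asa["p2_lifetime"] = int(tok[-1])
        elif " set pfs" in line:
            # "set pfs" with no group keyword: assumed to mean the ASA default, group 2
            asa["pfs_group"] = 2 if tok[-1] == "pfs" else int(tok[-1].replace("group", ""))
        elif line.endswith(" set nat-t-disable"):
            asa["nat_traversal"] = False
        elif " set transform-set " in line:
            used_set = tok[-1]
        elif tok[0] == "encryption":
            asa["p1_encryption"] = ISAKMP_ENC[tok[1]]
        elif tok[0] == "hash":
            asa["p1_hash"] = ISAKMP_HASH[tok[1]]
        elif tok[0] == "group":
            asa["p1_dh_group"] = int(tok[1])
        elif tok[0] == "lifetime":
            asa["p1_lifetime"] = int(tok[1])
    # Resolve the transform set the crypto map actually references.
    for alg in transform_sets.get(used_set, []):
        if alg in ESP_ENC:
            asa["p2_encryption"] = ESP_ENC[alg]
        elif alg in ESP_AUTH:
            asa["p2_hash"] = ESP_AUTH[alg]
        elif alg == "comp-lzs":   # assumed ASA-side counterpart of XG's compression option
            asa["compression"] = True
    return asa


def normalize_xg(policy):
    """Resolve the XG UI values ('Same as Phase-1', 'None') to comparable ones."""
    xg = dict(policy)
    if xg["pfs_group"] == "Same as Phase-1":
        xg["pfs_group"] = xg["p1_dh_group"]
    elif xg["pfs_group"] == "None":
        xg["pfs_group"] = None
    return xg


def compare(xg, asa):
    """Return [(field, xg_value, asa_value)] for every field that differs."""
    return [(f, xg.get(f), asa.get(f)) for f in COMPARED_FIELDS if xg.get(f) != asa.get(f)]


if __name__ == "__main__":
    for field, xg_val, asa_val in compare(normalize_xg(XG_POLICY), parse_asa(ASA_CONFIG)):
        print(f"MISMATCH {field}: XG={xg_val!r} ASA={asa_val!r}")
```

Run against the settings posted in this thread, the only flagged field is compression, which is one of the two items the steps above turn off; once PFS is removed on the ASA (`set pfs` deleted) and set to None on the XG, the same check reports no differences. This is a static comparison only: it cannot see the pre-shared key, the ASA's policy ordering, or which proposal a peer actually picks at negotiation time, so the IPsec logs remain the final word.
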
  • It's working now! Thank you so much!

    BTW, where can I find an article on setting up load balancing for SMTP servers behind Sophos XG?