XG firewall to ASA 5510 site to site VPN

Hello, we are planning to replace the existing firewall which has site-to-site VPN with Cisco ASA firewall.

Unfortunately, we could not find the way to setup site-to-site VPN between Cisco ASA firewall and Sophos XG210.

It always returns the following error.

Sophos XG210

2016-03-15 17:01:17 IPsec SUCCESSFUL - EST-P1: Peer did not accept any proposal sent 17853

Cisco ASA 5510

Mar 15 2016 13:56:45: %ASA-5-713904: Group = 9.8.8.32, IP = 9.8.8.32, All IPSec SA proposals found unacceptable!

Mar 15 2016 13:56:45: %ASA-7-713236: IP = 9.8.8.32, IKE_DECODE SENDING Message (msgid=4ea83cf3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Mar 15 2016 13:56:45: %ASA-4-113019: Group = 9.8.8.32, Username = 9.8.8.32, IP = 9.8.8.32, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Here's the configuration of both devices.

Sophos XG210 (SFOS 15.01.0) WAN: 9.8.8.32

System>VPN>IPSec

Name: VPN10080

Connection Type: Site to Site

Policy: VPN80Policy

Action on VPN Restart: Initiate

Authentication Type: Preshared Key

Local: 9.8.8.32

Remote: 10.1.23.6

IP Family: IPv4

Local Subnet: 192.168.10.0/24

NATed LAN: Same as Local LAN address

Local ID: <blank>

Allow NAT Traversal: Disable

Remote LAN Network: 192.168.8.0/24

Remote ID: <blank>

VPN80Policy

Allow Re-keying: Enable

Key Negotiation Tries: 3

Authentication Mode: Main Mode

Pass Data in Compressed Format: Enable

Phase 1

Algorithm: AES256 MD5

DH Group: 2

Key Life: 86400

Re-key Margin: 1200

Randomize Re-Keying Margin by: 0

Dead Peer Detection: Disable

Phase 2

Algorithm: AES256 MD5

PFS Group: Same as Phase-1

Key Life: 28800

ASA 5510 (Cisco Adaptive Security Appliance Software Version 8.2(1)) WAN: 10.1.23.6

access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list inside1_access_in extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list inside1_nat0_outbound extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list outside_cryptomap_5 extended permit ip 192.168.8.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map2 2 match address outside_cryptomap_5

crypto map outside_map2 2 set pfs

crypto map outside_map2 2 set peer 9.8.8.32

crypto map outside_map2 2 set transform-set ESP-AES-256-MD5

crypto map outside_map2 2 set nat-t-disable

crypto map outside_map2 interface outside

crypto isakmp enable outside

crypto isakmp policy 2

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

tunnel-group VPN10080 type ipsec-l2l

tunnel-group VPN10080 general-attributes

default-group-policy GroupPolicy1

tunnel-group VPN10080 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

isakmp keepalive disable

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec


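As an added example (not from this thread, and not Sophos or Cisco code), a small Python check that reads the ASA lines quoted above and compares them field by field with the XG VPN80Policy, so a phase 1 / phase 2 mismatch shows up as a named field instead of "Peer did not accept any proposal". The field names are mine, and it assumes a bare `set pfs` on the ASA means group2.

```python
# Constructed from the ASA lines quoted in the post; not a complete running config.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map outside_map2 2 set pfs
crypto map outside_map2 2 set transform-set ESP-AES-256-MD5
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""
# VPN80Policy from the XG side of the post; "same" mirrors "PFS Group: Same as Phase-1".
XG_POLICY = {
    "p1": {"enc": "aes256", "hash": "md5", "dh": 2, "life": 86400},
    "p2": {"enc": "aes256", "hash": "md5", "dh": "same", "life": 28800},
}

def parse_asa(text):
    """Pull phase 1 (isakmp policy) and phase 2 (transform-set, SA lifetime, PFS) values from ASA config text."""
    p1, p2, transform_sets, in_policy = {}, {}, {}, False
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "crypto":  # any top-level line ends an isakmp policy block
            in_policy = w[:3] == ["crypto", "isakmp", "policy"]
        if in_policy and w[0] in ("encryption", "hash", "group", "lifetime"):
            key = {"encryption": "enc", "hash": "hash", "group": "dh", "lifetime": "life"}[w[0]]
            p1[key] = int(w[1]) if w[1].isdigit() else w[1].replace("-", "")  # aes-256 -> aes256
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[w[3]] = (w[4][4:].replace("-", ""), w[5].split("-")[1])  # esp-aes-256 esp-md5-hmac
        elif w[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            p2["life"] = int(w[5])
        elif "transform-set" in w and w[-1] in transform_sets:
            p2["enc"], p2["hash"] = transform_sets[w[-1]]
        elif "pfs" in w:
            after = w[w.index("pfs") + 1:]  # bare "set pfs" taken as group2 (assumed ASA default)
            p2["dh"] = int(after[0][5:]) if after else 2
    return {"p1": p1, "p2": p2}

def mismatches(xg, asa):
    """Return (phase, field, xg_value, asa_value) for each parameter the two sides disagree on."""
    out = []
    for phase in ("p1", "p2"):
        for key, xval in xg[phase].items():
            xval = xg["p1"]["dh"] if xval == "same" else xval  # resolve "Same as Phase-1"
            if asa[phase].get(key) != xval:
                out.append((phase, key, xval, asa[phase].get(key)))
    return out
```

Run `mismatches(XG_POLICY, parse_asa(ASA_CONFIG))`; an empty list means both proposals agree, otherwise each tuple names the phase and field to fix.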

  • Hi Steve,

    Thanks for the logs.

    On XG, 2016-03-15 17:01:17 IPsec SUCCESSFUL - EST-P1: Peer did not accept any proposal sent 17853, this log line states that there is a policy mismatch on either end.

    Further, in Phase 1 on XG - Key Life: 86400 and in Phase 1 on ASA : crypto ipsec security-association lifetime seconds 28800

    If this is the key life condition then this should be equal.

    Again, in Phase 1 on XG - Key Life: 28800 and in Phase 1 on ASA : lifetime 86400

    Please match the IPSec Policy on both the ends and this will be resolved.

    Hope that helps.

  • Dear Sachin,

    Thanks for the info.

    However, isn't it supposed to be like this?

    Cisco ASA

    Phase 1
    crypto isakmp policy 2
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400

    Phase 2
    crypto ipsec security-association lifetime seconds 28800

    Sophos XG 210

    Phase 1
    Algorithm: AES256 MD5
    DH Group: 2
    Key Life: 86400
    Re-key Margin: 1200
    Randomize Re-Keying Margin by: 0
    Dead Peer Detection: Disable

    Phase 2
    Algorithm: AES256 MD5
    PFS Group: Same as Phase-1
    Key Life: 28800

    Steve

  • Hi Steve,

    It seems the policies are matching now. Are you able to establish the IPSec tunnel?

    If you are still facing the error, please provide us with the IPSec logs from when you initiate the connection.

    Cheers

    Sachin
