
Site 2 Site VPN

Hello folks

I am trying to create a S2S VPN connection between Sophos XG and Windows Server 2012 R2 using RRAS. For the configuration on Windows Server I have followed this: http://www.concurrency.com/blog/w/site-to-azure-vpn-using-windows-server-2012-rras. On the Sophos XG side I have configured the VPN using this post: https://community.sophos.com/kb/en-us/123140. The only difference is I am using the default L2TP policy rather than DefaultHeadOffice.

I have been unable to create a connection :( Any help would be really appreciated.

 

Thanks Alam  



This thread was automatically locked due to age.
  • Alam,

    What error do you get? Make sure that the policy and the local and remote networks match (reverse order on both sides).

    Show some screenshot.

    Thanks

  • Hi

    Thanks for your reply... The event log on the XG box throws the message below as soon as I try to connect. I have attached some screenshots from XG; if you want I can send the Windows ones across, but the config is exactly the same as in the blog.

    2016-11-30 15:55:08  IPsec  SUCCESSFUL  -  EST-P1: Peer did not accept any proposal sent  17853

     

    3681.SophosError.zip

  • Hammer,

    Thank you for the screenshot. What about the Windows Server VPN configuration? Is the VPN policy using the same Phase 1 and Phase 2 settings?

    Can you share additional screenshots from Windows Server (policy) and XG (L2TP is used; did you edit it?)

    Thanks

  • Hi Luk,

    I don't have access to the Windows Server at the moment; as soon as I have it I will send you some screenshots. I have sent a message and am waiting for a reply. The configuration on the Windows server matches, e.g. the same pre-shared key, DH group, and ESP protocol 3DES/SHA1, the only one we are using.

    Attached are more detailed screenshots from XG. On XG I previously used the Default L2TP policy without editing, but I have changed that now; I am using my own policy called Test Policy. Everything in the policy matches the Windows Server, but I have been unable to establish a tunnel.

    1057.SophosError.zip

    The problem is I don't know which end has the problem: is it XG or Windows? For testing purposes I am preparing my own RRAS server to see if that connects and a tunnel is created. If a tunnel is created that would tell me something is wrong with XG; otherwise I will know we have other problems.

    One more thing: on my XG that is all the configuration I have done to create the site-to-site VPN; do I need to do something else? Ideally I would like to get this config working, but if there are compatibility issues I would then have to use RRAS on my end, which is a pain because I have to disconnect my entire network.

     

    Thanks for the reply...

    Alam

  • Hi Alam,

    The VPN policies on the two ends mismatch. I think this needs to be verified from both ends. Please contact the administrator to re-verify the policies on the server end.

    Thanks

  • Hi Sachin

    I have verified several times; it won't connect.

    I have done a bit more research; I wanted to test if I could create a S2S VPN with Azure. I followed 2 blogs: http://www.stephens-blog.co.uk/sophos-utm-site-site-vpn-azure/ & https://kb.cyberoam.com/default.asp?id=2936. I am pretty sure all my settings match, but I couldn't create a tunnel as shown in the blogs. Here is my log:

    initiating Main Mode
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    Dec 04 13:48:06 "Azure_LAN-1" #40: received Vendor ID payload [RFC 3947] method set to=110
    Dec 04 13:48:06 "Azure_LAN-1" #40: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [FRAGMENTATION]
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [IKE CGA version 1]
    Dec 04 13:48:06 "Azure_LAN-1" #40: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I2: sent MI2, expecting MR2
    Dec 04 13:48:06 "Azure_LAN-1" #40: I did not send a certificate because I do not have one.
    Dec 04 13:48:06 "Azure_LAN-1" #40: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I3: sent MI3, expecting MR3
    Dec 04 13:48:06 "Azure_LAN-1" #40: Main mode peer ID is ID_IPV4_ADDR: '13.67.186.209'
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    Dec 04 13:48:06 "Azure_LAN-1" #40: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    Dec 04 13:48:06 "Azure_LAN-1" #41: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP+failureDROP {using isakmp#40}
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    Dec 04 13:48:06 "Azure_LAN-1" #40: received and ignored informational message
    Dec 04 13:48:16 "Azure_LAN-1" #40: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    Dec 04 13:48:16 "Azure_LAN-1" #40: received and ignored informational message
    Dec 04 13:48:20 "Azure_LAN-1" #40: cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8
    Dec 04 13:48:20 "Azure_LAN-1" #40: sending encrypted notification INVALID_ID_INFORMATION to 13.67.186.209:500
    Dec 04 13:48:21 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:21 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500
    Dec 04 13:48:22 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:22 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500
    Dec 04 13:48:25 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:25 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500
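What the log above records, as an added example that is not code from this thread or from Sophos: Phase 1 completed (ISAKMP SA established with PSK, aes_128, SHA, modp1024), NAT-T reported "no NAT detected", and the failure happens in Quick Mode, where the peer asked for the selector pair 172.17.17.0/24 on the XG side and 10.0.0.0/8 on the Azure side and pluto answered that no connection is known for exactly that pair. The script below reduces a pluto-style log to those facts and compares the requested selectors with the local and remote networks configured on the connection. The sample log reuses lines from the post; the configured networks passed to it (172.17.17.0/24 locally, 10.0.0.0/24 remotely) are an assumption made for illustration, because the thread does not show what was configured on the XG.

```python
import re
from ipaddress import ip_network

# Added example (not Sophos or Openswan code): triage a pluto-style IPsec log
# for a site-to-site tunnel. It extracts whether Phase 1 completed and with
# which parameters, what NAT-T detected, and which local===remote selector
# pair the peer requested in Quick Mode, then checks that pair against the
# networks configured on the connection.

SA_RE = re.compile(
    r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) prf=(\S+) group=(\S+)\}")
# pluto prints: no connection is known for local_subnet===local_gw...remote_gw===remote_subnet
NOCONN_RE = re.compile(
    r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (.+)$")
PHASE1_REJECT = "Peer did not accept any proposal sent"

# Sample input taken from the log lines posted in this thread.
AZURE_LOG = """\
Dec 04 13:48:06 "Azure_LAN-1" #40: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec 04 13:48:06 "Azure_LAN-1" #40: Main mode peer ID is ID_IPV4_ADDR: '13.67.186.209'
Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Dec 04 13:48:06 "Azure_LAN-1" #41: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP+failureDROP {using isakmp#40}
Dec 04 13:48:20 "Azure_LAN-1" #40: cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8
Dec 04 13:48:20 "Azure_LAN-1" #40: sending encrypted notification INVALID_ID_INFORMATION to 13.67.186.209:500
"""
# The earlier XG event-log entry from this thread (a Phase 1 failure).
PHASE1_LOG = "2016-11-30 15:55:08 IPsec SUCCESSFUL - EST-P1: Peer did not accept any proposal sent 17853\n"


def parse_pluto_log(text):
    """Reduce a pluto log to the facts that decide whether a tunnel comes up."""
    result = {"phase1": "not established", "phase1_params": None,
              "nat": None, "requested": None}
    for line in text.splitlines():
        if PHASE1_REJECT in line:
            result["phase1"] = "rejected"  # no Phase 1 proposal in common
        m = SA_RE.search(line)
        if m:
            result["phase1"] = "established"
            result["phase1_params"] = dict(
                zip(("auth", "cipher", "prf", "group"), m.groups()))
        m = NAT_RE.search(line)
        if m:
            result["nat"] = m.group(1).strip()
        m = NOCONN_RE.search(line)
        if m:
            local_net, local_gw, remote_gw, remote_net = m.groups()
            result["requested"] = {"local_net": local_net, "local_gw": local_gw,
                                   "remote_gw": remote_gw, "remote_net": remote_net}
    return result


def diagnose(text, local_nets, remote_nets):
    """Return findings as strings; an empty list means nothing obvious is wrong.

    local_nets/remote_nets are the networks configured on the XG connection
    (assumed values in the usage below; the thread does not show them).
    """
    parsed = parse_pluto_log(text)
    findings = []
    if parsed["phase1"] == "rejected":
        findings.append("Phase 1 rejected by peer: encryption, hash, DH group, "
                        "lifetime or authentication method differ between the ends")
        return findings
    if parsed["phase1"] != "established":
        findings.append("Phase 1 never completed: check reachability, PSK and peer IDs")
        return findings
    req = parsed["requested"]
    if req is None:
        return findings
    # pluto (IKEv1) looks up the connection by exact subnet pair; a configured
    # network that merely contains the requested one does not match.
    local_cfg = {ip_network(n) for n in local_nets}
    remote_cfg = {ip_network(n) for n in remote_nets}
    if ip_network(req["local_net"]) not in local_cfg:
        findings.append(f"peer proposed our side as {req['local_net']}, but the local "
                        f"networks configured here are {sorted(map(str, local_cfg))}")
    if ip_network(req["remote_net"]) not in remote_cfg:
        findings.append(f"peer proposed its side as {req['remote_net']}, but the remote "
                        f"networks configured here are {sorted(map(str, remote_cfg))}")
    return findings


if __name__ == "__main__":
    # Assumed configuration for illustration: remote network set to a /24
    # while the peer asks for the whole 10.0.0.0/8.
    for finding in diagnose(AZURE_LOG, ["172.17.17.0/24"], ["10.0.0.0/24"]):
        print(finding)
    for finding in diagnose(PHASE1_LOG, ["172.17.17.0/24"], ["10.0.0.0/24"]):
        print(finding)
```

The useful split is that a "no connection is known for ... === ..." line after a successful ISAKMP SA is a Phase 2 selector problem, not a Phase 1 policy problem, so the thing to compare at that point is the remote network object on the XG connection against the subnet the peer announces, with the same subnet written the other way round on the far end.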

  • "cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8"

    Are you sure that the other end is not behind a NAT device?

    Enable NAT Traversal on your XG and try to connect again!

    Regards,
