Site 2 Site VPN

Hello folks

I am trying to create an S2S VPN connection between Sophos XG and Windows Server 2012 R2 using RRAS. For the configuration on Windows Server I followed this: http://www.concurrency.com/blog/w/site-to-azure-vpn-using-windows-server-2012-rras. On the Sophos XG side I configured the VPN using this post: https://community.sophos.com/kb/en-us/123140. The only difference is I am using the default L2TP policy rather than DefaultHeadOffice.

I have been unable to create a connection :( Any help would be really appreciated.

Thanks, Alam



  • Alam,

    What error do you get? Make sure that the policy and the local and remote networks match (reverse order on both sides).

    Show some screenshots.

    Thanks

  • Hi

    Thanks for your reply.... The event log on the XG box throws the message below as soon as I try to connect. I have attached some screenshots from the XG; if you want I can send the Windows ones across, but the config is exactly the same as in the blog.

    2016-11-30 15:55:08  IPsec  SUCCESSFUL  -  EST-P1: Peer did not accept any proposal sent  17853


    3681.SophosError.zip

  • Hammer,

    Thank you for the screenshot. What about the Windows Server VPN configuration? Is the VPN policy using the same Phase 1 and Phase 2 settings?

    Can you share additional screenshots from Windows Server (policy) and XG (L2TP is used; did you edit it?)?

    Thanks

  • Hi Luk,

    I don't have access to the Windows Server at the moment; as soon as I have, I will send you some screenshots. I have sent a message and am waiting for a reply. The configuration on the Windows Server matches, e.g. same pre-shared key, DH group and ESP protocol (3DES/SHA1, the only one we are using).

    Attached are more detailed screenshots from XG. On XG I previously used the default L2TP policy without editing, but I have changed that now; I am using my own policy called Test Policy. Everything in the policy matches the Windows Server, but I have been unable to establish a tunnel.

    1057.SophosError.zip

    The problem is I don't know which end has the problem, is it XG or Windows? For testing purposes I am preparing my own RRAS server to see if that connects and a tunnel is created. If a tunnel is created, that would tell me something is wrong with XG; otherwise I will know we have other problems.

    One more thing: on my XG, that is all the configuration I have done to create the site-to-site VPN. Do I need to do something else? Ideally I would like to get this config working, but if there are compatibility issues I would then have to use RRAS on my end, which is a pain because I have to disconnect my entire network.

    Thanks for the reply...

    Alam

  • Hi Alam,

    The VPN policies on the two ends mismatch. I think this needs to be verified from both ends. Please contact the administrator to re-verify the policies on the server end.

    Thanks

  • Hi Sachin

    I have verified it several times; it won't connect.

  • I have done a bit more research; I wanted to test if I could create an S2S VPN with Azure. I followed two blogs: http://www.stephens-blog.co.uk/sophos-utm-site-site-vpn-azure/ & https://kb.cyberoam.com/default.asp?id=2936. I am pretty sure all my settings match, but I couldn't create a tunnel as shown in the blogs. Here is my log:

    initiating Main Mode
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    Dec 04 13:48:06 "Azure_LAN-1" #40: received Vendor ID payload [RFC 3947] method set to=110
    Dec 04 13:48:06 "Azure_LAN-1" #40: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [FRAGMENTATION]
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring Vendor ID payload [IKE CGA version 1]
    Dec 04 13:48:06 "Azure_LAN-1" #40: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I2: sent MI2, expecting MR2
    Dec 04 13:48:06 "Azure_LAN-1" #40: I did not send a certificate because I do not have one.
    Dec 04 13:48:06 "Azure_LAN-1" #40: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I3: sent MI3, expecting MR3
    Dec 04 13:48:06 "Azure_LAN-1" #40: Main mode peer ID is ID_IPV4_ADDR: '13.67.186.209'
    Dec 04 13:48:06 "Azure_LAN-1" #40: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
    Dec 04 13:48:06 "Azure_LAN-1" #40: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
    Dec 04 13:48:06 "Azure_LAN-1" #41: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP+failureDROP {using isakmp#40}
    Dec 04 13:48:06 "Azure_LAN-1" #40: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    Dec 04 13:48:06 "Azure_LAN-1" #40: received and ignored informational message
    Dec 04 13:48:16 "Azure_LAN-1" #40: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    Dec 04 13:48:16 "Azure_LAN-1" #40: received and ignored informational message
    Dec 04 13:48:20 "Azure_LAN-1" #40: cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8
    Dec 04 13:48:20 "Azure_LAN-1" #40: sending encrypted notification INVALID_ID_INFORMATION to 13.67.186.209:500
    Dec 04 13:48:21 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:21 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500
    Dec 04 13:48:22 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:22 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500
    Dec 04 13:48:25 "Azure_LAN-1" #40: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x00000080 (perhaps this is a duplicated packet)
    Dec 04 13:48:25 "Azure_LAN-1" #40: sending encrypted notification INVALID_MESSAGE_ID to 13.67.186.209:500

  • "cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8"

    Are you sure that the other side is not behind a NAT device?

    Enable the NAT Traversal on your XG and try to connect again!

    Regards,

  • Hi Luk,

    I have managed to get the damn thing working. I read that error and looked at the remote LAN; I had set it wrong, and once I corrected it I got a connection. Attached are a few screenshots from my working Sophos XG S2S VPN to help others. Also I found this very helpful resource: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices. This document tells you exactly what your IPsec parameters should look like; once matched you are good to go.

    Thank you... I really appreciate your help. This also proves Sophos XG only supports Internet Key Exchange v1, e.g. in Azure you need to configure static routing rather than dynamic, which supports IKEv2; hence I am having trouble creating a tunnel with Windows 2012 R2 RRAS. I hope the new updates include support for IKEv2.

    6254.VPN.zip

  • Finally!

    Yesterday when we shared a conversation, I said that the right setting was AES128 and not 3DES.

    Enjoy it!
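Added example (not from the thread or from Sophos): a small Python triage script for the pluto log posted above. It flags the two failure modes this thread ran into, "Peer did not accept any proposal sent" (Phase 1 policy mismatch, 3DES vs AES128) and "no connection is known for ..." (Phase 2 local/remote network mismatch, fixed here by correcting the remote LAN). The XG-side networks are passed in by hand; the 10.0.0.0/24 remote network used in the usage note is a constructed value chosen to show the mismatch.

```python
"""Triage an IKEv1 (pluto) log for the two failure classes in this thread: a Phase 1 proposal
mismatch and a Phase 2 traffic-selector (local/remote network) mismatch."""
import ipaddress
import re

# Constructed sample modelled on the log posted above (the thread's own addresses, not a live capture).
SAMPLE_LOG = """\
Dec 04 13:48:06 "Azure_LAN-1" #40: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Dec 04 13:48:06 "Azure_LAN-1" #41: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP+failureDROP {using isakmp#40}
Dec 04 13:48:20 "Azure_LAN-1" #40: cannot respond to IPsec SA request because no connection is known for 172.17.17.0/24===94.175.31.154...13.67.186.209===10.0.0.0/8
Dec 04 13:48:20 "Azure_LAN-1" #40: sending encrypted notification INVALID_ID_INFORMATION to 13.67.186.209:500
"""

PHASE1_OK = re.compile(r"ISAKMP SA established \{([^}]*)\}")
PHASE1_REJECTED = re.compile(r"Peer did not accept any proposal sent")
# pluto prints the unmatched Quick Mode request as local_net===local_gw...peer_gw===remote_net
SELECTORS = re.compile(r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")


def parse_ike_log(text):
    """Extract the Phase 1 outcome and, if Phase 2 failed, the traffic selectors the peer asked for."""
    result = {"phase1": None, "phase1_rejected": False, "selectors": None}
    for line in text.splitlines():
        if m := PHASE1_OK.search(line):
            result["phase1"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif PHASE1_REJECTED.search(line):
            result["phase1_rejected"] = True
        elif m := SELECTORS.search(line):
            result["selectors"] = m.groups()
    return result


def diagnose(text, xg_local_net, xg_remote_net):
    """Compare what the peer proposed with the local/remote networks configured on the XG side."""
    parsed = parse_ike_log(text)
    findings = []
    if parsed["phase1_rejected"]:
        findings.append("phase1: peer rejected every proposal; match encryption, hash, DH group and PSK on both ends")
    if parsed["phase1"]:
        p = parsed["phase1"]
        findings.append("phase1: established with cipher=%s group=%s" % (p.get("cipher"), p.get("group")))
    if parsed["selectors"]:
        peer_local, _, peer_gw, peer_remote = parsed["selectors"]
        for side, proposed, configured in (("local", peer_local, xg_local_net), ("remote", peer_remote, xg_remote_net)):
            if ipaddress.ip_network(proposed) != ipaddress.ip_network(configured):
                findings.append("phase2: %s network mismatch: peer %s wants %s, XG has %s" % (side, peer_gw, proposed, configured))
    return findings
```

Running `diagnose(SAMPLE_LOG, "172.17.17.0/24", "10.0.0.0/24")` reports Phase 1 as established and a remote network mismatch (peer wants 10.0.0.0/8, XG has 10.0.0.0/24), which is the situation the thread resolved by correcting the remote LAN on the XG.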
