XG SFOS 16.01.2 IPSec unable to initiate connection but connects if set to Respond Only

Downloaded XG Free Home Edition. I tried every possible combination of Phase 1/2 settings to connect IPSec VPN to a Cisco RV180W but could not get it to work.

I then switched the XG "Action on VPN Restart" from "Initiate" to "Respond Only" and the tunnel came up immediately.

Regardless of what I set, if the Action on VPN Restart is set to Initiate the tunnel fails with the following message in the logs:

EST-P1: Peer did not accept any proposal sent

Even when I switch the action to "Respond Only" I see that error once during the negotiation, but the tunnel still gets created.

I have checked the policies on both sides and encryption, authentication, DH, life, etc. are all identical.

Question: what would prevent the tunnel from being created when XG is set to initiate, but allow it to be successfully created when XG is responding?



This thread was automatically locked due to age.
  • Hi Kevin,

    XG will act as a responder during phase 1 establishment when the action is set to "Respond Only". In the IKE message exchange, XG will negotiate as a responder and gather the information regarding the algorithms from the initiator. Make sure the Cisco device is set to respond if you wish XG to work as an initiator.

    Thanks

  • Thanks for the quick response, but that does not answer my question. When I have XG set to initiate and Cisco set to respond the connection is never established. When I reverse the settings it works. In either case I get errors that the proposals the XG sends are rejected, but when it is the responder it still seems to find a suitable algorithm to use.

    I don't have the tools to confirm, but it almost appears that the XG is not sending the correct proposals. In some cases the Cisco device logs errors that the proposals sent do not match the actual algorithm used.

    My question is what would cause the XG not to work as an initiator (and Cisco set to respond) but work fine as a responder when no other settings are changed on either side.

  • Kevin,

    I advise you to open a ticket with Support and let us know.

    Thanks

  • Hey Kevin,

    Did you ever get this resolved? I have the same issue.

    Thanks