ipsec vpn with UTM not passing traffic

Hello,

I'm having quite an issue trying to get a UTM 9.411 to XG 16.0.5.1 MR1 tunnel working.


1) The tunnel itself is connecting successfully. I set up a common policy between both sites and the SA establishes:

SA:     10.10.10.0/24=pubipa         pubipb=10.10.20.0/24

Both public IPs are fixed.

On the UTM side I have auto FW rules on the tunnel, and on the XG side I set up 2 rules, one LAN to VPN zone and the other VPN to LAN.


From any station in the XG network, I can't ping nor pass ANY traffic to the UTM side. The "firewall log" shows a hit on the LAN to VPN rule, but that's it; on the UTM side I don't see anything.


I'm completely baffled. Both sides use their respective Sophos devices as default gateway, there's no subnet overlap, nothing, yet it's not working.

  • David,

    On the UTM side the policy is:

    AES256 XG
    Compression on, not using strict policy.
    IKE Settings: AES 256 / SHA2 256 / Group 5: MODP 1536 / Lifetime: 28800 seconds
    IPsec Settings: AES 256 / SHA2 256 / Group 2: MODP 1024 / Lifetime: 28800 seconds

    On the XG side:

    Automatic
    Main Mode
    Yes
    Enable
    AES256 - SHA2 256
    AES256 - SHA2 256

    Allow Re-keying ON, key retries 3

    phase 1: group 5 (DH1536), DPD, 28800 life

    re-key margin 120s, 0% randomization, 30s check peer, 120s timeout, re-initiate connection

    phase 2: PFS group 2 (DH1024), 28800 life

  • Have you managed to test it?

  • Hi, do you have any static routes? Also make sure on the XG side the LAN to VPN and VPN to LAN rules are on top.

  • No static routes, the FW rules are on top.

    Besides, if it were a route or rule problem, simply changing the tunnel encryption parameters should not affect it.

  • Yes I've tested this and saw the same behaviour that you saw. Without going into too much technical information, the issue you're seeing is caused by an algorithm mis-match. If you change the IPSEC authentication algorithm on the UTM from "SHA2-256" to "SHA2-256 (96 Bit)", that will work. Or you can also choose to drop to "SHA-1". On a side note, setting the key lifetime of phase1 and phase2 to the same value is not considered best practice. It's probably best to have the phase2 key lifetime to be shorter than that of phase1.
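    The reason the SA establishes but no traffic passes is that IKE only negotiates the name of the integrity algorithm; the length to which the HMAC-SHA-256 tag (the ESP ICV) is truncated is not signalled. RFC 4868 specifies a 128-bit ICV, while older implementations (and the UTM's "SHA2-256 (96 Bit)" option) truncate to 96 bits. If the two peers disagree, every ESP packet fails the integrity check on the receiver and is silently dropped, which is exactly the "rule hit on the XG, nothing on the UTM" symptom above. The following Python script is an added illustration, not code from this thread or from Sophos: the key and payload are constructed sample values, and it goes slightly beyond the thread by showing both mismatch directions.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 256-bit integrity key and
# an ESP-like byte string standing in for "SPI + sequence + encrypted payload".
KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "00112233445566778899aabbccddeeff")
PAYLOAD = b"ESP header + encrypted payload (constructed sample)"

ICV_RFC4868_BYTES = 16   # 128-bit truncation (RFC 4868)
ICV_LEGACY_BYTES = 12    # 96-bit truncation used by older stacks


def esp_icv(key: bytes, data: bytes, icv_len: int) -> bytes:
    """HMAC-SHA-256 over the ESP data, truncated to icv_len bytes.

    Truncation is taking the leftmost bytes of the full 32-byte tag, which is
    what both the 96-bit and the 128-bit variants do; they differ only in how
    many bytes they keep.
    """
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, data: bytes, icv_len: int) -> bytes:
    """Sender side: append the ICV the sender's policy calls for."""
    return data + esp_icv(key, data, icv_len)


def verify_packet(key: bytes, packet: bytes, expected_icv_len: int) -> bool:
    """Receiver side: split off the number of ICV bytes *it* expects and
    recompute the tag over the rest. Returns True if the packet is accepted.

    A receiver has no way to learn the sender's truncation length from the
    packet, so a mismatch is indistinguishable from a forged or corrupted
    packet and is dropped without any response to the sender.
    """
    if len(packet) <= expected_icv_len:
        return False
    body, icv = packet[:-expected_icv_len], packet[-expected_icv_len:]
    # Constant-time comparison, as a real IPsec stack would do.
    return hmac.compare_digest(icv, esp_icv(key, body, expected_icv_len))


def simulate(sender_icv_bits: int, receiver_icv_bits: int) -> bool:
    """Run one packet from a sender configured for sender_icv_bits through a
    receiver configured for receiver_icv_bits; both share KEY and PAYLOAD."""
    pkt = build_packet(KEY, PAYLOAD, sender_icv_bits // 8)
    return verify_packet(KEY, pkt, receiver_icv_bits // 8)


if __name__ == "__main__":
    for sender_bits, receiver_bits in ((128, 128), (96, 96), (128, 96), (96, 128)):
        accepted = simulate(sender_bits, receiver_bits)
        print(f"sender {sender_bits}-bit ICV -> receiver expects {receiver_bits}-bit: "
              f"{'accepted' if accepted else 'DROPPED (integrity failure)'}")
```

    Only the two matching rows are accepted; both mismatched rows are dropped. This is why the fix is either to pick the same truncation on both ends (the UTM's "SHA2-256 (96 Bit)" option, matching what the XG sends) or to fall back to SHA-1, whose 96-bit ICV is the same on every implementation. On the receiving device the drops show up as integrity-check failures in the IPsec statistics rather than in the firewall log, so the firewall rules look fine while the tunnel carries nothing.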

  • David,

    If there's an algorithm mismatch, shouldn't the connection not establish at all?

    Why isn't it a best practice? (Or, putting it differently: what's wrong with the two keys expiring at the same time? Let's say I make phase 2 shorter; at some point it will still expire at the same time.)

  • Thank you, this fixed our problem when connecting a Sophos XG to a Cyberoam. Had to clone the default head policy and check "SHA2 with 96-bit truncation".