ipsec vpn with UTM not passing traffic

Question

Hello, 
 i'm having quite an issue trying to get a UTM 9.411 to XG 16.0.5.1 MR1 tunnel working. 
 
 1) the tunnel itself is connecting succesfuly, i setup a common policy between both sites and the Sa establishes: 
 SA: 10.10.10.0/24=pubipa pubipb=10.10.20.0/24 
 both public ips are fixed. 
 on the UTM side i have auto FW rules on the tunnel and on the XG side i setup 2 rules, one LAN to VPN zone and the other VPN to LAN. 
 
 from any station in the XG network, i can't ping nor pass ANY traffic to the UTM side, the "firewall log" shows a hit on the LAN to VPN rule but that's it, on the UTM side i dont see anything. 
 
 i'm completely baffled, both sides use their respective sophos devices as default gateway, there's no subnet overlap, nothing, yet it's not working

DavidOkeyode · Answer

Yes I've tested this and saw the same behaviour that you saw. Without going into too much technical information, the issue you're seeing is caused by an algorithm mis-match. If you change the IPSEC authentication algorithm on the UTM from "SHA2-256" to "SHA2-256 (96 Bit)", that will work. Or you can also choose to drop to "SHA-1". On a side note, setting the key lifetime of phase1 and phase2 to the same value is not considered best practice. It's probably best to have the phase2 key lifetime to be shorter than that of phase1.

Sam Boyer · Answer

Thank you, this fixed our problem when connecting a Sophos XG to a Cyberoam. Had to clone the default head policy and check "SHA2 with 96-bit truncation"