
IPSEC VPN definitions

Hi

    I am trying to get an Avaya phone to connect to an XG IPsec VPN.

    There is a break in terminology between the two. The Avaya phone asks for "IKE ID (Group Name)"; where is that in the XG?

    I ran the wizard to set up the connection on the XG and activated it, but I constantly get "IKE Phase 1 no response" on the Avaya phone and I don't know why. Is there a way to diagnose this on the XG?

    I am not an IT guru, so please bear with me.



  • Hi again

    I found this in the console but have no idea what the errors mean.

    Sophos Firmware Version SFOS 16.05.5 MR-5

    console> show vpn IPSec-logs
    Jun 29 09:52:54 Changing to directory '/conf/certificate/aacerts'
    Jun 29 09:52:54 Changing to directory '/conf/certificate/ocspcerts'
    Jun 29 09:52:54 Changing to directory '/conf/certificate/crls'
    Jun 29 09:52:54 loaded crl file 'Default.tar.gz' (673 bytes)
    Jun 29 09:52:54 file coded in unknown format, discarded
    Jun 29 09:52:54 loaded crl file 'Default.crl' (747 bytes)
    Jun 29 09:52:54 digest algorithm not supported
    Jun 29 09:52:54 loaded crl file 'ClientAuthentication_CA.crl' (698 bytes)
    Jun 29 09:52:54 crl issuer cacert not found for (file:///conf/certificate/crls/ClientAuthentication_CA.crl\352\020\010\220\240pw"\315aw)
    Jun 29 10:01:16 added connection description "avayaremote-1"

    This does not look right to me: "digest algorithm not supported".
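The lines above are all start-up messages about the certificate store (the three warnings are each about the CRL file loaded just before them), and nothing in the window shows a peer beginning an IKE exchange, which is what "IKE Phase 1 no response" on the phone would need. The following script is an added example, not part of the thread or of Sophos' tooling: it parses `show vpn IPSec-logs` output, attributes each CRL warning to the file it belongs to, lists the connections added, and counts lines that would indicate an actual IKE negotiation. The sample input is the output quoted above with the stray binary bytes after the last filename removed; the negotiation keywords are an assumption about typical IKE daemon wording, and PSK authentication does not consult CRLs at all, so these warnings are unrelated to a PSK tunnel failing.

```python
import re

# Constructed sample input: the `show vpn IPSec-logs` output quoted in the thread,
# with the binary bytes that followed the last CRL filename removed.
SAMPLE_LOG = """\
Jun 29 09:52:54 Changing to directory '/conf/certificate/aacerts'
Jun 29 09:52:54 Changing to directory '/conf/certificate/ocspcerts'
Jun 29 09:52:54 Changing to directory '/conf/certificate/crls'
Jun 29 09:52:54 loaded crl file 'Default.tar.gz' (673 bytes)
Jun 29 09:52:54 file coded in unknown format, discarded
Jun 29 09:52:54 loaded crl file 'Default.crl' (747 bytes)
Jun 29 09:52:54 digest algorithm not supported
Jun 29 09:52:54 loaded crl file 'ClientAuthentication_CA.crl' (698 bytes)
Jun 29 09:52:54 crl issuer cacert not found for (file:///conf/certificate/crls/ClientAuthentication_CA.crl)
Jun 29 10:01:16 added connection description "avayaremote-1"
"""

# "Mon DD HH:MM:SS message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<msg>.*)$")
LOADED_RE = re.compile(r"^loaded (?P<what>\w+) file '(?P<name>[^']+)'")
CONN_RE = re.compile(r'^added connection description "(?P<name>[^"]+)"')

# Messages that mean a certificate/CRL file could not be used. None of them
# affects a PSK-authenticated tunnel, but they are easy to mistake for the cause.
WARNING_PATTERNS = (
    ("unknown-format", re.compile(r"file coded in unknown format")),
    ("digest-unsupported", re.compile(r"digest algorithm not supported")),
    ("crl-issuer-missing", re.compile(r"crl issuer cacert not found")),
)

# Assumed keywords that only appear once a peer actually starts IKE with the firewall.
NEGOTIATION_RE = re.compile(
    r"\b(IKE|ISAKMP|Main Mode|Aggressive Mode|Quick Mode|IKE_SA|CHILD_SA)\b"
)


def summarize(log_text):
    """Return warnings as (kind, file-it-belongs-to), the connections added,
    and how many IKE negotiation lines were seen at all."""
    warnings = []
    connections = []
    negotiation_lines = 0
    last_loaded = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        loaded = LOADED_RE.match(msg)
        if loaded:
            last_loaded = loaded.group("name")  # remember for the next warning
            continue
        conn = CONN_RE.match(msg)
        if conn:
            connections.append(conn.group("name"))
            continue
        if NEGOTIATION_RE.search(msg):
            negotiation_lines += 1
        for kind, pat in WARNING_PATTERNS:
            if pat.search(msg):
                warnings.append((kind, last_loaded))
                last_loaded = None  # each warning is attributed to one file only
                break
    return {
        "warnings": warnings,
        "connections": connections,
        "negotiation_lines": negotiation_lines,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for kind, fname in summary["warnings"]:
        print(f"warning: {kind} (file: {fname})")
    print("connections added:", ", ".join(summary["connections"]) or "none")
    print("IKE negotiation lines seen:", summary["negotiation_lines"])
```

Run it against a longer capture taken while the phone retries: if the negotiation count stays at zero, the phone's IKE packets are not reaching the XG (filtering or a router in front of it), which is a different problem from any of the CRL warnings.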

  • Jon,

    can you share the VPN Configuration you are using?

    Thanks

  • OK, I hope I give you all you need.

     

    IPSEC connection

    name - avayaremote

    connection type - remote access

    policy - default remote access

    Action on vpn restart - respond only

    Auth type - PSK

    Local network - port 2

    local subnet - local destination

    LocalID - set it to DNS and entered a url, not actually sure what to put.

    Allow NAT traversal - yes

    Remote lan network - any

    RemoteID - as LocalID

    Specified a local user with rights to all VPNs

    Did nothing with certificates, left as application certificate

     

    There is a firewall profile allowing traffic from that user to the destination subnet

     

    I tried the same connection from Windows 10; the XG did not seem to respond.

  • Jon,

    please take a look at these 2 KBs:

    https://community.sophos.com/kb/en-us/125446

    https://community.sophos.com/kb/en-us/125226

    And make sure that if the XG is behind another router/firewall, you forward the ports used by L2TP:

    UDP 4500 / 500 / 1701
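For the case the reply describes (the XG behind another router), the following is an added example of what the upstream router would need, written for a Linux router with iptables; it is not from the thread or from Sophos. `XG_IP` and `WAN_IF` are placeholders for the XG's address on the router's LAN and the router's Internet-facing interface. The function emits the rules rather than applying them so they can be reviewed first; UDP 500 carries IKE, UDP 4500 carries IKE and the ESP traffic once NAT traversal is in use (which matches "Allow NAT traversal - yes" in the configuration above), and UDP 1701 is L2TP.

```shell
#!/bin/sh
# Added example: forwarding rules an upstream Linux router needs so IKE, NAT-T and
# L2TP reach an XG on its LAN. Both values below are placeholders.
XG_IP="${XG_IP:-192.0.2.10}"   # placeholder: the XG's address behind the router
WAN_IF="${WAN_IF:-eth0}"       # placeholder: the router's Internet-facing interface

# Print one DNAT rule and one FORWARD-accept rule per port. Review the output,
# then run it as root (e.g. pipe it into sh) to apply.
l2tp_ipsec_forward_rules() {
  for port in 500 4500 1701; do
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -j DNAT --to-destination $XG_IP:$port"
    echo "iptables -A FORWARD -i $WAN_IF -p udp -d $XG_IP --dport $port -j ACCEPT"
  done
}

# Sanity check: the three ports the reply lists, nothing else.
l2tp_ipsec_count_dnat() {
  l2tp_ipsec_forward_rules | grep -c -- '-j DNAT'
}

l2tp_ipsec_forward_rules
```

Only UDP is forwarded here because with NAT traversal ESP is wrapped in UDP 4500; a router that does not translate addresses would additionally need to pass IP protocol 50 (ESP), which the reply does not cover.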

  • Hi

    I am confused. The links you sent me are for L2TP; I was talking about IPsec.

  • Jon,

    L2TP and IPsec are combined in order to provide encryption and then confidentiality, because L2TP does not include that. So if you are allowing your remote users to access your network, you are creating an L2TP/IPsec tunnel.

    Regards

  • Hi

    Can you advise me on any free training to help me understand this, because I see no connection between the two in the XG.

    I am lost and confused

  • Jon,

    the documentation should be enough to configure the VPN. Make sure no other firewall/router is in front of the XG.

    I can have a look at your config if the issue persists.

    Regards

  • Hi

    Unfortunately my lack of knowledge prevails.

    The Sophos documentation is not written for the novice (i.e. me); it is written for people who already know. I am trying to learn at the same time, and I do not see any Sophos documentation that contains examples.

     

    Both L2TP and IPsec use a PSK, but it only goes into a client once; it does not make sense to me.

  • Jon,

    I do not understand what your doubts are. The documentation provides all the steps necessary to allow remote users to connect to the XG. You can also use SSL VPN, which is more secure and simpler to configure.

    Regards