
No chance to get IPsec site-to-site - XG 17 MR1 to SG330 9.506-2 - up

I applied the V17 update to my XG 16 MR8,

after this, no chance to get the IPsec connection up again?

Also tested:

- entering the PSK again

- switching to RSA key

Tried EVERY Phase 1 / 2 setting / combination - nothing works?

Our SG has several tunnels to Cisco ASA and XGs (16 MR8) up - so everything is fine there.

Is this a major known bug?

Can anyone please HELP

This is the only message our XG shows

Thank you

Rolemole



  • Having the same issue between XG135 v17 MR1 and Fortigate v5.4.4 UTMs. IPsec worked fine on v16 and stopped working upon v17 and v17 MR1 upgrades.

    For reference, we are using IKEv1.

  • We are also using IKEv1!

    Sophos UTM 9.5 doesn't support IKEv2 yet.

    Did you also get IKE messages with invalid SPIs?

    Maybe some XG expert will take a look at this please.

  • I've sent you a PM with some further questions to clarify the situation.

  • Yeah, we are also getting the SPI errors as well.

  • RoleMole said:

    We are also using IKEv1!

    Sophos UTM 9.5 doesn't support IKEv2 yet.

    RoleMole

    As a workaround for now: have you tried building a RED tunnel between your XG and your UTM? I currently have 2 RED tunnels configured on my home UTM running 9.5006-2 to support my parents' computers w/o having to use some third party. One of the RED endpoints is an XG running 17 MR1 and the other is running the same version of UTM as I am.

    For now this will allow you to set up your security policy using the RED as the transport until the IPsec stuff shakes out a little better. (Crossing fingers for 17 MR2.)

    -Ron

  • RoleMole said:

    Sophos UTM 9.5 doesn't support IKEv2 yet.

    Did you also get IKE messages with invalid SPIs?

    Maybe some XG expert will take a look at this please.

    Hi RoleMole,

    after investigating the issue on your system, I can tell that the root cause is likely special characters in the pre-shared key.

    This is a known issue (Ticket NC-23039) which will be fixed in v17 MR2 (pretty soon).

    As a workaround, please choose a PSK which does not contain characters like '#' or 'space'.

  • DNA has solved the problem.

    The first thing was that the PSK cannot contain special characters in V17 MR1 (will be fixed in MR2) :-)

    Second, in Phase 2, set the Auth to SHA2 256 with 96-bit truncation.

    With these settings, it now works like a charm :-)

    Thank you

    best regards

    RoleMole

  • RoleMole said:
    Second, in Phase 2, set the Auth to SHA2 256 with 96-bit truncation.

    This needs some correction. Theoretically you can choose whichever hash function you like, but you need to ensure that if it is SHA2 256-bit, both ends of the tunnel do the truncation with the same number of bits. Choosing anything other than SHA2 256-bit avoids this confusion.
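The truncation point raised above is worth seeing concretely. In ESP, the integrity check value (ICV) appended to each packet is the leftmost N bits of HMAC-SHA-256 over the packet; RFC 4868 fixes N at 128, but some implementations historically truncated to 96 bits. When the two ends disagree, every packet's ICV fails and the tunnel negotiates but passes no traffic. The following is an added example, not code from the thread or from Sophos, that builds a simplified ESP-style packet with either truncation, verifies it as a receiver configured for the other would, and includes a small diagnostic that tells you which truncation the peer actually used. All function names, the sample key and the payload are constructed for the example; encryption is left out because only the integrity check matters here.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Truncation lengths (bits) that IPsec stacks commonly apply to HMAC-SHA-256
# in ESP: RFC 4868 specifies 128; some implementations historically used 96.
HMAC_SHA256_TRUNCATIONS = (96, 128)


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Return the ESP Integrity Check Value: the leftmost trunc_bits of
    HMAC-SHA-256 over the authenticated part of the packet."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError(f"unsupported truncation length: {trunc_bits}")
    full_tag = hmac.new(key, authenticated, hashlib.sha256).digest()
    return full_tag[: trunc_bits // 8]


def build_esp_packet(key: bytes, spi: int, seq: int, payload: bytes, trunc_bits: int) -> bytes:
    """Assemble a simplified ESP packet: SPI | sequence number | payload | ICV.
    The SPI and sequence number are covered by the ICV, as in real ESP."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authenticated = header + payload
    return authenticated + esp_icv(key, authenticated, trunc_bits)


def verify_esp_packet(key: bytes, packet: bytes, trunc_bits: int) -> Tuple[bool, str]:
    """Check the ICV exactly as a receiver configured for trunc_bits would:
    it strips the last trunc_bits/8 bytes as the ICV and recomputes the tag
    over the rest. A sender using a different truncation therefore fails
    even though key and algorithm are identical."""
    icv_len = trunc_bits // 8
    if len(packet) < 8 + icv_len:
        return False, "packet too short for header plus ICV"
    authenticated, received_icv = packet[:-icv_len], packet[-icv_len:]
    expected_icv = esp_icv(key, authenticated, trunc_bits)
    if hmac.compare_digest(received_icv, expected_icv):
        return True, f"ICV ok ({trunc_bits}-bit truncation)"
    return False, f"ICV mismatch with {trunc_bits}-bit truncation"


def detect_peer_truncation(key: bytes, packet: bytes) -> Optional[int]:
    """Diagnostic for a tunnel that is up but drops every packet: try each
    candidate truncation and report the one the sender actually used.
    Returns None when neither fits (wrong key, corrupted packet, or a
    different integrity algorithm altogether)."""
    for bits in HMAC_SHA256_TRUNCATIONS:
        ok, _ = verify_esp_packet(key, packet, bits)
        if ok:
            return bits
    return None


# Constructed sample values (not from the thread): a fixed 256-bit integrity
# key and a stand-in for the inner packet bytes.
SAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
SAMPLE_PAYLOAD = b"constructed inner IP packet bytes"


if __name__ == "__main__":
    # Sender truncates to 96 bits, receiver expects 128 bits: every packet fails.
    pkt96 = build_esp_packet(SAMPLE_KEY, 0x1234, 1, SAMPLE_PAYLOAD, 96)
    print(verify_esp_packet(SAMPLE_KEY, pkt96, 128))
    print("peer appears to use", detect_peer_truncation(SAMPLE_KEY, pkt96), "bit truncation")
    # Both ends agree on 128 bits: packets verify.
    pkt128 = build_esp_packet(SAMPLE_KEY, 0x1234, 1, SAMPLE_PAYLOAD, 128)
    print(verify_esp_packet(SAMPLE_KEY, pkt128, 128))
```

Note that the 96-bit ICV is simply a prefix of the 128-bit one, so the cryptographic strength is not the issue; the failure comes purely from the receiver slicing the packet at a different boundary, which is why the symptom is "SA established, no traffic" rather than a negotiation error, and why matching the truncation on both ends (or choosing an algorithm with a single defined length, as the reply above suggests) clears it.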