This discussion has been locked.

XG85W "IPsec connection could not be activated" ??? Site-to-site with certificates

So very simple, generated a CSR and signed it with my CA, and uploaded the corresponding certificate & key to the Sophos. The cert uploads successfully as is shown in the "Certificates" page. I am now trying to set up a site-to-site IPsec VPN.

 

I add the local and remote subnets as host objects under the "Hosts and Services" link, and create the following IPsec configuration:

But when I try to activate it I get the following error:

It says "IPsec connection could not be activated". This is literally the most unhelpful error message I've seen in a long time..... wtf??

Why, exactly, can't it be "activated"? There is zero information in any of the logs. Before you ask, yes my cert is fine, I use the same CA and certificate request/signing process on dozens of routers with no problem whatsoever....... This is an XG85 with latest firmware 17.0.1 MR-1

Oh, and if you put that error message in quotes into Google, you get absolutely zero results on the entire internet, and the error is not listed in the documentation anywhere either....



  • Logging and reasons on why certain things are happening on XG are still a big dream it seems.

    Check logs from advanced shell (cli > 5 > 3) inside /log folder:

    strongswan.log, charon.log, ipsec.log, and ipsec_<NameOfTunnel>.log

    Regards

  • OK found something with good old grep.

    This was in applog.log:

    Mar 11 20:18:47 load_ipsec_connections: Adding rw-connection 'MyP2S'
    Sun Mar 11 20:18:47 CET 2018 ipsec_link_crl.sh: 2 arguments required: <absolute path to CA> <absolute path to directory>
    Mar 11 20:18:47 load_ipsec_connections: Error: connection has a config ERROR check the logs!
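The log search from the replies above, as an added example that is not part of the original thread and is not Sophos tooling: it pulls out every failed load attempt for one connection, together with the helper-script output logged in between. The function names and the 'BranchB' sample line are constructed, and the Adding/Error line layout is assumed to match the applog.log excerpt quoted in the thread.

```shell
#!/bin/sh
# Added example for triaging "IPsec connection could not be activated".
# Usage on the appliance (advanced shell): ipsec_load_failures /log/applog.log MyP2S

# Print each load attempt for connection $2 in log file $1 that ended in a
# load_ipsec_connections error, including the lines logged in between.
# Exit status is 0 if at least one failed attempt was found, 1 otherwise.
ipsec_load_failures() {
    awk -v conn="$2" '
        # An "Adding ...-connection" line starts a new block; track it only
        # when it names the connection of interest (\047 is a single quote).
        /load_ipsec_connections: Adding / {
            inblk = (index($0, "\047" conn "\047") > 0)
            buf = ""
        }
        # Collect every line of the tracked block, helper output included.
        inblk { buf = buf $0 "\n" }
        # The error line closes the block: emit what was collected.
        inblk && /load_ipsec_connections: Error/ {
            printf "%s", buf
            inblk = 0
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Write a constructed sample log to $1: the three lines quoted in the thread,
# preceded by a constructed line for another connection that loads cleanly.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 11 20:18:40 load_ipsec_connections: Adding rw-connection 'BranchB'
Mar 11 20:18:47 load_ipsec_connections: Adding rw-connection 'MyP2S'
Sun Mar 11 20:18:47 CET 2018 ipsec_link_crl.sh: 2 arguments required: <absolute path to CA> <absolute path to directory>
Mar 11 20:18:47 load_ipsec_connections: Error: connection has a config ERROR check the logs!
EOF
}
```

The same function can be pointed at the other files named in the first reply (strongswan.log, charon.log, ipsec.log) if the error block is not in applog.log.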
