
XG85W "IPsec connection could not be activated" ??? Site-to-site with certificates

So very simple, generated a CSR and signed it with my CA, and uploaded the corresponding certificate & key to the Sophos. The cert uploads successfully as is shown in the "Certificates" page. I am now trying to setup a site-to-site IPsec VPN.

 

I add the local and remote subnets as host objects under the "Hosts and Services" link, and create the following IPsec configuration:

But when I try to activate it I get the following error:

It says "IPsec connection could not be activated". This is literally the most unhelpful error message I've seen in a long time..... wtf??

Why, exactly, can't it be "activated"? There is zero information in any of the logs. Before you ask, yes my cert is fine, I use the same CA and certificate request/signing process on dozens of routers with no problem whatsoever....... This is an XG85 with latest firmware 17.0.1 MR-1

Oh, and if you put that error message in quotes into Google, you get absolutely zero results on the entire internet, and the error is not listed in the documentation anywhere either....



  • Logging and reasons on why certain things are happening on XG are still a big dream it seems.

    Check logs from advanced shell (cli > 5 > 3) inside /log folder:

    strongswan.log, charon.log, ipsec.log, and ipsec_<NameOfTunnel>.log

    Regards

  • Did... no log entry at all... :(. The logs do not even respond to any activation attempt.

  • For us this was the last straw... I was unable to gain confidence in the Sophos XG... we are now moving (a >10k project) to Fortigate.

  • Yep, I am seeing the identical in applog. Also, I am seeing this output in the "Device Console" -> "show vpn IPsec-logs":

     

    2018-03-20 01:44:14 14[IKE] <Rv345Psite-1|50> sending end entity cert "<MY_CERT_DN>"
    2018-03-20 01:44:14 14[ENC] <Rv345Psite-1|50> generating ID_PROT request 0 [ ID CERT SIG ]
    2018-03-20 01:44:14 14[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (1244 bytes)
    2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> received packet: from x.x.x.92[500] to x.x.x.93[500] (364 bytes)
    2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> parsed ID_PROT response 0 [ ID SIG ]
    2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> no trusted RSA public key found for '<MY_CERT_DN>'
    2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> deleting IKE_SA Rv345Psite-1[50] between x.x.x.93[<MY_CERT_DN>]...x.x.x.92[<OTHER_CERT_DN>]
    2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> sending DELETE for IKE_SA Rv345Psite-1[50]
    2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> generating INFORMATIONAL_V1 request 2888959924 [ HASH D ]
    2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (108 bytes)

    Seeing as it's been months and no one from Sophos has even acknowledged this post, and since this kind of error (not being able to find certs/keys that the user has uploaded) is a pretty severe low-level problem in the code, I no longer trust Sophos as a firewall vendor. Returning our units. We had already been in the process of rolling out Fortigate 30E and 50E devices to our clients, and will absolutely be staying with them and away from Sophos.

    Horrible experience!
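The "show vpn IPsec-logs" output above is the only place the real failure reason appears: charon logs "no trusted RSA public key found for ..." and then tears the IKE_SA down, while the GUI only reports "could not be activated". The following script is an added example (not from the original post or from Sophos) that triages a charon log of this shape: it groups lines per IKE_SA, records whether a CERT payload was sent and whether one came back from the peer, and surfaces the first known failure message before a "deleting IKE_SA" line. The sample log is constructed from the lines quoted in the post (addresses and DNs are placeholders); the list of failure prefixes beyond the one on this page is an assumed starter list, not an exhaustive catalogue of charon messages.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the "show vpn IPsec-logs" output quoted above.
SAMPLE_LOG = """\
2018-03-20 01:44:14 14[IKE] <Rv345Psite-1|50> sending end entity cert "<MY_CERT_DN>"
2018-03-20 01:44:14 14[ENC] <Rv345Psite-1|50> generating ID_PROT request 0 [ ID CERT SIG ]
2018-03-20 01:44:14 14[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (1244 bytes)
2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> received packet: from x.x.x.92[500] to x.x.x.93[500] (364 bytes)
2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> parsed ID_PROT response 0 [ ID SIG ]
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> no trusted RSA public key found for '<MY_CERT_DN>'
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> deleting IKE_SA Rv345Psite-1[50] between x.x.x.93[<MY_CERT_DN>]...x.x.x.92[<OTHER_CERT_DN>]
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> sending DELETE for IKE_SA Rv345Psite-1[50]
2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> generating INFORMATIONAL_V1 request 2888959924 [ HASH D ]
2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (108 bytes)
"""

# charon line layout: "<date> <time> <thread>[<group>] <conn|sa-id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)

# Payload summary charon prints for every generated/parsed message, e.g. "[ ID CERT SIG ]".
PAYLOAD_RE = re.compile(
    r"(?P<dir>generating|parsed) (?P<exch>\S+) (?P<kind>request|response) \d+ "
    r"\[ (?P<payloads>[^\]]*)\]"
)

# Messages charon logs right before it deletes an IKE_SA. The first is the one in the
# post; the others are an assumed starter list of common charon failure messages.
FAILURE_PREFIXES = (
    "no trusted RSA public key found for",
    "no trusted ECDSA public key found for",
    "no private key found for",
    "no IKE config found for",
    "no matching peer config found",
    "received AUTHENTICATION_FAILED notify",
)


@dataclass
class SaReport:
    conn: str
    sa_id: int
    outcome: str = "in progress"      # "established" or "deleted" once known
    reason: Optional[str] = None      # first matching failure message
    sent_cert: bool = False           # we put a CERT payload on the wire
    received_cert: bool = False       # the peer sent us a CERT payload
    events: List[str] = field(default_factory=list)


def triage(log_text: str) -> Dict[str, SaReport]:
    """Group charon log lines per IKE_SA and extract the failure reason, if any."""
    reports: Dict[str, SaReport] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without a <conn|id> tag are not tied to an SA; skip them
        key = f"{m['conn']}[{m['sa']}]"
        rep = reports.setdefault(key, SaReport(m["conn"], int(m["sa"])))
        msg = m["msg"]
        rep.events.append(f"[{m['group']}] {msg}")

        pm = PAYLOAD_RE.search(msg)
        if pm:
            payloads = pm["payloads"].split()
            if pm["dir"] == "generating" and "CERT" in payloads:
                rep.sent_cert = True
            if pm["dir"] == "parsed" and "CERT" in payloads:
                rep.received_cert = True

        if m["group"] == "IKE":
            if rep.reason is None and msg.startswith(FAILURE_PREFIXES):
                rep.reason = msg
            elif msg.startswith("deleting IKE_SA"):
                rep.outcome = "deleted"
            elif msg.startswith("IKE_SA") and "established" in msg:
                rep.outcome = "established"
    return reports


def summarize(reports: Dict[str, SaReport]) -> List[str]:
    """One human-readable line per IKE_SA, for pasting into a ticket."""
    lines = []
    for key, rep in reports.items():
        lines.append(
            f"{key}: {rep.outcome}; sent CERT={rep.sent_cert}; "
            f"received CERT={rep.received_cert}; reason={rep.reason or 'none logged'}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run against a real capture, the summary shows at a glance that the local side sent its end-entity certificate, the peer answered with ID and SIG but no CERT payload, and charon then failed the trust check and deleted the SA; that is the information the GUI's "could not be activated" hides, and it points straight at the certificate/CA configuration on the two peers rather than at the subnet or proposal settings.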

  • Train,

    I do not own a XG85 but I totally agree with you. Basic stuff on XG is a dream. I still see a lot of Fortigate units on the customer side and the reason is very clear. XG needs to be written from scratch. They are adding layers and layers and features on an OS and packages but the core of the product is not developed for enterprise features. I really hope that in v18 Sophos starts from scratch, otherwise bye bye XG.


  • Yeah, I'm somewhat of a "junior" member of our MIS staff, and when I suggested trying out a "2nd tier" vendor all of my colleagues told me it was a bad idea... should have listened! :)

    A shame, since the UTM market is expanding rapidly, and as far as I know Sophos has a pretty decent AV/malware research lab. Oh well, firewalls are hard I guess.....

    Thanks all for the analysis/comments!