This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG85W "IPsec connection could not be activated" ??? Site-to-site with certificates

So very simple, generated a CSR and signed it with my CA, and uploaded the corresponding certificate & key to the Sophos. The cert uploads successfully as is shown in the "Certificates" page. I am now trying to setup a site-to-site IPsec VPN.

I add the local and remote subnets as host objects under the "Hosts and Services" link, and create the following IPsec configuration:

But when I try to activate it I get the following error:

It says "IPsec connection could not be activated". This is literally the most unhelpful error message I've seen in a long time..... wtf??

Why, exactly, can't it be "activated"? There is zero information in any of the logs. Before you ask, yes my cert is fine, I use the same CA and certificate request/signing process on dozens of routers with no problem whatsoever....... This is a XG85 with latest firmware 17.0.1 MR-1

Oh, and if you put that error message in quotes into Google, you get absolutely zero results on the entire internet, and the error is not listed in the documentation anywhere either....

This thread was automatically locked due to age.

0 train_wreck over 7 years ago

One thing, under "Gateway Settings" -> "Local Gateway", the "Local ID" option is set to "DNS". This doesn't seem right; should it not be "DER ASN1 DN", matching the remote ID type? Both ends use certificates. For whatever reason, the interface has greyed out this box, and doesn't let me change it.....

Any ideas? Does Sophos officially monitor this forum? This is an extremely basic feature not to work......
Cancel
Vote Up 0 Vote Down

Cancel
0 train_wreck over 7 years ago

Anyone???
Cancel
Vote Up 0 Vote Down

Cancel
0 train_wreck over 7 years ago in reply to train_wreck

So, 1 month later and no replies.... does Sophos support read these forums? Does anyone, for that matter?

I went ahead and did a factory reset, and have since create an entirely new CA PKI (for 2018). After reset and a new cert requested from the Sophos & uploaded successfully, the "DNS" option has changed to "DER ASN1 DN". However, this problem still remains.

Has anyone actually been able to create a cert-based site-to-site IPsec on this device???
Cancel
Vote Up 0 Vote Down

Cancel
0 Weatherlights over 7 years ago in reply to train_wreck

Same issue here... we are currently evaluating firewalls for a replacement of our sophos utm... and it may be that we switch to another vendor this time...
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 7 years ago

Logging and reasons on why certain things are happening on XG are still a big dream it seems.

Check logs from advanced shell (cli > 5 > 3) inside /log folder:

strongswan.log, charon.log, ipsec.log, and ipsec_<NameOfTunnel>.log

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 Weatherlights over 7 years ago in reply to lferrara

Did... no log entry at all... :(. The logs do not even respond to any activation attempt.
Cancel
Vote Up 0 Vote Down

Cancel
0 Weatherlights over 7 years ago in reply to lferrara

OK found something with good old grep.

This was in applog.log:

Mar 11 20:18:47 load_ipsec_connections: Adding rw-connection 'MyP2S'
Sun Mar 11 20:18:47 CET 2018 ipsec_link_crl.sh: 2 arguments required: <absolute path to CA> <absolute path to directory>
Mar 11 20:18:47 load_ipsec_connections: Error: connection has a config ERROR check the logs!
Cancel
Vote Up 0 Vote Down

Cancel
0 Raphael Burri over 7 years ago in reply to Weatherlights

unfortunately I can second that I am seeing the exact same error as Weatherlights. I am currently running SFOS 17.0.6 MR-6.
Cancel
Vote Up 0 Vote Down

Cancel
0 Weatherlights over 7 years ago in reply to Weatherlights

For us this was the last straw... I was unable to gain confidence into the Sophos XG... we are now moving (a >10k project) to Fortigate.
Cancel
Vote Up 0 Vote Down

Cancel
0 train_wreck over 7 years ago in reply to Weatherlights

Yep, I am seeing the identical in applog. Also, I am seeing this output in the "Device Console" -> "show vpn IPsec-logs":

2018-03-20 01:44:14 14[IKE] <Rv345Psite-1|50> sending end entity cert "<MY_CERT_DN>"
2018-03-20 01:44:14 14[ENC] <Rv345Psite-1|50> generating ID_PROT request 0 [ ID CERT SIG ]
2018-03-20 01:44:14 14[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (1244 bytes)
2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> received packet: from x.x.x.92[500] to x.x.x.93[500] (364 bytes)
2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> parsed ID_PROT response 0 [ ID SIG ]
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> no trusted RSA public key found for '<MY_CERT_DN>'
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> deleting IKE_SA Rv345Psite-1[50] between x.x.x.93[<MY_CERT_DN>]...x.x.x.92[<OTHER_CERT_DN>]
2018-03-20 01:44:14 29[IKE] <Rv345Psite-1|50> sending DELETE for IKE_SA Rv345Psite-1[50]
2018-03-20 01:44:14 29[ENC] <Rv345Psite-1|50> generating INFORMATIONAL_V1 request 2888959924 [ HASH D ]
2018-03-20 01:44:14 29[NET] <Rv345Psite-1|50> sending packet: from x.x.x.93[500] to x.x.x.92[500] (108 bytes)

Seeings as its been months and no one from Sophos has even acknowledged this post, and since this kind of error (not being able to find certs/keys that the user has uploaded) is a pretty severe low-level problem in the code, I no longer trust Sophos as a firewall vendor. Returning our units. We had already been in the process of rolling out Fortigate 30E and 50E devices to our clients, and will absolutely be staying with them and away from Sophos.

Horrible experience!
Cancel
Vote Up 0 Vote Down

Cancel