This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec Site to Site VPN Sophos XG 17.0.3 and Cisco 866

Hi There,

it seems that we ran into a mission impossible....

after we changed in a head office from Cisco 881 to a Sophos XG 135 with SFOS 17.0.3 we are unable to establish a IPsec Site to Site Connection to a Branch Office with a Cisco 866. Other Site to Site Connections (Sophos XG 105 and a Cisco 851) are working fine.

We tried to use the IPsec configuration from the cisco 851 but no connection. The Message at the Sophos is "received IKE message with invalid SPI (48AB99F0) from other side" with Status Deny.

The configuration at the Cisco 866 is as follows

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key "presharedkey" address ww.xx.yy.zz
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set ESP-AES128-MD5 esp-aes 256 esp-md5-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description ###Tunnel to Head Office###
set security-association lifetime seconds 86400
set peer ww.xx.yy.zz
set transform-set ESP-AES128-MD5
set pfs group5
match address 102

the ipsec profile at the Sophos XG 135 is

IKEv1

Main mode

Key Negotiation Tries 0

Re-Keying on

Because that is not working we tried IKEv2, SHA256, DH14 and so on but always the same errors. No solutions by searching Google helps.

at the Cisco Router the message at "sh cry isa sa" is "MM_KEY_EXCH" and then "MM_NO_STATE"

Does anyone knows someting about that?

The curious thing is, that teh S2S with the old 851 works....

Thanks for any suggestion and help.

Best Regards

Jürgen

This thread was automatically locked due to age.

Parents

0 sachingurung over 7 years ago

Hi Jürgen,

Can you delete the old IPSec Policy on the XG and reconfigure from scratch? Sometimes, the invalid SPI errors are resolved this way.

Let us know.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jürgen Barnickel over 7 years ago in reply to sachingurung

Hi Sachin,

we tried this several times with different settings on both sides simultaniously, now I buildt the policy from the scratch but the result is still the same.

by myself I don't know what differences between the Cisco 851 (which is running with the same policy) and the Cisco 866. One difference is, that the Cisco 866 has mor possibilities in encryption.

Thank you so far.

Greetings

Jürgen
Cancel
Vote Up 0 Vote Down

Cancel
0 sachingurung over 7 years ago in reply to Jürgen Barnickel

Please PM me charon.log and strongswan.log to investigate the issue.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel

0 Jürgen Barnickel over 7 years ago in reply to sachingurung

Hello Sachingurung,

sorry for the late reply.... weekend and new years eve....

I'll tell you short what we have done last.

We build up a cisco 851 and configured it like the Cisco 866 in hope this will work. We made the same configuration like that one which si stable. But it even does not work with the same error.

Our next thought was, because the sophos xg 135 and the Ciscos both are behind a Fritz!Box as a exposed host and the Cisco and the Sophos have the similar WAN IP 192.168.178.XXX. So I've changed the WAN IP at Sophos side to 192.168.171.XXX, still no success.

Here now are the charon.log and strongswan.log from the sophos XG:

charon.log

Fullscreen charon.log Download

2017-12-31 14:25:13 13[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'   
2017-12-31 14:25:13 13[CFG] loading secrets from '/_conf/ipsec/connections/Shrew
VPN.secrets'                                                                    
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for 192.168.171.254 %any        
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for info@orthopaedie-hof.de tech
nik@itl-edv.de                                                                  
2017-12-31 14:25:13 13[CFG] loading secrets from '/_conf/ipsec/connections/Site_
to_Site_BT.secrets'                                                             
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for 192.168.171.254 92.79.166.22
0                                                                               
2017-12-31 14:25:13 13[CFG] loading secrets from '/_conf/ipsec/connections/VPN_K
H_Mueb.secrets'                                                                 
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for 192.168.171.254 79.210.5.163
2017-12-31 14:25:13 13[CFG] loading secrets from '/_conf/ipsec/connections/VPN_N
aila.secrets'                                                                   
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for 192.168.171.254 87.139.177.1
0                                                                               
2017-12-31 14:25:13 13[CFG]   loaded IKE secret for 62.91.85.163 87.139.177.10  
2017-12-31 14:25:13 08[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d
/cacerts'                                                                       
2017-12-31 14:25:13 18[CFG] vici initiate 'VPN_KH_Mueb-1'                       
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing ISAKMP_VENDOR task   
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing ISAKMP_CERT_PRE task 
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing MAIN_MODE task       
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing ISAKMP_CERT_POST task
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing ISAKMP_NATD task     
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> queueing QUICK_MODE task      
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> activating new tasks          
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873>   activating ISAKMP_VENDOR tas
k                                                                               
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873>   activating ISAKMP_CERT_PRE t
ask                                                                             
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873>   activating MAIN_MODE task   
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873>   activating ISAKMP_CERT_POST 
task                                                                            
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873>   activating ISAKMP_NATD task 
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> sending XAuth vendor ID       
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> sending DPD vendor ID         
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> sending FRAGMENTATION vendor I
D                                                                               
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> sending NAT-T (RFC 3947) vendo
r ID                                                                            
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> sending draft-ietf-ipsec-nat-t
-ike-02\n vendor ID                                                             
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> initiating Main Mode IKE_SA VP
N_KH_Mueb-1[46873] to 79.210.5.163                                              
2017-12-31 14:25:13 22[IKE] <VPN_KH_Mueb-1|46873> IKE_SA VPN_KH_Mueb-1[46873] st
ate change: CREATED => CONNECTING                                               
2017-12-31 14:25:13 22[CFG] <VPN_KH_Mueb-1|46873> configured proposals: IKE:AES_
CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_
256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SH
A2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_
SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_5
21/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MO
DP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM
_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_2
56/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/E
CP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/
MODP_8192/MODP_2048                                                             
2017-12-31 14:25:13 22[ENC] <VPN_KH_Mueb-1|46873> generating ID_PROT request 0 [
 SA V V V V V ]                                                                 
2017-12-31 14:25:13 22[NET] <VPN_KH_Mueb-1|46873> sending packet: from 192.168.1
71.254[500] to 79.210.5.163[500] (252 bytes)                                    
2017-12-31 14:25:13 04[NET] sending packet: from 192.168.171.254[500] to 79.210.
5.163[500]                                                                      
2017-12-31 14:25:13 03[NET] received packet: from 79.210.5.163[500] to 192.168.1
71.254[500]                                                                     
2017-12-31 14:25:13 03[NET] waiting for data on sockets                         
2017-12-31 14:25:13 11[NET] <VPN_KH_Mueb-1|46873> received packet: from 79.210.5
.163[500] to 192.168.171.254[500] (108 bytes)                                   
2017-12-31 14:25:13 11[ENC] <VPN_KH_Mueb-1|46873> parsed ID_PROT response 0 [ SA
 V ]                                                                            
2017-12-31 14:25:13 11[IKE] <VPN_KH_Mueb-1|46873> received draft-ietf-ipsec-nat-
t-ike-02\n vendor ID                                                            
2017-12-31 14:25:13 11[CFG] <VPN_KH_Mueb-1|46873> selecting proposal:           
2017-12-31 14:25:13 11[CFG] <VPN_KH_Mueb-1|46873>   proposal matches            
2017-12-31 14:25:13 11[CFG] <VPN_KH_Mueb-1|46873> received proposals: IKE:AES_CB
C_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536                                        
2017-12-31 14:25:13 11[CFG] <VPN_KH_Mueb-1|46873> configured proposals: IKE:AES_
CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_
256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SH
A2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_
SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_5
21/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MO
DP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM
_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_2
56/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/E
CP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/
MODP_8192/MODP_2048                                                             
2017-12-31 14:25:13 11[CFG] <VPN_KH_Mueb-1|46873> selected proposal: IKE:AES_CBC
_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536                                         
2017-12-31 14:25:13 11[IKE] <VPN_KH_Mueb-1|46873> reinitiating already active ta
sks                                                                             
2017-12-31 14:25:13 11[IKE] <VPN_KH_Mueb-1|46873>   ISAKMP_VENDOR task          
2017-12-31 14:25:13 11[IKE] <VPN_KH_Mueb-1|46873>   MAIN_MODE task              
2017-12-31 14:25:13 11[ENC] <VPN_KH_Mueb-1|46873> generating ID_PROT request 0 [
 KE No NAT-D NAT-D ]                                                            
2017-12-31 14:25:13 11[NET] <VPN_KH_Mueb-1|46873> sending packet: from 192.168.1
71.254[500] to 79.210.5.163[500] (300 bytes)                                    
2017-12-31 14:25:13 04[NET] sending packet: from 192.168.171.254[500] to 79.210.
5.163[500]                                                                      
2017-12-31 14:25:13 03[NET] received packet: from 79.210.5.163[500] to 192.168.1
71.254[500]                                                                     
2017-12-31 14:25:13 03[NET] waiting for data on sockets                         
2017-12-31 14:25:13 23[NET] <VPN_KH_Mueb-1|46873> received packet: from 79.210.5
.163[500] to 192.168.171.254[500] (360 bytes)                                   
2017-12-31 14:25:13 23[ENC] <VPN_KH_Mueb-1|46873> parsed ID_PROT response 0 [ KE
 No V V V V NAT-D NAT-D ]                                                       
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> received Cisco Unity vendor ID
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> received DPD vendor ID        
2017-12-31 14:25:13 23[ENC] <VPN_KH_Mueb-1|46873> received unknown vendor ID: 72
:e5:c7:fa:1b:44:04:6a:2d:8e:7a:8f:8a:49:53:76                                   
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> received XAuth vendor ID      
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> local host is behind NAT, send
ing keep alives                                                                 
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> remote host is behind NAT     
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873> reinitiating already active ta
sks                                                                             
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873>   ISAKMP_VENDOR task          
2017-12-31 14:25:13 23[IKE] <VPN_KH_Mueb-1|46873>   MAIN_MODE task              
2017-12-31 14:25:13 23[ENC] <VPN_KH_Mueb-1|46873> generating ID_PROT request 0 [
 ID HASH ]                                                                      
2017-12-31 14:25:13 23[NET] <VPN_KH_Mueb-1|46873> sending packet: from 192.168.1
71.254[4500] to 79.210.5.163[4500] (76 bytes)                                   
2017-12-31 14:25:13 04[NET] sending packet: from 192.168.171.254[4500] to 79.210
.5.163[4500]                                                                    
2017-12-31 14:25:13 03[NET] received packet: from 79.210.5.163[4500] to 192.168.
171.254[4500]                                                                   
2017-12-31 14:25:13 03[NET] waiting for data on sockets                         
2017-12-31 14:25:13 07[NET] <VPN_KH_Mueb-1|46873> received packet: from 79.210.5
.163[4500] to 192.168.171.254[4500] (76 bytes)                                  
2017-12-31 14:25:13 07[ENC] <VPN_KH_Mueb-1|46873> parsed ID_PROT response 0 [ ID
 HASH ]                                                                         
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> IDir '192.168.178.201' does no
t match to '79.210.5.163'                                                       
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> queueing ISAKMP_DELETE task   
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> activating new tasks          
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873>   activating ISAKMP_DELETE tas
k                                                                               
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> deleting IKE_SA VPN_KH_Mueb-1[
46873] between 192.168.171.254[192.168.171.254]...79.210.5.163[%any]            
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> sending DELETE for IKE_SA VPN_
KH_Mueb-1[46873]                                                                
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> IKE_SA VPN_KH_Mueb-1[46873] st
ate change: CONNECTING => DELETING                                              
2017-12-31 14:25:13 07[ENC] <VPN_KH_Mueb-1|46873> generating INFORMATIONAL_V1 re
quest 3135784448 [ HASH D ]                                                     
2017-12-31 14:25:13 07[NET] <VPN_KH_Mueb-1|46873> sending packet: from 192.168.1
71.254[4500] to 79.210.5.163[4500] (92 bytes)                                   
2017-12-31 14:25:13 04[NET] sending packet: from 192.168.171.254[4500] to 79.210
.5.163[4500]                                                                    
2017-12-31 14:25:13 07[IKE] <VPN_KH_Mueb-1|46873> IKE_SA VPN_KH_Mueb-1[46873] st
ate change: DELETING => DESTROYING                                              
2017-12-31 14:25:13 03[NET] received packet: from 79.210.5.163[4500] to 192.168.
171.254[4500]                                                                   
2017-12-31 14:25:13 03[NET] waiting for data on sockets                         
2017-12-31 14:25:13 26[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE m
essage with invalid SPI (815F32A5) from other side

strongswan.log

Fullscreen strongswan.log Download

2017-12-31 14:30:38 29[CFG] loading secrets from '/_conf/ipsec/connections/VPN_K
H_Mueb.secrets'                                                                 
2017-12-31 14:30:38 29[CFG]   loaded IKE secret for 192.168.171.254 79.210.5.163
2017-12-31 14:30:38 29[CFG] loading secrets from '/_conf/ipsec/connections/VPN_N
aila.secrets'                                                                   
2017-12-31 14:30:38 29[CFG]   loaded IKE secret for 192.168.171.254 87.139.177.1
0                                                                               
2017-12-31 14:30:38 29[CFG]   loaded IKE secret for 62.91.85.163 87.139.177.10  
2017-12-31 14:30:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d
/cacerts'                                                                       
2017-12-31 14:30:38 20[CFG] vici initiate 'VPN_KH_Mueb-1'                       
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_VENDOR task   
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_CERT_PRE task 
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing MAIN_MODE task       
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_CERT_POST task
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_NATD task     
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> queueing QUICK_MODE task      
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> activating new tasks          
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874>   activating ISAKMP_VENDOR tas
k                                                                               
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874>   activating ISAKMP_CERT_PRE t
ask                                                                             
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874>   activating MAIN_MODE task   
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874>   activating ISAKMP_CERT_POST 
task                                                                            
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874>   activating ISAKMP_NATD task 
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> sending XAuth vendor ID       
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> sending DPD vendor ID         
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> sending FRAGMENTATION vendor I
D                                                                               
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> sending NAT-T (RFC 3947) vendo
r ID                                                                            
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> sending draft-ietf-ipsec-nat-t
-ike-02\n vendor ID                                                             
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> initiating Main Mode IKE_SA VP
N_KH_Mueb-1[46874] to 79.210.5.163                                              
2017-12-31 14:30:38 11[IKE] <VPN_KH_Mueb-1|46874> IKE_SA VPN_KH_Mueb-1[46874] st
ate change: CREATED => CONNECTING                                               
2017-12-31 14:30:38 11[CFG] <VPN_KH_Mueb-1|46874> configured proposals: IKE:AES_
CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_
256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SH
A2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_
SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_5
21/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MO
DP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM
_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_2
56/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/E
CP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/
MODP_8192/MODP_2048                                                             
2017-12-31 14:30:38 11[ENC] <VPN_KH_Mueb-1|46874> generating ID_PROT request 0 [
 SA V V V V V ]                                                                 
2017-12-31 14:30:38 11[NET] <VPN_KH_Mueb-1|46874> sending packet: from 192.168.1
71.254[500] to 79.210.5.163[500] (252 bytes)                                    
2017-12-31 14:30:38 04[NET] sending packet: from 192.168.171.254[500] to 79.210.
5.163[500]                                                                      
2017-12-31 14:30:38 03[NET] received packet: from 91.62.251.47[4500] to 192.168.
171.254[4500]                                                                   
2017-12-31 14:30:38 03[NET] waiting for data on sockets                         
2017-12-31 14:30:38 17[NET] <ShrewVPN-1|46872> received packet: from 91.62.251.4
7[4500] to 192.168.171.254[4500] (108 bytes)                                    
2017-12-31 14:30:38 17[ENC] <ShrewVPN-1|46872> parsed INFORMATIONAL_V1 request 2
057653246 [ HASH N(DPD) ]                                                       
2017-12-31 14:30:38 17[IKE] <ShrewVPN-1|46872> queueing ISAKMP_DPD task         
2017-12-31 14:30:38 17[IKE] <ShrewVPN-1|46872> activating new tasks             
2017-12-31 14:30:38 17[IKE] <ShrewVPN-1|46872>   activating ISAKMP_DPD task     
2017-12-31 14:30:38 17[ENC] <ShrewVPN-1|46872> generating INFORMATIONAL_V1 reque
st 1839969069 [ HASH N(DPD_ACK) ]                                               
2017-12-31 14:30:38 17[NET] <ShrewVPN-1|46872> sending packet: from 192.168.171.
254[4500] to 91.62.251.47[4500] (108 bytes)                                     
2017-12-31 14:30:38 17[IKE] <ShrewVPN-1|46872> activating new tasks             
2017-12-31 14:30:38 04[NET] sending packet: from 192.168.171.254[4500] to 91.62.
251.47[4500]                                                                    
2017-12-31 14:30:38 17[IKE] <ShrewVPN-1|46872> nothing to initiate              
2017-12-31 14:30:38 03[NET] received packet: from 79.210.5.163[500] to 192.168.1
71.254[500]                                                                     
2017-12-31 14:30:38 03[NET] waiting for data on sockets                         
2017-12-31 14:30:38 21[NET] <VPN_KH_Mueb-1|46874> received packet: from 79.210.5
.163[500] to 192.168.171.254[500] (108 bytes)                                   
2017-12-31 14:30:38 21[ENC] <VPN_KH_Mueb-1|46874> parsed ID_PROT response 0 [ SA
 V ]                                                                            
2017-12-31 14:30:38 21[IKE] <VPN_KH_Mueb-1|46874> received draft-ietf-ipsec-nat-
t-ike-02\n vendor ID                                                            
2017-12-31 14:30:38 21[CFG] <VPN_KH_Mueb-1|46874> selecting proposal:           
2017-12-31 14:30:38 21[CFG] <VPN_KH_Mueb-1|46874>   proposal matches            
2017-12-31 14:30:38 21[CFG] <VPN_KH_Mueb-1|46874> received proposals: IKE:AES_CB
C_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536                                        
2017-12-31 14:30:38 21[CFG] <VPN_KH_Mueb-1|46874> configured proposals: IKE:AES_
CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_
256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA2_256_128/HMAC_SH
A2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_
SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_5
21/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MO
DP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM
_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_2
56/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/E
CP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/
MODP_8192/MODP_2048                                                             
2017-12-31 14:30:38 21[CFG] <VPN_KH_Mueb-1|46874> selected proposal: IKE:AES_CBC
_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536                                         
2017-12-31 14:30:38 21[IKE] <VPN_KH_Mueb-1|46874> reinitiating already active ta
sks                                                                             
2017-12-31 14:30:38 21[IKE] <VPN_KH_Mueb-1|46874>   ISAKMP_VENDOR task          
2017-12-31 14:30:38 21[IKE] <VPN_KH_Mueb-1|46874>   MAIN_MODE task              
2017-12-31 14:30:38 21[ENC] <VPN_KH_Mueb-1|46874> generating ID_PROT request 0 [
 KE No NAT-D NAT-D ]                                                            
2017-12-31 14:30:38 21[NET] <VPN_KH_Mueb-1|46874> sending packet: from 192.168.1
71.254[500] to 79.210.5.163[500] (300 bytes)                                    
2017-12-31 14:30:38 04[NET] sending packet: from 192.168.171.254[500] to 79.210.
5.163[500]                                                                      
2017-12-31 14:30:38 03[NET] received packet: from 79.210.5.163[500] to 192.168.1
71.254[500]                                                                     
2017-12-31 14:30:38 03[NET] waiting for data on sockets                         
2017-12-31 14:30:38 14[NET] <VPN_KH_Mueb-1|46874> received packet: from 79.210.5
.163[500] to 192.168.171.254[500] (360 bytes)                                   
2017-12-31 14:30:38 14[ENC] <VPN_KH_Mueb-1|46874> parsed ID_PROT response 0 [ KE
 No V V V V NAT-D NAT-D ]                                                       
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> received Cisco Unity vendor ID
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> received DPD vendor ID        
2017-12-31 14:30:38 14[ENC] <VPN_KH_Mueb-1|46874> received unknown vendor ID: 72
:e5:c7:fa:38:14:37:f8:ff:07:a1:58:91:86:35:8f                                   
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> received XAuth vendor ID      
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> local host is behind NAT, send
ing keep alives                                                                 
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> remote host is behind NAT     
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874> reinitiating already active ta
sks                                                                             
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874>   ISAKMP_VENDOR task          
2017-12-31 14:30:38 14[IKE] <VPN_KH_Mueb-1|46874>   MAIN_MODE task              
2017-12-31 14:30:38 14[ENC] <VPN_KH_Mueb-1|46874> generating ID_PROT request 0 [
 ID HASH ]                                                                      
2017-12-31 14:30:38 14[NET] <VPN_KH_Mueb-1|46874> sending packet: from 192.168.1
71.254[4500] to 79.210.5.163[4500] (76 bytes)                                   
2017-12-31 14:30:38 04[NET] sending packet: from 192.168.171.254[4500] to 79.210
.5.163[4500]                                                                    
2017-12-31 14:30:38 03[NET] received packet: from 79.210.5.163[4500] to 192.168.
171.254[4500]                                                                   
2017-12-31 14:30:38 03[NET] waiting for data on sockets                         
2017-12-31 14:30:38 10[NET] <VPN_KH_Mueb-1|46874> received packet: from 79.210.5
.163[4500] to 192.168.171.254[4500] (76 bytes)                                  
2017-12-31 14:30:38 10[ENC] <VPN_KH_Mueb-1|46874> parsed ID_PROT response 0 [ ID
 HASH ]                                                                         
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> IDir '192.168.178.201' does no
t match to '79.210.5.163'                                                       
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_DELETE task   
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> activating new tasks          
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874>   activating ISAKMP_DELETE tas
k                                                                               
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> deleting IKE_SA VPN_KH_Mueb-1[
46874] between 192.168.171.254[192.168.171.254]...79.210.5.163[%any]            
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> sending DELETE for IKE_SA VPN_
KH_Mueb-1[46874]                                                                
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> IKE_SA VPN_KH_Mueb-1[46874] st
ate change: CONNECTING => DELETING                                              
2017-12-31 14:30:38 10[ENC] <VPN_KH_Mueb-1|46874> generating INFORMATIONAL_V1 re
quest 1002753830 [ HASH D ]                                                     
2017-12-31 14:30:38 10[NET] <VPN_KH_Mueb-1|46874> sending packet: from 192.168.1
71.254[4500] to 79.210.5.163[4500] (92 bytes)                                   
2017-12-31 14:30:38 04[NET] sending packet: from 192.168.171.254[4500] to 79.210
.5.163[4500]                                                                    
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> IKE_SA VPN_KH_Mueb-1[46874] st
ate change: DELETING => DESTROYING                                              
2017-12-31 14:30:38 03[NET] received packet: from 79.210.5.163[4500] to 192.168.
171.254[4500]                                                                   
2017-12-31 14:30:38 03[NET] waiting for data on sockets                         
2017-12-31 14:30:38 18[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE m
essage with invalid SPI (FD07BCDB) from other side                              
??^C                                                                            
XG135_XN02_SFOS 17.0.3 MR-3# ??                                                 
XG135_XN02_SFOS 17.0.3 MR-3#

I hope this can help you and me to find a solution.

If not, I'm afraid I will loose my head [;)]

Thankx and a happy new year to all of you.

Best regards and greetings

Jürgen

0 apalm123 over 7 years ago in reply to Jürgen Barnickel

I recently had issues connecting XG105 (17.0.3) to an ASA. All of the settings matched on our IPSEC policies, but after contacting Sophos support who setup brand new policies for me on my XG, it works. The settings they used were basically copies of the default "Branch" office, and none of the key life time values matched the ASA, but it's stayed up for over a week so far.
Cancel
Vote Up 0 Vote Down

Cancel
0 kofi over 7 years ago in reply to Jürgen Barnickel

Hi Juergen,

according to the logs it looks like the local-/remote id are not set correctly.

2017-12-31 14:30:38 10[NET] <VPN_KH_Mueb-1|46874> received packet: from 79.210.5.163[4500] to 192.168.171.254[4500] (76 bytes)
2017-12-31 14:30:38 10[ENC] <VPN_KH_Mueb-1|46874> parsed ID_PROT response 0 [ ID HASH ]
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> IDir '192.168.178.201' does not match to '79.210.5.163'
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> queueing ISAKMP_DELETE task
2017-12-31 14:30:38 10[IKE] <VPN_KH_Mueb-1|46874> activating new tasks

If not already done I recommend to set the local-/remote id on both side explicit.

Cheers,

Kofi
Cancel
Vote Up 0 Vote Down

Cancel
0 apalm123 over 7 years ago in reply to apalm123

I need to amend my comment, and reverse it. After messing around with Ikev1 to connect to an ASA on the other end, I gave up on 17mr3. I put close to 15 - 20 hours trying to get it to work and stay up. Installed the latest 16 version, and my tunnel came up the very first time, and all subnets stayed connected. No errors.
Cancel
Vote Up 0 Vote Down

Cancel
0 Dominic Russell over 7 years ago in reply to apalm123

Hello,

I also had issues with 17.0.3, and had to revert to 17.0.2. In my case, Sophos-XG MR3 kept opening tunnels after tunnels, until something would crash...
Cancel
Vote Up 0 Vote Down

Cancel
0 John Woodall over 7 years ago in reply to Dominic Russell

17.08 is still an issue as well.

I have a hard time believing they let this out the door when it killed so many (all?) VPNs to non-Sophos devices.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 John Woodall over 7 years ago in reply to Dominic Russell

17.08 is still an issue as well.

I have a hard time believing they let this out the door when it killed so many (all?) VPNs to non-Sophos devices.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data