IPSec Site 2 Site VPN XG 115

Hi Brando,

Do a quick check on the subnets defined in the Local and Remote network configuration of the IPSec policy. Make sure they are correct on either end. Next, go to; Administration > Device Access and check if the Ping is selected in the VPN row. I would also request you to upgrade to v17 before we take further look.

Thanks

Hi,

I check all the subnet defined on both sides, upgrade to v17, check ping over vpn but nothing changed.

Can you please help me?

Thanks

I have the exact same problem despite having followed all the instructions - tunnel comes up instantly but no traffic, not even pings, make it across. What more is needed - I mean the whole point with site to site VPN is to link 2 LANs so why doesn't it work when set up as instructed?

Tunnel is active

Setup on server

Firewall rules (mirrored on client)

Is there any news?
Same problem after updating to V17 on site 1.
Issue was resolved after hours of searching through downgrade to V16.

If sha2 is used, please check if the policy on both XGs and see if they both have the same state for the checkbox 'SHA2 with 96-bit truncation'. Otherwise such a problem can occur.

That´s it, thanks for the quick help!

Can you tell me more about the background of the problem?

Some time back in past when sha2 256 was pretty new with ipsec, the truncation length was not yet standardised. Thus there are some old implementations which do the truncation with SHA2 256 wrong. Since the IKE protocol cannot find out which truncation is used, the only way is to provide this checkbox to give the customer a chance to connect to such machines.

Here is the upstream ticket Markus used to provide the patch to the strongswan project:

wiki.strongswan.org/.../1353

Some time back in past when sha2 256 was pretty new with ipsec, the truncation length was not yet standardised. Thus there are some old implementations which do the truncation with SHA2 256 wrong. Since the IKE protocol cannot find out which truncation is used, the only way is to provide this checkbox to give the customer a chance to connect to such machines.

Here is the upstream ticket Markus used to provide the patch to the strongswan project:

wiki.strongswan.org/.../1353