
Sophos UTM to Algo VPN (Site-to-site IPsec)

I have a working instance of Algo VPN, configured with default settings, set up on a cloud service - confirmed to work because individual clients can access it.  I would like to set up my Sophos UTM to direct all traffic over it so every device on the network uses the VPN without configuring a client on every device.  To that end, I have tried to enable a Site-to-site VPN with no success.  I don't know what I'm doing wrong.

While running, the log from the Sophos UTM repeatedly records:

2017:08:22-11:19:24 utm pluto[24229]: packet from 104.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

(the x's are the IP address of the Algo VPN)


When just started up, the log reads:

2017:08:22-11:21:13 utm ipsec_starter[11855]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2017:08:22-11:21:13 utm pluto[11869]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2017:08:22-11:21:13 utm pluto[11869]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2017:08:22-11:21:13 utm pluto[11869]: including NAT-Traversal patch (Version 0.6c)
2017:08:22-11:21:13 utm pluto[11869]: Using Linux 2.6 IPsec interface code
2017:08:22-11:21:13 utm ipsec_starter[11863]: pluto (11869) started after 20 ms
2017:08:22-11:21:13 utm pluto[11869]: loading ca certificates from '/etc/ipsec.d/cacerts'
2017:08:22-11:21:13 utm pluto[11869]: error in X.509 certificate
2017:08:22-11:21:13 utm pluto[11869]: building CRED_CERTIFICATE - PLUTO_CERT failed, tried 2 builders
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/StartSSL Certificate 2 Verification CA 2.pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/StartSSL Certificate 2016 Verification CA 1.pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Wed Oct 29 19:35:34 2014).pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/Local X509 Cert (Wed Oct 29 20:16:59 2014).pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/StartSSL Certificate 2 Verification CA 1.pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2017:08:22-11:21:13 utm pluto[11869]: loaded ca certificate from '/etc/ipsec.d/cacerts/WebAdmin certificate (Wed Oct 29 20:19:40 2014).pem'
2017:08:22-11:21:13 utm pluto[11869]: loading aa certificates from '/etc/ipsec.d/aacerts'
2017:08:22-11:21:13 utm pluto[11869]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2017:08:22-11:21:13 utm pluto[11869]: Changing to directory '/etc/ipsec.d/crls'
2017:08:22-11:21:13 utm pluto[11869]: loading attribute certificates from '/etc/ipsec.d/acerts'
2017:08:22-11:21:13 utm pluto[11869]: adding interface tun0/tun0 10.10.10.1:500
2017:08:22-11:21:13 utm pluto[11869]: adding interface tun0/tun0 10.10.10.1:4500
2017:08:22-11:21:13 utm pluto[11869]: adding interface eth2/eth2 192.168.0.1:500
2017:08:22-11:21:13 utm pluto[11869]: adding interface eth2/eth2 192.168.0.1:4500
2017:08:22-11:21:13 utm pluto[11869]: adding interface eth1/eth1 108.xxx.xxx.xxx:500 (my ip address)
2017:08:22-11:21:13 utm pluto[11869]: adding interface eth1/eth1 108.xxx.xxx.xxx:4500 (my ip address)
2017:08:22-11:21:13 utm pluto[11869]: adding interface lo/lo 127.0.0.1:500
2017:08:22-11:21:13 utm pluto[11869]: adding interface lo/lo 127.0.0.1:4500
2017:08:22-11:21:13 utm pluto[11869]: adding interface lo/lo ::1:500
2017:08:22-11:21:13 utm pluto[11869]: loading secrets from "/etc/ipsec.secrets"
2017:08:22-11:21:13 utm pluto[11869]: loaded private key from 'Local X509 Cert (regenerated).pem'
2017:08:22-11:21:13 utm pluto[11869]: listening for IKE messages
2017:08:22-11:21:13 utm pluto[11869]: loaded host certificate from '/etc/ipsec.d/certs/Local X509 Cert (regenerated).pem'
2017:08:22-11:21:13 utm pluto[11869]: error in X.509 certificate
2017:08:22-11:21:13 utm pluto[11869]: building CRED_CERTIFICATE - PLUTO_CERT failed, tried 2 builders
2017:08:22-11:21:13 utm pluto[11869]: added connection description "S_AlgoVPN"
2017:08:22-11:21:13 utm pluto[11869]: "S_AlgoVPN" #1: initiating Main Mode
2017:08:22-11:21:13 utm pluto[11869]: ERROR: "S_AlgoVPN" #1: sendto on eth1 to 104.xxx.xxx.xxx:500 failed in main_outI1. Errno 1: Operation not permitted (Algo VPN ip address)
2017:08:22-11:21:13 utm pluto[11869]: added connection description "X_AlgoVPN"
 
Any guidance would be appreciated.  I know the "question" is vague, but I don't know enough at this point to form a more specific one.
Many thanks,
Matt
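The pluto messages quoted above can be triaged mechanically. The following Python script is an added example, not part of the original thread and not Sophos or Algo code; it parses the UTM IPsec log format shown in the post ("YYYY:MM:DD-HH:MM:SS host proc[pid]: message") and flags the lines that explain a failed IKE negotiation. The sample lines are copied from the post with the addresses masked as posted; the category names and the explanatory text attached to each rule are the example's own.

```python
"""Triage Sophos UTM IPsec (strongSwan 4.x pluto) log lines.

Added example: parses the "YYYY:MM:DD-HH:MM:SS host proc[pid]: message" format
seen in the post and flags the messages that explain a failed IKE negotiation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[A-Za-z_]+)\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*)$"
)

# "addr:port" inside a message; octets may be masked with x's as in the post.
PEER_RE = re.compile(r"\b((?:\d{1,3}|x{1,3})(?:\.(?:\d{1,3}|x{1,3})){3}):\d+\b")


@dataclass
class Finding:
    ts: str
    proc: str
    category: str
    peer: Optional[str]
    explanation: str


# (pattern applied to the message part, category, operator-facing explanation).
# Category names and explanations are this example's own wording.
RULES = [
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "proposal_rejected",
     "Peer sent the IKE notify NO_PROPOSAL_CHOSEN: it accepted none of our "
     "proposals. Compare IKE version (pluto is the IKEv1 daemon), Phase 1 "
     "algorithms and authentication method with the peer's configuration."),
    (re.compile(r"sendto on (?P<iface>\S+) to .* failed .*Errno 1: Operation not permitted"),
     "send_blocked_locally",
     "sendto() returned EPERM, so the IKE packet never left this host; on Linux "
     "that commonly means a local packet-filter rule dropped outbound UDP/500 on "
     "the named interface."),
    (re.compile(r"error in X\.509 certificate|building CRED_CERTIFICATE .* failed"),
     "certificate_load_error",
     "A file under /etc/ipsec.d could not be parsed as a certificate. Irrelevant "
     "to a PSK tunnel, relevant if the tunnel authenticates with certificates."),
    (re.compile(r'"(?P<conn>\S+)" #\d+: initiating Main Mode'), "ikev1_main_mode_start",
     "IKEv1 Phase 1 (Main Mode) was initiated for the named connection."),
]


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg: str) -> Optional[tuple]:
    """Return (category, explanation) for the first matching rule, else None."""
    for pattern, category, explanation in RULES:
        if pattern.search(msg):
            return category, explanation
    return None


def analyse(lines: List[str]) -> List[Finding]:
    """Parse every line and emit a Finding for each one a rule recognises."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        hit = classify(fields["msg"])
        if not hit:
            continue
        peer = PEER_RE.search(fields["msg"])
        findings.append(Finding(fields["ts"], fields["proc"], hit[0],
                                peer.group(1) if peer else None, hit[1]))
    return findings


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count findings per category, useful for a log that repeats the same error."""
    counts: Dict[str, int] = {}
    for f in analyse(lines):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Sample input: lines copied from the post above (addresses masked as posted).
SAMPLE_LOG = [
    "2017:08:22-11:19:24 utm pluto[24229]: packet from 104.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN",
    "2017:08:22-11:21:13 utm pluto[11869]: error in X.509 certificate",
    "2017:08:22-11:21:13 utm pluto[11869]: listening for IKE messages",
    '2017:08:22-11:21:13 utm pluto[11869]: "S_AlgoVPN" #1: initiating Main Mode',
    '2017:08:22-11:21:13 utm pluto[11869]: ERROR: "S_AlgoVPN" #1: sendto on eth1 to 104.xxx.xxx.xxx:500 failed in main_outI1. Errno 1: Operation not permitted',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.proc:6} {f.category:24} peer={f.peer}\n    {f.explanation}")
    print(summarize(SAMPLE_LOG))
```

Run against a full UTM IPsec log, the per-category counts separate a one-off certificate warning from the error that repeats on every retry, and the peer field tells you which remote gateway the rejection came from.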


Hi, Matt, and welcome to the UTM Community!

Since this happens immediately after "initiating Main Mode," either the PSK is incorrect or the Algo device is behind a NAT.

IPsec doesn't play well with NAT.  If this is the case, the easiest solution is to create a new Remote Gateway in the UTM that is in "Respond only" mode and use that instead of the current one, which is probably in "Initiate connection" mode.

If neither of those works for you, please show us a picture of your Remote Gateway definition.

Cheers - Bob