Translate ShrewSoft VPN Configuration to UTM Site-to-Site?

We have a SG 115 with ~20 working IPsec tunnels to a variety of customer appliances.  This much is working.  We have a new customer that we can connect to with the Shrewsoft VPN client on an individual workstation, but I'd really prefer to have a tunnel to them through our Sophos appliance so that we can control access to them for my entire (distributed) team.

I'm thinking it should be possible to "convert" the Shrewsoft configuration to the Sophos, but to date I've not been successful.  I seem to get close, but end up with AUTHENTICATION FAILED in the Live Log on the SG.  A summary of messages from a recent attempt looks like this:

2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: initiating Main Mode
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I1
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [XAUTH]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [Dead Peer Detection]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: ignoring Vendor ID payload [Cisco-Unity]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [RFC 3947]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: enabling possible NAT-traversal with method 3
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I2
2016:12:17-10:40:14 vpn-1 pluto[15203]: | requested CA: "C=US, O=..., CN=unknown CA, E=..."  (ellipses added)
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: NAT-Traversal: Result using RFC 3947: peer is NATed
2016:12:17-10:40:14 vpn-1 pluto[15203]: | our certificate policy is ALWAYS_SEND
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: we have a cert and are sending it
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I3
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: ignoring informational payload, type AUTHENTICATION_FAILED

I have verified that the XAUTH configuration matches between the Sophos and Shrewsoft configuration, but there is one setting in Shrewsoft I don't quite understand: "auth-server-cert-data". The Shrewsoft documentation says this is a "Certificate Authority certificate and public key that was used to generate the Client Gateways certificate".  I'm thinking that this has to be migrated to the Sophos somehow, but ... so far nothing has worked.

Anyone have any experience migrating Shrewsoft configuration to an SG that can help me make this connection, or at least tell me if what I'm trying to do is impossible?
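As an added example (not part of the original post), here is a small Python parser for the pluto Live Log lines quoted above. It groups the messages by ISAKMP SA number, records which Main Mode state was reached, the peer's vendor IDs, the NAT-T result and the CA named in the peer's certificate request, and reports in which exchange the AUTHENTICATION_FAILED notify arrived. In this excerpt the notify follows "we have a cert and are sending it" while the SA is still in STATE_MAIN_I3, i.e. still inside IKEv1 Phase 1; XAUTH only runs after Phase 1 has completed, so what the peer rejected is the UTM's Phase 1 identity/certificate, not the XAUTH username and password. The log text is embedded exactly as posted (the poster replaced parts of the CA DN with "..."); the state-to-phase mapping is standard IKEv1, and the wording of diagnose() is mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Live Log lines as quoted in the post above.  The poster replaced parts of the
# requested-CA DN with "...", so that field is not a real distinguished name.
PLUTO_LOG = """\
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: initiating Main Mode
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I1
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [XAUTH]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [Dead Peer Detection]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: ignoring Vendor ID payload [Cisco-Unity]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: received Vendor ID payload [RFC 3947]
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: enabling possible NAT-traversal with method 3
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I2
2016:12:17-10:40:14 vpn-1 pluto[15203]: | requested CA: "C=US, O=..., CN=unknown CA, E=..."
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: NAT-Traversal: Result using RFC 3947: peer is NATed
2016:12:17-10:40:14 vpn-1 pluto[15203]: | our certificate policy is ALWAYS_SEND
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: we have a cert and are sending it
2016:12:17-10:40:14 vpn-1 pluto[15203]: | state object #68402 found, in STATE_MAIN_I3
2016:12:17-10:40:14 vpn-1 pluto[15203]: "S_RCW" #68402: ignoring informational payload, type AUTHENTICATION_FAILED
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
STATE_RE = re.compile(r'state object #(?P<sa>\d+) found, in (?P<state>STATE_\w+)')
VID_RE = re.compile(r'^(?:received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]')
NAT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>[^:]+): (?P<result>.+)')
CA_RE = re.compile(r'requested CA: "(?P<ca>[^"]*)"')
NOTIFY_RE = re.compile(r'informational payload, type (?P<notify>[A-Z0-9_]+)')

# IKEv1 Main Mode initiator states: all Phase 1.  XAUTH and Quick Mode can only
# start once STATE_MAIN_I4 (Phase 1 complete) has been reached.
MAIN_MODE_STATES = ("STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4")

@dataclass
class IkeAttempt:
    sa: str                                # ISAKMP SA number (#NNNNN)
    conn: Optional[str] = None             # UTM connection name, e.g. S_RCW
    states: List[str] = field(default_factory=list)
    vendor_ids: List[str] = field(default_factory=list)
    nat_result: Optional[str] = None
    requested_ca: Optional[str] = None     # CA named in the peer's CERTREQ
    sent_cert: bool = False
    notify: Optional[str] = None           # error notify received from the peer
    state_at_notify: Optional[str] = None  # our state when it arrived

def parse_pluto_log(text: str) -> Dict[str, IkeAttempt]:
    """Group pluto lines by ISAKMP SA and extract the Phase 1 progress."""
    attempts: Dict[str, IkeAttempt] = {}
    current: Optional[IkeAttempt] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("| "):
            # Debug lines have no connection prefix: "state object #N" names the SA,
            # any other debug line is attributed to the SA seen most recently.
            sm = STATE_RE.search(msg)
            if sm:
                current = attempts.setdefault(sm.group("sa"), IkeAttempt(sa=sm.group("sa")))
                if sm.group("state") not in current.states:
                    current.states.append(sm.group("state"))
            elif current is not None:
                cam = CA_RE.search(msg)
                if cam:
                    current.requested_ca = cam.group("ca")
            continue
        cm = CONN_RE.match(msg)
        if not cm:
            continue
        current = attempts.setdefault(cm.group("sa"), IkeAttempt(sa=cm.group("sa")))
        current.conn = cm.group("conn")
        body = cm.group("text")
        vm, nm, nt = VID_RE.match(body), NAT_RE.search(body), NOTIFY_RE.search(body)
        if vm:
            current.vendor_ids.append(vm.group("vid"))
        elif nm:
            current.nat_result = nm.group("result")
        elif "we have a cert and are sending it" in body:
            current.sent_cert = True
        elif nt:
            current.notify = nt.group("notify")
            current.state_at_notify = current.states[-1] if current.states else None
    return attempts

def diagnose(a: IkeAttempt) -> str:
    """Say in which IKE exchange an attempt failed and what the peer had asked for."""
    if a.notify is None:
        last = a.states[-1] if a.states else "n/a"
        return f"#{a.sa} {a.conn}: no error notify; last state {last}"
    phase = "Phase 1 (Main Mode)" if a.state_at_notify in MAIN_MODE_STATES else "after Phase 1"
    notes = []
    if a.state_at_notify == "STATE_MAIN_I3" and a.sent_cert:
        notes.append("peer rejected our ID/certificate; XAUTH had not started yet")
    if a.requested_ca:
        notes.append(f"peer requested a cert issued by '{a.requested_ca}'")
    if a.nat_result:
        notes.append(f"NAT-T: {a.nat_result}")
    return f"#{a.sa} {a.conn}: {a.notify} in {phase} at {a.state_at_notify}; " + "; ".join(notes)

if __name__ == "__main__":
    for attempt in parse_pluto_log(PLUTO_LOG).values():
        print(diagnose(attempt))
```

Run it against a longer Live Log capture and every SA that died with a notify is listed with the state it was in; an AUTHENTICATION_FAILED at STATE_MAIN_I3 points at the certificate or ID the UTM presents (and at which CA the peer expects to have issued it), whereas a failure after STATE_MAIN_I4 would be the place to look at XAUTH credentials.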

  • I haven't tried this, but "peer is NATed" makes me think that the client's IPsec endpoint is behind a NAT.  If this is the case, there are only two ways I know how to resolve the conflict:

    • Set the Remote Gateway as "Respond only" and let the other side "call" your UTM.  I think that's incompatible with XAUTH though.
    • Define the Remote Gateway as "Initiate connection" and, using either an RSA or a Preshared Key, set the 'VPN ID' to the internal IP of the remote endpoint.  Apparently, the current connection with your client is using certificates, so I don't think that this second method will work either.

    Seems like it might be easier to configure a new site-to-site connection with them.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We tried the site-to-site configuration for several hours and were unable to make it work.  I think it may be the customer's unfamiliarity with their VPN endpoint, or maybe just an incompatibility, but all efforts to set up a simple IPsec endpoint failed miserably.  This is why we went with the Shrewsoft connection; it does work for connectivity but on a single-user basis.  That said, you may be onto something if their peer address is behind a NAT; that could explain the problems we had in making the direct IPsec connection.

    I've never set up an XAUTH connection with the UTM so I'm not sure how it's supposed to work exactly.  So I've contacted the customer about the certificate that is embedded in ShrewSoft.  I'm thinking that if I can get their original cert - rather than attempting to mine it out of the Shrewsoft configs - perhaps I can load it as a local cert and try connecting that way.

    I don't have any option in the UTM to set it up for "Respond Only". The only option it's giving me is "Initiate Connection".

    I just can't help but think if Shrew can do it, Sophos certainly should be able to make the connection with the same configuration.  I'm just not convinced that I have the same configuration in terms of that cert in the Shrewsoft config.

  • "I don't have any option in the UTM to set it up for 'Respond Only'. The only option it's giving me is 'Initiate Connection'."

    You can't change that aspect of a Remote Gateway definition.  You have to make a new one.

    "I just can't help but think if Shrew can do it, Sophos certainly should be able to make the connection with the same configuration."

    It's the difference between a client (Shrewsoft) and a server (UTM).  Like I said, I don't think you can get a site-to-site UTM IPsec Connection to talk to your client's Remote Access IPsec server.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA