CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

In your original post, you had the log line:

2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'

Please insert a picture of the Edit of the Remote Gateway definition that resulted in that line.  If you haven't already opened a ticket with Sophos Support, you should get started on that now.

Cheers - Bob

Hey Bob,

I'm a colleague of J F1's. I'm attaching a screenshot of that definition. We do have a case open with support, and actually had a conference yesterday with them as well as the vendor who has the Cisco. Here's an interesting note-we currently have a Sonicwall deployed at one of our branch offices, and as a workaround, were able to route the traffic through there. However, we're retiring that Sonicwall within the next few weeks, sothis is only a temporary fix. Strangely enough, the configuration provided to us by the vendor worked just fine-no additional config needed on our end when going through the Sonicwall.

I'm following this thread as I posted a link earlier on in this:

https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/53974/ipsec-vpn-id-question

In the above thread, there is discussion about using psk's and vpn id's which could clearly apply to this issue.

Can anybody confirm that you can change the VPN ID type (and it is not transparently overidden by the UTM) when using psk's?

I can confirm that. See screenshot.

regards

mod

Cheers mod2402,

I've never set up like this so it's good to know for future reference. Did the above work in both initiate connection and respond only and both ways?

To the OP, there are some settings under advanced eg use VPN ID for preshared keys. Have you tried that?

eg on vpn host setup leave VPN ID as blank, go to advanced settings and then set it there eg try hostname and abc? shot in the dark really.

Please insert pictures of the Edits of both KWI Server definitions with 'Advanced' open.  Feel free to obfuscate the IPs.

Cheers - Bob

Here you go

That looks good, so I vote for Louis' idea - use a Remote Gateway definition set to "Respond only" instead.

Cheers - Bob

That looks good, so I vote for Louis' idea - use a Remote Gateway definition set to "Respond only" instead.

Cheers - Bob

We actually tried Respond Only with no success (with Sophos support as well). I also attempted to add the peer id as a dns name in the network definition and try setting the id type to IP address, but the same errors persisted. Sophos support was able to create a working test environment with an XG, see here:

017:04:05-15:09:13 halnad pluto[28439]: added connection description "S_XG-To-UTM"
2017:04:05-15:09:13 halnad pluto[28439]: "S_XG-To-UTM" #8: initiating Main Mode
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: received Vendor ID payload [Dead Peer Detection]
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: received Vendor ID payload [RFC 3947]
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: ignoring Vendor ID payload [Cisco-Unity]
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: enabling possible NAT-traversal with method 3
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: Peer ID is ID_FQDN: 'abc'
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: Dead Peer Detection (RFC 3706) enabled
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: ISAKMP SA established
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#8}
2017:04:05-15:09:23 halnad pluto[28439]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="XG-To-UTM" address="24.53.246.134" local_net="192.168.1.0/24" remote_net="172.16.16.0/24"
2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #9: sent QI2, IPsec SA established {ESP=>0x9ae7f256 <0x21353479 DPD}

The most noticeable difference here is the Peer ID is a FQDN. This is what led me to try adding a DNS name in the network definition, but again, it didn't work. I haven't found any FQDN in the settings.