
Site-to-Site IPSec UTM-UTM "no suitable connection"

Hi all,

I have a pair of identical UTM devices (small form factor, fairly low power, boxes with quad nics) at two locations.

They are doing the 'right thing'(TM) when it comes to single site networking, one of them also acts as a road warrior VPN endpoint for my devices.

I'm struggling to get a site-site IPSec tunnel working though...

I have set both up with the other defined as a remote gateway with a pre-shared key, and I've tried with RSA keys (generated and then copied public keys between the UTM gateways), but I can't establish a connection (so the routing and firewall rules that will be generated are irrelevant at this stage I think).

I'm sure I'm doing something really daft, but can't quite work out what it is... There is clearly a connection attempt, both are reporting much the same, which includes replies from each other, but also:

Error message with PSK: "no suitable connection for peer"

Error message with RSA: "no public key known for"

My google-fu is turning up pages of older UTM/Astaro documentation/guides and some 'dealing with multilink paths' - but precious little about the simple setup scenario in the current UI (well, one of them is set to run some updates tonight).

Is there an idiot's guide that I've missed, or do I need to just go digging in the logs to try and get more guidance...


  • 1) You need to add the RSA key of UTM1 in the Remote Gateway configuration of UTM2 and vice-versa.

    2) I would also recommend setting the "VPN ID type" on the tab "Local RSA Key" on both UTMs to "hostname" and entering UTM2's hostname (doesn't have to be a FQDN) in UTM1's remote gateway configuration and vice-versa.

    3) Gateway has to be a publicly reachable FQDN or IP of the remote station; NAT should not be involved on any site (meaning both UTMs are directly connected to the internet without another router in between).

    4) "Remote networks" is the network or the hosts at the other end of the tunnel (I would recommend using networks and filtering by firewall rules if there is no reasonable cause to do otherwise); this keeps the VPN configuration simpler and creates only 1 SA.

    5) "Local networks" is the local interface XY (network) object. *


    The tunnel configurations on UTM1 and UTM2 should always include the same network/host definitions (UTM1's "local network" matches the "remote network" on UTM2); if there are differences, the SA(s) cannot be established.

    * If you have to 1:1 NAT the connections because of the same subnet on both sides, be sure to enter the same network in the remote gateway of UTM1 as in the local network of UTM2 (the NATed network address has to be used here, not the "interface XY (network)" object).

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
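The symmetry rules in Kevin's answer (points 2, 4 and 5 plus the note on matching network definitions) can be checked before touching either WebAdmin. The script below is an added example, not from the thread or from Sophos; `UtmSide` is a hypothetical model of the relevant fields, and the hostnames and subnets are constructed sample values. It flags the reversed-ID mistake the poster describes and computes the number of SAs a given local/remote network combination will create.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class UtmSide:
    """One UTM's view of the tunnel (hypothetical model of the WebAdmin fields)."""
    hostname: str            # own VPN ID ("Local RSA Key" tab, ID type "hostname")
    local_networks: list     # "Local networks" on the IPsec connection
    remote_id: str           # VPN ID entered in this UTM's Remote Gateway definition
    remote_networks: list    # "Remote networks" on the Remote Gateway


def _nets(cidrs):
    return {ip_network(c) for c in cidrs}


def check_pair(a: UtmSide, b: UtmSide) -> list:
    """Return a list of mismatches between the two sides; empty means consistent."""
    problems = []
    # Point 2: each side's Remote Gateway ID must be the *other* UTM's own VPN ID.
    for me, peer in ((a, b), (b, a)):
        if me.remote_id != peer.hostname:
            problems.append(f"{me.hostname}: remote gateway ID '{me.remote_id}' "
                            f"is not {peer.hostname}'s VPN ID")
    # Points 4/5: local networks on one side must equal remote networks on the other.
    for me, peer in ((a, b), (b, a)):
        if _nets(me.local_networks) != _nets(peer.remote_networks):
            problems.append(f"{me.hostname}: local networks {me.local_networks} "
                            f"!= {peer.hostname}'s remote networks {peer.remote_networks}")
    return problems


def expected_sa_count(side: UtmSide) -> int:
    """One SA per local/remote network pair (3 x 2 = 6 in the thread's follow-up)."""
    return len(side.local_networks) * len(side.remote_networks)


# Constructed sample: the poster's mistake, own hostname entered as the remote ID.
SITE_A_NETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
SITE_B_NETS = ["10.2.0.0/24", "10.2.1.0/24"]
UTM1_WRONG = UtmSide("utm1", SITE_A_NETS, "utm1", SITE_B_NETS)
UTM2_WRONG = UtmSide("utm2", SITE_B_NETS, "utm2", SITE_A_NETS)
# Corrected: the remote gateway on each side names the other UTM.
UTM1 = UtmSide("utm1", SITE_A_NETS, "utm2", SITE_B_NETS)
UTM2 = UtmSide("utm2", SITE_B_NETS, "utm1", SITE_A_NETS)

if __name__ == "__main__":
    for label, pair in (("reversed IDs", (UTM1_WRONG, UTM2_WRONG)), ("fixed", (UTM1, UTM2))):
        print(label, check_pair(*pair) or "OK", "SAs:", expected_sa_count(pair[0]))
```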

  • "2) I would also recommend setting the "VPN ID type" on the Tab "Local RSA Key" on both UTMs to "hostname" and enter the UTM2s hostname (doesn't have to be a FQDN) in UTM1's remote gateway configuration and vice-versa." That's the one. I had, for some reason, reversed the IDs here. Don't ask me why (something about saying where the connection was from in my mind??). 1/3) I had these done right. 4/5) With three networks at one end and two at the other there are 6 SAs set up, but yes, I will be using firewall rules to deal with access control soon. It had connected before I'd had a chance to get back to the status page. Muchas gracias!