Hi, The main purpose of this question is to filter and find the most recent and working solution for implementing a virtual network gateway between Azure ans Sophos UTM, because i have been following multiples guides with similar configuration and yet, i don't have any success so far. Guides followed: https://techstat.net/azure-sophos-utm-site-site-vpn-ipsec-settings-ikev1-policy-based/ https://community.sophos.com/kb/en-us/126995 Currently, without much experience on Sophos UTM and following the first and second guide, i was able to have a connection working between our networks but the connection is always dropping, so my main question would be how could i find a more recent and working guide for setting up one or multiples gateways between azure and sophos UTM ? Thanks in advance.

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What's the standard procedure for implementing a Policy based Ipsec Connection between Azure and Sophos UTM v9.601-5 ?

Hi,

The main purpose of this question is to filter and find the most recent and working solution for implementing a virtual network gateway between Azure ans Sophos UTM, because i have been following multiples guides with similar configuration and yet, i don't have any success so far.

Guides followed:

Currently, without much experience on Sophos UTM and following the first and second guide, i was able to have a connection working between our networks but the connection is always dropping, so my main question would be how could i find a more recent and working guide for setting up one or multiples gateways between azure and sophos UTM ?

Thanks in advance.

This thread was automatically locked due to age.

0 Dread over 4 years ago

Bumping this one - having the exact same issue. Trying to setup an IPSEC Site to Site VPN between my On-Prem environment behind an SG230 and Microsoft Azure. Followed those latest guides to the letter and every suggestion I could find on these forums and all I am getting is:

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]

2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

Tried setting it to Respond Only (and changed the Azure end to match etc) and exactly the same messages. Tried playing with Policy settings other people have said worked for them in other threads here - same results. Tried Probing of Pre-Shared Keys. Tried enabling NAT Traversal. Just keep getting the same message: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

Any clues, tips or hints are greatly appreciated - as usual ;)
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to Dread

If you followed https://community.sophos.com/kb/en-us/126995 exactly, it should work. I would definitely select Probing and NAT-T and use an "Initiate connection" Remote Gateway. You do have a public IP on the UTM - right? Please show a picture of the Edit of the IPsec Policy you're using.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Thales over 4 years ago in reply to BAlfson

Hi,

Currently we have a stable connection between azure regardint http, https and ssh transfer, but also have a unstable RDP connection, which currently its terrible ( drops 1/2 times every 60 seconds ).

Our current ipsec policy is the same provided on the guide:

Regarding the public IP, yes, we have multiple connections across the globe, but currently, since we have some servers on azure, we are facing some issues regarding this matter
Cancel
Vote Up 0 Vote Down

Cancel

0 Dread over 4 years ago in reply to BAlfson

Cheers for the Reply Bob ;)

I have followed it to the letter (before experimenting with other suggestions.

And adding IPSEC Logs without Debug and with:

Fullscreen 8880.IPSEC IKE Log.txt Download

2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[667]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[667]: no default route - cannot cope with %defaultroute!!!
2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[676]: pluto (685) started after 20 ms
2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: including NAT-Traversal patch (Version 0.6c)
2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: Using Linux 2.6 IPsec interface code
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading ca certificates from '/etc/ipsec.d/cacerts'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading aa certificates from '/etc/ipsec.d/aacerts'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: Changing to directory '/etc/ipsec.d/crls'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading attribute certificates from '/etc/ipsec.d/acerts'
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp0/ppp0 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp0/ppp0 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp1/ppp1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp1/ppp1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface br0/br0 10.0.50.253:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface br0/br0 10.0.50.253:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth0/eth0 10.0.10.250:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth0/eth0 10.0.10.250:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo 127.0.0.1:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo 127.0.0.1:4500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo ::1:500
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading secrets from "/etc/ipsec.secrets"
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loaded PSK secret for x.x.x.x x.x.x.x
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: listening for IKE messages
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: added connection description "S_mydomain to Azure Cloud"
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: "S_mydomain to Azure Cloud" #1: initiating Main Mode
2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: added connection description "S_mydomain to Azure Cloud"
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

8880.IPSEC with Debug.txt

0 m.novelli over 4 years ago in reply to Dread

Maybe we need IKEv2 on Sophos SG? [;)]

Marco
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to Dread

I can only guess that the PSKs don't match.

This configuration avoids using IKEv2.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Dread over 4 years ago in reply to BAlfson

Reporting back in - after a long weekend here ...

I have an IPSEC Connection up and running successfully and it seems to be stable (so far). I decided to delete all of the IPSEC components on the SG and re-enter them all and it worked. Nothing was different as far as I could see ... my current config is identical to the screenshots posted above. Ah well, at least it is working now ;)

Now I just get to start working on having traffic pass from the VM I created in Azure on its network (10.100.0.x/24) hit my On-Prem server vLAN 10 (10.0.10.x/24) and vice versa ;)

Cheers for the Assist Bob ;)
Cancel
Vote Up 0 Vote Down

Cancel
0 Thales over 4 years ago in reply to Dread

And you have stable RDP connections after that? I might just try right now and report back in a few minutes.
Cancel
Vote Up 0 Vote Down

Cancel