I have to create a tunnel between our sophos utm 9 and a remote linux libreswan. Here is a table with the proposal from the remote site (libreswan on the left) and which setting I tried to match on our side (sophos on the right) libreswan sophos utm 9 public ip addres 195.x.x.x created a ipsec remote gateway... type: initiate connection gateway: used the 195.x.x.x address auth type: preshared key key: same key used on both sites remote subnet 10.x.x.x our subnet 192.168.x.x added subnet to gateway/remote networks list and our subnet in the IPSec Connection entry in "Local networks" where also automatic firewall rules are OFF - I need to define those later strict routing is OFF Phase 1 : o Mode : main o Encrypt Algorithm: AES256 o Hash Algorithm : SHA256 o IKE Version : Version 1 o Diffie-Hellman Group : Group 5 o Life time (sec) : 86400 Phase 2 : o Protocol : EAP o Encrypt Algorithm : AES256 o Hash Algorithm : SHA256 o Perfect Forward Secrecy : Enable o Diffie-Hellman Group : Group 5 o Life time (sec) : 43200 Created IPsec Policy... IKE encryption algorithm: AES 256 IKE authentication algorithm: SHA2 256 IKE SA lifetime: 86400 IKE DH group: Group 5: MODP 1536 IPsec encryption algorithm: AES 256 IPsec authentication algorithm: SHA2 256 IPsec SA lifetime; 43200 IPsec PFS group: Group 5: MODP 1536 Strict policy: disabled Compression: disabled ..don't know if the parameters: "mode:main" "IKE version" "Protocol: EAP" are relevant and/or can be matched to a setting in Sophos That is the best match of the proposal I could do on our side but it desn't work. The global status on the "Site-ti-site VPN" for this tunnel says: "XXX Tunnel [0 of X IPsec SAs established" Is there any libreswan setting that looks incompatible with utm 9 ipsec? Should I rather ask the remote site to change a setting in theird libreswan configuration? What would be the best strategy to find a reasonable compromise for ipsec settings?

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ipsec site-2-site tunnel between sophos utm 9 and libreswan

I have to create a tunnel between our sophos utm 9 and a remote linux libreswan.

Here is a table with the proposal from the remote site (libreswan on the left) and which setting I tried to match on our side (sophos on the right)

libreswan	sophos utm 9
public ip addres 195.x.x.x	created a ipsec remote gateway... type: initiate connection gateway: used the 195.x.x.x address auth type: preshared key key: same key used on both sites
remote subnet 10.x.x.x our subnet 192.168.x.x	added subnet to gateway/remote networks list and our subnet in the IPSec Connection entry in "Local networks" where also automatic firewall rules are OFF - I need to define those later strict routing is OFF
Phase 1 : o Mode : main o Encrypt Algorithm: AES256 o Hash Algorithm : SHA256 o IKE Version : Version 1 o Diffie-Hellman Group : Group 5 o Life time (sec) : 86400 Phase 2 : o Protocol : EAP o Encrypt Algorithm : AES256 o Hash Algorithm : SHA256 o Perfect Forward Secrecy : Enable o Diffie-Hellman Group : Group 5 o Life time (sec) : 43200	Created IPsec Policy... IKE encryption algorithm: AES 256 IKE authentication algorithm: SHA2 256 IKE SA lifetime: 86400 IKE DH group: Group 5: MODP 1536 IPsec encryption algorithm: AES 256 IPsec authentication algorithm: SHA2 256 IPsec SA lifetime; 43200 IPsec PFS group: Group 5: MODP 1536 Strict policy: disabled Compression: disabled ..don't know if the parameters: "mode:main" "IKE version" "Protocol: EAP" are relevant and/or can be matched to a setting in Sophos

That is the best match of the proposal I could do on our side but it desn't work.

The global status on the "Site-ti-site VPN" for this tunnel says:
"XXX Tunnel [0 of X IPsec SAs established"

Is there any libreswan setting that looks incompatible with utm 9 ipsec?
Should I rather ask the remote site to change a setting in theird libreswan configuration?
What would be the best strategy to find a reasonable compromise for ipsec settings?

This thread was automatically locked due to age.

0 BAlfson over 5 years ago

That looks good to me, Chris. Do you have DPD and NAT-T enabled on both ends?

To improve the odds of someone being able to help, post a relevant extract of the IPsec log:

1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Show us about 60 lines from enabling through the error.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisSoukup over 5 years ago in reply to BAlfson

Hi Bob,

thank you for your quick answer. Actually on the next day in the beginning of the next configuration session the admin of the other site "restarted" his service and the vpn tunnel went online immediately. The settings were pretty right in sophos.

One interesting fact we noticed: Even the tunnel was up and the firewall rules on both sides were configured I was not able to do a ping towards any of his servers. He had to do the first ping to my sophos-gateway's subnet address. After it seems the routes have been configured and a ping in both directions was possible.

Could it be that I should select one of the ipsec options like "strict routing" or "bind to ..." ?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to ChrisSoukup

"No" to your last question, Chris. Look at the Help for that page to see what those options do.

Pinging is regulated on the 'ICMP' tab of 'Firewall'. Enabling pinging there creates firewall Allow rules that take precedence over any that you create manually. See #2 in Rulz.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel