No chance to get IPsec Site-to-Site up - XG 17 MR1 to SG330 9.506-2

I applied the v17 update to my XG 16 MR8.

After this, no chance to get the IPsec connection up again?

Also tested:

- entering the PSK again

- switching to RSA key

Tried EVERY Phase 1 / 2 setting / combination - nothing works.

Our SG has several tunnels to Cisco ASA and XGs (16 MR8) up - so everything is fine there.

Is this a major known bug?

Can anyone please HELP?

This is the only message our XG shows:

Thank you

Rolemole

  • Having the same issue between XG135 v17 MR1 and Fortigate v5.4.4 UTMs. IPsec worked fine on v16 and stopped working upon the v17 and v17 MR1 upgrades.

    For reference, we are using IKEv1.

  • In reply to Richard Fenoglio:

    We are also using IKEv1!

    Sophos UTM 9.5 doesn't support IKEv2 yet.

    Did you also get IKE messages with invalid SPIs?

    Maybe some XG expert will take a look at this, please.

  • In reply to RoleMole:

    I've sent you a PM with some further questions to clarify the situation.

  • In reply to RoleMole:

    Yeah, we are also getting the SPI errors as well.

  • In reply to RoleMole:

    RoleMole
    We are also using IKEv1!

    Sophos UTM 9.5 doesn't support IKEv2 yet.

    RoleMole
    As a workaround for now: have you tried building a RED tunnel between your XG and your UTM? I currently have 2 RED tunnels configured on my home UTM running 9.5006-2 to support my parents' computers without having to use some third party. One of the RED endpoints is an XG running 17 MR1 and the other is running the same version of UTM as I am.

    For now this will allow you to set up your security policy using the RED as the transport till the IPsec stuff shakes out a little better. (Crossing fingers for 17 MR2.)

    -Ron

  • In reply to RoleMole:

    RoleMole
    Sophos UTM 9.5 doesn't support IKEv2 yet.

    Did you also get IKE messages with invalid SPIs?

    Maybe some XG expert will take a look at this, please.

    Hi RoleMole,

    after investigating the issue on your system, I can tell that the root cause is likely special characters in the pre-shared key.

    This is a known issue (Ticket NC-23039) which will be fixed in v17 MR2 (pretty soon).

    As a workaround, please choose a PSK which does not contain characters like '#' or 'space'.
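The workaround above is to pick a PSK without the characters that trip the v17 MR1 parser. The following helper is an added example (not code from the thread or from Sophos) that flags a PSK containing the two characters named in the thread, '#' and space, and generates a replacement of the same or better strength from a plain alphanumeric alphabet. The forbidden set is taken from the thread; the 62-character alphabet, the 256-bit target and the sample PSK are assumptions for illustration.

```python
import math
import secrets
import string

# Characters the thread names as breaking PSK handling in XG v17 MR1.
FORBIDDEN_CHARS = frozenset("# ")

# Assumption for this example: letters and digits only, so the key can
# never contain '#', space or anything else a config parser might mangle.
SAFE_ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def psk_issues(psk, forbidden=FORBIDDEN_CHARS):
    """Return the forbidden characters found in psk, in order of first appearance."""
    found = []
    for ch in psk:
        if ch in forbidden and ch not in found:
            found.append(ch)
    return found


def psk_entropy_bits(psk, alphabet_size):
    """Entropy in bits if every position was drawn uniformly from alphabet_size symbols."""
    return len(psk) * math.log2(alphabet_size)


def generate_psk(min_bits=256, alphabet=SAFE_ALPHABET):
    """Random PSK with at least min_bits of entropy, drawn with the secrets CSPRNG."""
    per_char = math.log2(len(alphabet))
    length = math.ceil(min_bits / per_char)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_and_replace(psk, min_bits=256):
    """Return (issues, replacement): replacement is None when psk is already safe."""
    issues = psk_issues(psk)
    if not issues:
        return issues, None
    # Keep at least the strength of the old key, but never go below min_bits.
    target = max(min_bits, math.ceil(psk_entropy_bits(psk, len(SAFE_ALPHABET))))
    return issues, generate_psk(target)


if __name__ == "__main__":
    sample = "Sophos#Tunnel 2017"          # constructed sample, contains '#' and a space
    issues, replacement = check_and_replace(sample)
    print("problem characters:", issues)
    print("suggested replacement:", replacement)
    print("replacement entropy bits:", round(psk_entropy_bits(replacement, 62), 1))
```

Both tunnel endpoints must receive the same new key; the checker only tells you which characters to avoid, it does not edit either firewall's configuration.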

  • In reply to dna:

    dna has solved the problem.

    The first thing was that the PSK cannot contain special characters in v17 MR1 / will be fixed in MR2 :-)

    Second, in Phase 2, set the Auth to SHA2 256 with 96-bit truncation.

    With these settings, it now works like a charm :-)

    Thank you

    best regards

    RoleMole

  • In reply to RoleMole:

    RoleMole
    Second, in Phase 2, set the Auth to SHA2 256 with 96-bit truncation.

    This needs some correction. Theoretically you can choose whichever hash function you like, but you need to ensure that if it is SHA2 256-bit, both ends of the tunnel do the truncation with the same number of bits. Choosing anything other than SHA2 256-bit avoids this confusion.
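The truncation point matters because ESP appends only the first n bits of the HMAC as the integrity check value (ICV), and the receiver cuts exactly n bits off the end of the packet before recomputing. RFC 4868 specifies 128-bit truncation for HMAC-SHA-256, while some older implementations used 96 bits, which is why the setting exists at all. The model below is an added example (not from the thread or from Sophos) that simulates both ends of a tunnel: it builds a minimal "payload + ICV" packet with one truncation length and verifies it with another, showing that the ICV check fails whenever the two sides disagree. The key, the payload and the packet layout are constructed for illustration; real ESP also carries SPI, sequence number, padding and a next-header byte, which are omitted here.

```python
import hashlib
import hmac

# Constructed 32-byte integrity key shared by both "ends" of the tunnel.
KEY = bytes(range(32))

# Constructed payload standing in for an encrypted ESP body.
SAMPLE_PAYLOAD = b"constructed ESP body: inner IP packet goes here, 48 bytes.."


def esp_icv(key, authenticated, trunc_bits):
    """HMAC-SHA-256 over the authenticated bytes, truncated to trunc_bits (96 or 128 in practice)."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be a multiple of 8 bits, at most 256")
    return hmac.new(key, authenticated, hashlib.sha256).digest()[: trunc_bits // 8]


def build_esp(key, payload, trunc_bits):
    """Sender side: append the truncated ICV to the payload."""
    return payload + esp_icv(key, payload, trunc_bits)


def verify_esp(key, packet, trunc_bits):
    """Receiver side: split off its configured ICV length, recompute, compare in constant time.

    Returns the payload on success, None on integrity failure.
    """
    n = trunc_bits // 8
    if len(packet) <= n:
        return None
    payload, icv = packet[:-n], packet[-n:]
    expected = esp_icv(key, payload, trunc_bits)
    return payload if hmac.compare_digest(expected, icv) else None


def tunnel_ok(sender_bits, receiver_bits, payload=SAMPLE_PAYLOAD):
    """True only if a packet built with sender_bits verifies under receiver_bits."""
    packet = build_esp(KEY, payload, sender_bits)
    return verify_esp(KEY, packet, receiver_bits) == payload


if __name__ == "__main__":
    for s, r in [(96, 96), (128, 128), (128, 96), (96, 128)]:
        print(f"sender sha256-{s} -> receiver sha256-{r}: {'OK' if tunnel_ok(s, r) else 'ICV FAIL'}")
```

When the lengths differ, the receiver not only compares against the wrong bytes but also treats part of the real ICV (or part of the payload) as the other field, so the failure is deterministic rather than probabilistic. On a live tunnel this shows up as Phase 2 negotiating successfully but every ESP packet being dropped, which is why matching the truncation on both ends, or choosing a hash without this ambiguity, is the fix.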

  • In reply to dna:

    dna

    RoleMole
    Sophos UTM 9.5 doesn't support IKEv2 yet.

    Did you also get IKE messages with invalid SPIs?

    Maybe some XG expert will take a look at this, please.

    Hi RoleMole,

    after investigating the issue on your system, I can tell that the root cause is likely special characters in the pre-shared key.

    This is a known issue (Ticket NC-23039) which will be fixed in v17 MR2 (pretty soon).

    As a workaround, please choose a PSK which does not contain characters like '#' or 'space'.

    (Ticket NC-23039) -- was this ever resolved?! I looked through all of the release notes for 17.0.2 MR2 and 17.0.3 MR3 and I don't see the fix listed in EITHER set of release notes... and I had a special character in the pre-shared key and battled MR3 until I had to downgrade to 16.5, in which IPsec VPN worked with the same PSK.

  • In reply to apalm123:

    apalm123
    (Ticket NC-23039) -- was this ever resolved?! I

    Yes, it's contained in 17.0.2 MR2. Maybe you are affected by another issue we found in 17.0.3 MR3 (unfortunately) with setups that have multiple IPsec PSK connections configured.

    This is getting fixed with the next MR release. Due to that issue, sometimes the wrong PSK is chosen. There are two possible workarounds:

    1. change your configuration to use the more secure certificate authentication

    2. use the same PSK for all connections as a workaround until the fix is released

    I'd definitely suggest you choose Option 1.

  • In reply to dna:

    Good to know, thank you. I just didn't see it when I looked, and I also did CTRL + F on the release notes page.

    I did not know about that other PSK bug in 17.0.3 MR3. Is there a single location that I could review occasionally for known and newly discovered bugs?

  • In reply to apalm123:

    apalm123
    Is there a single location that I could review occasionally for known and newly discovered bugs?

    Severe issues are often covered by a KBA article.

    community.sophos.com/kb