MIKROTIK SERVER AND XG AS CLIENT L2TP/IPSEC

Hi,

We are having trouble establishing the session between a Mikrotik router located in the main office, which acts as the remote connection router for the different remote locations, and the XG FIREWALL, which would act as a client to establish the connection.

The connections are as follows:

  1. MIKROTIK HEAD OFFICE, STATIC PUBLIC IP. SERVER RECEIVING CONNECTIONS.
  2. XG FIREWALL, DYNAMIC PUBLIC IP. SERVER THAT ESTABLISHES THE CONNECTIONS TO THE MAIN SITE.

Error message from the MIKROTIK side: 

  • FEB/05/2020 22:32:57 MEMORY IPSEC, INFO              RESPOND NEW PHASE 1 (IDENTITY PROTECTION): 190.XXX.XXX.217[500]<=>200.XXX.XXX.154[500] 
  • FEB/05/2020 22:32:57 MEMORY IPSEC, INFO              NO SUITABLE PROPOSAL FOUND 
  • FEB/05/2020 22:32:57 MEMORY IPSEC, INFO              200.XXX.XXX.154 FAILED TO GET VALID PROPOSAL. 
  • FEB/05/2020 22:32:57 MEMORY IPSEC, INFO              200.XXX.XXX.154 FAILED TO PRE-PROCESS PH1 PACKET (SIDE: 1, STATUS 1). 
  • FEB/05/2020 22:32:57 MEMORY IPSEC, INFO              200.XXX.XXX.154 PHASE 1 NEGOTIATION FAILED. 

Error message from the XG FIREWALL side: 

 

XG CONFIGURATIONS: 

IPSEC POLICIES: 

  • Key exchange: IKEv1 
  • Authentication: Main mode
  • key negotiation tries: 5 
  • Re-key connection: ON
  • PHASE1: 
  • key life: 5400 
  • Re-key margin: 360 
  • Randomize re-keying margin: 100 
  • DH GROUP: 14 DH2048 
  • Encryption: AES128     Authentication: SHA1 
  • Encryption: 3DES     Authentication: SHA1 
  • PHASE2: 
  • PFS GROUP: 14 DH2048 
  • Key life: 5400 
  • Encryption: AES192     Authentication: SHA1 
  • Encryption: AES128     Authentication: SHA1
  • Encryption: AES256     Authentication: SHA1
  • DEAD PEER DETECTION: 
  • Check peer after: 30 
  • Wait for response up: 120 
  • When Peer unreach: Disconnect 

IPSEC CONNECTION: 

  • General Settings: 
  • Connection type: Host to Host 
  • Gateway type: Initiate the connection 
  • Encryption:
  • Policy: XXXXXXXX_MK
  • Authentication type: Preshared key  
  • Gateway Settings: 
  • Local gateway Interface: Port3: 200.XXX.XXX.154 (NO ROUTER NAT) 
  • Local ID Type: N/A 
  • Local Subnet: N/A 
  • Remote Gateway Address: 190.XXX.XXX.217 
  • Remote ID Type: N/A 
  • Advanced: 
  • User authentication mode: As Client 
  • Username: Sophos1234
  • Pass: Sophos1234

 

MIKROTIK CONFIGURATION: 

PHASE 1: 

 

PHASE 2: 

 

 

The MIKROTIK ROUTER is behind a NAT router with a static public IP. 

I followed everything in this URL https://community.sophos.com/products/xg-firewall/f/vpn/89428/ipsec-site-to-site-tunnel-between-mirkotik-xg105-failing-second-phase-peer-did-not-accept-any-proposal-sent and we still have problems. I also tried IPsec site-to-site with IKEv2. 

 

Thanks 

 

  • Irvin,

    You have an issue with Phase 1. Check the Key Lifetime. If I am not mistaken, the key lifetime of 1d:00:00:00 corresponds to 86400 seconds.
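
As an added example (not part of any post in this thread, nor Sophos or MikroTik code), the script below models IKEv1 phase 1 proposal selection so the "NO SUITABLE PROPOSAL FOUND" log line can be reproduced offline: it converts a RouterOS lifetime such as 1d:00:00:00 into seconds and checks the XG transforms from the first post against a constructed MikroTik profile. The MikroTik profile values and the strict lifetime comparison are assumptions, since the thread only shows that side as a screenshot.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread or from Sophos/MikroTik. Models IKEv1
# phase 1 proposal selection. Assumption: the responder rejects a transform whose
# lifetime differs from its own, which is the mismatch the key-lifetime advice targets.

@dataclass(frozen=True)
class Transform:
    enc: str        # encryption algorithm, e.g. "aes128"
    auth: str       # hash/integrity algorithm, e.g. "sha1"
    dh: int         # Diffie-Hellman group number, e.g. 14 (modp2048)
    lifetime: int   # SA lifetime in seconds

def routeros_lifetime_seconds(value: str) -> int:
    """Convert a RouterOS lifetime such as '1d:00:00:00' or '08:00:00' to seconds."""
    m = re.fullmatch(r"(?:(\d+)d:)?(\d{1,2}):(\d{2}):(\d{2})", value.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS lifetime: {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def select_proposal(offered, responder, strict_lifetime=True):
    """Return the first offered transform the responder accepts, else None.
    Algorithms and DH group must match exactly; with strict_lifetime the
    lifetime must match too (the modelled cause of the failed phase 1)."""
    for t in offered:
        for r in responder:
            if (t.enc, t.auth, t.dh) != (r.enc, r.auth, r.dh):
                continue
            if strict_lifetime and t.lifetime != r.lifetime:
                continue
            return t
    return None

# XG phase 1 policy from the first post: two transforms, DH group 14, key life 5400.
XG_PHASE1 = [Transform("aes128", "sha1", 14, 5400),
             Transform("3des", "sha1", 14, 5400)]
# Constructed MikroTik profile (assumption): aes128 / sha1 / modp2048 with the
# 1d:00:00:00 lifetime mentioned in the reply.
MT_PROFILE = [Transform("aes128", "sha1", 14, routeros_lifetime_seconds("1d:00:00:00"))]

def check_fix(new_lifetime: int):
    """Re-run the match with the XG key life changed, as the reply suggests."""
    fixed = [Transform(t.enc, t.auth, t.dh, new_lifetime) for t in XG_PHASE1]
    return select_proposal(fixed, MT_PROFILE)

if __name__ == "__main__":
    print("original XG policy:", select_proposal(XG_PHASE1, MT_PROFILE))  # None
    print("key life 86400   :", check_fix(86400))                          # aes128/sha1/14
```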

  • In reply to lferrara:

    Can you confirm if I need to put it on PH1 and PH2 as well? 

  • In reply to Irvin Rosario1:

    Both phases, if you are always using 1D:00:00:00.

  • In reply to lferrara:

    tail -f /log/strongswan.log 

     

    tail -f /log/ipsec_mk.log

     

    IPSEC POLICY: 

     

     

    LOG VIEWER: SYSTEM 

     

  • In reply to Irvin Rosario1:

    Hi, just a quick update for this thread.

    We validated that the configuration was correct. The tunnel could be established, but only IPsec (site to site or host to host), not L2TP/IPsec. 

    SOPHOS: 

    MIKROTIK PEER: 

    In our infrastructure we have routers and firewalls from different manufacturers: MIKROTIK, FORTIGATE, UBIQUITI, CISCO, among others. Several XG106 devices were recently acquired to be deployed in different locations as clients. 

    We have MIKROTIK as the connection server between the different locations, which must comply with the IPsec algorithms and authentication methods; additionally, like Windows, Linux and other clients, they must authenticate with user/password to be allowed to send traffic through the tunnel. 

    When trying to enable IPsec as a client with username/password, the tunnel is not established; without it the tunnel can be established, but the traffic does not pass, since it depends on the L2TP authentication.

     

    ALL CONFIG MIKROTIK SIDE: 

    PPP

    • L2TP USER: Menu PPP > SECRETS > User: sophos1234 Pass: sophos1234
    • PROFILE: Menu PPP > PROFILES > L2TP (This profile assigns an IP address of the configured pool to the authenticated router / firewall). 

    IPSEC 

    • IPSEC POLICIES: IP > IPSEC > POLICIES 

    • PEER: IP > IPSEC > PEERS 

    • PHASE 1 PROFILE: IP > IPSEC > PROFILES 

    • PHASE 2 PROPOSALS: IP > IPSEC > PROPOSALS 

    • PRE-SHARED KEY IDENTITIES: IP > IPSEC > IDENTITIES 

    • GROUPS POLICIES: IP > IPSEC > GROUPS 

     

    CONFIG SOPHOS XG: 

    IPSEC POLICIES: 

    • Key exchange: IKEv1 
    • Authentication: Main mode
    • key negotiation tries: 5 
    • Re-key connection: ON
    • PHASE1: 
    • key life: 86400 
    • Re-key margin: 360 
    • Randomize re-keying margin: 100 
    • DH GROUP: 14 DH2048 
    • Encryption: AES256     Authentication: SHA256 
    • PHASE2: 
    • PFS GROUP: 14 DH2048 
    • Key life: 86400 
    • Encryption: AES256     Authentication: SHA256 
    • DEAD PEER DETECTION: 
    • Check peer after: 30 
    • Wait for response up: 120 
    • When Peer unreach: Disconnect 

    IPSEC CONNECTION: 

    • General Settings: 
    • Connection type: Host to Host or site to site
    • Gateway type: Initiate the connection 
    • Encryption:
    • Policy: XXXXXXXX_MK
    • Authentication type: Preshared key  
    • Gateway Settings: 
    • Local gateway Interface: Port3: 200.XXX.XXX.154 (NO ROUTER NAT) 
    • Local ID Type: LOCAL IP OF THE FIREWALL XG
    • Local Subnet: SAME INFORMATION AS LOCAL ID TYPE
    • Remote Gateway Address: 190.XXX.XXX.217 
    • Remote ID Type: REMOTE IP OF THE DESTINATION (PUBLIC OR LOCAL) 
    • Remote Subnet: SAME INFORMATION AS REMOTE ID TYPE 

    With the configuration I put here, the tunnel works fine. 

     

    When I try to add the user for L2TP authentication, to get traffic from the head office and to be permitted to send traffic through the tunnel as well, it doesn't work. 

    • Advanced: 
    • User authentication mode: As Client 
    • Username: sophos1234
    • Pass: sophos1234

     

    The MikroTik shows the message that the proposal is not the same and it doesn't work. But if I disable this, the tunnel starts, but then I have the issue that the router (XG FIREWALL) needs to authenticate.

    strongSwan log from the Sophos CLI. Command: service strongswan:debug -dsnosync

    Updating strongSwan IPsec configuration...
    kill -9 6636 > /dev/null 2>&1
    terminate IKE SA 'MT_test-1 #3 - ok
    2020-02-06 21:36:15 - swanctl --initiate --timeout 15 --child MT_test-1
    initiate failed: CHILD_SA 'MT_test-1' not established after 15000ms
    [IKE] ### queue_child invoking quick_mode_create
    [IKE] ### quick_mode_create: 0x7f8300001450 config 0x7f832c0029c0
    [IKE] found queued QUICK_MODE task with identical child config
    [IKE] ### destroy: 0x7f83240025e0
    [IKE] sending retransmit 2 of request message ID 0, seq 1
    [NET] sending packet: from 192.168.1.101[500] to 190.94.87.217[500] (272 bytes)
    kill -9 7020 > /dev/null 2>&1
    2020-02-06 21:36:30 - initiate timeout for MT_test-1
    2020-02-06 21:36:30 - Operation fails status: 255

     

    Someone told me to read this thread, but it is not there anymore: https://community.sophos.com/kb/en-us/123358 

    This is an XG firewall working standalone, without HA. 

    I opened a support case for this; I am keeping this thread updated.