We are having a problem establishing the session between a MikroTik router, located in the main office as the remote-connection router for the different remote locations, and the XG Firewall, which would act as the client establishing the connection.
The connections are as follows:
Error message from the MIKROTIK side:
Error message from the XG FIREWALL side:
The MikroTik router is behind a NAT router with a static public IP.
I followed everything in this URL https://community.sophos.com/products/xg-firewall/f/vpn/89428/ipsec-site-to-site-tunnel-between-mirkotik-xg105-failing-second-phase-peer-did-not-accept-any-proposal-sent and we still have problems. I tried IPsec site-to-site with IKEv2.
You have an issue with Phase 1. Check the key lifetime. If I am not mistaken, the key lifetime of 1d:00:00:00 corresponds to 86400 seconds.
In reply to lferrara:
Can you confirm whether I need to put it on PH1 and PH2 as well?
In reply to Irvin Rosario1:
Both phases, if you are always using 1D:00:00:00.
tail -f /log/strongswan.log
tail -f /log/ipsec_mk.log
LOG VIEWER: SYSTEM
Hi, just a quick update for this thread.
We validated that the configuration was correct. The tunnel could be established, but only IPsec (site-to-site or host-to-host), not L2TP/IPsec.
In our infrastructure we have routers and firewalls from different manufacturers: MikroTik, FortiGate, Ubiquiti, Cisco, among others. Several XG106 devices were recently acquired to be deployed in different locations as clients.
We have MikroTik as the connection server between the different locations, which must comply with the IPsec algorithms and authentication methods; additionally, they (Windows, Linux and other clients) must authenticate with a username/password to allow traffic to be sent through the tunnel.
When trying to enable IPsec as a client with a username/password, the tunnel does not come up; without it, the tunnel can be established, but traffic does not pass since it depends on the L2TP authentication.
ALL CONFIG MIKROTIK SIDE:
CONFIG SOPHOS XG:
With the configuration I put here, the tunnel works fine.
When I try to add the user for L2TP authentication, to get traffic from the head office and permit sending traffic in the tunnel as well, it doesn't work.
The MikroTik shows the message that the proposal is not the same, and it doesn't work. But if I disable this, the tunnel starts, but I have the issue that the router (XG Firewall) needs to authenticate.
strongSwan log from the Sophos CLI. Command: service strongswan:debug -dsnosync
Updating strongSwan IPsec configuration...
kill -9 6636 > /dev/null 2>&1
terminate IKE SA 'MT_test-1 #3 - ok
2020-02-06 21:36:15 - swanctl --initiate --timeout 15 --child MT_test-1
initiate failed: CHILD_SA 'MT_test-1' not established after 15000ms
[IKE] ### queue_child invoking quick_mode_create
[IKE] ### quick_mode_create: 0x7f8300001450 config 0x7f832c0029c0
[IKE] found queued QUICK_MODE task with identical child config
[IKE] ### destroy: 0x7f83240025e0
[IKE] sending retransmit 2 of request message ID 0, seq 1
[NET] sending packet: from 192.168.1.101 to 188.8.131.52 (272 bytes)
kill -9 7020 > /dev/null 2>&1
2020-02-06 21:36:30 - initiate timeout for MT_test-1
2020-02-06 21:36:30 - Operation fails status: 255
Someone told me to read this thread, but it is not there anymore: https://community.sophos.com/kb/en-us/123358
This is the XG Firewall working standalone, without HA.
I have opened a support case for this; I am updating this thread.
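As an added example (not from the thread, Sophos or MikroTik), a small Python parser that reads a strongSwan/swanctl excerpt like the one above, pulls out the child SA name, the retransmit count, the peer address and whether any reply arrived, and gives a first verdict. The sample log is the post's excerpt re-split one message per line; the verdict wording and the NO_PROPOSAL_CHOSEN / INVALID_KE_PAYLOAD markers are assumptions about what to look for, not output of either product.

```python
import re

# Constructed sample input: the strongSwan/swanctl excerpt quoted in the post, one message per line.
SAMPLE_LOG = """\
2020-02-06 21:36:15 - swanctl --initiate --timeout 15 --child MT_test-1
initiate failed: CHILD_SA 'MT_test-1' not established after 15000ms
[IKE] ### queue_child invoking quick_mode_create
[IKE] found queued QUICK_MODE task with identical child config
[IKE] sending retransmit 2 of request message ID 0, seq 1
[NET] sending packet: from 192.168.1.101 to 188.8.131.52 (272 bytes)
2020-02-06 21:36:30 - initiate timeout for MT_test-1
2020-02-06 21:36:30 - Operation fails status: 255
"""

FAILED_RE = re.compile(r"CHILD_SA '([^']+)' not established")
UP_RE = re.compile(r"CHILD_SA (\S+?)(?:\{\d+\})? established with")
RETRANS_RE = re.compile(r"sending retransmit (\d+) of request")
SENT_RE = re.compile(r"\[NET\] sending packet: from \S+ to (\S+)")
RECV_RE = re.compile(r"\[NET\] received packet: from")
REJECT_MARKERS = ("NO_PROPOSAL_CHOSEN", "INVALID_KE_PAYLOAD")  # assumed notify names to look for

def parse_events(text):
    """Collect the facts a first diagnosis needs from a strongSwan log excerpt."""
    ev = {"child": None, "established": False, "max_retransmit": 0,
          "peer": None, "replies": 0, "proposal_rejected": False, "timeout": False}
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            ev["child"] = m.group(1)
        elif m := UP_RE.search(line):
            ev["child"], ev["established"] = m.group(1), True
        if m := RETRANS_RE.search(line):
            ev["max_retransmit"] = max(ev["max_retransmit"], int(m.group(1)))
        if m := SENT_RE.search(line):
            ev["peer"] = m.group(1)
        ev["replies"] += bool(RECV_RE.search(line))   # any packet back from the peer at all?
        ev["proposal_rejected"] |= any(k in line for k in REJECT_MARKERS)
        ev["timeout"] |= "initiate timeout" in line
    return ev

def diagnose(text):
    """Return a one-line verdict, most specific cause first."""
    ev = parse_events(text)
    if ev["established"]:
        return f"{ev['child']}: established"
    if ev["proposal_rejected"]:
        return f"{ev['child']}: peer rejected the proposal (compare IKE/ESP algorithms and lifetimes on both sides)"
    if ev["max_retransmit"] and ev["replies"] == 0:
        return (f"{ev['child']}: {ev['max_retransmit']} retransmits to {ev['peer']} with no reply "
                "(check that UDP 500/4500 reach the peer through its NAT router)")
    return f"{ev['child']}: timed out" if ev["timeout"] else f"{ev['child']}: no verdict"
```

Run it on a fresh capture from `service strongswan:debug -dsnosync` the same way; the excerpt above yields the "retransmits with no reply" verdict, which points at reachability before algorithm settings.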