Hi, We are presenting an inconvenience to establish the session between a Mikrotik router that is located in the main office as a remote connection router for the different remote locations which XG FIREWALL would have as a client to establish the connection. The connections are as follows: MIKROTIK HEADOFFICE IP PUBLIC STATIC . SERVER RECEIVING CONNECTIONS. XG FIREWALL IP PUBLIC DYNAMICS . SERVER THAT ESTABLISH THE CONNECTIONS TO THE MAIN SITE. Error message from the MIKROTIK side: FEB/05/2020 22:32:57 MEMORY IPSEC, INFO RESPOND NEW PHASE 1 (IDENTITY PROTECTION): 190.XXX.XXX.217[500]<=>200.XXX.XXX.154[500] FEB/05/2020 22:32:57 MEMORY IPSEC, INFO NO SUITABLE PROPOSAL FOUND FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 FAILED TO GET VALID PROPOSAL. FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 FAILED TO PRE-PROCESS PH1 PACKET (SIDE: 1, STATUS 1). FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 PHASE 1 NEGOTIATION FAILED. Error message from the XG FIREWALL side: XG CONFIGURATIONS: IPSEC POLICIES: key schange: IKEv1 Authentication: Main mode key negotiation tries: 5 Re-key connection: ON PHASE1: key life: 5400 Re-key margin: 360 Randomize re-keying margin: 100 DH GROUP: 14 DH2048 Encryption: AES128 Authentication: SHA1 Encryption: 3DES Authentication: SHA1 PHASE2: PFS GROUP: 14 DH2048 Key life: 5400 Encryption: AES192 Authentication: SHA1 Encryption: AES128 Authentication: SHA1 Encryption: AES256 Authentication: SHA1 DEAD PEER DETECTION: Check peer after: 30 Wait for response up: 120 When Peer unreach: Disconnect IPSEC CONNECTION: Genral Settings: Connection type: Host to Host Gateway type: Initiate the connection Encryption: Policy: XXXXXXXX_MK Authentication type: Preshared key Gateway Settings: Local gateway Interface: Port3: 200.XXX.XXX.154 (NO ROUTER NAT) Local ID Type: N/A Local Subnet: N/A Remote Gateway Address: 190.XXX.XXX.217 Remote ID Type: N/A Advanced: User authentication mode: As Client Username: Sophos1234 Pass: Sophos1234 MIKROTIK CONFIGURATION: PHASE 1: PHASE 2: The MIKROTIK ROUTER its behind a NAT Router with static pubic ip. I follow all this URL https://community.sophos.com/products/xg-firewall/f/vpn/89428/ipsec-site-to-site-tunnel-between-mirkotik-xg105-failing-second-phase-peer-did-not-accept-any-proposal-sent and we still have problems. I try with ipsec site to site with IKEv2. Thanks

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MIKROTIK SERVER AND XG AS CLIENT L2TP/IPSEC

Hi,

We are presenting an inconvenience to establish the session between a Mikrotik router that is located in the main office as a remote connection router for the different remote locations which XG FIREWALL would have as a client to establish the connection.

The connections are as follows:

MIKROTIK HEADOFFICE IP PUBLIC STATIC. SERVER RECEIVING CONNECTIONS.
XG FIREWALL IP PUBLIC DYNAMICS. SERVER THAT ESTABLISH THE CONNECTIONS TO THE MAIN SITE.

Error message from the MIKROTIK side:

FEB/05/2020 22:32:57 MEMORY IPSEC, INFO RESPOND NEW PHASE 1 (IDENTITY PROTECTION): 190.XXX.XXX.217[500]<=>200.XXX.XXX.154[500]
FEB/05/2020 22:32:57 MEMORY IPSEC, INFO NO SUITABLE PROPOSAL FOUND
FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 FAILED TO GET VALID PROPOSAL.
FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 FAILED TO PRE-PROCESS PH1 PACKET (SIDE: 1, STATUS 1).
FEB/05/2020 22:32:57 MEMORY IPSEC, INFO 200.XXX.XXX.154 PHASE 1 NEGOTIATION FAILED.

Error message from the XG FIREWALL side:

XG CONFIGURATIONS:

IPSEC POLICIES:

key schange: IKEv1
Authentication: Main mode
key negotiation tries: 5
Re-key connection: ON
PHASE1:
key life: 5400
Re-key margin: 360
Randomize re-keying margin: 100
DH GROUP: 14 DH2048
Encryption: AES128 Authentication: SHA1
Encryption: 3DES Authentication: SHA1
PHASE2:
PFS GROUP: 14 DH2048
Key life: 5400
Encryption: AES192 Authentication: SHA1
Encryption: AES128 Authentication: SHA1
Encryption: AES256 Authentication: SHA1
DEAD PEER DETECTION:
Check peer after: 30
Wait for response up: 120
When Peer unreach: Disconnect

IPSEC CONNECTION:

Genral Settings:
Connection type: Host to Host
Gateway type: Initiate the connection
Encryption:
Policy: XXXXXXXX_MK
Authentication type: Preshared key
Gateway Settings:
Local gateway Interface: Port3: 200.XXX.XXX.154 (NO ROUTER NAT)
Local ID Type: N/A
Local Subnet: N/A
Remote Gateway Address: 190.XXX.XXX.217
Remote ID Type: N/A
Advanced:
User authentication mode: As Client
Username: Sophos1234
Pass: Sophos1234

MIKROTIK CONFIGURATION:

PHASE 1:

PHASE 2:

The MIKROTIK ROUTER its behind a NAT Router with static pubic ip.

I follow all this URL https://community.sophos.com/products/xg-firewall/f/vpn/89428/ipsec-site-to-site-tunnel-between-mirkotik-xg105-failing-second-phase-peer-did-not-accept-any-proposal-sent and we still have problems. I try with ipsec site to site with IKEv2.

Thanks

This thread was automatically locked due to age.

Parents

0 lferrara over 4 years ago

Irvin,

you have issue with Phase 1. Check the Key Lifetime. If I am not mistaken, the key lifetime of 1d:00:00:00 corresponds to 86400 seconds.
Cancel
Vote Up 0 Vote Down

Cancel
0 Irvin Rosario1 over 4 years ago in reply to lferrara

can you confirm if i need to put it on PH1 and PH2 as well?
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 4 years ago in reply to Irvin Rosario1

Both phases if you are using always 1D:00:00:00
Cancel
Vote Up 0 Vote Down

Cancel
0 Irvin Rosario1 over 4 years ago in reply to lferrara

tail -f /log/strongswan.log

tail -f /log/ipsec_mk.log

IPSEC POLICIE:

LOG VIEWER: SYSTEM
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Irvin Rosario1 over 4 years ago in reply to lferrara

tail -f /log/strongswan.log

tail -f /log/ipsec_mk.log

IPSEC POLICIE:

LOG VIEWER: SYSTEM
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Irvin Rosario1 over 4 years ago in reply to Irvin Rosario1
hi, just a quick update for this thread.

We validated that the configuration was correct. The tunnel could be established but only ipsec (site to site or host to host) and not l2tp / ipsec.

SOPHOS:

MIKROTIK PEER:

In our infrastructure we have different routers or firewalls of different manufacturers MIKROTIK, FORTIGATE, UBIQUITI, CISCO, among others. Several XG106 devices were recently acquired to be deployed in different locations as a client.

We have MIKROTIK as a connection server between the different locations which must comply with the IPSEC algorithms and authentication methods, additionally they must be authenticated as windows, linux, among others with user / password to allow the sending of traffic through the tunnel.

When trying to enable the IPSEC as client with username / password the tunnel is not enabled but without this it is possible to establish the tunnel but the traffic does not pass since it depends on the L2TP authentication.

ALL CONFIG MIKROTIK SIDE:

PPP

L2TP USER: Menu PPP > SECRETS > User: sophos1234 Pass: sophos1234

PROFILE: Menu PPP > PROFILES > L2TP (This profile assigns an IP address of the configured pool to the authenticated router / firewall).

IPSEC

IPSEC POLICIES: IP > IPSEC > POLICIES

PEER: IP > IPSEC > PEERS

PHASE 1 PROFILE: IP > IPSEC > PROFILES

PHASE 2 PROPOSALS: IP > IPSEC > PROPOSALS

PRE-SHARED KEY IDENTITIES: IP > IPSEC > IDENTITIES

GROUPS POLICIES: IP > IPSEC > GROUPS

CONFIG SOPHOS XG:

IPSEC POLICIES:

key schange: IKEv1

Authentication: Main mode

key negotiation tries: 5

Re-key connection: ON

PHASE1:

key life: 86400

Re-key margin: 360

Randomize re-keying margin: 100

DH GROUP: 14 DH2048

Encryption: AES256 Authentication: SHA256

PHASE2:

PFS GROUP: 14 DH2048

Key life: 86400

Encryption: AES256 Authentication: SHA256

DEAD PEER DETECTION:

Check peer after: 30

Wait for response up: 120

When Peer unreach: Disconnect

IPSEC CONNECTION:

Genral Settings:

Connection type: Host to Host or site to site

Gateway type: Initiate the connection

Encryption:

Policy: XXXXXXXX_MK

Authentication type: Preshared key

Gateway Settings:

Local gateway Interface: Port3: 200.XXX.XXX.154 (NO ROUTER NAT)

Local ID Type: LOCAL IP OF THE FIREWALL XG

Local Subnet: SAME INFORMATION AS LOCAL ID TYPE

Remote Gateway Address: 190.XXX.XXX.217

Remote ID Type: REMOTE IP OF THE DESTINATION (PUBLIC OR LOCAL)

Remote Subnet: SAME INFORMATION AS REMOTE ID TYPE

With the configuration i put in here the tunnel works fine.

When i try to add the user for authentication as L2TP for get traffic from the headoffice and permit to send traffic in the tunnel as well it doesn't work.

Advanced:

User authentication mode: As Client

Username: sophos1234

Pass: sophos1234

The MikroTic shows the message that the proposal is not the same and don't work. But if a disable this the tunnel start but i have the issue that the router (XG FIREWALL) needs to authenticate.

Log STRONGSWAN from the CLI SOPHOS. Command: service strongswan:debug -dsnosync

Updating strongSwan IPsec configuration...
kill -9 6636 > /dev/null 2>&1
terminate IKE SA 'MT_test-1 #3 - ok
2020-02-06 21:36:15 - swanctl --initiate --timeout 15 --child MT_test-1
initiate failed: CHILD_SA 'MT_test-1' not established after 15000ms
[IKE] ### queue_child invoking quick_mode_create
[IKE] ### quick_mode_create: 0x7f8300001450 config 0x7f832c0029c0
[IKE] found queued QUICK_MODE task with identical child config
[IKE] ### destroy: 0x7f83240025e0
[IKE] sending retransmit 2 of request message ID 0, seq 1
[NET] sending packet: from 192.168.1.101[500] to 190.94.87.217[500] (272 bytes)
kill -9 7020 > /dev/null 2>&1
2020-02-06 21:36:30 - initiate timeout for MT_test-1
2020-02-06 21:36:30 - Operation fails status: 255

Someone told to read this thread but is not there anymore https://community.sophos.com/kb/en-us/123358

This is XG firewall workings as standalone without HA.

i open a support case for this thread i am updating.
Cancel
Vote Up 0 Vote Down

Cancel