
IPSec Tunnel between Azure-XG to AWS-SG

Hi Guys


Another issue with the IPsec tunnel I am now facing. I've followed this documentation from the Sophos community to set up the IPsec tunnel on both XG and SG. The UTM is not connecting, for a strange reason.

https://community.sophos.com/kb/en-us/126628

I have enabled DPD on both FWs

2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588084: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588084: starting keying attempt 6 of an unlimited number
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: initiating Main Mode to replace #588084
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [XAUTH]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [Dead Peer Detection]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: ignoring Vendor ID payload [Cisco-Unity]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: received Vendor ID payload [RFC 3947]
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: enabling possible NAT-traversal with method 3
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: NAT-Traversal: Result using RFC 3947: both are NATed
2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: ignoring informational payload, type AUTHENTICATION_FAILED
2020:03:13-09:44:53 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Any idea what it might be? I have several IPsec tunnels running on the UTM with different PSKs.



  • Hi  

    Are you using "*" in the remote gateway configuration in UTM or XG?

    In UTM, please go to Advanced settings and enable probe PSK option.

    Please also check the PFS configuration in XG and UTM.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Are you using "*" in the remote gateway configuration in UTM or XG?

    No. I use the FW's public IP.

    In UTM, please go to Advanced settings and enable probe PSK option.
    I have it enabled already


    Please also check the PFS configuration in XG and UTM.

    The PFS config on both is the same. I followed the config settings as per the document.

  • Getting this error now (after fixing the LAN IP):

    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [XAUTH]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [Dead Peer Detection]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring Vendor ID payload [Cisco-Unity]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: received Vendor ID payload [RFC 3947]
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: enabling possible NAT-traversal with method 3
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: NAT-Traversal: Result using RFC 3947: both are NATed
    2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring informational payload, type AUTHENTICATION_FAILED
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: responding to Main Mode
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: NAT-Traversal: Result using RFC 3947: both are NATed
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: Peer ID is ID_IPV4_ADDR: '10.10.254.4'
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: no suitable connection for peer '10.10.254.4'
    2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: sending encrypted notification INVALID_ID_INFORMATION to 51.107.79.75:4500


    10.10.254.4 is the XG's private IP. Should I use this as the VPN ID on both FWs? What could the issue be? 51.107.79.75 is the XG's public IP.
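The two log bursts above contain two distinct failures: as initiator the UTM gets AUTHENTICATION_FAILED back on its first encrypted Main Mode message and times out in STATE_MAIN_I3; as responder it receives a Peer ID of 10.10.254.4 (the XG's private, NATed interface address) that matches no configured connection, so it answers INVALID_ID_INFORMATION. The script below is an added example, not from the thread and not Sophos code: it parses pluto lines in the format quoted above (the syslog prefix and field layout are inferred from those excerpts), pulls out the NAT-T result, retransmit state, notifications and peer IDs, and explains each in terms of IKEv1 Main Mode. The sample log is copied from the posts above; `expected_remote_id` is the VPN ID configured for the remote gateway on the UTM, which here is assumed to be the XG's public IP.

```python
"""Triage pluto (IKEv1 Main Mode) log lines from a Sophos UTM.

Added example for this thread, not Sophos code. The line format below is
inferred from the log excerpts quoted in the posts above.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# <ts> <host> pluto[<pid>]: "<connection>" #<sa>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+'
    r'"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+(?P<msg>.*)$'
)
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")
PEER_ID_RE = re.compile(r"Peer ID is (\w+): '([^']+)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '([^']+)'")
INVALID_ID_RE = re.compile(r"sending encrypted notification INVALID_ID_INFORMATION to (\S+)")


@dataclass
class Triage:
    connection: Optional[str] = None
    nat_result: Optional[str] = None
    retransmit_states: List[str] = field(default_factory=list)
    auth_failed_notifies: int = 0
    peer_ids: List[Tuple[str, str]] = field(default_factory=list)
    unmatched_peer_ids: List[str] = field(default_factory=list)
    invalid_id_sent_to: List[str] = field(default_factory=list)
    hints: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its pluto fields; None if it is not a pluto line."""
    m = PLUTO_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, expected_remote_id: str) -> Triage:
    """Summarise a burst of pluto lines and explain them in IKEv1 Main Mode terms."""
    t = Triage()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t.connection = rec["conn"]
        msg = rec["msg"]
        if msg.startswith("NAT-Traversal: Result using RFC 3947:"):
            t.nat_result = msg.split(":", 2)[2].strip()
        elif "type AUTHENTICATION_FAILED" in msg:
            t.auth_failed_notifies += 1
        elif (m := RETRANS_RE.search(msg)):
            t.retransmit_states.append(m.group(2))
        elif (m := PEER_ID_RE.search(msg)):
            t.peer_ids.append((m.group(1), m.group(2)))
        elif (m := NO_CONN_RE.search(msg)):
            t.unmatched_peer_ids.append(m.group(1))
        elif (m := INVALID_ID_RE.search(msg)):
            t.invalid_id_sent_to.append(m.group(1))

    # Initiator side: Main Mode message 5 is the first encrypted one and carries our
    # ID and hash. AUTHENTICATION_FAILED plus a STATE_MAIN_I3 timeout means the peer
    # either decrypted it with a different PSK or could not match the ID inside.
    if t.auth_failed_notifies and "STATE_MAIN_I3" in t.retransmit_states:
        t.hints.append(
            "Peer rejected our first encrypted Main Mode message: either the PSK it "
            "selected for our address differs from ours, or it could not match the ID we sent."
        )
    # Responder side: the ID payload the peer sent selected no configured connection.
    for _, value in t.peer_ids:
        if value == expected_remote_id:
            continue
        note = f"Peer identified itself as {value}, UTM expects {expected_remote_id}."
        try:
            if ipaddress.ip_address(value).is_private and t.nat_result == "both are NATed":
                note += (" That is a private address and NAT-T was detected, so the peer is "
                         "sending its NATed interface address as its IKE ID.")
        except ValueError:
            pass  # ID is not an IP address (FQDN, e-mail style, ...)
        note += (" Either set the peer's local ID to the value the UTM expects, or set the "
                 "UTM remote gateway VPN ID to the value the peer actually sends.")
        t.hints.append(note)
    return t


# Lines copied from the two posts above (timestamps and SA numbers as posted).
SAMPLE_LOG = [
    '2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588084: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
    '2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: NAT-Traversal: Result using RFC 3947: both are NATed',
    '2020:03:13-09:43:43 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: ignoring informational payload, type AUTHENTICATION_FAILED',
    '2020:03:13-09:44:53 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588087: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
    '2020:03:13-12:14:58 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588646: ignoring informational payload, type AUTHENTICATION_FAILED',
    '2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: responding to Main Mode',
    '2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: Peer ID is ID_IPV4_ADDR: \'10.10.254.4\'',
    '2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: no suitable connection for peer \'10.10.254.4\'',
    '2020:03:13-12:15:22 MyUTM-int-v1-utm2 pluto[19244]: "S_SG_To_Azure_XG" #588648: sending encrypted notification INVALID_ID_INFORMATION to 51.107.79.75:4500',
]

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG, "51.107.79.75").hints:
        print("-", hint)
```

Run it against `tail -f /var/log/ipsec.log` output on the UTM, or paste the lines into `SAMPLE_LOG`. Passing `"10.10.254.4"` as `expected_remote_id` (i.e. the UTM's remote gateway VPN ID set to what the XG actually sends) makes the peer ID hint disappear and leaves only the PSK/ID hint for the initiator-side failure, which is how the two problems can be told apart.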