

IPSEC VPN between Sophos XG 115w and TPLink Archer VR1600v possible?

Hey guys,

I'm looking to send my Shadowprotect backup files from site A to site B which has a Qnap NAS. Shadowprotect Imagemanager supports Intelligent FTP to do the transfer.

I figure for security an IPSEC VPN between the sites would be the way to go (instead of opening up FTP ports on site B).

Site A is behind a Sophos XG 115w. Site B with the Qnap is behind a TPLink Archer VR1600v.

The TPLink Archer VR1600v appears to have IPSEC capability, but whenever I try to join the sites, the Sophos XG has timeout errors in the logs and the TPLink does not appear to log VPN stuff at all.

So, does anyone know if the Sophos XG is able to successfully create IPSEC VPN connections to TPLink Archer VR1600v modems? If not, is there another secure method I could use without needing to drop in another Sophos XG at site B?



  • Hi Keyur 

    Thank you again for your help. :)

    From my understanding, ID is optional?

    In the XG: local ID I set it to the Gateway IP of the XG, and for the remote ID I set it to the Gateway IP of the TPLink.

    In the TPLink: When I set the ID to IP address, the option to manually type ID IP or name is greyed out. I assume setting ID to IP is all we need anyway?

     

    Here is the screenshot of the VPN config from the XG

     

    Also let me know if you need the 2x VPN firewall rules too. I'll extract the logs and add to a 2nd post

  • Hi  

    Please remove Local ID and remote ID from the IPsec configuration at Sophos XG side.

    As per the logs, phase 1 is getting established; make sure that you are using IKEv1.

    Please try to disable PFS at both ends and check.

    What is the local and remote identifier in TP-Link?

    In the XG, Local ID and Remote ID are different parameters from Local Gateway and Remote Gateway. Those parameters are used with a pre-shared key mechanism.


    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Hi Keyur,


    Please remove Local ID and remote ID from the IPsec configuration at Sophos XG side.

    > Local and remote ID have been removed from the IPsec config on the XG side.


    As per the logs, phase 1 is getting established; make sure that you are using IKEv1.

    > XG is configured with IKEv1.

    > In the TPLink there is the choice of Auto (IKE) or Manual. It doesn't seem to specify which version of IKE is used, but I would assume it would be IKEv1.

    Please try to disable PFS at the both end and check,

    > XG VPN>IPSec Policies>Policy Used for this VPN>Phase 2>PFS Group (DH Group)> Disabled.

    > TPLink>Advanced>VPN>IPSec VPN>Perfect Forward Secrecy>Disabled.


    What is the local and remote identifier in TP-Link?

    > In the TPLink, the options for the identifiers are:

    >> Local Identifier> Have the choice of Local Wan IP or FQDN. No option to disable. Currently have it set to default, which is Local Wan IP. The Local Wan IP field can not be filled out or changed.

    >> Remote Identifier> Have the choice of Remote Wan IP or FQDN. No option to disable. Currently have it set to default, which is Remote Wan IP. The Remote Wan IP field can not be filled out or changed.

     

    Also, here are the logs after these changes:

    7444.IPSEC_VPN_CLI_Logs2.txt

  • Hi  

    From the logs provided it appears the TP Link side is not responding to the XG initiate request. It would be great if we could see what's going on with that device. I do recommend maybe looking at a "RED/SD-WAN" device that we offer that will sit behind the TP Link and form a secure, encrypted connection back to the XG.

    It also appears that both are initiating the connection. Try changing the XG to "respond" and the DPD settings to "disconnect".

    I do recommend having the local and remote IDs filled out as this helps identify the connections better.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • Hi KingChris,

     

    Many thanks for your help.

    I modified the settings in the XG to "respond" and the DPD settings to "disconnect". Also tried similar settings on the TPLink side too. But unfortunately no go.

    I set the logging in the TPLink to full but sadly it doesn't log any VPN stuff.

     

    For a RED/SD-WAN, would a Sophos RED 15 device do the trick? Do you know if you need to buy any licences for the device?

  • Hi  

    A RED15 device will work in this situation.

    No extra licensing required for this.

    Thanks!

    KingChris
    Community Support | Sophos Support
