This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC VPN between Sophos XG 115w and TPLink Archer VR1600v possible?

Hey guys,

I'm looking to send my Shadowprotect backup files from site A to site B which has a Qnap NAS. Shadowprotect Imagemanager supports Intelligent FTP to do the transfer.

I figure for security an IPSEC VPN between the sites would be the way to go (instead of opening up FTP ports on site B).

Site A is behind a Sophos XG 115w. Site B with the Qnap is behind a TPLink Archer VR1600v.

The TPLink Archer VR1600v appears to have IPSEC capability, but whenever I try to join the sites, the Sophos XG has timeout errors in the logs and the TPLink does not appear to log VPN stuff at all.

So, does anyone know if Sophos XG's is able to successfully create IPSEC VPN connections to TPLink Archer VR1600v modems? If not, is there another secure method I could use without needing to drop in another Sophos XG at site B?

This thread was automatically locked due to age.

Parents

0 Keyur over 4 years ago

Hi Aaron Berger

Please refer the articles for IPsec configuration for Sophos XG firewall and TPlink

For TPlink, please use the manual which has IPsec configuration - https://setuprouter.com/router/tp-link/archer-vr1600v/manual-2515.pdf

For Sophos XG - https://community.sophos.com/kb/en-us/123140

Please configure Phase -1 and Phase -2 parameters and match them in both the device.

For Logs in Sophos XG - https://community.sophos.com/kb/en-us/123310

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to Keyur

Hi Keyur,

Thank you for your reply :)

I did configure Phase -1 and Phase -2 parameters and match them in both the devices. But maybe I missed something. I'll follow the links you provided and try again. Many thanks.

Aaron
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Aaron Berger

Hi Aaron Berger

Sure, please let us know if you require any further help, you may share the logs using the command in the given article to verify.

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to Keyur

Hi Keyur,

I've double checked and rebuilt the phase1 and phase2 VPN settings on both ends, but I keep getting this error when I try to establish the connection: "received IKE message with invalid SPI (56E4DE3F) from other side". I figure that means there's a missmatch? Here are the settings I'm using on both ends:

SiteA

SiteB

Any idea what I might be missing?
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Aaron Berger

Hi Aaron Berger

Did you add local ID and remote ID in the IPsec connection used for this tunnel?

When you initiate the connection, please capture the logs using the link I have shared in the first response.

Please share screenshot of IPsec connection configuration as well

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to Keyur

Hi Keyur

Thank you again for your help. :)

From my understanding, ID is optional?

In the XG: local ID I set it to Gateway IP of XG, and for the remote ID I set to the Gateway IP of the TPLink.

In the TPLink: When I set the ID to IP address, the option to manually type ID IP or name is greyed out. I assume setting ID to IP is all we need anyway?

Here is the screenshot of the VPN config from the XG

Also let me know if you need the 2x VPN firewall rules too. I'll extract the logs and add to a 2nd post
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to Aaron Berger

Here are the CLI VPN logs.

3021.IPSEC_VPN_CLI_Logs.txt
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Aaron Berger

Hi Aaron Berger

Please remove Local ID and remote ID from the IPsec configuration at Sophos XG side.

As per the logs, phase -1 is getting established, make sure that you are using IKEv1.

Please try to disable PFS at the both end and check,

What is the local and remote identifier in TP-Link?

In the XG Local ID and Remote ID are different parameter than Local Gateway and Remote Gateway, Those parameters are used with a Preshared key mechanism

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to Keyur

Hi Keyur,

Please remove Local ID and remote ID from the IPsec configuration at Sophos XG side.

> Local and remote ID have been removed from the IPsec config on the XG side.

As per the logs, phase -1 is getting established, make sure that you are using IKEv1.

> XG is configured with IKEv1.

> TPLink there is the choice of Auto (IKE) or Manual. It doesn't seem to specify which version of IKE is used. But I would assume it would be IKEv1.

Please try to disable PFS at the both end and check,

> XG VPN>IPSec Policies>Policy Used for this VPN>Phase 2>PFS Group (DH Group)> Disabled.

> TPLink>Advanced>VPN>IPSec VPN>Perfect Forward Secrecy>Disabled.

What is the local and remote identifier in TP-Link?

> In the TPLink, the option for for the identifies is:

>> Local Identifier> Have the choice of Local Wan IP or FQDN. No option to disable. Currently have it set to default, which is Local Wan IP. The Local Wan IP field can not be filled out or changed.

>> Remote Identifier> Have the choice of Remote Wan IP or FQDN. No option to disable. Currently have it set to default, which is Remote Wan IP. The Remote Wan IP field can not be filled out or changed.

Also, here are the logs after these changes:

7444.IPSEC_VPN_CLI_Logs2.txt
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Aaron Berger over 4 years ago in reply to Keyur

Hi Keyur,

Please remove Local ID and remote ID from the IPsec configuration at Sophos XG side.

> Local and remote ID have been removed from the IPsec config on the XG side.

As per the logs, phase -1 is getting established, make sure that you are using IKEv1.

> XG is configured with IKEv1.

> TPLink there is the choice of Auto (IKE) or Manual. It doesn't seem to specify which version of IKE is used. But I would assume it would be IKEv1.

Please try to disable PFS at the both end and check,

> XG VPN>IPSec Policies>Policy Used for this VPN>Phase 2>PFS Group (DH Group)> Disabled.

> TPLink>Advanced>VPN>IPSec VPN>Perfect Forward Secrecy>Disabled.

What is the local and remote identifier in TP-Link?

> In the TPLink, the option for for the identifies is:

>> Local Identifier> Have the choice of Local Wan IP or FQDN. No option to disable. Currently have it set to default, which is Local Wan IP. The Local Wan IP field can not be filled out or changed.

>> Remote Identifier> Have the choice of Remote Wan IP or FQDN. No option to disable. Currently have it set to default, which is Remote Wan IP. The Remote Wan IP field can not be filled out or changed.

Also, here are the logs after these changes:

7444.IPSEC_VPN_CLI_Logs2.txt
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 KingChris over 4 years ago in reply to Aaron Berger

Hi Aaron Berger

From the logs provided it appears the TP Link side is not responding to the XG initiate request. It would be great if we could see whats going on with that device. I do recommend maybe looking at a "RED/SD-WAN" device that we offer that will sit behind the TP Link and form a secure, encrypted connection back to the XG.

It also appears that both are initiating the connection. Try change the XG to "respond" and the DPD settings to "disconnect".

I do recommend having the local and remote IDs filled out as this helps identify the connections better.

Thanks!

KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Aaron Berger over 4 years ago in reply to KingChris

Hi KingChris,

Many thanks for your help.

I modified the settings in the XG to "respond" and the DPD settings to "disconnect". Also tried similar settings on the TPLink side too. But unfortunately no go.

I set the logging in the TPLink to full but sadly it doesn't log any VPN stuff.

For a RED/SD-WAN, would a Sophos RED 15 device do the trick? Do you know if you need to buy any licences for the device?
Cancel
Vote Up 0 Vote Down

Cancel
+1 KingChris over 4 years ago in reply to Aaron Berger

Hi Aaron Berger

A RED15 device will work in this situation.

No extra licensing required for this.

Thanks!

KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel