
IPSEC Site-2-Site XGS / FritzBox - No network access possible

Hi,

I just switched from the UTM to XGS.

After some trial and error the IPsec connection is successfully established; the tunnel is shown green on both sides. Firewall rules were auto-created, but I also tried creating manual ones.

Unfortunately no traffic is possible between the two networks.
Looking at the firewall rules, there is inbound traffic on the VPN rule, but no outbound.
Looking at Reports / VPN connection, the issue seems to be that there is no "Local Gateway" available.

It's probably a small thing, but what do I need to configure besides creating the IPSEC connection and creating the firewall rules?

Thanks, Olaf



Added TAGs
[edited by: emmosophos at 8:50 PM (GMT -7) on 22 Oct 2021]
  • Hi Olaf / Eva Hintz,
    Is it possible there is another/better path for the traffic than through the tunnel ...?
    Try traceroute and check if traffic really is going through the tunnel.
    A screenshot of VPN-config and FW-rule would be helpful.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    Traceroute shows that traffic reaches the gateway, then nothing more.

    Attached are the configs (DynDNS URLs replaced):

    Also on that side it seems that traffic reaches the tunnel, but does not go through.

    Tunnel is shown as ok:

    VPN Config on Fritz:

    Regards, Olaf

    Strongswan.log:

                                                                                
    XGS116_XN01_SFOS 18.5.1 MR-1-Build326# tail -f /log/strongswan.log
    2021-10-23 10:04:53 17[CFG] deleted connection 'FritzWaldstr-1'
    2021-10-23 10:04:54 28[CFG] rereading secrets
    2021-10-23 10:04:54 28[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2021-10-23 10:04:54 28[CFG] get_nsg_context tblvpnconnection:ipsec
    2021-10-23 10:04:54 28[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
    2021-10-23 10:04:54 27[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-10-23 10:04:54 27[LIB] stat() on '/_conf/ipsec/ipsec.d/cacerts/External certificate.pem' failed: No such file or directory
    no files found matching '/_conf/ipsec/connections/*.conf'
    2021-10-23 10:06:03 19[JOB] <44> deleting half open IKE_SA with 217.227.216.226 after timeout
    2021-10-23 10:06:03 19[DMN] <44> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
    2021-10-23 10:07:04 19[CFG] rereading secrets
    2021-10-23 10:07:04 19[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2021-10-23 10:07:04 19[CFG] get_nsg_context tblvpnconnection:ipsec
    2021-10-23 10:07:04 19[CFG] loading secrets from '/_conf/ipsec/connections/FritzWaldstr.secrets'
    2021-10-23 10:07:04 19[CFG] get_nsg_context tblvpnconnection:FritzWaldstr
    2021-10-23 10:07:04 19[CFG] NSGENC decrypt timetaken 0.001154 seconds
    2021-10-23 10:07:04 19[CFG]   loaded IKE secret for 192.168.3.3 "HOME-DYNDNS"
    2021-10-23 10:07:04 19[CFG] NSGENC decrypt timetaken 0.001096 seconds
    2021-10-23 10:07:04 19[CFG]   loaded IKE secret for "OFFICE DYNDNS" "HOME DYNDNS"
    2021-10-23 10:07:04 22[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-10-23 10:07:04 22[LIB] stat() on '/_conf/ipsec/ipsec.d/cacerts/External certificate.pem' failed: No such file or directory
    2021-10-23 10:07:04 08[CFG] received stroke: add connection 'FritzWaldstr-1'
    2021-10-23 10:07:04 08[CFG] added configuration 'FritzWaldstr-1'
    2021-10-23 10:07:04 18[CFG] received stroke: initiate 'FritzWaldstr-1'
    2021-10-23 10:07:04 18[IKE] <FritzWaldstr-1|45> ### queue_child invoking quick_mode_create
    2021-10-23 10:07:04 18[IKE] <FritzWaldstr-1|45> ### quick_mode_create: 0x7f5cc8002da0 config 0x7f5cec003690
    2021-10-23 10:07:04 18[IKE] <FritzWaldstr-1|45> initiating Main Mode IKE_SA FritzWaldstr-1[45] to 217.227.216.226
    2021-10-23 10:07:04 18[ENC] <FritzWaldstr-1|45> generating ID_PROT request 0 [ SA V V V V V V ]
    2021-10-23 10:07:04 18[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (548 bytes)
    2021-10-23 10:07:04 20[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (152 bytes)
    2021-10-23 10:07:04 20[ENC] <FritzWaldstr-1|45> parsed ID_PROT response 0 [ SA N((24576)) V V ]
    2021-10-23 10:07:04 20[IKE] <FritzWaldstr-1|45> received XAuth vendor ID
    2021-10-23 10:07:04 20[IKE] <FritzWaldstr-1|45> received DPD vendor ID
    2021-10-23 10:07:04 20[ENC] <FritzWaldstr-1|45> generating ID_PROT request 0 [ KE No ]
    2021-10-23 10:07:04 20[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (324 bytes)
    2021-10-23 10:07:06 12[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (308 bytes)
    2021-10-23 10:07:06 12[ENC] <FritzWaldstr-1|45> parsed ID_PROT response 0 [ KE No ]
    2021-10-23 10:07:06 12[ENC] <FritzWaldstr-1|45> generating ID_PROT request 0 [ ID HASH ]
    2021-10-23 10:07:06 12[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:07:06 27[NET] <46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (220 bytes)
    2021-10-23 10:07:06 27[ENC] <46> parsed ID_PROT request 0 [ SA V V ]
    2021-10-23 10:07:06 27[IKE] <46> received XAuth vendor ID
    2021-10-23 10:07:06 27[IKE] <46> received DPD vendor ID
    2021-10-23 10:07:06 27[IKE] <46> 217.227.216.226 is initiating a Main Mode IKE_SA
    2021-10-23 10:07:06 27[ENC] <46> generating ID_PROT response 0 [ SA V V V ]
    2021-10-23 10:07:06 27[NET] <46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (136 bytes)
    2021-10-23 10:07:06 29[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (108 bytes)
    2021-10-23 10:07:06 29[ENC] <FritzWaldstr-1|45> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
    2021-10-23 10:07:06 29[IKE] <FritzWaldstr-1|45> IKE_SA FritzWaldstr-1[45] established between 192.168.3.3["OFFICE DYNDNS"]...217.227.216.226["HOME DYNDNS"]
    2021-10-23 10:07:06 29[IKE] <FritzWaldstr-1|45> scheduling rekeying in 11616s
    2021-10-23 10:07:06 29[IKE] <FritzWaldstr-1|45> maximum IKE_SA lifetime 12156s
    2021-10-23 10:07:06 29[IKE] <FritzWaldstr-1|45> ### build_i: 0x7f5cc8002da0 QM_INIT
    2021-10-23 10:07:06 29[ENC] <FritzWaldstr-1|45> generating QUICK_MODE request 4247103502 [ HASH SA No KE ID ID ]
    2021-10-23 10:07:06 29[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (508 bytes)
    2021-10-23 10:07:06 16[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (844 bytes)
    2021-10-23 10:07:06 16[ENC] <FritzWaldstr-1|45> parsed QUICK_MODE request 3328490662 [ HASH SA No KE ID ID ]
    2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> ### process_request invoking quick_mode_create
    2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> ### quick_mode_create: 0x7f5c880008d0 config (nil)
    2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> ### process_r: 0x7f5c880008d0 QM_INIT
    2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> received 3600s lifetime, configured 5400s
    2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> ### build_r: 0x7f5c880008d0 QM_INIT
    2021-10-23 10:07:06 16[ENC] <FritzWaldstr-1|45> generating QUICK_MODE response 3328490662 [ HASH SA No KE ID ID ]
    2021-10-23 10:07:06 16[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (444 bytes)
    2021-10-23 10:07:07 32[NET] <46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (308 bytes)
    2021-10-23 10:07:07 32[ENC] <46> parsed ID_PROT request 0 [ KE No ]
    2021-10-23 10:07:07 32[ENC] <46> generating ID_PROT response 0 [ KE No ]
    2021-10-23 10:07:07 32[NET] <46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (324 bytes)
    2021-10-23 10:07:08 21[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (444 bytes)
    2021-10-23 10:07:08 21[ENC] <FritzWaldstr-1|45> parsed QUICK_MODE response 4247103502 [ HASH SA No KE ID ID N((24576)) ]
    2021-10-23 10:07:08 21[IKE] <FritzWaldstr-1|45> ### process_i: 0x7f5cc8002da0 QM_INIT
    2021-10-23 10:07:08 21[IKE] <FritzWaldstr-1|45> CHILD_SA FritzWaldstr-1{32} established with SPIs c4f1f935_i 33a45805_o and TS 192.168.2.0/24 === 192.168.1.0/24
    2021-10-23 10:07:08 21[APP] <FritzWaldstr-1|45> [SSO] (sso_invoke_once) SSO is disabled.
    2021-10-23 10:07:08 21[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.2.0/24#192.168.1.0/24)
    2021-10-23 10:07:08 21[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 1 to 2 ++ up ++ (192.168.3.3#217.227.216.226)
    2021-10-23 10:07:08 21[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (cop_updown_invoke_once) UID: 45 Net: Local 192.168.3.3 Remote 217.227.216.226 Connection: FritzWaldstr Fullname: FritzWaldstr-1
    2021-10-23 10:07:08 21[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2021-10-23 10:07:08 21[IKE] <FritzWaldstr-1|45> ### build_i: 0x7f5cc8002da0 QM_NEGOTIATED
    2021-10-23 10:07:08 21[IKE] <FritzWaldstr-1|45> ### destroy: 0x7f5cc8002da0
    2021-10-23 10:07:08 21[ENC] <FritzWaldstr-1|45> generating QUICK_MODE request 4247103502 [ HASH ]
    2021-10-23 10:07:08 21[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (60 bytes)
    2021-10-23 10:07:08 33[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'FritzWaldstr' result --> id: '2', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2021-10-23 10:07:08 33[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (192.168.3.3 to 217.227.216.226) already set up
    2021-10-23 10:07:08 33[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.2.0/24 to 192.168.1.0/24) already set up
    2021-10-23 10:07:09 11[NET] <FritzWaldstr-1|45> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (60 bytes)
    2021-10-23 10:07:09 11[ENC] <FritzWaldstr-1|45> parsed QUICK_MODE request 3328490662 [ HASH ]
    2021-10-23 10:07:09 11[IKE] <FritzWaldstr-1|45> ### process_r: 0x7f5c880008d0 QM_NEGOTIATED
    2021-10-23 10:07:09 11[IKE] <FritzWaldstr-1|45> CHILD_SA FritzWaldstr-1{33} established with SPIs c5aa536c_i 3275eb20_o and TS 192.168.2.0/24 === 192.168.1.0/24
    2021-10-23 10:07:09 11[APP] <FritzWaldstr-1|45> [SSO] (sso_invoke_once) SSO is disabled.
    2021-10-23 10:07:09 11[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (ref_counting) ref_count: 2 to 3 ++ up ++ (192.168.2.0/24#192.168.1.0/24)
    2021-10-23 10:07:09 11[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 2 to 3 ++ up ++ (192.168.3.3#217.227.216.226)
    2021-10-23 10:07:09 11[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (cop_updown_invoke_once) UID: 45 Net: Local 192.168.3.3 Remote 217.227.216.226 Connection: FritzWaldstr Fullname: FritzWaldstr-1
    2021-10-23 10:07:09 11[APP] <FritzWaldstr-1|45> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2021-10-23 10:07:09 11[IKE] <FritzWaldstr-1|45> ### destroy: 0x7f5c880008d0
    2021-10-23 10:07:09 11[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'FritzWaldstr' result --> id: '2', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2021-10-23 10:07:09 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (192.168.3.3 to 217.227.216.226) already set up
    2021-10-23 10:07:09 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.2.0/24 to 192.168.1.0/24) already set up
    2021-10-23 10:07:09 26[NET] <46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (92 bytes)
    2021-10-23 10:07:09 26[ENC] <46> parsed ID_PROT request 0 [ ID HASH ]
    2021-10-23 10:07:09 26[CFG] <46> looking for pre-shared key peer configs matching 192.168.3.3...217.227.216.226["HOME DYNDNS"]
    2021-10-23 10:07:09 26[CFG] <46> selected peer config "FritzWaldstr-1"
    2021-10-23 10:07:09 26[IKE] <FritzWaldstr-1|46> IKE_SA FritzWaldstr-1[46] established between 192.168.3.3["OFFICE DYNDNS"]...217.227.216.226["HOME DYNDNS"]
    2021-10-23 10:07:09 26[IKE] <FritzWaldstr-1|46> scheduling rekeying in 12041s
    2021-10-23 10:07:09 26[IKE] <FritzWaldstr-1|46> maximum IKE_SA lifetime 12581s
    2021-10-23 10:07:09 26[ENC] <FritzWaldstr-1|46> generating ID_PROT response 0 [ ID HASH ]
    2021-10-23 10:07:09 26[NET] <FritzWaldstr-1|46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:07:09 23[IKE] <FritzWaldstr-1|45> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
    2021-10-23 10:07:09 23[IKE] <FritzWaldstr-1|46> ike FritzWaldstr-1[46] adopted 0 children in REKEYING state
    2021-10-23 10:07:19 29[IKE] <FritzWaldstr-1|45> deleting IKE_SA FritzWaldstr-1[45] between 192.168.3.3["OFFICE DYNDNS"]...217.227.216.226["HOME DYNDNS"]
    2021-10-23 10:07:19 29[IKE] <FritzWaldstr-1|45> sending DELETE for IKE_SA FritzWaldstr-1[45]
    2021-10-23 10:07:19 29[ENC] <FritzWaldstr-1|45> generating INFORMATIONAL_V1 request 302147409 [ HASH D ]
    2021-10-23 10:07:19 29[NET] <FritzWaldstr-1|45> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:07:39 24[IKE] <FritzWaldstr-1|46> sending DPD request
    2021-10-23 10:07:39 24[ENC] <FritzWaldstr-1|46> generating INFORMATIONAL_V1 request 4135095125 [ HASH N(DPD) ]
    2021-10-23 10:07:39 24[NET] <FritzWaldstr-1|46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:07:39 28[NET] <FritzWaldstr-1|46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (92 bytes)
    2021-10-23 10:07:39 28[ENC] <FritzWaldstr-1|46> parsed INFORMATIONAL_V1 response 4135095125 [ HASH N(DPD_ACK) ]
    2021-10-23 10:08:09 14[IKE] <FritzWaldstr-1|46> sending DPD request
    2021-10-23 10:08:09 14[ENC] <FritzWaldstr-1|46> generating INFORMATIONAL_V1 request 309895513 [ HASH N(DPD) ]
    2021-10-23 10:08:09 14[NET] <FritzWaldstr-1|46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:08:09 17[NET] <FritzWaldstr-1|46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (92 bytes)
    2021-10-23 10:08:09 17[ENC] <FritzWaldstr-1|46> parsed INFORMATIONAL_V1 response 309895513 [ HASH N(DPD_ACK) ]
    2021-10-23 10:08:39 09[IKE] <FritzWaldstr-1|46> sending DPD request
    2021-10-23 10:08:39 09[ENC] <FritzWaldstr-1|46> generating INFORMATIONAL_V1 request 2279261444 [ HASH N(DPD) ]
    2021-10-23 10:08:39 09[NET] <FritzWaldstr-1|46> sending packet: from 192.168.3.3[500] to 217.227.216.226[500] (92 bytes)
    2021-10-23 10:08:39 17[NET] <FritzWaldstr-1|46> received packet: from 217.227.216.226[500] to 192.168.3.3[500] (92 bytes)
    2021-10-23 10:08:39 17[ENC] <FritzWaldstr-1|46> parsed INFORMATIONAL_V1 response 2279261444 [ HASH N(DPD_ACK) ]

  • Hello Olaf,

    Activate NAT traversal on both sides. At least one side is behind a provider router / FritzBox.
    On the FB: use_nat_t = yes
    On the XG: tick "NAT"


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
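
The strongswan.log Olaf posted and Dirk's NAT-traversal hint point at the same checks, so here is a small triage script as an added example for this thread (not Sophos, AVM or strongSwan code). It parses charon log lines in the wording shown above, pulls out the IKE peers and the negotiated traffic selectors, and reports what a practitioner would look at when the tunnel is green but no traffic passes: a private (RFC 1918) IKE endpoint, which means that gateway sits behind another NAT router and needs NAT-T; the absence of a NAT-T vendor ID or NAT-D payloads, which shows NAT-T was not negotiated; the Phase 2 lifetime mismatch; the earlier timed-out attempt; both peers initiating Main Mode at the same time; and the exact subnets the VPN firewall rules have to match. The sample lines are copied from the log above; the single line containing NAT-D is constructed to show the positive case. The regexes assume charon's standard log wording, which SFOS 18.5 prints unchanged here.

```python
"""Triage a strongswan (charon) IKEv1 log excerpt as printed by SFOS.

Added example for this thread, not Sophos/AVM/strongSwan code: extracts what
the log proves (IKE peers, traffic selectors) and lists the checks to make
when the tunnel is "green" but passes no traffic.
"""
import ipaddress
import re
from dataclasses import dataclass, field

IKE_SA_RE = re.compile(
    r'IKE_SA \S+\[\d+\] established between '
    r'(?P<lip>[\d.]+)\["(?P<lid>[^"]*)"\]\.\.\.(?P<rip>[\d.]+)\["(?P<rid>[^"]*)"\]')
CHILD_SA_RE = re.compile(
    r'CHILD_SA \S+\{\d+\} established with SPIs [0-9a-f]+_i [0-9a-f]+_o '
    r'and TS (?P<lts>[\d./]+) === (?P<rts>[\d./]+)')
LIFETIME_RE = re.compile(r'received (?P<recv>\d+)s lifetime, configured (?P<conf>\d+)s')
LOCAL_INIT_RE = re.compile(r'initiating Main Mode IKE_SA \S+ to [\d.]+')
REMOTE_INIT_RE = re.compile(r'[\d.]+ is initiating a Main Mode IKE_SA')


@dataclass
class Triage:
    ike_sas: list = field(default_factory=list)    # (local_ip, local_id, remote_ip, remote_id)
    child_sas: list = field(default_factory=list)  # (local_ts, remote_ts); charon prints local === remote
    nat_t_seen: bool = False
    findings: list = field(default_factory=list)


def triage(log_text: str) -> Triage:
    t = Triage()
    local_init = remote_init = False
    for line in log_text.splitlines():
        if m := IKE_SA_RE.search(line):
            sa = (m['lip'], m['lid'], m['rip'], m['rid'])
            if sa not in t.ike_sas:
                t.ike_sas.append(sa)
        elif m := CHILD_SA_RE.search(line):
            ts = (m['lts'], m['rts'])
            if ts not in t.child_sas:
                t.child_sas.append(ts)
        elif m := LIFETIME_RE.search(line):
            t.findings.append(f"IPsec SA lifetime mismatch: peer proposes {m['recv']}s, local config {m['conf']}s; "
                              "not a traffic blocker by itself, but align both sides to avoid rekey races")
        elif 'timed out before it could be established' in line:
            t.findings.append("an earlier IKE_SA attempt timed out: peer unreachable or UDP/500 filtered at that time")
        # IKEv1 NAT-T shows up as a 'NAT-T (RFC 3947) vendor ID' and NAT-D payloads in the KE exchange
        if 'NAT-T' in line or 'NAT-D' in line:
            t.nat_t_seen = True
        local_init = local_init or bool(LOCAL_INIT_RE.search(line))
        remote_init = remote_init or bool(REMOTE_INIT_RE.search(line))

    for lip, lid, rip, rid in t.ike_sas:
        for ip, who in ((lip, f"local endpoint {lip} ({lid})"), (rip, f"remote endpoint {rip} ({rid})")):
            if ipaddress.ip_address(ip).is_private:
                t.findings.append(f"{who} is RFC 1918: that gateway sits behind another NAT router, "
                                  "so NAT traversal (UDP/4500) must be enabled on both peers")
    if t.ike_sas and not t.nat_t_seen:
        t.findings.append("no NAT-T vendor ID or NAT-D payloads in the exchange: NAT traversal was not negotiated")
    if local_init and remote_init:
        t.findings.append("both peers initiated Main Mode within seconds of each other, producing two IKE_SAs "
                          "that charon then reconciled (reauth/adopt); letting one side only respond avoids the race")
    for lts, rts in t.child_sas:
        t.findings.append(f"negotiated traffic selectors {lts} === {rts}: the LAN-to-VPN and VPN-to-LAN firewall "
                          f"rules must match exactly these subnets, and the local LAN must really be {lts}")
    return t


# Lines copied (unwrapped) from the strongswan.log posted above in this thread.
SAMPLE_LOG = """\
2021-10-23 10:06:03 19[DMN] <44> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
2021-10-23 10:07:04 18[IKE] <FritzWaldstr-1|45> initiating Main Mode IKE_SA FritzWaldstr-1[45] to 217.227.216.226
2021-10-23 10:07:04 20[IKE] <FritzWaldstr-1|45> received XAuth vendor ID
2021-10-23 10:07:04 20[IKE] <FritzWaldstr-1|45> received DPD vendor ID
2021-10-23 10:07:04 20[ENC] <FritzWaldstr-1|45> generating ID_PROT request 0 [ KE No ]
2021-10-23 10:07:06 27[IKE] <46> 217.227.216.226 is initiating a Main Mode IKE_SA
2021-10-23 10:07:06 29[IKE] <FritzWaldstr-1|45> IKE_SA FritzWaldstr-1[45] established between 192.168.3.3["OFFICE DYNDNS"]...217.227.216.226["HOME DYNDNS"]
2021-10-23 10:07:06 16[IKE] <FritzWaldstr-1|45> received 3600s lifetime, configured 5400s
2021-10-23 10:07:08 21[IKE] <FritzWaldstr-1|45> CHILD_SA FritzWaldstr-1{32} established with SPIs c4f1f935_i 33a45805_o and TS 192.168.2.0/24 === 192.168.1.0/24
2021-10-23 10:07:09 11[IKE] <FritzWaldstr-1|45> CHILD_SA FritzWaldstr-1{33} established with SPIs c5aa536c_i 3275eb20_o and TS 192.168.2.0/24 === 192.168.1.0/24
2021-10-23 10:07:09 23[IKE] <FritzWaldstr-1|45> detected reauth of existing IKE_SA, adopting 2 children, 0 child tasks, and 0 virtual IPs
"""

# Constructed line (not from the thread) showing the KE exchange once NAT-T is negotiated.
SAMPLE_WITH_NAT_T = "2021-10-23 10:10:00 20[ENC] <FritzWaldstr-1|47> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]\n"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("IKE_SAs:", result.ike_sas, "CHILD_SAs:", result.child_sas)
    for finding in result.findings:
        print("-", finding)
```

Paste the output of `tail -n 200 /log/strongswan.log` from the SFOS console into SAMPLE_LOG (or feed a file to `triage()`) and read the findings top to bottom. On the excerpt above it reports the 192.168.3.3 endpoint as RFC 1918 and no NAT-T negotiated, which is exactly Dirk's point; the traffic-selector line tells you which two subnets the auto-created VPN firewall rules must carry in both directions.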

  • Hi Dirk,

    Done on both sides and the connection restarted; unfortunately still nothing gets through.

    Regards, Olaf

  • Possibly something in the FW rule still doesn't fit ...
    I would activate logging on the VPN FW rules; then there is more to find in the log viewer.
    I also always create the last "DROP-ANY" rule manually with logging activated.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • It works! The breakthrough came from a simultaneous reboot of both devices; after that the traffic suddenly goes through. Something had got stuck...

    Thanks for the tips!