
IPSec Site to Site Preshared key - no such file or directory

Hi community,

I'm trying to set up a site-to-site IPsec connection with a preshared key between two XG 125s. Both are running SFOS 18.5.2 MR-2-Build380.

I setup the connection according to https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/VPNCreateSiteToSiteIPsecVPN/index.html#add-a-firewall-rule_1

I can activate the IPsec connection on both sides, but when trying to connect from the branch office I simply get the error message "IPsec connection could not be established".

Checking the logs, I find this in strongswan.log:

2022-01-22 23:16:14Z 26[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: Wiesham_to_HQ count: 0
2022-01-22 23:16:30Z 09[CFG] rereading secrets
2022-01-22 23:16:30Z 09[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2022-01-22 23:16:30Z 09[CFG] get_nsg_context tblvpnconnection:ipsec
2022-01-22 23:16:30Z 09[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2022-01-22 23:16:30Z 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
expanding file pattern '/_conf/ipsec/connections/*.conf' failed: No such file or directory
2022-01-22 23:16:31Z 18[CFG] vici initiate 'Wiesham_to_HQ-1'

It seems to me that there are missing config files. When are they created?

What do I have to do in order to fix this?

Any help would be highly appreciated!

Thanks,

Gernot
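The log excerpt above is easier to judge once the configuration-reload chatter is separated from the IKE exchange itself. The following is an added example (it is not part of the original post and not Sophos code) that triages strongswan.log lines: it treats the "rereading/loading secrets" and "expanding file ... failed" glob messages as reload noise and summarises, per connection, whether an IKE packet was sent, whether the remote gateway answered, and how many retransmits happened before charon gave up. The sample log is constructed for the example; its first lines copy the entries quoted in the post, and the IKE/NET lines after the initiate are what a standard strongSwan charon logs when the peer never answers. Addresses and SA numbers are made up.

```python
import re

# Lines charon emits while re-reading its configuration.  They appear on every
# secrets reload and say nothing about whether a tunnel is coming up; the
# '*.conf' / '*.secrets' glob warnings from the post fall into this bucket.
NOISE_PREFIXES = (
    "rereading secrets",
    "loading secrets",
    "rereading ca certificates",
    "expanding file",
    "get_nsg_context",
)

# "<date> <time> <thread>[GROUP] <message>"; the prefix is optional because the
# post shows at least one line without it.
LINE_RE = re.compile(r"^(?:\S+ \S+ \d+\[[A-Z-]+\] )?(?P<msg>.*)$")
INITIATE_RE = re.compile(r"^(?:vici initiate '|initiating IKE_SA )(?P<name>[^'\[]+)")

# Constructed sample: the first eight lines copy the post, the rest is what
# charon logs when the remote gateway never answers IKE_SA_INIT.
SAMPLE_LOG = """\
2022-01-22 23:16:14Z 26[APP] [COP-UPDOWN][STATUS] (db_status_update) conn_name: Wiesham_to_HQ count: 0
2022-01-22 23:16:30Z 09[CFG] rereading secrets
2022-01-22 23:16:30Z 09[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2022-01-22 23:16:30Z 09[CFG] get_nsg_context tblvpnconnection:ipsec
2022-01-22 23:16:30Z 09[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2022-01-22 23:16:30Z 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
expanding file pattern '/_conf/ipsec/connections/*.conf' failed: No such file or directory
2022-01-22 23:16:31Z 18[CFG] vici initiate 'Wiesham_to_HQ-1'
2022-01-22 23:16:31Z 18[IKE] initiating IKE_SA Wiesham_to_HQ-1[3] to 203.0.113.10
2022-01-22 23:16:31Z 18[NET] sending packet: from 198.51.100.7[500] to 203.0.113.10[500] (464 bytes)
2022-01-22 23:16:35Z 12[IKE] retransmit 1 of request with message ID 0
2022-01-22 23:16:42Z 14[IKE] retransmit 2 of request with message ID 0
2022-01-22 23:16:55Z 09[IKE] retransmit 3 of request with message ID 0
2022-01-22 23:17:18Z 11[IKE] retransmit 4 of request with message ID 0
2022-01-22 23:17:45Z 07[IKE] retransmit 5 of request with message ID 0
2022-01-22 23:18:40Z 07[IKE] giving up after 5 retransmits
2022-01-22 23:18:40Z 07[IKE] establishing IKE_SA failed, peer not responding
"""


def _new_conn():
    return {"initiated": 0, "sent": 0, "received": 0, "retransmits": 0,
            "gave_up": False, "auth_failed": False, "established": False}


def verdict(c):
    """Turn the counters for one connection into the next thing to check."""
    if c["established"]:
        return "established"
    if c["auth_failed"]:
        return "peer reachable but authentication failed: check PSK and IKE identities on both sides"
    if c["sent"] and not c["received"]:
        return ("no reply from remote gateway: check that UDP 500/4500 actually reach the peer "
                "(upstream NAT or port forwarding, DoS/IPS rules on the far side)")
    if c["sent"] and c["received"]:
        return "peer answered but the SA did not complete: check proposals and identities"
    return "no IKE packet sent: local configuration or interface problem"


def triage(log_text):
    """Summarise a strongswan.log excerpt: reload noise count plus per-connection state."""
    result = {"noise_lines": 0, "connections": {}}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        msg = LINE_RE.match(line).group("msg")
        if msg.startswith(NOISE_PREFIXES):
            result["noise_lines"] += 1
            continue
        m = INITIATE_RE.match(msg)
        if m:
            current = m.group("name")
            conn = result["connections"].setdefault(current, _new_conn())
            if msg.startswith("initiating"):
                conn["initiated"] += 1
            continue
        if current is None:          # packet lines before any initiate: not attributable
            continue
        conn = result["connections"][current]
        if msg.startswith("sending packet"):
            conn["sent"] += 1
        elif msg.startswith("received packet"):
            conn["received"] += 1
        elif msg.startswith("retransmit "):
            conn["retransmits"] += 1
        elif msg.startswith("giving up after") or "peer not responding" in msg:
            conn["gave_up"] = True
        elif "AUTHENTICATION_FAILED" in msg:
            conn["auth_failed"] = True
        elif " established between " in msg:
            conn["established"] = True
    for conn in result["connections"].values():
        conn["verdict"] = verdict(conn)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against `tail -n 200 /log/strongswan.log` output pasted into SAMPLE_LOG: a connection that shows "sending packet" with no "received packet" and five retransmits has never been answered, which points at the path to the remote gateway rather than at the glob warnings.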



  • Try not to use * (Wildcard) for IPsec Site to Site connections. 

    Use a DDNS / Fixed IP as remote gateway. 

    __________________________________________________________________________________________________________________

  • Hey guys,

    thanks a lot for your feedback. I followed your instructions.
    I created a new preshared key and made sure it is the same on both sides. Furthermore, I followed the instructions step by step in the linked article.

    As far as I understand, ports 500 and 4500 are open, although I don't see any connection.

    I'm also using a fixed IP as remote gateway.

    However I'm still getting the same results.

    This is the output of tail -f /log/strongswan.log on the branch office side:

    Is it ok that there are *.conf files found?

    I don't see any hint that the XG is trying to establish a connection. To me it seems that it even stops before building the connection because of a missing configuration. Am I understanding this wrong?

    Thanks,

    Gernot

  • Hi Gernot

    please share logs on

    Go to SSH, select option 4 and execute the command below:

     tcpdump 'port 500 or 4500'

    Further, please share a snapshot of PROTECT -> Intrusion prevention -> DoS attack settings.

    Log on to the CLI console via Telnet or SSH. You can also access the CLI console by clicking the Console button in the upper right corner of the Web Admin Console screen.

    Note: From firmware version 10.6.1 onwards, the Console button is visible to the Super Administrator ONLY.

    1. From the Main Menu, choose Option 6. VPN Management.

    2. From the VPN Management Menu, choose Option 2 - Restart VPN Service. Type y and press Enter.

    The above restarts the VPN service.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    this is what I get for tcpdump 'port 500 or 4500':

    console> tcpdump 'port 500 or 4500'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    Here are the intrusion prevention settings:

    Best Regards,
    Gernot

  • Hi Gernot 

    Please navigate to Configure -> Network -> Interfaces

    and share a snapshot so I can assist you.


  • Hi Bharat,

    please see the settings:

  • Thanks a lot Bharat for discussing this via chat and screensharing!

    For those who might be interested in the cause of this issue:
    The issue is that the headquarters XG is behind a FritzBox acting as modem. The problem is that my static public IP is assigned to the FritzBox and the XG has a local IP. Therefore IPsec is not working.

    Since the reason seems to be found I consider this thread as closed.

    Thanks a lot for all you help!

    Best Regards,
    Gernot
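Gernot's finding, as an added example (not from the post and not Sophos code): a small placement check that, given each site's WAN interface address and the address the other side dials, reports whether a site sits behind an upstream NAT device (here the FritzBox holding the static public IP), which side needs UDP 500/4500 forwarded to the firewall, and that NAT traversal is then mandatory. Site names and addresses are constructed. The RFC 1918 and CGNAT ranges are checked explicitly rather than with ipaddress.is_private, because that property also flags the documentation ranges used in the sample. The remark about IKE identities is a general strongSwan caveat (its default identity is the interface address), not something the thread itself discusses.

```python
import ipaddress

# Ranges that mean "there is a NAT device between this interface and the Internet":
# RFC 1918 plus CGNAT (RFC 6598).  Checked explicitly rather than via
# ipaddress.is_private, which would also flag the 198.51.100.0/24 and
# 203.0.113.0/24 documentation addresses used in the sample below.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
IKE_UDP_PORTS = (500, 4500)   # IKE and NAT-T, the two ports the thread confirms are open


def behind_nat(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in NAT_RANGES)


def site(name, wan_ip, peer_dials):
    """Describe one endpoint.  wan_ip is the address on the firewall's WAN interface;
    peer_dials is the remote-gateway address the OTHER side was configured with."""
    natted = behind_nat(wan_ip)
    return {
        "name": name, "wan_ip": wan_ip, "peer_dials": peer_dials,
        "behind_nat": natted,
        # Public address on the box, but the peer dials something else: plain misconfiguration.
        "misconfigured": (not natted)
                         and ipaddress.ip_address(peer_dials) != ipaddress.ip_address(wan_ip),
    }


def plan(initiator, responder):
    """initiator/responder are (name, wan_ip, peer_dials) tuples.  Returns what has to be
    true on the upstream routers for IKE from initiator to responder to work."""
    ini, rsp = site(*initiator), site(*responder)
    forwards, notes = [], []
    if rsp["behind_nat"]:
        # A responder behind NAT only ever sees inbound IKE if the router forwards it.
        forwards = [("udp", p, rsp["wan_ip"]) for p in IKE_UDP_PORTS]
        notes.append(f"{rsp['name']}: {rsp['peer_dials']} belongs to the upstream router; "
                     f"forward UDP 500 and 4500 to {rsp['wan_ip']}")
    if ini["behind_nat"]:
        # An initiator behind NAT needs no forwarding: its outbound IKE creates the NAT state.
        notes.append(f"{ini['name']}: initiator behind NAT, no port forwarding needed")
    nat_t = ini["behind_nat"] or rsp["behind_nat"]
    if nat_t:
        notes.append("NAT-T required: ESP must be UDP-encapsulated on 4500; "
                     "plain ESP (IP protocol 50) will not pass the NAT")
        notes.append("set explicit IKE identities on the NATed side; an identity that "
                     "defaults to the interface address would be the private one")
    for s in (ini, rsp):
        if s["misconfigured"]:
            notes.append(f"{s['name']}: holds public {s['wan_ip']} but the peer dials "
                         f"{s['peer_dials']}; fix the remote gateway setting")
    return {"nat_t_required": nat_t, "port_forwards": forwards, "notes": notes}


if __name__ == "__main__":
    # Constructed to mirror the thread: the branch office (public WAN address) initiates
    # to HQ, whose XG sits behind a FritzBox that holds the static public address.
    branch = ("Branch", "198.51.100.7", "198.51.100.7")
    hq = ("HQ", "192.168.178.2", "203.0.113.10")
    for line in plan(branch, hq)["notes"]:
        print(line)
```

Feed it the WAN address from Configure -> Network -> Interfaces on each firewall and the remote gateway address configured on the other side; if the two differ and the WAN address is an RFC 1918 one, the tcpdump on that box will stay silent until the router in front of it forwards UDP 500/4500.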

  • Hi Gernot 

    For security reasons, please delete the shared snapshots and logs.

    thanks

