Sophos XG IPSec Remote Access <-> NCP Secure Entry Client

Hello,

In the last weeks I have been trying to connect our NCP Secure Entry Clients to the Remote Access VPN (IPsec) of our XGs.

Connection via Sophos Connect Client is successful, but we need to use both - Sophos Connect for internal users and NCP for an external user. I don't want to build a separate IPsec legacy VPN because I think OTP is not working there.

We checked all values in Phase 1 and Phase 2, these are 100% correct. I think the problem is that I cannot set any Peer-ID in NCP Secure Client.

When Sophos Connect Client is connected, the Peer-ID (Remote IKE-ID) is shown as 192.168.0.5 (the IPv4 address of the WAN interface). As local ID, the local IPv4 address of the client's network interface is used.

Has anyone successfully built an IPsec connection to an XG (19.0) with NCP Secure Client and can help me with the configuration? Unfortunately, NCP Support also found no solution.

Log of the strongSWAN daemon (client public IP anonymized):

2022-06-27 05:18:55Z 05[NET] <129> received packet: from 5.147.223.xxx[10952] to 192.168.0.5[500] (364 bytes)
2022-06-27 05:18:55Z 05[ENC] <129> parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
2022-06-27 05:18:55Z 05[ENC] <129> received unknown vendor ID: da:8e:93:78:80:01:00:00
2022-06-27 05:18:55Z 05[IKE] <129> received XAuth vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received NAT-T (RFC 3947) vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received DPD vendor ID
2022-06-27 05:18:55Z 05[ENC] <129> received unknown vendor ID: eb:4c:1b:78:8a:fd:4a:9c:b7:73:0a:68:d5:6d:08:8b
2022-06-27 05:18:55Z 05[ENC] <129> received unknown vendor ID: c6:1b:ac:a1:f1:a6:0c:c1:08:00:00:00:00:00:00:00
2022-06-27 05:18:55Z 05[IKE] <129> received FRAGMENTATION vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> received Cisco Unity vendor ID
2022-06-27 05:18:55Z 05[IKE] <129> 5.147.223.xxx is initiating a Main Mode IKE_SA
2022-06-27 05:18:55Z 05[ENC] <129> generating ID_PROT response 0 [ SA V V V V V ]
2022-06-27 05:18:55Z 05[NET] <129> sending packet: from 192.168.0.5[500] to 5.147.223.163[10952] (180 bytes)
2022-06-27 05:18:55Z 28[NET] <129> received packet: from 5.147.223.xxx[10952] to 192.168.0.5[500] (344 bytes)
2022-06-27 05:18:55Z 28[ENC] <129> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2022-06-27 05:18:55Z 28[IKE] <129> local host is behind NAT, sending keep alives
2022-06-27 05:18:55Z 28[IKE] <129> remote host is behind NAT
2022-06-27 05:18:55Z 28[ENC] <129> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2022-06-27 05:18:55Z 28[NET] <129> sending packet: from 192.168.0.5[500] to 5.147.223.163[10952] (336 bytes)
2022-06-27 05:18:55Z 11[NET] <129> received packet: from 5.147.223.xxx[10954] to 192.168.0.5[4500] (140 bytes)
2022-06-27 05:18:55Z 11[ENC] <129> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
2022-06-27 05:18:55Z 11[CFG] <129> looking for HybridInitRSA peer configs matching 192.168.0.5...5.147.223.xxx[]
2022-06-27 05:18:55Z 11[IKE] <129> found 1 matching config, but none allows HybridInitRSA authentication using Main Mode
2022-06-27 05:18:55Z 11[ENC] <129> generating INFORMATIONAL_V1 request 514859236 [ HASH N(AUTH_FAILED) ]
2022-06-27 05:18:55Z 11[NET] <129> sending packet: from 192.168.0.5[4500] to 5.147.223.163[10954] (140 bytes)
2022-06-27 05:19:05Z 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (B2AB2514) from the remote gateway.
2022-06-27 05:19:09Z 25[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (B2AB2514) from the remote gateway.
2022-06-27 05:19:13Z 05[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (B2AB2514) from the remote gateway.
2022-06-27 05:19:17Z 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (B2AB2514) from the remote gateway.