
Can't get IPsec Site-to-Site Tunnel with NAT to work

Hello everyone,
I can't get an IPsec NAT Site-to-Site tunnel to work. I get
"IKE message (9C0134C0) retransmission to VPN.GATEWAY.ADRESSE.HERE timed out. Check if the remote gateway is reachable."
(I can ping it)

We have the following:

I try to establish an IPsec Site-to-Site tunnel across the globe. It needs to be NATed, since our local net is already in use at the destination.
We've decided that we use 192.168.16.0/24 for our side.

The XG on our side does not have a direct internet connection; it is connected to the ISP's router.



LOCAL Network: 192.168.0.0 / 24
LOCAL NAT: 192.168.16.0 /24
REMOTE NAT: 172.19.48.0 / 23
Remote Gateway: 1.2.3.4 (obviously not going to post it here)
Sophos Port 2 (WAN) internal IP: say 192.168.178.23 (I chose a random number for the discussion)
The admin also provided me with the internal IP of their router: let's say 192.168.230.1

I configured the IPsec policy according to the admin's criteria. (We are going to be the initiator.)

in VPN / site-to-site I configured:

The ikev2 Profile with pre shared key

Listening device is Port 2 (where the ISP router is connected) (the firewall on the router is configured with 500, 4500, 1500 UDP)
Typed in the gateway address
"local id" is set to default (already tried the actual IP address as well as 0.0.0.0)
"remote id" is set to the internal IP address 192.168.230.1

Under "local subnet" I set the "local NAT" 192.168.16.0
"remote subnet" is 172.19.48.0

I ticked the NAT box and set the "original subnet" to 192.168.0.0

and created an automated firewall.

Since the firewall log doesn't show anything, I assume I need to set up some sort of SNAT / DNAT rule to route, but since I do setups like this only about once a year....


I would be glad if anyone could help :-)
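A small consistency check for the NAT'd selector plan described in this post, added here as an example (it is not Sophos code and not from the thread); the subnets are the placeholder values given above, and the 1:1 mapping assumption is the one implied by ticking the NAT box with an "original subnet" of the same size.

```python
import ipaddress

# Placeholder values taken from the post above (not real addresses).
LOCAL_ORIGINAL = "192.168.0.0/24"   # real LAN behind the XG ("original subnet")
LOCAL_NAT = "192.168.16.0/24"       # what the remote peer sees ("local subnet")
REMOTE_SUBNET = "172.19.48.0/23"    # "remote subnet" in the policy


def translate(host, original=LOCAL_ORIGINAL, nat=LOCAL_NAT):
    """Return the 1:1 NAT address the remote peer sees for a local host."""
    o = ipaddress.ip_network(original)
    n = ipaddress.ip_network(nat)
    h = ipaddress.ip_address(host)
    if o.prefixlen != n.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if h not in o:
        raise ValueError(f"{h} is not in {o}")
    offset = int(h) - int(o.network_address)   # host part is preserved
    return ipaddress.ip_address(int(n.network_address) + offset)


def check_tunnel_plan(original=LOCAL_ORIGINAL, nat=LOCAL_NAT, remote=REMOTE_SUBNET):
    """Return a list of problems with the selector plan; empty means consistent."""
    o = ipaddress.ip_network(original)
    n = ipaddress.ip_network(nat)
    r = ipaddress.ip_network(remote)
    problems = []
    if o.prefixlen != n.prefixlen:
        problems.append(f"prefix length mismatch: {o} vs {n}")
    if n.overlaps(r):
        problems.append(f"NAT subnet {n} overlaps remote subnet {r}")
    if n.overlaps(o):
        problems.append(f"NAT subnet {n} overlaps original subnet {o}")
    return problems


def expected_selectors(nat=LOCAL_NAT, remote=REMOTE_SUBNET):
    """Traffic selectors each side negotiates; the peer's pair must mirror ours."""
    return {
        "our side": (nat, remote),     # local = NAT subnet, remote = peer subnet
        "their side": (remote, nat),   # their 'remote subnet' is our NAT subnet
    }


if __name__ == "__main__":
    print(translate("192.168.0.50"))          # 192.168.16.50
    print(check_tunnel_plan() or "plan OK")
    print(expected_selectors())
```

Note that the remote peer never sees 192.168.0.0/24: its policy must list 192.168.16.0/24 as the remote subnet, otherwise the selectors do not match.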




  • Hi Rene Böhres

    Hope you have referred to Sophos Firewall: IPsec troubleshooting and most common errors:

    https://support.sophos.com/support/s/article/KB-000038566?language=en_US 

    Thanks and Regards

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • That response was not very helpful since I already stated that I can not connect to the VPN Gateway and I suspect routing issues on my side.
    The Sophos articles in the knowledgebase about IPsec with NAT and SNAT / DNAT did not help me to solve the problem.
    The Firewall does not even log anything with the destination address.
    That's why I posted all the networks that were created.

    Here are the log entries again:

    Remote gateway didn't respond to the initial message 944. Check if the remote gateway is reachable
    IKE message (8000B420) retransmission to GATEWAY_ADRESS timed out. Check if the remote gateway is reachable.
  • Hi Rene Böhres

    We might require more details to investigate the issue 

    Please post the current tunnel status on Sophos Firewall with the tunnel settings and the VPN policy configured, as well as the configuration on the remote end router with its existing configuration and the VPN policy used.

    Please make sure you have forwarded the private WAN IP of Sophos Firewall on the upstream router.

    Suspecting an issue with the configuration from the remote end router.

    Thanks and Regards

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I have written some E-Mails with the administrator of the remote gateway.
    His Firewall rejects the connection.
    The Reason is: (log of his gateway)
    "Unkown IKv2 negotiation aborted due to ERROR: Recieved no proposal chosen notifiy"
    I sent him screenshots with our IPSEC settings and he confirmed that our settings match the settings on his gateway.
    I googled this issue a lot and it comes up A LOT with sophos connections.
    I would guess that some setting on our side causes this problem.
    Dead Peer Detection is deactivated, since I read that it causes a lot of problems.