Hello everyone,
I can't get an IPsec NAT site-to-site tunnel to work. I get:
"IKE message (9C0134C0) retransmission to VPN.GATEWAY.ADRESSE.HERE timed out. Check if the remote gateway is reachable."
(I can ping it.)
We have the following: I try to establish an IPsec site-to-site tunnel across the globe. It needs to be NAT'ed, since our local net is already in use at the destination. We've decided that we use 192.168.16.0/24 for our side. The XG on our side does not have a direct internet connection; it is connected to the ISP's router.
LOCAL Network: 192.168.0.0/24
LOCAL NAT: 192.168.16.0/24
REMOTE NAT: 172.19.48.0/23
Remote Gateway: 1.2.3.4 (obviously not going to post it here)
Sophos Port 2 (WAN) internal IP: say 192.168.178.23 (I chose a random number for the discussion)
The admin also provided me with the internal IP of their router: let's say 192.168.230.1
I configured the IPsec policy according to the admin's criteria. (We are going to be the initiator.)
In VPN / site-to-site I configured:
the IKEv2 profile with pre-shared key
listening device is Port 2 (where the ISP router is connected) (the firewall on the router is configured with 500, 4500, 1500 UDP)
typed in the gateway address
"local id" is set to default (already tried the actual IP address as well as 0.0.0.0)
"remote id" is set to the internal IP address 192.168.230.1
under "local subnet" I set the "local NAT" 192.168.16.0
"remote subnet" is 172.19.48.0
I ticked the NAT box and set the "original subnet" to 192.168.0.0
and created an automated firewall rule.
Since the firewall log doesn't show anything, I assume I need to set up some sort of SNAT / DNAT rule to route, but since I do setups like this only like once a year.... I would be glad if anyone could help :-)
Hi Rene Böhres
I hope you have referred to Sophos Firewall: IPsec troubleshooting and most common errors:
https://support.sophos.com/support/s/article/KB-000038566?language=en_US
Thanks and Regards
"Sophos Partner: Infrassist Technologies Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
That response was not very helpful, since I already stated that I cannot connect to the VPN gateway and I suspect routing issues on my side. The Sophos articles in the knowledgebase about IPsec with NAT and SNAT / DNAT did not help me to solve the problem. The firewall does not even log anything with the destination address. That's why I posted all the networks that were created.
Here are the log entries again:
We might require more details to investigate the issue
Please post the current tunnel status on the Sophos Firewall with the tunnel settings and the VPN policy configured, as well as the configuration done on the remote end router with its existing configuration and the VPN policy used.
Please make sure you have forwarded the private WAN IP of Sophos Firewall on the upstream router.
Suspecting an issue with the configuration from the remote end router.
I have written some e-mails with the administrator of the remote gateway. His firewall rejects the connection. The reason is (log of his gateway):
"Unkown IKv2 negotiation aborted due to ERROR: Recieved no proposal chosen notifiy"
I sent him screenshots with our IPsec settings and he confirmed that our settings match the settings on his gateway. I googled this issue a lot and it comes up A LOT with Sophos connections. I would guess that some setting on our side causes this problem. Dead Peer Detection is deactivated, since I read that it causes a lot of problems.
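As an added example that is not part of the thread or of any Sophos tooling, the following Python checks the two things the posts revolve around: whether the original subnet really collides with the remote site (so 1:1 NAT is needed) and whether the chosen NAT subnets fit together, and whether two IKEv2 proposal sets share at least one algorithm for every transform type, which is what a "no proposal chosen" reply means. The subnet values are the ones posted above; the proposal contents are constructed for illustration.

```python
# Added example, not from the thread: consistency checks for a NAT'ed IPsec
# site-to-site plan and for IKEv2 proposal overlap. Subnets are the ones the
# poster listed; the proposal sets at the bottom are constructed samples.
import ipaddress
from typing import Dict, List, Set


def nat_required(original: str, remote_site_subnets: List[str]) -> bool:
    """True when our real subnet collides with anything in use at the remote site."""
    o = ipaddress.ip_network(original)
    return any(o.overlaps(ipaddress.ip_network(s)) for s in remote_site_subnets)


def nat_plan_issues(original: str, local_nat: str, remote: str) -> List[str]:
    """Problems with the 1:1 NAT plan; an empty list means the three subnets fit."""
    o, l, r = (ipaddress.ip_network(x) for x in (original, local_nat, remote))
    issues = []
    if l.overlaps(r):
        issues.append(f"local NAT {l} overlaps remote subnet {r}")
    if l.overlaps(o):
        issues.append(f"local NAT {l} overlaps the original subnet {o}")
    if l.num_addresses != o.num_addresses:
        issues.append(f"local NAT {l} and original {o} differ in size; 1:1 mapping is ambiguous")
    return issues


TRANSFORMS = ("encryption", "integrity", "dh_group", "prf")


def common_proposal(initiator: Dict[str, Set[str]], responder: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per-transform intersection. An IKEv2 responder answers NO_PROPOSAL_CHOSEN when
    any transform type has no common algorithm, even if all the others match."""
    return {t: initiator.get(t, set()) & responder.get(t, set()) for t in TRANSFORMS}


def proposal_mismatches(initiator: Dict[str, Set[str]], responder: Dict[str, Set[str]]) -> List[str]:
    """Transform types with nothing in common: the settings to compare with the remote admin first."""
    return [t for t, algs in common_proposal(initiator, responder).items() if not algs]


# Constructed sample proposals: everything matches except the DH group.
OUR_PROPOSAL = {"encryption": {"aes256"}, "integrity": {"sha256"}, "dh_group": {"14"}, "prf": {"sha256"}}
REMOTE_PROPOSAL = {"encryption": {"aes256", "aes128"}, "integrity": {"sha256"}, "dh_group": {"19", "20"}, "prf": {"sha256"}}

if __name__ == "__main__":
    print("NAT required:", nat_required("192.168.0.0/24", ["192.168.0.0/24", "172.19.48.0/23"]))
    print("NAT plan issues:", nat_plan_issues("192.168.0.0/24", "192.168.16.0/24", "172.19.48.0/23"))
    print("Transforms with no common algorithm:", proposal_mismatches(OUR_PROPOSAL, REMOTE_PROPOSAL))
```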