
Sophos XG to Cisco ASA Site to site phase 2 issue

Can anyone help me get my site-to-site VPN up between an XGS116 and a Cisco ASA5506?

I am pretty sure it's an issue with phase 2, as I can see the VPN in the Cisco ASDM VPN monitoring, but it looks like it's showing phase 1 and not phase 2. Also, the Sophos log is showing an issue with the phase 2 policy, although the log message makes no sense to me.

The part that doesn't make sense is all those things listed. I don't have them selected on the Sophos or the Cisco.

This is what I have on the Sophos:

And this is what I have on the Cisco:

So what doesn't make sense to me is why the Sophos error log is showing loads of encryption algorithms when I haven't got them selected anywhere, so it's not helping me work out why phase 2 isn't working.

If anyone could help me sort this it would be appreciated.

For extra info, this is what the Cisco shows in VPN monitoring:



  • Hi, thanks. Yes, that's the guide I first followed, and I have been through the troubleshooting guide as well.

  • Hi,

    Can you share a screenshot of your phase 2 configuration on your Sophos and Cisco?

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Both screenshots are in my original post.

    cheers

  • Hi,

    Were you able to fix this? I ran into the same issue.

    cheers

  • Hi PeteH,

    Also, kindly share the following output:

    • sh run crypto ikev2
    • sh crypto ikev2 proposal

    and re-check the following guidelines for phase 2 in your Cisco configuration:

    • Check the proposal encryption algorithm, authentication algorithm or hash, and lifetime.
    • Check that the VPN encryption domains (local and remote subnets) are identical.
    • Check that the correct ACL is bound to the crypto map.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Torsten. No, not working yet.

  • Result of the command "sh run crypto ikev2":

    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 14400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable WAN

    "sh crypto ikev2 proposal" gives an invalid command error.

    This is the ACL and crypto map:

    access-list WAN_cryptomap_3 extended permit ip object PWDHC object ValkyrsLAN 
    crypto map IPSEC 5 match address WAN_cryptomap_3
    crypto map IPSEC 5 set peer x.x.x.x.
    crypto map IPSEC 5 set ikev2 ipsec-proposal AES256 3DES AES AES192 DES
    crypto map IPSEC 5 set security-association lifetime seconds 3600

    Also got this from "sh crypto ikev2 sa":

    IKEv2 SAs:

    Session-id:48370, Status:UP-IDLE, IKE count:1, CHILD count:0

    Tunnel-id   Local          Remote         Status   Role
    2540911775  x.x.x.x/500    x.x.x.x/500    READY    RESPONDER
          Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 14400/10563 sec

    What do you mean by this bit?

    • Check that the VPN encryption domains (local and remote subnets) are identical.

    Cheers