
Unable to connect Digibox/Bintec Router to Sophos XG via IPsec

Hello,

I'm unable to connect a Telekom Digibox (branded Bintec Router) to a Sophos XG via IPsec VPN.

charon.log of the Sophos Firewall:

2024-02-16 12:26:17Z 28[NET] <9> received packet: from <branch ip>[500] to <head ip>[500] (512 bytes)
2024-02-16 12:26:17Z 28[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:17Z 28[IKE] <9> <branch ip> is initiating an IKE_SA
2024-02-16 12:26:17Z 28[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2024-02-16 12:26:17Z 28[NET] <9> sending packet: from <head ip>[500] to <branch ip>[500] (440 bytes)
2024-02-16 12:26:17Z 30[NET] <9> received packet: from <branch ip>[500] to <head ip>[500] (512 bytes)
2024-02-16 12:26:17Z 30[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:17Z 30[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:17Z 30[NET] <9> sending packet: from <head ip>[500] to <branch ip>[500] (440 bytes)
2024-02-16 12:26:18Z 14[NET] <9> received packet: from <branch ip>[500] to <head ip>[500] (512 bytes)
2024-02-16 12:26:18Z 14[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:18Z 14[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:18Z 14[NET] <9> sending packet: from <head ip>[500] to <branch ip>[500] (440 bytes)
2024-02-16 12:26:20Z 21[NET] <9> received packet: from <branch ip>[500] to <head ip>[500] (512 bytes)
2024-02-16 12:26:20Z 21[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:20Z 21[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:20Z 21[NET] <9> sending packet: from <head ip>[500] to <branch ip>[500] (440 bytes)
2024-02-16 12:26:24Z 22[NET] <9> received packet: from <branch ip>[500] to <head ip>[500] (512 bytes)
2024-02-16 12:26:24Z 22[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:24Z 22[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:24Z 22[NET] <9> sending packet: from <head ip>[500] to <branch ip>[500] (440 bytes)
2024-02-16 12:26:27Z 08[JOB] <7> deleting half open IKE_SA with <branch ip> after timeout
2024-02-16 12:26:27Z 08[DMN] <7> [GARNER-LOGGING] (child_alert) ALERT: Couldn't establish IKE SA: Timed out. Remote gateway aborted the IKE exchange or the message was lost. Check the remote device logs.
2024-02-16 12:26:57Z 03[JOB] <8> deleting half open IKE_SA with <head ip> after timeout
2024-02-16 12:26:57Z 03[DMN] <8> [GARNER-LOGGING] (child_alert) ALERT: Couldn't establish IKE SA: Timed out. Remote gateway aborted the IKE exchange or the message was lost. Check the remote device logs.
2024-02-16 12:27:27Z 26[JOB] <9> deleting half open IKE_SA with <head ip> after timeout
2024-02-16 12:27:27Z 26[DMN] <9> [GARNER-LOGGING] (child_alert) ALERT: Couldn't establish IKE SA: Timed out. Remote gateway aborted the IKE exchange or the message was lost. Check the remote device logs.

Log of the Digibox:

2024-02-16	13:32:13	Information	IPSec	IKE_SA: peer 1 (<connection name>) sa 97 (I): delete ip <branch name> -> ip <head name>: Blocked
2024-02-16	13:32:13	Information	IPSec	IKE_SA: peer 1 (<connection name>) sa 0 (-): blocked for 15 seconds
2024-02-16	13:32:13	Information	IPSec	IKE_SA: peer 1 (<connection name>) sa 97 (I): failed id No Id -> ip <head name> ((null))
2024-02-16	13:32:13	Information	IPSec	Destroy Bundle 97 (Peer 1 Traffic -1)
2024-02-16	13:32:13	Information	IPSec	CHILD_SA: peer 1 (<connection name>) bundle 97 (I): deleted (0), Pkts: 0/0 Hb: 0/0 Bytes: 0(0)/0(0) rekeyed by 0
2024-02-16	13:31:58	Information	IPSec	CHILD_SA: peer 1 (<connection name>) traf 0 bundle 97 (I): created 0.0.0.0/0:0 < any > 0.0.0.0/0:0 rekeyed 0
2024-02-16	13:26:33	Information	IPSec	IKE_SA: peer 1 (<connection name>) sa 0 (-): reactivated

I replaced the IP addresses with <head ip> and <branch ip>, where Sophos is the head and the Digibox the branch. The logs are not perfectly time-aligned, but those entries repeat the whole time.

Local and Remote ID are set to the corresponding public IP addresses, both devices have a WAN interface which holds the public IP.

Does anyone have an idea what to check first?
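As an added example that is not part of the original post (and not code from Sophos, Bintec or strongSwan): the charon.log above shows the responder parsing IKE_SA_INIT request 0, sending a response, and then seeing the same request retransmitted until the half-open SA is deleted. In strongSwan terms that pattern means the initiator never received the IKE_SA_INIT response, which points at the return path for UDP/500 rather than at a proposal or authentication problem (those produce different log lines). The small classifier below groups charon lines by IKE_SA id and reports which of those cases a trace matches. The sample log is constructed to mirror the post, using documentation addresses (203.0.113.10 as the branch/initiator, 198.51.100.20 as the head/responder) and a second, hypothetical SA <10> that fails with NO_PROPOSAL_CHOSEN for contrast.

```python
"""Classify a stalled IKEv2 negotiation from strongSwan charon.log lines.

Added example; the log lines in SAMPLE_LOG are constructed, not captured.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# charon line layout: "<date> <time> <thread>[<group>] <<sa-id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$"
)

# Categories returned by diagnose()
RESPONSE_LOST = "response_lost"          # our IKE_SA_INIT reply never reaches the peer
PROPOSAL_MISMATCH = "proposal_mismatch"  # NO_PROPOSAL_CHOSEN sent during IKE_SA_INIT
AUTH_STAGE = "auth_stage"                # IKE_SA_INIT completed, failure is in IKE_AUTH
NO_RESPONSE = "no_response"              # request parsed but no response generated
INCONCLUSIVE = "inconclusive"

HINTS = {
    RESPONSE_LOST: "peer keeps retransmitting IKE_SA_INIT request 0 although a response was "
                   "sent: check the return path for UDP/500 (and UDP/4500), upstream filtering "
                   "and NAT on the branch side; the peer's own log will only show timeouts",
    PROPOSAL_MISMATCH: "compare IKE (phase 1) encryption, integrity, PRF and DH group on both sides",
    AUTH_STAGE: "IKE_SA_INIT succeeded; look at local/remote IDs, PSK or certificate and CHILD_SA selectors",
    NO_RESPONSE: "request parsed but no response generated; check the local connection config",
    INCONCLUSIVE: "not enough IKE_SA_INIT lines to classify",
}


@dataclass
class SaTrace:
    peer: str = ""
    init_requests: int = 0
    init_responses: int = 0
    retransmits: int = 0
    auth_seen: bool = False
    timed_out: bool = False
    no_proposal: bool = False


def parse(lines):
    """Group charon lines by IKE_SA id and count the events we care about."""
    traces = defaultdict(SaTrace)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-charon line (e.g. a GARNER-LOGGING alert without an SA id)
        t, msg = traces[m["sa"]], m["msg"]
        peer = re.match(r"(\S+) is initiating an IKE_SA", msg)
        if peer:
            t.peer = peer.group(1)
        elif "parsed IKE_SA_INIT request" in msg:
            t.init_requests += 1
        elif "generating IKE_SA_INIT response" in msg:
            t.init_responses += 1
        elif "received retransmit of request with ID 0" in msg:
            t.retransmits += 1
        elif "IKE_AUTH" in msg:
            t.auth_seen = True
        elif "deleting half open IKE_SA" in msg:
            t.timed_out = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            t.no_proposal = True
    return dict(traces)


def diagnose(t: SaTrace) -> str:
    """Order matters: an explicit failure message beats the timeout heuristic."""
    if t.no_proposal:
        return PROPOSAL_MISMATCH
    if t.auth_seen:
        return AUTH_STAGE
    if t.init_responses and t.retransmits and t.timed_out:
        return RESPONSE_LOST
    if t.init_requests and not t.init_responses:
        return NO_RESPONSE
    return INCONCLUSIVE


# Constructed sample: SA <9> mirrors the post, SA <10> is a hypothetical proposal mismatch.
SAMPLE_LOG = """\
2024-02-16 12:26:17Z 28[NET] <9> received packet: from 203.0.113.10[500] to 198.51.100.20[500] (512 bytes)
2024-02-16 12:26:17Z 28[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:17Z 28[IKE] <9> 203.0.113.10 is initiating an IKE_SA
2024-02-16 12:26:17Z 28[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2024-02-16 12:26:17Z 28[NET] <9> sending packet: from 198.51.100.20[500] to 203.0.113.10[500] (440 bytes)
2024-02-16 12:26:17Z 30[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:17Z 30[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:18Z 14[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(REDIR_SUP) ]
2024-02-16 12:26:18Z 14[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:20Z 21[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:26:24Z 22[IKE] <9> received retransmit of request with ID 0, retransmitting response
2024-02-16 12:27:27Z 26[JOB] <9> deleting half open IKE_SA with 203.0.113.10 after timeout
2024-02-16 12:30:01Z 12[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2024-02-16 12:30:01Z 12[IKE] <10> 203.0.113.11 is initiating an IKE_SA
2024-02-16 12:30:01Z 12[IKE] <10> no matching proposal found, sending NO_PROPOSAL_CHOSEN
2024-02-16 12:30:01Z 12[ENC] <10> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

TRACES = parse(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for sa_id, t in TRACES.items():
        cat = diagnose(t)
        print(f"IKE_SA <{sa_id}> peer={t.peer or '?'} retransmits={t.retransmits}: {cat}")
        print(f"  -> {HINTS[cat]}")
```

Run it against a real charon.log with `parse(open("charon.log"))` after replacing the sample. The RESPONSE_LOST rule deliberately requires all three signals (a response was generated, the peer retransmitted request 0, and the half-open SA timed out), so a single lost packet that recovers on the next retransmit is not reported as a path problem.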