

Site-to-Site VPN Issues

I am testing a new XGS 136 (SFOS 20.0.0 GA-Build222) offsite to replace an onsite XG 135 (SFOS 19.0.2 MR-2-Build472). The backup of the XG 135 was used to setup the XGS 136.

We have never used the IPsec Site-to-Site connection before but may have a use for it further down the line. Therefore, before I put the new unit into production I thought I would take the opportunity to test the Site-to-Site feature. However, I cannot initiate the connection. Here are the settings that I have (note that the local and remote ID are the same email address on both ends).

Head Office Settings on XG 135

Branch Office Settings

I can successfully activate both ends of the connection.

However, when I try to connect on either end, I get the following error.

I checked /log/strongswan.log on the branch end and got the following "KE payload missing in message" and UNSUPPORTED_CRITICAL_PAYLOAD errors:

2024-04-10 07:55:02Z 06[CFG] vici initiate 'Test-1'
2024-04-10 07:55:02Z 15[IKE] <Test-1|55> ### queue_child invoking quick_mode_create
2024-04-10 07:55:02Z 15[IKE] <Test-1|55> ### quick_mode_create: 0x7fe3a4002650 config 0x7fe3bc0038c0
2024-04-10 07:55:02Z 15[IKE] <Test-1|55> initiating Main Mode IKE_SA Test-1[55] to HEAD_OFFICE_IP_ADDRESS
2024-04-10 07:55:02Z 15[ENC] <Test-1|55> generating ID_PROT request 0 [ SA V V V V V V ]
2024-04-10 07:55:02Z 15[NET] <Test-1|55> sending packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (548 bytes)
2024-04-10 07:55:02Z 17[NET] <56> received packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (548 bytes)
2024-04-10 07:55:02Z 17[ENC] <56> parsed ID_PROT request 0 [ SA V V V V V V ]
2024-04-10 07:55:02Z 17[IKE] <56> received XAuth vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> received DPD vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> received Cisco Unity vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> received FRAGMENTATION vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> received NAT-T (RFC 3947) vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2024-04-10 07:55:02Z 17[IKE] <56> BRANCH_IP_ADDRESS is initiating a Main Mode IKE_SA
2024-04-10 07:55:02Z 17[ENC] <56> generating ID_PROT response 0 [ SA V V V V V ]
2024-04-10 07:55:02Z 17[NET] <56> sending packet: from HEAD_OFFICE_IP_ADDRESS[500] to BRANCH_IP_ADDRESS[500] (180 bytes)
2024-04-10 07:55:02Z 16[NET] <56> received packet: from HEAD_OFFICE_IP_ADDRESS[500] to BRANCH_IP_ADDRESS[500] (180 bytes)
2024-04-10 07:55:02Z 16[ENC] <56> parsed ID_PROT request 0 [ SA V V V V V ]
2024-04-10 07:55:02Z 16[IKE] <56> received XAuth vendor ID
2024-04-10 07:55:02Z 16[IKE] <56> received DPD vendor ID
2024-04-10 07:55:02Z 16[IKE] <56> received Cisco Unity vendor ID
2024-04-10 07:55:02Z 16[IKE] <56> received FRAGMENTATION vendor ID
2024-04-10 07:55:02Z 16[IKE] <56> received NAT-T (RFC 3947) vendor ID
2024-04-10 07:55:02Z 16[IKE] <56> KE payload missing in message
2024-04-10 07:55:02Z 16[ENC] <56> generating INFORMATIONAL_V1 request 102214803 [ N(CRIT) ]
2024-04-10 07:55:02Z 16[NET] <56> sending packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (56 bytes)
2024-04-10 07:55:02Z 27[NET] <Test-1|55> received packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (56 bytes)
2024-04-10 07:55:02Z 27[ENC] <Test-1|55> parsed INFORMATIONAL_V1 request 102214803 [ N(CRIT) ]
2024-04-10 07:55:02Z 27[IKE] <Test-1|55> informational: received UNSUPPORTED_CRITICAL_PAYLOAD error notify
2024-04-10 07:55:02Z 27[IKE] <Test-1|55> ### destroy: 0x7fe3a4002650

Can anyone spot any obvious issues?



  • Hi Vivek,

    I have configured the custom profiles and that seemed to get a bit further.

    Head Office

    Branch Office

    Here is the latest strongswan.log from the branch:

    2024-04-10 09:45:31Z 06[CFG] vici initiate 'Test-1'
    2024-04-10 09:45:31Z 04[IKE] <Test-1|14> initiating IKE_SA Test-1[14] to HEAD_OFFICE_IP_ADDRESS
    2024-04-10 09:45:31Z 04[ENC] <Test-1|14> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2024-04-10 09:45:31Z 04[NET] <Test-1|14> sending packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (858 bytes)
    2024-04-10 09:45:31Z 13[NET] <15> received packet: from BRANCH_IP_ADDRESS[500] to HEAD_OFFICE_IP_ADDRESS[500] (858 bytes)
    2024-04-10 09:45:31Z 13[ENC] <15> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2024-04-10 09:45:31Z 13[IKE] <15> no IKE config found for HEAD_OFFICE_IP_ADDRESS...BRANCH_IP_ADDRESS, sending NO_PROPOSAL_CHOSEN
    2024-04-10 09:45:31Z 13[ENC] <15> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    2024-04-10 09:45:31Z 13[NET] <15> sending packet: from HEAD_OFFICE_IP_ADDRESS[500] to BRANCH_IP_ADDRESS[500] (36 bytes)
    2024-04-10 09:45:31Z 15[NET] <Test-1|14> received packet: from HEAD_OFFICE_IP_ADDRESS[500] to BRANCH_IP_ADDRESS[500] (36 bytes)
    2024-04-10 09:45:31Z 15[ENC] <Test-1|14> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    2024-04-10 09:45:31Z 15[IKE] <Test-1|14> received NO_PROPOSAL_CHOSEN notify error
    2024-04-10 09:45:31Z 15[DMN] <Test-1|14> [GARNER-LOGGING] (child_alert) ALERT: IKE SA proposals don't match. Check the phase 1 policy settings on both devices: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
    2024-04-10 09:45:31Z 15[IKE] <Test-1|14> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
    2024-04-10 09:45:31Z 15[IKE] <Test-1|14> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

  • Based on the logs (NO_PROPOSAL_CHOSEN), it looks like there is a mismatch of proposals during the phase 1 or phase 2 negotiation between the site-to-site VPN peers.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks. What do you think could be the cause of the mismatch? I am sure I made the profiles exactly the same.

  • What about the pre-shared key? Can you double-check that too?


  • I re-entered the pre-shared key at both ends and double-checked that they match. No difference.

  • Does it still show the same error in the strongswan logs?


  • Yes, still the same:

    2024-04-10 13:07:40Z 09[CFG] vici initiate 'Test-1'
    2024-04-10 13:07:40Z 29[IKE] <Test-1|85> initiating IKE_SA Test-1[85] to HEAD_OFFICE_IP
    2024-04-10 13:07:40Z 29[ENC] <Test-1|85> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2024-04-10 13:07:40Z 29[NET] <Test-1|85> sending packet: from BRANCH_OFFICE_IP[500] to HEAD_OFFICE_IP[500] (858 bytes)
    2024-04-10 13:07:40Z 02[NET] <86> received packet: from BRANCH_OFFICE_IP[500] to HEAD_OFFICE_IP[500] (858 bytes)
    2024-04-10 13:07:40Z 02[ENC] <86> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2024-04-10 13:07:40Z 02[IKE] <86> no IKE config found for HEAD_OFFICE_IP...BRANCH_OFFICE_IP, sending NO_PROPOSAL_CHOSEN
    2024-04-10 13:07:40Z 02[ENC] <86> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    2024-04-10 13:07:40Z 02[NET] <86> sending packet: from HEAD_OFFICE_IP[500] to BRANCH_OFFICE_IP[500] (36 bytes)
    2024-04-10 13:07:40Z 06[NET] <Test-1|85> received packet: from HEAD_OFFICE_IP[500] to BRANCH_OFFICE_IP[500] (36 bytes)
    2024-04-10 13:07:40Z 06[ENC] <Test-1|85> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    2024-04-10 13:07:40Z 06[IKE] <Test-1|85> received NO_PROPOSAL_CHOSEN notify error
    2024-04-10 13:07:40Z 06[DMN] <Test-1|85> [GARNER-LOGGING] (child_alert) ALERT: IKE SA proposals don't match. Check the phase 1 policy settings on both devices: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
    2024-04-10 13:07:40Z 06[IKE] <Test-1|85> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
    2024-04-10 13:07:40Z 06[IKE] <Test-1|85> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

  • Hi,

    Based on the logs, if we refer to IPsec troubleshooting and most common errors:

    2024-04-10 13:07:40Z 06[IKE] <Test-1|85> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
    2024-04-10 13:07:40Z 06[IKE] <Test-1|85> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec


    Problem #1
    The problem appears to be a mismatch between Phase 1 acceptable proposals between the two peers.

    Encryption, Authentication, and DH group must match in order for the VPN to come up, peer IP must also match.

    You have to investigate the configuration on both peers and make sure they match the settings. If they match the settings, the remote peer administrator has to investigate the problem on his side, since the remote firewall is refusing the connection.


    Problem #2
    In this case, the negotiation of the Authentication/Encryption algorithms and DH group is completed successfully. However, we failed to authenticate against the remote peer, and the remote peer is reporting this situation back to us.

    The problem here is related to the Peer ID the remote peer expects, for example, it was configured to expect a DNS name but we are sending our IP as Peer ID.

    Remote appliance logs have to be investigated to determine the exact error, but it's likely that a simple comparison between the expected Peer ID on the remote side and the configured Peer ID on our side will bring up the mismatch issue. Configure the Peer ID on the remote or on the local side in order to match.

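Two kinds of failure show up in the strongswan.log excerpts posted in this thread: the first attempt ends with "KE payload missing in message" and an UNSUPPORTED_CRITICAL_PAYLOAD notify, the later attempts with "no IKE config found ..." on the responder and NO_PROPOSAL_CHOSEN plus an SFOS alert line listing the IKE proposals. The script below is an added example, not code from the thread or from Sophos: it parses strongswan log lines into fields, flags those error messages with the check suggested for each in the replies above (AUTHENTICATION_FAILED, the strongswan notify for the Problem #2 case, is included from general strongswan knowledge), and compares the proposal strings from the alert line transform class by transform class, so the class with no common choice (for example the DH group) is reported instead of a bare "proposals don't match". The sample log is constructed from the message patterns in the thread, with RFC 5737 addresses in place of the redacted gateway IPs and shortened proposal lists; the class assignment by token prefix is an assumption that covers the transform names seen on this page.

```python
"""Triage strongswan.log lines and compare IKE proposals transform-by-transform.

Added example, not code from the thread or from Sophos. SAMPLE_LOG is
constructed from the message patterns quoted in the thread: RFC 5737 addresses
stand in for the redacted gateway IPs and the proposal lists are shortened.
"""
import re

# One strongswan log line: "<date> <time>Z <thread>[SUBSYSTEM] <ike-sa> message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z) "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$"
)

# (substring in the message, short label, what to check next). Order matters:
# the first matching entry wins, so the responder's "no IKE config found ...,
# sending NO_PROPOSAL_CHOSEN" line is labelled by its cause, not its symptom.
KNOWN_ERRORS = [
    ("KE payload missing in message", "ikev1-parse",
     "IKEv1 main mode reply carried no key exchange payload; compare IKE version and mode on both ends"),
    ("UNSUPPORTED_CRITICAL_PAYLOAD", "critical-payload",
     "peer rejected a payload it cannot parse; compare IKE version and mode on both ends"),
    ("no IKE config found for", "no-config",
     "responder has no connection matching this local/remote address pair; check the listening interface and gateway address"),
    ("NO_PROPOSAL_CHOSEN", "no-proposal",
     "phase 1 failed; compare encryption, integrity, PRF and DH group on both peers"),
    ("AUTHENTICATION_FAILED", "auth-failed",
     "proposals agreed but authentication did not; compare the PSK and the local/remote IDs"),
]

SAMPLE_LOG = """
2024-04-10 09:45:31Z 04[IKE] <Test-1|14> initiating IKE_SA Test-1[14] to 203.0.113.10
2024-04-10 09:45:31Z 13[IKE] <15> no IKE config found for 203.0.113.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN
2024-04-10 09:45:31Z 15[IKE] <Test-1|14> received NO_PROPOSAL_CHOSEN notify error
2024-04-10 09:45:31Z 15[DMN] <Test-1|14> [GARNER-LOGGING] (child_alert) ALERT: IKE SA proposals don't match. Check the phase 1 policy settings on both devices: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
2024-04-10 07:55:02Z 16[IKE] <56> KE payload missing in message
2024-04-10 07:55:02Z 27[IKE] <Test-1|55> informational: received UNSUPPORTED_CRITICAL_PAYLOAD error notify
"""


def parse_log(text):
    """Parse log lines into dicts (ts, thread, sub, sa, msg); lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(records):
    """Return (timestamp, ike-sa, label, hint) for every record matching a known failure."""
    hits = []
    for rec in records:
        for needle, label, hint in KNOWN_ERRORS:
            if needle in rec["msg"]:
                hits.append((rec["ts"], rec["sa"], label, hint))
                break
    return hits


def first_alert(records):
    """The message text of the first SFOS 'proposals don't match' alert, or None."""
    return next((r["msg"] for r in records if "proposals don't match" in r["msg"]), None)


def transform_class(token):
    """Assumption: classify a strongswan transform name by its prefix (covers the names on this page)."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, and so on


def parse_proposal(text):
    """'IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536' -> {class: set of tokens}."""
    _, _, body = text.partition(":")
    classes = {}
    for token in body.split("/"):
        classes.setdefault(transform_class(token), set()).add(token)
    return classes


def proposals_from_alert(msg):
    """Split the comma-separated proposal strings that follow 'both devices:' in the alert."""
    _, sep, tail = msg.partition("both devices: ")
    return [p.strip() for p in tail.split(",")] if sep else []


def compare(a, b):
    """Per-class intersection of two parsed proposals. An AEAD proposal has no integ class,
    so pairing it with a CBC+HMAC proposal yields an empty integ intersection, as IKE requires."""
    return {cls: a.get(cls, set()) & b.get(cls, set()) for cls in sorted(set(a) | set(b))}


def matches(a, b):
    """True only if every transform class present on either side has a common choice."""
    return all(compare(a, b).values())


def explain_mismatch(alert_msg):
    """For the first proposal in the alert, list the classes with no overlap against each other one."""
    props = [parse_proposal(p) for p in proposals_from_alert(alert_msg)]
    if len(props) < 2:
        return []
    first, rest = props[0], props[1:]
    return [sorted(cls for cls, common in compare(first, other).items() if not common)
            for other in rest]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, sa, label, hint in triage(recs):
        print(f"{ts} <{sa}> {label}: {hint}")
    alert = first_alert(recs)
    if alert:
        print("classes with no common choice per peer proposal:", explain_mismatch(alert))
```

Run it against a real /log/strongswan.log by replacing SAMPLE_LOG with the file contents; the per-class report is where to look first when both sides' profiles appear identical, since a single DH group or AEAD-versus-CBC difference is enough for the responder to send NO_PROPOSAL_CHOSEN, while a "no IKE config found" hit points at the peer-address match rather than the algorithms.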

  • Thanks.

    I have double checked the profiles and cannot see any mismatch. I posted the screenshots above so you can review.

    I have also been experimenting with site-to-site SSL VPN but could not get that working either. I created the following server profile and a corresponding client on the branch side. It indicated that the connection was successful but I see 5 SSL authentication failures in the branch logs (initiated from the head office IP). I then get an email saying that access has been blocked for 5 minutes.

  • Finally, you can check the port status on ipfingerprints: enable the UDP scan and enter the details below:
