Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Troubleshooting site to site IPsec VPN issues

FormerMember
FormerMember

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This recommended read explains how to understand troubleshooting steps and fixes the most common IPsec issues encountered using the Sophos Firewall IPsec VPN(site-to-site) feature.

    Ipsec Logs

    The following files in /log to trace the IPsec events:

    • strongswan.log: IPsec VPN service log
    • charon.log: IPsec VPN charon (IKE daemon) log
    • strongswan-monitor.log: IPsec daemon monitoring log
    • dgd.log: Dead Gateway Detection (DGD) and VPN failover log

    Sophos uses Strongswan to provide IPSec functionality. We’ll put the Strongswan service in debugging while troubleshooting IPsec VPN issues.

    Debugging Strongswan log

    Steps to put the strongswan service in debug:

    • SSH into the Sophos firewall by following this KBA: Sophos Firewall: SSH to the firewall using the PuTTY utility
      • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
      • Select option 5: Device Management.
      • Select option 3: Advanced Shell.
    • To put the strongswan service in debugging, type the following command: service strongswan:debug -ds nosync
      • Output
        • # service strongswan:debug -ds nosync
          200 OK
    • Run the following command to check the status of the service: service -S | grep strongswan
      • Output
        • # service -S | grep strongswan
          strongswan RUNNING,DEBUG
          strongswan-ctl UNTOUCHED
    • Note: Run the same command to remove the service from the debug.
    • To check the live logs, run the following command from Advanced Shell: tail -f /log/strongswan.log
    • The less command allows you to parse through the static log files. You can also match keywords within the logs by entering /<keyword or string>
      • less /log/strongswan.log
    • The grep command applies a search filter for the keyword within the logs.
      • grep ‘<Keyword/String>’ /log/strongswan.log 
      • You could filter logs with the tunnel name if multiple IPsec tunnels exist.

    Issues and troubleshooting steps

    Incorrect traffic selectors (SA)

    Verify networks being presented by both local and remote ends match

    This issue may occur if the networks being negotiated on either end of the tunnels don’t match on both ends. Verify that the network objects on either end match exactly to the correct subnets and individual addresses.

    2020-09-20 00:25:13 05[NET] <Azure_to_Sophos-1|9> received packet: from 72.138.xx.xx[4500] to 10.0.0.4[4500] (1168 bytes)

    2020-09-20 00:25:13 05[ENC] <Azure_to_Sophos-1|9> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

    2020-09-20 00:25:13 05[CFG] <Azure_to_Sophos-1|9> looking for a child config for 10.0.1.0/24 === 172.16.19.0/24

    2020-09-20 00:25:13 05[IKE] <Azure_to_Sophos-1|9> traffic selectors 10.0.1.0/24 === 172.16.19.0/24 inacceptable

    2020-09-20 00:25:13 05[DMN] <Azure_to_Sophos-1|9> [GARNER-LOGGING] (child_alert) ALERT: the received traffic selectors didn’t match: 172.16.19.0/24 === 10.0.1.0/24 << Local and remote network did not match.

    2020-09-20 00:25:13 05[IKE] <Azure_to_Sophos-1|9> failed to establish CHILD_SA, keeping IKE_SA

    No IKE config found

    Verify the configured IKE version on policies. This issue may occur if the IKE version mismatches with the configured policy of the firewalls

    Logs on remote(respond only) Sophos firewall

    2020-09-24 18:51:19 13[NET] <100> received packet: from 72.138.xx.xx1[500] to 10.0.0.4[500] (872 bytes)

    2020-09-24 18:51:19 13[ENC] <100> parsed ID_PROT request 0 [ SA V V V V V V ]

    2020-09-24 18:51:19 13[CFG] <100> looking for an ike config for 10.0.0.4...72.138.xx.xx

    2020-09-24 18:51:19 13[IKE] <100> no IKE config found for 10.0.0.4...72.138.xx.xx, sending NO_PROPOSAL_CHOSEN

    2020-09-24 18:51:19 13[ENC] <100> generating INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]

    2020-09-24 18:51:19 13[NET] <100> sending packet: from 10.0.0.4[500] to 72.138.107.211[500] (40 bytes)

    2020-09-24 18:51:19 13[IKE] <100> IKE_SA (unnamed)[100] state change: CREATED => DESTROYING

    Logs on Local(Initiator) Sophos firewall

    2020-09-24 09:50:54 06[NET] <To_Azure_Sophos-1|108> received packet: from 40.84.xx.xx [500] to 192.168.1.16[500] (40 bytes)

    2020-09-24 09:50:54 06[ENC] <To_Azure_Sophos-1|108> parsed INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> informational: received NO_PROPOSAL_CHOSEN error notify

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_MOBIKE)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> ### destroy: 0x7f9b88001f80

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_NATD)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_INIT)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA To_Azure_Sophos-1[108] state change: CONNECTING => DESTROYING

    ALERT: peer authentication failed

    Check the configured remote and local connection ID. This issue may occur if a mismatched local and remote connection ID is configured.

    The message “no matching peer config found” indicated that the connection ID wasn’t configured to match on both sites. The remote ID has to match the configured ID, or phase 1 won’t come up, and thus, the IPsec VPN won’t work.

    2020-09-20 00:29:42 22[NET] <10> received packet: from 72.138.xx.xx[4500] to 10.0.0.4[4500] (464 bytes)

    2020-09-20 00:29:42 22[ENC] <10> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

    2020-09-20 00:29:42 22[CFG] <10> looking for peer configs matching 10.0.0.4[10.0.0.1]...72.138.xx.xx[72.138.xx.xx]

    2020-09-20 00:29:42 22[CFG] <10> no matching peer config found

    2020-09-20 00:29:42 22[DMN] <10> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed

    2020-09-20 00:29:42 22[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-09-20 00:29:42 22[NET] <10> sending packet: from 10.0.0.4[4500] to 72.138.xx.xx[4500] (96 bytes)

    2020-09-20 00:29:42 22[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING

    2020-09-20 00:29:42 04[NET] sending packet: from 10.0.0.4[4500] to xx.xx[4500]

    Traffic does not pass through the IPsec VPN Tunnel

    Sophos Firewall: Troubleshooting steps when traffic is not passing through the VPN tunnel

    If traffic  isn’t passing through, kindly verify the following:

    • IPsec configuration.
    • If firewall rules are created to allow VPN traffic.
    • The priority of VPN and static routes.
    • Traffic from LAN hosts passes through the Sophos Firewall.
    • IPsec connection status with the following command: “Ipsec statusall

    # ipsec statusall

    Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22, x86_64):

    uptime: 4 hours, since Oct 27 05:11:10 2020

    malloc: sbrk 4927488, mmap 0, used 550176, free 4377312

    worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5

    loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem  openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity

    Listening IP addresses:

      169.254.xx.xx

      172.16.19.16

      192.168.1.16

      10.255.0.1

      10.81.235.10

      2001:db8::1:0

    Connections:

    To_Azure_Sophos-1:  192.168.1.16...xxxxxx.eastus2.cloudapp.azure.com  IKEv2, dpddelay=30s

    To_Azure_Sophos-1:   local:  [72.138.XX.XX] uses pre-shared key authentication

    To_Azure_Sophos-1:   remote: [10.0.0.4] uses pre-shared key authentication

    To_Azure_Sophos-1:   child:  172.16.19.0/24 === 10.0.1.0/24 TUNNEL, dpdaction=restart

    Security Associations (1 up, 0 connecting):

    To_Azure_Sophos-1[11]: ESTABLISHED 6 minutes ago, 192.168.1.16[72.138.xx.xx]...52.179.xx.xx[10.0.0.4]

    To_Azure_Sophos-1[11]: IKEv2 SPIs: de12479abd022538_i* e9aa15057931f8d2_r, rekeying in 77 minutes

    To_Azure_Sophos-1[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/CURVE_25519

    To_Azure_Sophos-1{11}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c2a06117_i ce6446d0_o

    To_Azure_Sophos-1{11}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes

    To_Azure_Sophos-1{11}:   172.16.19.0/24 === 10.0.1.0/24

    • Verify the IPsec route by running the following command: “Ip route show table 220

    # ip route show table 220

    10.0.1.0/24 dev ipsec0  scope link  src 172.16.19.16

    Invalid HASH_V1 payload length, decryption failed? & Parsed IKE_AUTH response1[N(AUTH_FAILED)]

    Verify the pre-shared key on both firewalls. This issue may occur if the Preshared Key mismatch for the configured IPsec connection.

    Logs using IKEv1 for the key exchange.

    Initiator:

    2020-11-13 04:55:06 17[NET] <To_Azure_Sophos-1|134> received packet: from 20.36.xxx.xxx[500] to 192.168.1.16[500] (124 bytes)

    2020-11-13 04:55:06 17[ENC] <To_Azure_Sophos-1|134> invalid HASH_V1 payload length, decryption failed?

    2020-11-13 04:55:06 17[ENC] <To_Azure_Sophos-1|134> could not decrypt payloads

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> message parsing failed

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> ignore malformed INFORMATIONAL request

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> INFORMATIONAL_V1 request with message ID 2070455846 processing failed

    2020-11-13 04:55:06 17[DMN] <To_Azure_Sophos-1|134> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 20.36.xxx.xxx[500] failed

    2020-11-13 04:55:10 19[IKE] <To_Azure_Sophos-1|134> sending retransmit 1 of request message ID 0, seq 3

    Respond only:

    2020-11-13 13:56:39 12[NET] <5> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (124 bytes)

    2020-11-13 13:56:39 12[ENC] <5> invalid ID_V1 payload length, decryption failed?

    2020-11-13 13:56:39 12[ENC] <5> could not decrypt payloads

    2020-11-13 13:56:39 12[IKE] <5> message parsing failed

    2020-11-13 13:56:39 12[ENC] <5> generating INFORMATIONAL_V1 request 2070455846 [ HASH N(PLD_MAL) ]

    2020-11-13 13:56:39 12[NET] <5> sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500] (124 bytes)

    2020-11-13 13:56:39 12[IKE] <5> ID_PROT request with message ID 0 processing failed

    2020-11-13 13:56:39 04[NET] sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500]

    2020-11-13 13:56:39 12[DMN] <5> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 72.138.xxx.xxx[4500] failed

    Logs using IKEv2 for the key exchange.

    Initiator:

    2020-11-03 04:17:03 03[NET] <To_Azure_Sophos-1|123> received packet: from 40.75.xxx.xxx[4500] to 192.168.1.16[4500] (96 bytes)

    2020-11-03 04:17:03 03[ENC] <To_Azure_Sophos-1|123> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> received AUTHENTICATION_FAILED notify error

    2020-11-03 04:17:03 03[DMN] <To_Azure_Sophos-1|123> [GARNER-LOGGING] (child_alert) ALERT: creating local authentication data failed

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA AUTHENTICATION_FAILED set_condition COND_START_OVER 

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2020-11-03 04:17:03 03[CHD] <To_Azure_Sophos-1|123> CHILD_SA To_Azure_Sophos-1{191} state change: CREATED => DESTROYING

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA To_Azure_Sophos-1[123] state change: CONNECTING => DESTROYING

    Responder:

    2020-11-03 13:18:07 21[NET] <136> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (464 bytes)

    2020-11-03 13:18:07 21[ENC] <136> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

    2020-11-03 13:18:07 21[CFG] <136> looking for peer configs matching 10.0.0.4[10.0.0.4]...72.138.xxx.xxx[72.138.xxx.xxx]

    2020-11-03 13:18:07 21[CFG] <136>   candidate "Azure_to_Sophos-1", match: 20/20/1052 (me/other/ike)

    2020-11-03 13:18:07 21[CFG] <Azure_to_Sophos-1|136> selected peer config 'Azure_to_Sophos-1'

    2020-11-03 13:18:07 21[IKE] <Azure_to_Sophos-1|136> tried 2 shared keys for '10.0.0.4' - '72.138.xxx.xxx', but MAC mismatched

    2020-11-03 13:18:07 21[DMN] <Azure_to_Sophos-1|136> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed

    2020-11-03 13:18:07 21[ENC] <Azure_to_Sophos-1|136> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-11-03 13:18:07 21[NET] <Azure_to_Sophos-1|136> sending packet: from 10.0.0.4[4500] to 72.138.xxx.xxx[4500] (96 bytes)

    2020-11-03 13:18:07 21[IKE] <Azure_to_Sophos-1|136> IKE_SA Azure_to_Sophos-1[136] state change: CONNECTING => DESTROYING

    IPsec VPN's most common Error

    Related links




    Revamped RR
    [edited by: Erick Jan at 1:21 AM (GMT -7) on 9 Oct 2024]
    Parents Reply Children