
Sophos Firewall: Troubleshooting site to site IPsec VPN issues

FormerMember

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This recommended read walks through the troubleshooting steps and fixes for the most common issues encountered with the Sophos Firewall site-to-site IPsec VPN feature.

    IPsec logs

    The following files in /log trace IPsec events:

    • strongswan.log: IPsec VPN service log
    • charon.log: IPsec VPN charon (IKE daemon) log
    • strongswan-monitor.log: IPsec daemon monitoring log
    • dgd.log: Dead Gateway Detection (DGD) and VPN failover log

    Sophos Firewall uses strongSwan to provide IPsec functionality. We'll put the strongswan service into debug mode while troubleshooting IPsec VPN issues.

    Debugging the strongSwan log

    Steps to put the strongswan service into debug mode:

    • SSH into the Sophos Firewall by following this KBA: Sophos Firewall: SSH to the firewall using the PuTTY utility
      • Any SSH client can be used; connect to port 22 of the SFOS device.
      • Select option 5: Device Management.
      • Select option 3: Advanced Shell.
    • To put the strongswan service into debug mode, run: service strongswan:debug -ds nosync
      • Output
        • # service strongswan:debug -ds nosync
          200 OK
    • Confirm the new state with: service -S | grep strongswan
      • Output
        • # service -S | grep strongswan
          strongswan RUNNING,DEBUG
          strongswan-ctl UNTOUCHED
    • Note: The command toggles the setting. Run the same command again to take the service out of debug mode once you have captured the logs you need; debug output is verbose and the log file grows quickly.
    • To follow the live log, run the following from the Advanced Shell: tail -f /log/strongswan.log
    • The less command lets you page through a static log file; /<keyword or string> searches within it.
      • less /log/strongswan.log
    • The grep command prints only the lines that contain the keyword.
      • grep '<keyword or string>' /log/strongswan.log
      • If several IPsec tunnels exist, filter on the tunnel name: once an IKE_SA has matched a configured connection, every log line for it carries the connection name and IKE_SA number in angle brackets, for example <To_Azure_Sophos-1|108>.

    Issues and troubleshooting steps

    Incorrect traffic selectors (CHILD_SA)

    Verify that the networks presented by the local and remote ends match

    This issue occurs when the networks negotiated for the tunnel don't agree on both ends: the local networks configured on one firewall must be the remote networks configured on the other, and vice versa. Verify that the network objects on either end match exactly, down to the subnet mask and any individual host addresses. In the logs below the responder looks for a child config covering the pair of selectors it received and finds none, so phase 2 fails while the IKE_SA (phase 1) stays up.

    2020-09-20 00:25:13 05[NET] <Azure_to_Sophos-1|9> received packet: from 72.138.xx.xx[4500] to 10.0.0.4[4500] (1168 bytes)

    2020-09-20 00:25:13 05[ENC] <Azure_to_Sophos-1|9> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]

    2020-09-20 00:25:13 05[CFG] <Azure_to_Sophos-1|9> looking for a child config for 10.0.1.0/24 === 172.16.19.0/24

    2020-09-20 00:25:13 05[IKE] <Azure_to_Sophos-1|9> traffic selectors 10.0.1.0/24 === 172.16.19.0/24 inacceptable

    2020-09-20 00:25:13 05[DMN] <Azure_to_Sophos-1|9> [GARNER-LOGGING] (child_alert) ALERT: the received traffic selectors didn’t match: 172.16.19.0/24 === 10.0.1.0/24 << Local and remote network did not match.

    2020-09-20 00:25:13 05[IKE] <Azure_to_Sophos-1|9> failed to establish CHILD_SA, keeping IKE_SA

    No IKE config found

    Verify the IKE version configured in the IPsec policy on both firewalls. This message is logged when the responder has no connection that matches the peer's address pair and IKE version. In the logs below the initiator sends an IKEv1 main mode (ID_PROT) request, but the responder's connection for that peer is configured for IKEv2, so it answers NO_PROPOSAL_CHOSEN and the initiator retries a minute later. The same message also appears when the remote gateway address or the local listening address doesn't match any configured connection, so check the gateway settings as well if the IKE versions already agree.

    Logs on the remote (respond-only) Sophos Firewall

    2020-09-24 18:51:19 13[NET] <100> received packet: from 72.138.xx.xx1[500] to 10.0.0.4[500] (872 bytes)

    2020-09-24 18:51:19 13[ENC] <100> parsed ID_PROT request 0 [ SA V V V V V V ]

    2020-09-24 18:51:19 13[CFG] <100> looking for an ike config for 10.0.0.4...72.138.xx.xx

    2020-09-24 18:51:19 13[IKE] <100> no IKE config found for 10.0.0.4...72.138.xx.xx, sending NO_PROPOSAL_CHOSEN

    2020-09-24 18:51:19 13[ENC] <100> generating INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]

    2020-09-24 18:51:19 13[NET] <100> sending packet: from 10.0.0.4[500] to 72.138.xx.xx[500] (40 bytes)

    2020-09-24 18:51:19 13[IKE] <100> IKE_SA (unnamed)[100] state change: CREATED => DESTROYING

    Logs on the local (initiator) Sophos Firewall

    2020-09-24 09:50:54 06[NET] <To_Azure_Sophos-1|108> received packet: from 40.84.xx.xx [500] to 192.168.1.16[500] (40 bytes)

    2020-09-24 09:50:54 06[ENC] <To_Azure_Sophos-1|108> parsed INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> informational: received NO_PROPOSAL_CHOSEN error notify

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_MOBIKE)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> ### destroy: 0x7f9b88001f80

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_NATD)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> flush_queue(IKE_INIT)

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2020-09-24 09:50:54 06[IKE] <To_Azure_Sophos-1|108> IKE_SA To_Azure_Sophos-1[108] state change: CONNECTING => DESTROYING

    ALERT: peer authentication failed

    Check the configured local and remote connection IDs (the IKE identities). This issue occurs when the local ID on one firewall doesn't match the remote ID configured on the other.

    The message "no matching peer config found" indicates that no connection is configured for the identities the peer presented. In the CFG line below, the values in square brackets are the identities carried in the peer's IDr and IDi payloads: the initiator addressed a responder identified as 10.0.0.1, but the responder's connection uses local ID 10.0.0.4, so nothing matches. The remote ID has to match the configured ID, or phase 1 won't come up and the IPsec VPN won't work. Note that the same "peer authentication failed" alert is also raised for a pre-shared key mismatch on IKEv2 (see further down); the CFG or IKE line immediately before the alert is what tells the two apart.

    2020-09-20 00:29:42 22[NET] <10> received packet: from 72.138.xx.xx[4500] to 10.0.0.4[4500] (464 bytes)

    2020-09-20 00:29:42 22[ENC] <10> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

    2020-09-20 00:29:42 22[CFG] <10> looking for peer configs matching 10.0.0.4[10.0.0.1]...72.138.xx.xx[72.138.xx.xx]

    2020-09-20 00:29:42 22[CFG] <10> no matching peer config found

    2020-09-20 00:29:42 22[DMN] <10> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed

    2020-09-20 00:29:42 22[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-09-20 00:29:42 22[NET] <10> sending packet: from 10.0.0.4[4500] to 72.138.xx.xx[4500] (96 bytes)

    2020-09-20 00:29:42 22[IKE] <10> IKE_SA (unnamed)[10] state change: CONNECTING => DESTROYING

    2020-09-20 00:29:42 04[NET] sending packet: from 10.0.0.4[4500] to xx.xx[4500]

    Traffic does not pass through the IPsec VPN tunnel

    See also: Sophos Firewall: Troubleshooting steps when traffic is not passing through the VPN tunnel

    If the tunnel is up but traffic isn't passing through, verify the following:

    • The IPsec configuration on both ends.
    • That firewall rules exist to allow the VPN traffic in both directions (LAN to VPN and VPN to LAN).
    • The priority of VPN routes versus static routes, so that traffic for the remote subnet is sent into the tunnel rather than following a static or default route.
    • That traffic from LAN hosts actually reaches the Sophos Firewall (default gateway and host routes on the LAN side).
    • The IPsec connection status, with the command ipsec statusall. In the output below the IKE_SA is ESTABLISHED and the CHILD_SA is INSTALLED, so both phases are up, but the counters read 0 bytes_i, 0 bytes_o: nothing is being sent into or received from the tunnel, which points at firewall rules or routing rather than at the IPsec settings themselves.

    # ipsec statusall

    Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22, x86_64):

    uptime: 4 hours, since Oct 27 05:11:10 2020

    malloc: sbrk 4927488, mmap 0, used 550176, free 4377312

    worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5

    loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem  openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity

    Listening IP addresses:

      169.254.xx.xx

      172.16.19.16

      192.168.1.16

      10.255.0.1

      10.81.235.10

      2001:db8::1:0

    Connections:

    To_Azure_Sophos-1:  192.168.1.16...xxxxxx.eastus2.cloudapp.azure.com  IKEv2, dpddelay=30s

    To_Azure_Sophos-1:   local:  [72.138.XX.XX] uses pre-shared key authentication

    To_Azure_Sophos-1:   remote: [10.0.0.4] uses pre-shared key authentication

    To_Azure_Sophos-1:   child:  172.16.19.0/24 === 10.0.1.0/24 TUNNEL, dpdaction=restart

    Security Associations (1 up, 0 connecting):

    To_Azure_Sophos-1[11]: ESTABLISHED 6 minutes ago, 192.168.1.16[72.138.xx.xx]...52.179.xx.xx[10.0.0.4]

    To_Azure_Sophos-1[11]: IKEv2 SPIs: de12479abd022538_i* e9aa15057931f8d2_r, rekeying in 77 minutes

    To_Azure_Sophos-1[11]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/CURVE_25519

    To_Azure_Sophos-1{11}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c2a06117_i ce6446d0_o

    To_Azure_Sophos-1{11}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes

    To_Azure_Sophos-1{11}:   172.16.19.0/24 === 10.0.1.0/24

    • Verify the IPsec route by running: ip route show table 220. strongSwan installs a route for each remote traffic selector in routing table 220; the remote network 10.0.1.0/24 should be listed there with the local selector's address as the source, as below. If it is missing, packets for the remote subnet follow the main routing table instead of entering the tunnel.

    # ip route show table 220

    10.0.1.0/24 dev ipsec0  scope link  src 172.16.19.16
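    The two checks above, reading ipsec statusall and the table-220 route, can be automated. The script below is an added example written for this article, not Sophos or strongSwan code: it parses the Security Associations section of ipsec statusall, reads the routes in table 220, and reports whether the IKE_SA is ESTABLISHED, whether the CHILD_SA is INSTALLED, whether a table-220 route covers the remote selector, and whether the byte counters are moving. The STATUSALL and ROUTES strings are constructed from the redacted output above, with the public addresses replaced by the documentation addresses 198.51.100.7 (local) and 203.0.113.10 (peer). On a real firewall, save the command output (for example ipsec statusall > /tmp/status.txt) and feed it in instead.

```python
"""Judge a site-to-site tunnel's health from `ipsec statusall` and `ip route show table 220`.

Added example for this article, not Sophos or strongSwan code. STATUSALL and
ROUTES are constructed from the redacted output above, with public addresses
replaced by documentation addresses (198.51.100.7 local, 203.0.113.10 peer).
"""
import ipaddress
import re

# State names are matched against strongSwan's fixed lists so that lines such
# as "<conn>[11]: IKEv2 SPIs:" or "<conn>[11]: IKE proposal:" are never read as a state.
IKE_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]: (?P<state>CREATED|CONNECTING|"
                    r"ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING|DESTROYING)\b")
CHILD_RE = re.compile(r"^(?P<conn>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
CHILD_STATE_RE = re.compile(r"^(CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|"
                            r"REKEYED|RETRYING|DELETING|DESTROYING)\b")
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
TS_RE = re.compile(r"^(\S+) === (\S+)$")
ROUTE_RE = re.compile(r"^(\S+) dev (\S+)")


def parse_statusall(text):
    """Return {conn: {"ike": state, "children": [...]}} from the Security Associations section."""
    tunnels, children, in_sas = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Security Associations"):
            in_sas = True  # lines before this describe configuration, not live state
        if not in_sas or not line:
            continue
        m = IKE_RE.match(line)
        if m:
            tunnels.setdefault(m["conn"], {"ike": None, "children": []})["ike"] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["id"])
        if key not in children:
            children[key] = {"state": None, "bytes_in": None, "bytes_out": None, "local": None, "remote": None}
            tunnels.setdefault(m["conn"], {"ike": None, "children": []})["children"].append(children[key])
        child, rest = children[key], m["rest"]
        s, b, t = CHILD_STATE_RE.match(rest), BYTES_RE.search(rest), TS_RE.match(rest)
        if s:
            child["state"] = s[1]
        elif b:
            child["bytes_in"], child["bytes_out"] = int(b[1]), int(b[2])
        elif t:
            child["local"], child["remote"] = t[1], t[2]
    return tunnels


def parse_table_220(text):
    """Return {prefix: device} for the routes strongSwan installed in table 220."""
    return {m[1]: m[2] for m in (ROUTE_RE.match(l.strip()) for l in text.splitlines()) if m}


def check_tunnel(conn, tunnels, routes):
    """List what is wrong with one tunnel; an empty list means up and carrying traffic."""
    t = tunnels.get(conn)
    if t is None or t["ike"] != "ESTABLISHED":
        return [f"{conn}: IKE_SA not ESTABLISHED (phase 1 problem, check strongswan.log)"]
    if not t["children"]:
        return [f"{conn}: no CHILD_SA (phase 2 problem, check traffic selectors)"]
    problems = []
    for c in t["children"]:
        pair = f"{c['local']} === {c['remote']}"
        if c["state"] != "INSTALLED":
            problems.append(f"{conn}: CHILD_SA {pair} is {c['state']}, not INSTALLED")
            continue
        # Assumes table 220 holds only prefix routes (what strongSwan installs); without a
        # covering route, packets for the remote selector follow the main table instead.
        remote = ipaddress.ip_network(c["remote"])
        if not any(remote.subnet_of(ipaddress.ip_network(r)) for r in routes):
            problems.append(f"{conn}: no route for {c['remote']} in table 220")
        # SA installed but zero bytes: IPsec itself is fine, traffic never reaches it.
        if c["bytes_out"] == 0:
            problems.append(f"{conn}: 0 bytes_o on {pair}: nothing enters the tunnel "
                            "(firewall rule, route priority or LAN host routing)")
        if c["bytes_in"] == 0:
            problems.append(f"{conn}: 0 bytes_i on {pair}: nothing arrives from the peer "
                            "(check the remote side's rules and selectors)")
    return problems


STATUSALL = """\
Connections:
To_Azure_Sophos-1:  192.168.1.16...203.0.113.10  IKEv2, dpddelay=30s
To_Azure_Sophos-1:   child:  172.16.19.0/24 === 10.0.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
To_Azure_Sophos-1[11]: ESTABLISHED 6 minutes ago, 192.168.1.16[198.51.100.7]...203.0.113.10[10.0.0.4]
To_Azure_Sophos-1[11]: IKEv2 SPIs: de12479abd022538_i* e9aa15057931f8d2_r, rekeying in 77 minutes
To_Azure_Sophos-1{11}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c2a06117_i ce6446d0_o
To_Azure_Sophos-1{11}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
To_Azure_Sophos-1{11}:   172.16.19.0/24 === 10.0.1.0/24
"""
ROUTES = "10.0.1.0/24 dev ipsec0  scope link  src 172.16.19.16\n"

if __name__ == "__main__":
    for problem in check_tunnel("To_Azure_Sophos-1", parse_statusall(STATUSALL), parse_table_220(ROUTES)):
        print(problem)
```

    Run against the sample it reports only the two zero counters, which is exactly the "tunnel up, no traffic" case: the next place to look is the firewall rules and routing, not the IPsec settings.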

    Invalid HASH_V1 payload length, decryption failed? and parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    Verify that the pre-shared key is identical on both firewalls. This issue occurs when the pre-shared keys configured for the IPsec connection don't match. The symptom depends on the IKE version: in IKEv1 main mode the PSK is an input to the keys that encrypt the later main mode messages, so a mismatch shows up as a decryption failure ("invalid HASH_V1 payload length, decryption failed?" on the initiator, "invalid ID_V1 payload length, decryption failed?" on the responder) rather than as an explicit authentication error. In IKEv2 the PSK is only used to compute the AUTH payload, so the responder logs "tried 2 shared keys ... but MAC mismatched" and replies with AUTHENTICATION_FAILED, which the initiator reports as "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]".

    Logs using IKEv1 for the key exchange.

    Initiator:

    2020-11-13 04:55:06 17[NET] <To_Azure_Sophos-1|134> received packet: from 20.36.xxx.xxx[500] to 192.168.1.16[500] (124 bytes)

    2020-11-13 04:55:06 17[ENC] <To_Azure_Sophos-1|134> invalid HASH_V1 payload length, decryption failed?

    2020-11-13 04:55:06 17[ENC] <To_Azure_Sophos-1|134> could not decrypt payloads

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> message parsing failed

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> ignore malformed INFORMATIONAL request

    2020-11-13 04:55:06 17[IKE] <To_Azure_Sophos-1|134> INFORMATIONAL_V1 request with message ID 2070455846 processing failed

    2020-11-13 04:55:06 17[DMN] <To_Azure_Sophos-1|134> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 20.36.xxx.xxx[500] failed

    2020-11-13 04:55:10 19[IKE] <To_Azure_Sophos-1|134> sending retransmit 1 of request message ID 0, seq 3

    Responder (respond only):

    2020-11-13 13:56:39 12[NET] <5> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (124 bytes)

    2020-11-13 13:56:39 12[ENC] <5> invalid ID_V1 payload length, decryption failed?

    2020-11-13 13:56:39 12[ENC] <5> could not decrypt payloads

    2020-11-13 13:56:39 12[IKE] <5> message parsing failed

    2020-11-13 13:56:39 12[ENC] <5> generating INFORMATIONAL_V1 request 2070455846 [ HASH N(PLD_MAL) ]

    2020-11-13 13:56:39 12[NET] <5> sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500] (124 bytes)

    2020-11-13 13:56:39 12[IKE] <5> ID_PROT request with message ID 0 processing failed

    2020-11-13 13:56:39 04[NET] sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500]

    2020-11-13 13:56:39 12[DMN] <5> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 72.138.xxx.xxx[4500] failed

    Logs using IKEv2 for the key exchange.

    Initiator:

    2020-11-03 04:17:03 03[NET] <To_Azure_Sophos-1|123> received packet: from 40.75.xxx.xxx[4500] to 192.168.1.16[4500] (96 bytes)

    2020-11-03 04:17:03 03[ENC] <To_Azure_Sophos-1|123> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> received AUTHENTICATION_FAILED notify error

    2020-11-03 04:17:03 03[DMN] <To_Azure_Sophos-1|123> [GARNER-LOGGING] (child_alert) ALERT: creating local authentication data failed

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA AUTHENTICATION_FAILED set_condition COND_START_OVER 

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec

    2020-11-03 04:17:03 03[CHD] <To_Azure_Sophos-1|123> CHILD_SA To_Azure_Sophos-1{191} state change: CREATED => DESTROYING

    2020-11-03 04:17:03 03[IKE] <To_Azure_Sophos-1|123> IKE_SA To_Azure_Sophos-1[123] state change: CONNECTING => DESTROYING

    Responder:

    2020-11-03 13:18:07 21[NET] <136> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (464 bytes)

    2020-11-03 13:18:07 21[ENC] <136> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

    2020-11-03 13:18:07 21[CFG] <136> looking for peer configs matching 10.0.0.4[10.0.0.4]...72.138.xxx.xxx[72.138.xxx.xxx]

    2020-11-03 13:18:07 21[CFG] <136>   candidate "Azure_to_Sophos-1", match: 20/20/1052 (me/other/ike)

    2020-11-03 13:18:07 21[CFG] <Azure_to_Sophos-1|136> selected peer config 'Azure_to_Sophos-1'

    2020-11-03 13:18:07 21[IKE] <Azure_to_Sophos-1|136> tried 2 shared keys for '10.0.0.4' - '72.138.xxx.xxx', but MAC mismatched

    2020-11-03 13:18:07 21[DMN] <Azure_to_Sophos-1|136> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed

    2020-11-03 13:18:07 21[ENC] <Azure_to_Sophos-1|136> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

    2020-11-03 13:18:07 21[NET] <Azure_to_Sophos-1|136> sending packet: from 10.0.0.4[4500] to 72.138.xxx.xxx[4500] (96 bytes)

    2020-11-03 13:18:07 21[IKE] <Azure_to_Sophos-1|136> IKE_SA Azure_to_Sophos-1[136] state change: CONNECTING => DESTROYING
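    Each of the failures above (traffic selector mismatch, no IKE config, connection ID mismatch, and the IKEv1 and IKEv2 forms of a pre-shared key mismatch) is identified from the CFG/IKE/ENC line that precedes the GARNER-LOGGING alert rather than from the alert itself. The script below is an added example for this article, not Sophos or strongSwan code: it parses strongswan.log lines into timestamp, thread, facility, connection name, IKE_SA number and message, matches each message against the signatures quoted in this article, and groups the findings per IKE_SA so that several tunnels can be told apart. SAMPLE_LOG is constructed from the redacted excerpts above, with the remote gateway replaced by the documentation address 203.0.113.10. To use it on a firewall, copy /log/strongswan.log off the box and pass its lines to diagnose(), optionally with tunnel set to the connection name.

```python
"""Classify common site-to-site IPsec failures from strongSwan charon log lines.

Added example for this article, not Sophos or strongSwan code. SAMPLE_LOG is
constructed from the redacted excerpts above, with the remote gateway replaced
by the documentation address 203.0.113.10.
"""
import re
from collections import defaultdict

# One line of /log/strongswan.log:
#   <timestamp> <thread>[<facility>] <conn|ike_sa_id> <message>
# The angle-bracket tag carries only the IKE_SA number (<100>) until the SA has
# matched a configured connection, and is absent on some NET lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<fac>[A-Z]+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)

# Checked in order, first match wins. The GARNER-LOGGING "peer authentication
# failed" alert is last on purpose: it is raised both for an ID mismatch and for
# a PSK mismatch, so the CFG/IKE line before it is what tells them apart.
SIGNATURES = [
    (re.compile(r"received traffic selectors didn.t match: (\S+) === (\S+)"),
     "TS_MISMATCH", "local/remote networks differ between the two ends"),
    (re.compile(r"no IKE config found for ([^\s,]+)\.\.\.([^\s,]+)"),
     "NO_IKE_CONFIG", "no connection matches this address pair and IKE version"),
    (re.compile(r"no matching peer config found"),
     "PEER_ID_MISMATCH", "local/remote connection IDs differ"),
    (re.compile(r"tried \d+ shared keys? for '([^']+)' - '([^']+)', but MAC mismatched"),
     "PSK_MISMATCH_IKEV2", "pre-shared key differs (IKEv2 AUTH payload)"),
    (re.compile(r"invalid (?:HASH|ID)_V1 payload length, decryption failed\?"),
     "PSK_MISMATCH_IKEV1", "pre-shared key differs (IKEv1 main mode cannot decrypt)"),
    (re.compile(r"ALERT: peer authentication failed"),
     "PEER_AUTH_FAILED", "ambiguous: read the CFG/IKE line just before it"),
]


def parse_line(line):
    """Split one log line into its fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines, tunnel=None):
    """Map each IKE_SA ("conn[id]") to the (code, hint, details) signatures seen on it.

    tunnel, when given, keeps that connection's lines plus unnamed ones: an
    IKE_SA that never matched a peer config has no connection name yet, so
    "no IKE config found" and "no matching peer config found" would otherwise
    be filtered out.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (tunnel is not None and rec["conn"] not in (None, tunnel)):
            continue
        for rx, code, hint in SIGNATURES:
            m = rx.search(rec["msg"])
            if m:
                key = f"{rec['conn'] or 'unnamed'}[{rec['sa'] or '?'}]"
                findings[key].append((code, hint, m.groups()))
                break
    return dict(findings)


# Constructed from the article's excerpts; one IKE_SA per failure type.
SAMPLE_LOG = """\
2020-09-20 00:25:13 05[CFG] <Azure_to_Sophos-1|9> looking for a child config for 10.0.1.0/24 === 172.16.19.0/24
2020-09-20 00:25:13 05[IKE] <Azure_to_Sophos-1|9> traffic selectors 10.0.1.0/24 === 172.16.19.0/24 inacceptable
2020-09-20 00:25:13 05[DMN] <Azure_to_Sophos-1|9> [GARNER-LOGGING] (child_alert) ALERT: the received traffic selectors didn't match: 172.16.19.0/24 === 10.0.1.0/24
2020-09-24 18:51:19 13[ENC] <100> parsed ID_PROT request 0 [ SA V V V V V V ]
2020-09-24 18:51:19 13[IKE] <100> no IKE config found for 10.0.0.4...203.0.113.10, sending NO_PROPOSAL_CHOSEN
2020-09-20 00:29:42 22[CFG] <10> looking for peer configs matching 10.0.0.4[10.0.0.1]...203.0.113.10[203.0.113.10]
2020-09-20 00:29:42 22[CFG] <10> no matching peer config found
2020-09-20 00:29:42 22[DMN] <10> [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
2020-09-20 00:29:42 04[NET] sending packet: from 10.0.0.4[4500] to 203.0.113.10[4500]
2020-11-03 13:18:07 21[IKE] <Azure_to_Sophos-1|136> tried 2 shared keys for '10.0.0.4' - '203.0.113.10', but MAC mismatched
2020-11-13 04:55:06 17[ENC] <To_Azure_Sophos-1|134> invalid HASH_V1 payload length, decryption failed?
"""

if __name__ == "__main__":
    for sa, hits in diagnose(SAMPLE_LOG.splitlines()).items():
        for code, hint, details in hits:
            print(f"{sa}: {code} {details} -> {hint}")
```

    The per-IKE_SA grouping matters on a busy firewall: a single strongswan.log can show one tunnel failing on selectors while another is failing on its key, and the ambiguous "peer authentication failed" alert is only useful once it is read next to the line that preceded it on the same SA.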

    Related links

    • IPsec VPN's most common Error




    Revamped RR
    [edited by: Erick Jan at 1:21 AM (GMT -7) on 9 Oct 2024]