Help us enhance your Sophos Community experience. Share your thoughts in our Sophos Community survey.

Thread Info
  • State Not Answered
  • Replies 7 replies
  • Subscribers 0 subscribers
  • Views 2091 views
  • Users 0 members are here
Options
Suggested

[7.390] Can't Add IPSec Remote Gateway with PSK

Paul Dengate
Hi All,

Don't think I've seen this one elsewhere in the forum, but apologies if it is a dupe. Fairly simple error, but stopping me from creating VPNs.

To repeat:

[LIST=1]
  • Go to Site-to-site VPN -> IPSec -> Remote Gateways.
  • Click New Remote Gateway.
  • Use Respond only and Preshared Key as the options.
  • Attempt to enter a PSK in the field (and repeat field).
  • When you click save, the "Key" box will flash red as if it hasn't been entered. But if you delete the text from it, you'll get an error that the fields don't match
[/LIST]

Screen shot of the options I was using is attached. Note: in the example I haven't entered a Remote Network, but entering one doesn't seem to matter.

You can edit existing gateways OK, just not create new ones.

Let me know if you need more info.

Thanks
Parents
  • 0
    This isn't a bug, rather a "feature" of IPSec.  It's a "mistake" that I've made personally, so you aren't alone!

    You can only have a single PSK for all Respond-Only IPSec VPNs; that's the reason it wouldn't accept the PSK you tried to assign.  If you have already defined a PSK in Remote Access for IPSec or L2TP over IPSec, just use the same one here.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thanks Bob. I am trying to replicate the functionality we have on our SnapGear router, which lets you do this using Agressive Mode and VPN IDs. I note the Astaro appears to only use Main mode.

    I was able to add additional gateways using the same PSK, as suggested. Thanks for the tip. Would be nice if an error message was given, but at least I know now.

    Next thing to try will be whether multiple respond only IPSec VPNs will work using PSK. Perhaps they will need the IP address to distinguish them?

    Appreciate your help - my knowledge of IPsec is only fairly basic.
  • 0 in reply to Paul Dengate
    Well, I'm no guru with IPSec, but I have done battle with it several times.  It turns out that Aggressive mode is less secure because the key is exchanged in clear text (at least, that's what I recall), I suspect that's why Astaro doesn't support it.

    They also suggest using certificates as preferable for site-to-site because that provides better security.  If you are working with a fixed site, maybe you can setup DynDNS so that you can use 'initiate connection' instead of 'Respond only'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thanks Bob,

    Once I get migrated from the SnapGear and existing stuff working, I'm going to look into doing certificates for better security.

    Cya
  • 0 in reply to Paul Dengate
    Astaro doesn't support Aggressive mode due to various security vulnerabilities in that implementation.  As you migrate to Astaro, I do recommend you look at RSA keys or Certs for Security.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Hi,
    I had a look and don't think the Billion routers we have at remote sites support anything other thank PSK. Thankfully I have the Astaro doing more than one tunnel, using a single PSK. So it works, but sounds like not perfect from the security stand point.
  • 0 in reply to Paul Dengate
    Since these are fixed, remote sites, I'd recommend you get hooked up with DynDNS (up to five hosts is free) and use 'Initiate connection' mode so you can have different keys for different sites.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Paul Dengate
    Since these are fixed, remote sites, I'd recommend you get hooked up with DynDNS (up to five hosts is free) and use 'Initiate connection' mode so you can have different keys for different sites.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML