Site to site vpn

I've been trying to build a site to site VPN between my Sophos SG230 and my Sonicwall TZ350. I was able to get the VPN up and connected for about half a day, until the electricity went out for a few hours. Now I can't seem to get both firewalls to connect again. I have spoken with both Sophos and Sonicwall techs multiple times and they both assure me that it is set up correctly. I've called the ISP to make sure nothing is being blocked and there isn't. I've included screenshots of both firewalls as well as the error message I'm getting. Both techs I talked to told me it was an issue with the pre-shared key, but I have changed that several times and made sure that they are the same on both.

Basically, the error I keep running into is:

2022:06:17-14:34:43 74 pluto[22458]: packet from [remote site IP]:500: initial Main Mode message received on [HQ IP]:500 but no connection has been authorized with policy=PSK

[Formatting edited by: nmw748 at 6:37 PM (GMT -7) on 17 Jun 2022]
  • Sounds frustrating!  Try the following:

         1. Confirm that Debug is not enabled.
         2. Disable the IPsec Connection.
         3. Start the IPsec Live Log and wait for it to begin to populate.
         4. Enable the IPsec Connection.
         5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2022:06:20-08:14:36 74 pluto[29443]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2022:06:20-08:14:36 74 pluto[29443]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2022:06:20-08:14:36 74 pluto[29443]: Changing to directory '/etc/ipsec.d/crls'
    2022:06:20-08:14:36 74 pluto[29443]: "S_Site to Site": deleting connection
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:14:45 74 pluto[29443]: forgetting secrets
    2022:06:20-08:14:45 74 pluto[29443]: loading secrets from "/etc/ipsec.secrets"
    2022:06:20-08:14:45 74 pluto[29443]: loaded private key from 'nwilliams (X509 User Cert).pem'
    2022:06:20-08:14:45 74 pluto[29443]: loaded PSK secret for 71.112.199.226 %any
    2022:06:20-08:14:45 74 pluto[29443]: listening for IKE messages
    2022:06:20-08:14:45 74 pluto[29443]: forgetting secrets
    2022:06:20-08:14:45 74 pluto[29443]: loading secrets from "/etc/ipsec.secrets"
    2022:06:20-08:14:45 74 pluto[29443]: loaded private key from 'nwilliams (X509 User Cert).pem'
    2022:06:20-08:14:45 74 pluto[29443]: loaded PSK secret for 71.112.199.226 %any
    2022:06:20-08:14:45 74 pluto[29443]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2022:06:20-08:14:45 74 pluto[29443]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2022:06:20-08:14:45 74 pluto[29443]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2022:06:20-08:14:45 74 pluto[29443]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2022:06:20-08:14:45 74 pluto[29443]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2022:06:20-08:14:45 74 pluto[29443]: Changing to directory '/etc/ipsec.d/crls'
    2022:06:20-08:14:45 74 pluto[29443]: added connection description "S_Site to Site"
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:15:15 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:15:50 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:15:56 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:16:07 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [5b362bc820f60007]
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2022:06:20-08:16:26 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
  • The first PSK failure is at 14:40:41.  I would have expected more lines ahead of that - no?

    Is either VPN endpoint behind a NATting router?  If so, the NATted side should be the side to initiate the connection and the receiving side should have a public IP.  If that's not the case, insert a picture of the 'Preshared Key Settings' and a picture of the Edit of the Remote Gateway.

    Cheers - Bob

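To answer the moderator's question about when the first failure occurred, and to reduce a 60-line live log to the facts worth posting back, here is a small triage script. It is an added example for this page, not Sophos code and not anything from the thread. It assumes only the pluto message formats visible in the log above; the sample lines embedded in it are condensed from that post. The state tracking (whether a connection description and a PSK entry covering the peer were loaded when each "no connection has been authorized" failure happened) is this example's own reading of those messages, not a documented pluto diagnostic.

```python
import re
from collections import Counter

# Constructed sample input: lines condensed from the IPsec live log posted above
# (pluto, IKEv1 Main Mode). Timestamps, IPs and messages are as logged in the thread.
SAMPLE_LOG = """\
2022:06:20-08:14:36 74 pluto[29443]: "S_Site to Site": deleting connection
2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: ignoring Vendor ID payload [RFC 3947]
2022:06:20-08:14:41 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
2022:06:20-08:14:45 74 pluto[29443]: forgetting secrets
2022:06:20-08:14:45 74 pluto[29443]: loading secrets from "/etc/ipsec.secrets"
2022:06:20-08:14:45 74 pluto[29443]: loaded PSK secret for 71.112.199.226 %any
2022:06:20-08:14:45 74 pluto[29443]: added connection description "S_Site to Site"
2022:06:20-08:14:47 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
2022:06:20-08:14:57 74 pluto[29443]: packet from 71.112.199.234:500: initial Main Mode message received on 71.112.199.226:500 but no connection has been authorized with policy=PSK
"""

# One regex per pluto message shape seen in the posted log.
LINE_RE = re.compile(r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \d+ pluto\[\d+\]: (?P<msg>.*)$")
NOCONN_RE = re.compile(
    r"^packet from (?P<peer>[\d.]+):\d+: initial Main Mode message received on "
    r"(?P<local>[\d.]+):\d+ but no connection has been authorized with policy=(?P<policy>\w+)$"
)
PSK_RE = re.compile(r"^loaded PSK secret for (?P<ids>.+)$")
ADDED_RE = re.compile(r'^added connection description "(?P<name>.+)"$')
DELETED_RE = re.compile(r'^"(?P<name>.+)": deleting connection$')


def psk_covers(ids, local, peer):
    """A 'loaded PSK secret for A B' line lists the IDs the secret is bound to, with
    '%any' as a wildcard. The secret can serve this exchange only if both ends match."""
    return all(addr in ids or "%any" in ids for addr in (local, peer))


def triage(log_text):
    """Walk the log in order, tracking which connection descriptions and PSK entries
    pluto currently has loaded, and attach that state to every Main Mode failure."""
    conns = set()   # connection descriptions currently loaded
    psks = []       # id lists from 'loaded PSK secret for ...' lines since the last reload
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg == "forgetting secrets":
            psks = []
        elif (p := PSK_RE.match(msg)):
            psks.append(p.group("ids").split())
        elif (a := ADDED_RE.match(msg)):
            conns.add(a.group("name"))
        elif (d := DELETED_RE.match(msg)):
            conns.discard(d.group("name"))
        elif (f := NOCONN_RE.match(msg)):
            local, peer = f.group("local"), f.group("peer")
            failures.append({
                "ts": ts,
                "policy": f.group("policy"),
                "local": local,
                "peer": peer,
                "conns_loaded": sorted(conns),
                "psk_covers_peer": any(psk_covers(ids, local, peer) for ids in psks),
            })
    return failures


def summarize(failures):
    """Reduce the failure list to the facts worth posting back to the thread."""
    if not failures:
        return {"failures": 0}
    peers = Counter(f["peer"] for f in failures)
    # Failures seen while a connection AND a PSK covering the peer were both loaded
    # cannot be explained by a missing or mismatched key: pluto simply found no
    # connection for this (local, peer) address pair, so the gateway addresses, any
    # NAT between the peers and which side initiates are the things to compare next.
    with_conn_and_psk = [f for f in failures if f["conns_loaded"] and f["psk_covers_peer"]]
    return {
        "failures": len(failures),
        "first_failure": failures[0]["ts"],
        "peers": dict(peers),
        "failures_with_conn_and_psk_loaded": len(with_conn_and_psk),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(summarize(triage(SAMPLE_LOG)))
```

On the posted log this reports the first failure at 08:14:41, while the connection was still deleted (the expected state between disabling and re-enabling it), and two further failures after both the connection description and a PSK entry covering the peer had been reloaded. Feed it the full 60-line capture by replacing SAMPLE_LOG with the file contents; the Vendor ID noise lines fall through the regexes untouched.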
  • I was able to figure it out by changing the gateway from 'Respond Only' to 'Initiate connection'. Not sure why, but that seemed to fix it. Thanks for your replies.

  • Both the Sophos and Sonicwall techs should have known that the other reason for such a Main Mode message failure is that the message is "signed" with the IP of the interface and the receiving side checks that the IP is the same as the one from which the message came.

    Cheers - Bob
