
Site-to-Site VPN between UTM9 and Ubiquiti Unifi Security Gateway

Hi folks,

I'm not able to establish a site-to-site IPSec connection between UTM9 (BO) and my USG (HO).

The USG is able to handle the following properties:

IKEv1, AES-256, SHA1

The Diffie-Hellman group is adjustable.

The last error message at the UTM9 was:

packet from :500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Does anyone have an idea which properties I must use to get the connection working?

Regards,

Philipp
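A NO_PROPOSAL_CHOSEN notify in IKEv1 Main Mode means the responder found no transform in the initiator's proposal that it was willing to accept: the encryption algorithm, hash and Diffie-Hellman group all have to line up in a single transform. The following is an added example, not part of Philipp's post or of any Sophos or Ubiquiti code, that models that selection so the mismatched attribute can be named. The USG side is taken from the capabilities stated above (AES-256, SHA1, adjustable DH group); the UTM policies, `Transform`, `choose_proposal` and `explain_mismatch` are this example's own assumptions for illustration.

```python
"""Added example (not from the thread): model IKEv1 Phase 1 proposal
selection to see why a responder answers NO_PROPOSAL_CHOSEN.

Assumed policies: USG = AES-256 / SHA1 / DH group 14 (thread: IKEv1,
AES-256, SHA1, adjustable group); the UTM policies below are guesses.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Transform:
    enc: str       # e.g. "aes256"
    hash: str      # e.g. "sha1", "sha256"
    dh_group: int  # MODP group number, e.g. 2, 5, 14


def expand_policy(encs: Iterable[str], hashes: Iterable[str], groups: Iterable[int]) -> List[Transform]:
    """IKEv1 offers one transform per algorithm combination; list order is
    the initiator's preference order."""
    return [Transform(e, h, g) for e, h, g in product(encs, hashes, groups)]


def choose_proposal(initiator: List[Transform], responder: List[Transform]) -> Optional[Transform]:
    """Responder accepts the first initiator transform that is also in its
    own policy. None is what the NO_PROPOSAL_CHOSEN notify reports."""
    acceptable = set(responder)
    for t in initiator:
        if t in acceptable:
            return t
    return None


def explain_mismatch(initiator: List[Transform], responder: List[Transform]) -> Dict[str, dict]:
    """Per-attribute overlap, to point at the setting that needs changing."""
    report = {}
    for attr in ("enc", "hash", "dh_group"):
        offered = {getattr(t, attr) for t in initiator}
        accepted = {getattr(t, attr) for t in responder}
        report[attr] = {
            "offered": sorted(offered),
            "accepted": sorted(accepted),
            "overlap": sorted(offered & accepted),
        }
    return report


# Constructed policies (assumptions, see module docstring).
USG_POLICY = expand_policy(["aes256"], ["sha1"], [14])
UTM_STRICT = expand_policy(["aes256"], ["sha256"], [14])          # no common hash
UTM_COMPAT = expand_policy(["aes256"], ["sha256", "sha1"], [14, 5])  # SHA1 added as fallback

if __name__ == "__main__":
    print(choose_proposal(UTM_STRICT, USG_POLICY))                 # None
    print(explain_mismatch(UTM_STRICT, USG_POLICY)["hash"])        # overlap: []
    print(choose_proposal(UTM_COMPAT, USG_POLICY))                 # aes256 / sha1 / 14
```

Two caveats for anyone applying this to a real UTM/USG pair: the same matching happens again in Quick Mode for the ESP transforms and the PFS group, so a NO_PROPOSAL_CHOSEN can also come after Phase 1 succeeds; and when both ends support it, SHA2 is the better choice for IKE integrity, so SHA1 should be added only as the fallback the peer actually needs.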

  • OK, I got the tunnel working. The connection is established.

    But I can't access hosts in the foreign network.

    Must I set a static route to the foreign network? 

    In the firewall there are no entries for the VPN destination while I'm testing.

  • Hello Philipp and welcome to the UTM Community!

    Please show a picture of the Edits of your IPsec Connection and your Remote Gateway.  Also, say if DPD and NAT-T are enabled on both sides.  Static Routing doesn't work inside an IPsec tunnel - it only works when the tunnel is bound to the interface.

    Are you saying that the Firewall log doesn't show any lines where an IP in your BO LAN was blocked from reaching an IP in the HO LAN?

    Do we know that the hosts in the HO have the other IPsec endpoint as their default gateway?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, 

    my UTM9 config:


    Config home office (Ubiquiti USG3):

    The VPN type is IPSec (not shown in the screenshots)

    Both gateways are directly attached to the internet, without NAT.

    Thanks in advance

    Philipp

  • First some comments about how to build a configuration that fits better with the "culture" around this tool, Philipp.  Firewall rule #5 has no effect since WebAdmin builds that rule implicitly and the implicit rule is considered before your manual rule (see #2 in Rulz).  If you select 'Automatic firewall rules' in the IPsec Connection, rules #6 and #7 become likewise redundant.

    Since you say you have an established connection, I assume the following questions are answered "yes" ...  We can't see if DPD and NAT-T are enabled on both sides - are they?  We can see the Phase 1 settings for the other side, but not the IKE SA and IPsec SA lifetimes - do those correspond to the Policy chosen in WebAdmin?

    At the top of the other configuration, we see "! //192.168.178.178:8443" - what does that represent?  This makes me think that there's an error in the definition of the local subnet in the Ubiquiti.  If that's not it, do the following in the UTM:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through any error or the end of the establishment of the tunnel.

    Cheers - Bob

  • Hi Bob,

    the IP shown in the black screenshots "192.168.178.178:8443" is the controller software of my Ubiquiti Security Gateway at my home office. 192.168.178.0/24 is my subnet at home.

    Company subnet where the UTM9 is running: 192.168.2.0/24

    I can't configure the IKE SA and IPsec SA lifetimes in my UniFi Security Gateway.
    But they should be the ones which I configured in the UTM9.

    Thanks! 

    Philipp

    Live Log:

    2018:07:06-08:42:04 vpn pluto[4084]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2018:07:06-08:42:04 vpn pluto[4084]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2018:07:06-08:42:04 vpn pluto[4084]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2018:07:06-08:42:04 vpn pluto[4084]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2018:07:06-08:42:04 vpn pluto[4084]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2018:07:06-08:42:04 vpn pluto[4084]: Changing to directory '/etc/ipsec.d/crls'
    2018:07:06-08:42:04 vpn pluto[4084]: "S_Mageo.IT": deleting connection
    2018:07:06-08:42:04 vpn pluto[4084]: "S_Mageo.IT" #513: deleting state (STATE_QUICK_R2)
    2018:07:06-08:42:04 vpn pluto[4084]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Mageo.IT" address="217.92.166.123" local_net="192.168.2.0/24" remote_net="192.168.178.0/24"
    2018:07:06-08:42:04 vpn pluto[4084]: "S_Mageo.IT" #509: deleting state (STATE_MAIN_I4)
    2018:07:06-08:42:37 vpn pluto[4084]: forgetting secrets
    2018:07:06-08:42:37 vpn pluto[4084]: loading secrets from "/etc/ipsec.secrets"
    2018:07:06-08:42:37 vpn pluto[4084]: loaded PSK secret for 217.92.166.123 213.164.82.2
    2018:07:06-08:42:37 vpn pluto[4084]: loaded PSK secret for 217.92.166.123 37.24.37.86
    2018:07:06-08:42:37 vpn pluto[4084]: listening for IKE messages
    2018:07:06-08:42:37 vpn pluto[4084]: forgetting secrets
    2018:07:06-08:42:37 vpn pluto[4084]: loading secrets from "/etc/ipsec.secrets"
    2018:07:06-08:42:37 vpn pluto[4084]: loaded PSK secret for 217.92.166.123 213.164.82.2
    2018:07:06-08:42:37 vpn pluto[4084]: loaded PSK secret for 217.92.166.123 37.24.37.86
    2018:07:06-08:42:37 vpn pluto[4084]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2018:07:06-08:42:37 vpn pluto[4084]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2018:07:06-08:42:37 vpn pluto[4084]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2018:07:06-08:42:37 vpn pluto[4084]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2018:07:06-08:42:37 vpn pluto[4084]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2018:07:06-08:42:37 vpn pluto[4084]: Changing to directory '/etc/ipsec.d/crls'
    2018:07:06-08:42:37 vpn pluto[4084]: added connection description "S_Mageo.IT"
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: initiating Main Mode
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: received Vendor ID payload [XAUTH]
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: received Vendor ID payload [Dead Peer Detection]
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: received Vendor ID payload [RFC 3947]
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: enabling possible NAT-traversal with method 3
    2018:07:06-08:42:37 vpn pluto[4084]: "S_Mageo.IT" #514: NAT-Traversal: Result using RFC 3947: no NAT detected
    2018:07:06-08:42:38 vpn pluto[4084]: "S_Mageo.IT" #514: Peer ID is ID_IPV4_ADDR: '37.24.37.86'
    2018:07:06-08:42:38 vpn pluto[4084]: "S_Mageo.IT" #514: ISAKMP SA established
    2018:07:06-08:42:38 vpn pluto[4084]: "S_Mageo.IT" #515: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#514}
    2018:07:06-08:42:38 vpn pluto[4084]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Mageo.IT" address="217.92.166.123" local_net="192.168.2.0/24" remote_net="192.168.178.0/24"
    2018:07:06-08:42:38 vpn pluto[4084]: "S_Mageo.IT" #515: sent QI2, IPsec SA established {ESP=>0xcac7f93d <0x0972fcaf DPD}
  • That log looks like everything is fine, Philipp.

    I'm still concerned about the routes the UTM and the Ubiquiti are building.  You said, "the IP shown in the black screenshots "192.168.178.178:8443" is the controller software of my Ubiquiti Security Gateway at my home office. 192.168.178.0/24 is my subnet at home."  Are you sure that the Ubiquiti has 192.168.178.0/24?

    Cheers - Bob

  • Hi Bob,

    sure!

    My subnet at home is 192.168.178.0/24
    The controller software (Ubiquiti CloudKey) = 192.168.178.178

    The Security Gateway LAN Port = 192.168.178.10
    The Security Gateway WAN Port = 37.24.37.86

    cheers

  • I still think the issue is in the Ubiquiti because it complains "! //192.168.178.178:8443" at the top of both screens.  To completely rule out the UTM as the source of the problem, do #2 in Rulz.

    Cheers - Bob

  • Hi Bob,

    Yesterday I troubleshot the issue with Ubiquiti Support and we found the cause!

    The Sophos does not support dynamic routing!

    After turning dynamic routing off, traffic is being routed and everything works.

    Disgusting...

    So, this thread is solved!

    cheers

    Philipp

  • In fact, Philipp, the UTM does support OSPF, and it works well.  In this case, I agree that the simplest solution was to disable it on the Ubiquiti for this connection.

    Cheers - Bob
