
Problems Sophos UTM9 IPsec to Juniper

Hi,

We have an existing IPsec VPN from our Sophos to a customer with a Juniper device. Now we have moved to a new location and also have a new provider (Vodafone). I changed the WAN IP where possible, and contacted our customer because they also needed to change my WAN IP. Somehow it doesn't work anymore.

Our logfile says: NO_PROPOSAL_CHOSEN. On the Juniper side we get that there's no IKE ID sent from the Sophos device.

The policies are identical; I tried in the advanced settings to enable/disable DPD and also NAT-T, no success.

We have no idea what can be wrong.

See the logfile of the Sophos below.



2021:02:19-15:54:36 bic_term_srv pluto[11501]: | *received whack message
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | from whack: got --esp=aes256-sha2_256;modp2048
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | esp proposal: AES_CBC_256/HMAC_SHA2_256, _128; pfsgroup=MODP_2048;
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | from whack: got --ike=aes256-sha2_256-modp2048
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ike proposal: AES_CBC_256/HMAC_SHA2_256/MODP_2048,
2021:02:19-15:54:36 bic_term_srv pluto[11501]: added connection description "S_REF_IpsSitDhlapsecvp_0"
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | 10.11.12.0/24===93.117.220.27[93.117.220.27]...165.72.209.21[165.72.209.21]===198.141.240.0/22
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | next event EVENT_REINIT_SECRET in 3600 seconds
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | *received whack message
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | creating state object #1 at 0x9d50ce8
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ICOOKIE:  85 44 6b 2b  6c 4e 68 af
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | RCOOKIE:  00 00 00 00  00 00 00 00
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | peer:  a5 48 d1 15
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | state hash entry 27
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | Queuing pending Quick Mode with 165.72.209.21 "S_REF_IpsSitDhlapsecvp_0"
2021:02:19-15:54:36 bic_term_srv pluto[11501]: "S_REF_IpsSitDhlapsecvp_0" #1: initiating Main Mode
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | **emit ISAKMP Message:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    initiator cookie:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   85 44 6b 2b  6c 4e 68 af
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    responder cookie:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   00 00 00 00  00 00 00 00
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_SA
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    ISAKMP version: ISAKMP Version 1.0
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    exchange type: ISAKMP_XCHG_IDPROT
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    flags: none
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    message ID:  00 00 00 00
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***emit ISAKMP Security Association Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_VID
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    DOI: ISAKMP_DOI_IPSEC
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ****emit IPsec DOI SIT:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ike proposal: AES_CBC_256/HMAC_SHA2_256/MODP_2048,
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ****emit ISAKMP Proposal Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_NONE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    proposal number: 0
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    protocol ID: PROTO_ISAKMP
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    SPI size: 0
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    number of transforms: 1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | *****emit ISAKMP Transform Payload (ISAKMP):
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_NONE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    transform number: 0
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    transform ID: KEY_IKE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_LIFE_TYPE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [1 is OAKLEY_LIFE_SECONDS]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting 4 raw bytes of long attribute value into ISAKMP Oakley attribute
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | long attribute value
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   00 01 51 80
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Oakley attribute: 4
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 7
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [7 is AES_CBC]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_HASH_ALGORITHM
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 4
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [4 is HMAC_SHA2_256]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_KEY_LENGTH
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 256
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [1 is pre-shared key]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ******emit ISAKMP Oakley attribute:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_GROUP_DESCRIPTION
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 14
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [14 is MODP_2048]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Transform Payload (ISAKMP): 40
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Proposal Payload: 48
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Security Association Payload: 60
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | out_vendorid(): sending [strongSwan]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***emit ISAKMP Vendor ID Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_VID
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | V_ID  88 2f e5 6d  6f d2 0d bc  22 51 61 3b  2e be 5b eb
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Vendor ID Payload: 20
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | out_vendorid(): sending [Cisco-Unity]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***emit ISAKMP Vendor ID Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_VID
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | V_ID  12 f5 f2 8c  45 71 68 a9  70 2d 9f e2  74 cc 01 00
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Vendor ID Payload: 20
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | out_vendorid(): sending [XAUTH]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***emit ISAKMP Vendor ID Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_VID
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | V_ID  09 00 26 89  df d6 b7 12
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Vendor ID Payload: 12
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | out_vendorid(): sending [Dead Peer Detection]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***emit ISAKMP Vendor ID Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_NONE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | V_ID  af ca d7 13  68 a1 f1 c9  6b 86 96 fc  77 57 01 00
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Vendor ID Payload: 20
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | emitting length of ISAKMP Message: 160
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | *received whack message
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | *received 102 bytes from 165.72.209.21:500 on eth1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | **parse ISAKMP Message:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    initiator cookie:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   85 44 6b 2b  6c 4e 68 af
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    responder cookie:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   90 63 2e 18  f1 a7 58 9d
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_N
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    ISAKMP version: ISAKMP Version 1.0
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    exchange type: ISAKMP_XCHG_INFO
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    flags: none
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    message ID:  c9 8c d7 4b
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length: 102
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ICOOKIE:  85 44 6b 2b  6c 4e 68 af
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | RCOOKIE:  90 63 2e 18  f1 a7 58 9d
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | peer:  a5 48 d1 15
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | state hash entry 11
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | state object not found
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | ***parse ISAKMP Notification Payload:
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    next payload type: ISAKMP_NEXT_NONE
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length: 74
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    DOI: ISAKMP_DOI_IPSEC
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    protocol ID: 1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    SPI size: 16
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    Notify Message Type: NO_PROPOSAL_CHOSEN
2021:02:19-15:54:36 bic_term_srv pluto[11501]: packet from 165.72.209.21:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Hope someone has any ideas.

Regards, Dominique
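
As an added illustration (not code from the thread, from Sophos or from Juniper), here is a small Python parser that reduces a pluto debug log like the one above to the Phase 1 attributes the UTM offered and the notifications it received back, and flags a NO_PROPOSAL_CHOSEN that arrives as an unprotected informational message before any IKE SA exists. The sample input is an excerpt of the log posted above; the function names are my own, and the "check the peer's Phase 1 policy against the offer" finding is the comparison a reviewer would make, not a statement about what was wrong in this case.

```python
import re

# Excerpt of the pluto (IKEv1) debug log posted in the thread, trimmed to the
# lines this parser consumes and embedded here as sample input.
SAMPLE_LOG = """\
2021:02:19-15:54:36 bic_term_srv pluto[11501]: "S_REF_IpsSitDhlapsecvp_0" #1: initiating Main Mode
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    exchange type: ISAKMP_XCHG_IDPROT
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_LIFE_DURATION (variable length)
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | long attribute value
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |   00 01 51 80
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 7
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [7 is AES_CBC]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_HASH_ALGORITHM
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 4
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [4 is HMAC_SHA2_256]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_KEY_LENGTH
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 256
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 1
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [1 is pre-shared key]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    af+type: OAKLEY_GROUP_DESCRIPTION
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    length/value: 14
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |     [14 is MODP_2048]
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    exchange type: ISAKMP_XCHG_INFO
2021:02:19-15:54:36 bic_term_srv pluto[11501]: | state object not found
2021:02:19-15:54:36 bic_term_srv pluto[11501]: |    Notify Message Type: NO_PROPOSAL_CHOSEN
2021:02:19-15:54:36 bic_term_srv pluto[11501]: packet from 165.72.209.21:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

PLUTO = re.compile(r"^\S+ \S+ pluto\[\d+\]: (?P<msg>.*)$")
ATTR_TYPE = re.compile(r"^af\+type: (?P<name>\w+)")
ATTR_VALUE = re.compile(r"^length/value: (?P<value>\d+)")
ATTR_LABEL = re.compile(r"^\[\d+ is (?P<label>[^\]]+)\]")
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}\s*)+$")
INITIATE = re.compile(r'^"(?P<conn>[^"]+)" #\d+: initiating (?P<mode>\w+) Mode')
NOTIFY = re.compile(r"^Notify Message Type: (?P<type>\w+)")
PACKET_FROM = re.compile(r"^packet from (?P<peer>[\d.]+):\d+: .*type (?P<type>\w+)")


def parse_pluto_log(text):
    # Reduce a pluto debug log to the Phase 1 offer sent and the notifications received.
    s = {"connection": None, "mode": None, "oakley": {}, "notifications": []}
    attr, expect_hex, exchange, state_found = None, False, None, None
    for line in text.splitlines():
        m = PLUTO.match(line)
        if not m:
            continue
        msg = m.group("msg")
        body = (msg[1:] if msg.startswith("|") else msg).strip()  # drop the "| " debug marker
        if expect_hex and HEX_LINE.match(body):
            # variable-length attribute emitted as raw big-endian bytes (00 01 51 80 -> 86400)
            s["oakley"][attr] = int.from_bytes(bytes.fromhex(body.replace(" ", "")), "big")
            expect_hex = False
        elif (m := INITIATE.match(body)):
            s["connection"], s["mode"] = m.group("conn"), m.group("mode")
        elif body.startswith("exchange type: "):
            exchange = body.split(": ", 1)[1]
        elif body == "state object not found":
            state_found = False
        elif (m := ATTR_TYPE.match(body)):
            attr = m.group("name")
        elif (m := ATTR_VALUE.match(body)) and attr:
            s["oakley"][attr] = int(m.group("value"))
        elif (m := ATTR_LABEL.match(body)) and attr:
            s["oakley"][attr] = m.group("label")  # symbolic name replaces the raw number
        elif body == "long attribute value":
            expect_hex = True
        elif (m := NOTIFY.match(body)):
            s["notifications"].append({"type": m.group("type"), "exchange": exchange,
                                       "state_found": state_found, "peer": None})
        elif (m := PACKET_FROM.match(body)) and s["notifications"]:
            last = s["notifications"][-1]  # the summary line follows the parsed notify
            if last["type"] == m.group("type"):
                last["peer"] = m.group("peer")
    return s


def diagnose(s):
    # Return review findings (strings) derived from the parsed log.
    o = s["oakley"]
    offered = "{}/{} {} {} {} life={}s".format(
        o.get("OAKLEY_ENCRYPTION_ALGORITHM"), o.get("OAKLEY_KEY_LENGTH"), o.get("OAKLEY_HASH_ALGORITHM"),
        o.get("OAKLEY_GROUP_DESCRIPTION"), o.get("OAKLEY_AUTHENTICATION_METHOD"), o.get("OAKLEY_LIFE_DURATION"))
    findings = []
    for n in s["notifications"]:
        # An informational NO_PROPOSAL_CHOSEN matching no state object arrived before the
        # responder answered Main Mode message 1, i.e. before any IKE SA existed.
        if n["type"] == "NO_PROPOSAL_CHOSEN" and n["exchange"] == "ISAKMP_XCHG_INFO" \
                and n["state_found"] is False:
            findings.append(f"{n['peer']} rejected the {s['mode']} Mode offer for "
                            f"'{s['connection']}' with an unprotected NO_PROPOSAL_CHOSEN; "
                            f"check its Phase 1 policy against: {offered}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pluto_log(SAMPLE_LOG)):
        print(finding)
```

The parser decodes the lifetime from the raw attribute bytes (00 01 51 80 is 86400 seconds), so the summary lists every Phase 1 parameter the peer has to accept: cipher and key length, hash, DH group, authentication method and lifetime. Because the notify is unauthenticated at this stage, it says only that the responder did not accept the offer, not which attribute it objected to; that comparison has to be made on the peer's configuration.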



  • Hello,

    what did you set as "VPN-ID" on the Sophos side?

    Or, better, could you post your config with screenshots?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Dear Philipp,

    Below the IPsec connection.

    The remote gateway, where we tried different VPN IDs, also hostname, but nothing works.

    IPsec Advanced, where we also tried to enter a VPN ID hostname.

    Regards,

  • I would then concentrate on the remote side (Juniper):

    Remote IKE IDs and Site-to-Site VPNs

    For site-to-site VPNs, the remote peer’s IKE ID can be the IP address of the egress network interface card, a loopback address, a hostname, or a manually configured IKE ID, depending on the configuration of the peer device.

    By default, SRX Series devices expect the remote peer’s IKE ID to be the IP address configured with the set security ike gateway gateway-name address configuration. If the remote peer’s IKE ID is a different value, you need to configure the remote-identity statement at the [edit security ike gateway gateway-name] hierarchy level.

    For example, an IKE gateway on the SRX Series devices is configured with the set security ike gateway remote-gateway address 203.0.113.1 command. However, the IKE ID sent by the remote peer is host.example.net. There is a mismatch between what the SRX Series device expects for the remote peer’s IKE ID (203.0.113.1) and the actual IKE ID (host.example.net) sent by the peer. In this case, IKE ID validation fails. Use the set security ike gateway remote-gateway remote-identity hostname host.example.net to match the IKE ID received from the remote peer.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Dear Philipp,

    thanks for your reply, but no matter what kind of ID we choose, the Juniper says it's not receiving any IKE ID, it's blank. That's the problem.

  • Please put the new IP Address in there:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • We tried the IP from the VPN peer, but in Juniper it's blank.

  • OH, that's wrong, you need to put YOUR IP here. It's your ID you are sending.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • I made a dump file and the IKE ID is not there, it just doesn't send the ID, even though I entered one in the config. Very strange.

    Regards,

  • Hoi Dominique and welcome to the UTM Community!

    In fact, the NO_PROPOSAL_CHOSEN message is normal, so we can't see the problem in the log lines you posted.

    I've never seen a problem here that required having debug enabled in IPsec.  On the contrary, debug just makes finding the problem harder.

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob
    PS: Is either the Juniper or your UTM behind a NATting router?

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Philipp and Bob,

    I tried everything. We have another UTM9, so I changed the VPN to the second UTM with its WAN: same problem. Then I made an IPsec between the 2 UTM firewalls, works like a charm. Built everything back to the way it should be. Suddenly we get error messages in the log, not seen before. I put in the PSK again, same as before, and it works.

    Pretty sure the problem was on the Juniper side, but we don't manage that; they say they didn't change anything.... strange times.

    Thanks for the support! Much appreciated.
