
VPN tunnel between UTM and USG issue

Hello guys,

Trying to get a IPSec tunnel between our HO UTM and a USG we got for testing. Currently have it on my home network, seeing if I can get a IPSec tunnel going.

In logs, I keep getting: "MyWANIP":500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

As far as I can tell, everything seems to be okay. Here's what I have configured on the UTM:

On the USG side, here is what is configured:

I think I might need a fresh set of eyes on this, I can't figure out the issue. I was initially thinking it might have been ports 4500 and 500 being blocked, but can't see any entries on the firewall log pointing to that. We also have L2TP over IPSec enabled, with users remoting in. The above message is what shows up on the IPSec VPN log for the UTM that relates to my home WAN IP.

Thank you



  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    As mentioned USG is connected to your home network right now. Have you added a port forwarding rule for UDP port 500/4500 on the gateway device(router/modem) to USG?

    Please share IPsec log events of UTM here or via PM.

    Login to shell and run below command.

    utm:/root # tail -f /var/log/ipsec.log | grep -i "ToUSGShane"

  • Hi Yash,

    Thank you for your response. I've got ports 500 and 4500 forwarded to the IP of the USG on my home network. I was testing tunnels with pfSense earlier in the week, and have changed the IP it forwards to, to where the USG sits on my home network now.

    Running the tail command has come up blank, so I disabled and re-enabled the site-to-site rule, and it spat out the following:

    2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0": deleting connection
    2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #222: deleting state (STATE_MAIN_I1)
    2021:03:18-10:25:22 utm1-2 pluto[28625]: "S_REF_IpsSitTousgshane_0": deleting connection
    2021:03:18-10:25:23 utm1-1 pluto[14631]: added connection description "S_REF_IpsSitTousgshane_0"
    2021:03:18-10:25:23 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #225: initiating Main Mode
    2021:03:18-10:25:24 utm1-2 pluto[28625]: added connection description "S_REF_IpsSitTousgshane_0"

    The only other place I can think of with logs that relate to this is on the UI under Logging and Reporting, and the IPsec logs. However, the only thing that shows there that relates to the tunnel I'm trying to create is what's in the above.

    2021:03:18-10:33:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:33:53 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:34:33 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:35:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

    It's really odd and I'm out of ideas.
    Thanks
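The pluto lines posted above are easier to reason about once they are split into per-SA events and peer notifications. The following is an added example (not code from the thread or from Sophos) that parses lines in that format, counts NO_PROPOSAL_CHOSEN notifications per peer, records the last state each connection reached, and maps the combination onto the IKEv1 phase that failed. The sample log is a constructed copy of the poster's lines, with the "HomeWANIP" placeholder kept as written; the regular expressions and the `diagnose` wording are my own assumptions about the log shape, not a Sophos API.

```python
import re
from collections import Counter

# Constructed sample in the shape of the pluto lines posted in the thread; the
# placeholder "HomeWANIP" is kept exactly as the poster wrote it.
SAMPLE_LOG = """\
2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0": deleting connection
2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #222: deleting state (STATE_MAIN_I1)
2021:03:18-10:25:23 utm1-1 pluto[14631]: added connection description "S_REF_IpsSitTousgshane_0"
2021:03:18-10:25:23 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #225: initiating Main Mode
2021:03:18-10:33:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2021:03:18-10:33:53 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# Outer pluto line: timestamp, host, "pluto[pid]:", then a free-text message.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Per-SA message: "CONNECTION" #N: text
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
# Informational notify received from a peer address:port.
NOTIFY_RE = re.compile(
    r'^packet from (?P<peer>.+?):(?P<port>\d+): ignoring informational payload, type (?P<ntype>\S+)$')


def parse_pluto(text):
    """Return one dict per pluto line, tagged as 'state', 'notify' or 'other'."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a pluto line (or a different daemon); skip it
        rec = m.groupdict()
        s = STATE_RE.match(rec["msg"])
        n = NOTIFY_RE.match(rec["msg"])
        if s:
            rec["kind"] = "state"
            rec.update(s.groupdict())
        elif n:
            rec["kind"] = "notify"
            rec.update(n.groupdict())
        else:
            rec["kind"] = "other"
        records.append(rec)
    return records


def summarize(text):
    """Count notifies per (peer, type) and keep the last per-SA event seen for each connection."""
    notifies = Counter()
    last_event = {}
    for rec in parse_pluto(text):
        if rec["kind"] == "notify":
            notifies[(rec["peer"], rec["ntype"])] += 1
        elif rec["kind"] == "state":
            last_event[rec["conn"]] = rec["text"]
    return {"notifies": dict(notifies), "last_event": last_event}


def diagnose(text):
    """Turn the summary into a one-line statement of which IKEv1 phase failed."""
    s = summarize(text)
    got_npc = any(ntype == "NO_PROPOSAL_CHOSEN" for (_, ntype) in s["notifies"])
    stuck_phase1 = any("Main Mode" in ev or "STATE_MAIN_I" in ev
                       for ev in s["last_event"].values())
    if got_npc and stuck_phase1:
        return ("phase 1 never completed: the responder answered Main Mode with NO_PROPOSAL_CHOSEN, "
                "i.e. it found no IKE proposal or no connection entry matching this peer; compare the "
                "phase 1 policy (cipher, hash, DH group, lifetime) and the identities both sides present "
                "(a peer behind NAT usually identifies itself with its private address).")
    if got_npc:
        return ("NO_PROPOSAL_CHOSEN received after phase 1: check the phase 2 (IPsec) policy "
                "and the local/remote networks.")
    return "no proposal rejection in this log excerpt"


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG))
```

On a UTM the same parser can be fed from `tail -f /var/log/ipsec.log` line by line; the useful point is that a NO_PROPOSAL_CHOSEN arriving while the connection is still at "initiating Main Mode" places the failure in phase 1, before any pre-shared key or phase 2 settings are even compared.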
  • FormerMember
    0 FormerMember in reply to Davroc Ltd

    Is NAT-T enabled at USG end?

    Can you please take a packet capture on HomeWANIP and share it via PM. I'd like to check the payload information received from USG.

    Follow the steps mentioned in the article below to capture packets.

    support.sophos.com/.../KB-000038909

    =================================================

    You can also check the log messages on USG router by executing below command.

    # swanctl --log

    help.ui.com/.../360002668854

  • Hi and welcome to the UTM Community!

    The parts of the IPsec log that you're showing give no indication of the issue unless the connection attempt failed right after "initiating Main Mode." That would indicate that either the UTM and/or the USG is behind a NATting router. If that is the case, which?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    Yeah, what I got from the live logs seems pretty vague and not very informative.

    The USG is behind my home router at the moment, a Virgin Media supplied standard box, the VMDG505 I believe.

    If it has the ability, are you suggesting making DNAT rules on it for external traffic over ports 4500 and 500 be "translated", sent to the IP of the USG?

    The UTM is the main gateway at the office, any NAT-ing it does will be to itself? -- If that makes sense?  

  • Hello,

    so far we know this:

    at the USG end you have a router with one end having a public IP and a private transfer-net to the "external" USG-interface.

    The easiest setup would be to send any packet that arrives at your router from external to the interface of the USG. This is normally called an "exposed host" or "DMZ". Try to set this up with your router and report back. Only DNAT is not sufficient.

    Background info: besides UDP ports 500 and 4500 you need a separate protocol called ESP (this is IP protocol 50, not a "port"!).

    The other end has a Sophos SG with public IP direct at its external interface, right?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
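The distinction drawn above between port forwards and an exposed host comes down to how a consumer NAT router handles unsolicited inbound packets: a port-based DNAT rule can match UDP 500 and 4500, but raw ESP (IP protocol 50) carries an SPI rather than ports, so no port forward ever matches it. The following is an added example (not code from the thread, from Sophos or from Ubiquiti) with a deliberately small model of that behaviour; the `HomeRouter` class and the flow names are my own constructions, and the inside address 192.168.0.59 is the one the thread later reports for the USG. It also models the NAT-T case, where both peers detect the NAT and carry ESP inside UDP 4500, which is why UDP-only forwarding can be enough when NAT-T is negotiated on both ends.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

ESP_PROTOCOL = 50  # IP protocol number of ESP; it has an SPI, not ports


@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "esp"
    dport: Optional[int]  # None for ESP, which has no transport-layer port


@dataclass
class HomeRouter:
    """Toy model (constructed for this example) of a consumer NAT router."""
    usg_address: str                                   # private address of the USG's WAN port
    port_forwards: Set[Tuple[str, int]] = field(default_factory=set)  # {("udp", 500), ...}
    exposed_host: bool = False                         # "DMZ"/exposed host: all unmatched inbound goes inside

    def deliver_inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inside address an unsolicited packet is sent to, or None if the router drops it."""
        if pkt.proto in ("udp", "tcp") and (pkt.proto, pkt.dport) in self.port_forwards:
            return self.usg_address
        if self.exposed_host:
            return self.usg_address  # no port match needed: ESP reaches the USG as well
        return None  # ESP cannot match a port rule, and nothing else applies: dropped


def ipsec_inbound_flows(nat_t: bool) -> List[Tuple[str, Packet]]:
    """Unsolicited packets an IPsec peer must accept: IKE on UDP 500, then either
    NAT-T (IKE and UDP-encapsulated ESP on 4500) or raw ESP when NAT-T is not used."""
    flows = [("ike udp/500", Packet("udp", 500))]
    if nat_t:
        flows.append(("nat-t udp/4500", Packet("udp", 4500)))
    else:
        flows.append(("esp proto/50", Packet("esp", None)))
    return flows


def blocked_flows(router: HomeRouter, nat_t: bool) -> List[str]:
    """Names of the IPsec flows this router would drop before they reach the USG."""
    return [name for name, pkt in ipsec_inbound_flows(nat_t)
            if router.deliver_inbound(pkt) is None]


if __name__ == "__main__":
    forwards_only = HomeRouter("192.168.0.59", {("udp", 500), ("udp", 4500)})
    dmz = HomeRouter("192.168.0.59", exposed_host=True)
    print("port forwards, no NAT-T:", blocked_flows(forwards_only, nat_t=False))
    print("port forwards, NAT-T:   ", blocked_flows(forwards_only, nat_t=True))
    print("exposed host, no NAT-T: ", blocked_flows(dmz, nat_t=False))
```

The model is intentionally one-sided: it only decides whether an inbound packet is delivered, not whether the tunnel negotiates. Even with every flow delivered, the USG behind NAT still presents its private address as its IKE identity, which is the separate "VPN ID" matter the thread resolves later.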

    Hi jprusch,

    Yes, so the USG end, I have my home router in front, then the USG attached as a LAN device onto that.

    I'll try adding it onto a DMZ since the home router allows me to create one.

    The Office end, there is a UTM that is the main gateway with multiple external IP addresses, one of which is being used for this testing.

    Not too sure on allowing Protocol 50, how it's done?

  • Hi Guys,

    Quick update, I have managed to get the tunnel up.

    As suggested by @jprusch the USG is now on a DMZ on my home network.

    The "Local WAN IP" on the USG is now 192.168.0.59, which is its WAN IP that it got assigned from my main home router.

    The "Peer WAN IP" is the main IP; since we have a /28 subnet of external IPs at work, I set it to be the first one.

    On the UTM, in "Remote Gateways", I set the "VPN ID (optional)" to be 192.168.0.59 and that seemed to get the tunnel up.

    Now, I got another couple of issues, which I assume and hope will be something simple.

    Connections seem to work from the USG to the UTM, but not the other way round.

    Thanks guys, really appreciated.

  • FormerMember
    +1 FormerMember in reply to Davroc Ltd

    As mentioned, you put another machine in the USG network and verified that the communication is working both ways.

    (+) IPSec tunnel from UTM to USG only working one way - VPN: Site to Site and Remote Access - UTM Firewall - Sophos Community