
VPN tunnel between UTM and USG issue

Hello guys,

Trying to get an IPSec tunnel between our HO UTM and a USG we got for testing. Currently have it on my home network, seeing if I can get an IPSec tunnel going.

In logs, I keep getting: "MyWANIP":500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

As far as I can tell, everything seems to be okay. Here's what I have configured on the UTM:

On the USG side, here is what is configured:

I think I might need a fresh set of eyes on this, I can't figure out the issue. I was initially thinking it might have been ports 4500 and 500 being blocked, but can't see any entries on the firewall log pointing to that. We also have L2TP over IPSec enabled, with users remoting in. The above message is what shows up on the IPSec VPN log for the UTM that relates to my home WAN IP.

Thank you



  • FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    As mentioned, the USG is connected to your home network right now. Have you added a port forwarding rule for UDP port 500/4500 on the gateway device (router/modem) to the USG?

    Please share IPsec log events of UTM here or via PM.

    Log in to the shell and run the command below.

    utm:/root # tail -f /var/log/ipsec.log | grep -i "ToUSGShane"

  • Hi Yash,

    Thank you for your response. I've got ports 500 and 4500 forwarded to the IP of the USG on my home network. I was testing tunnels with pfSense earlier in the week, and have changed the IP it forwards to, to where the USG sits on my home network now.

    Running the tail command has come up blank, so I disabled and re-enabled the site-to-site rule, and it spat out the following:

    2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0": deleting connection
    2021:03:18-10:25:21 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #222: deleting state (STATE_MAIN_I1)
    2021:03:18-10:25:22 utm1-2 pluto[28625]: "S_REF_IpsSitTousgshane_0": deleting connection
    2021:03:18-10:25:23 utm1-1 pluto[14631]: added connection description "S_REF_IpsSitTousgshane_0"
    2021:03:18-10:25:23 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #225: initiating Main Mode
    2021:03:18-10:25:24 utm1-2 pluto[28625]: added connection description "S_REF_IpsSitTousgshane_0"

    The only other place I can think of with logs that relate to this is in the UI under Logging & Reporting, in the IPSec logs. However, the only thing that shows there that relates to the tunnel I'm trying to create is what's above.

    2021:03:18-10:33:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:33:53 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:34:33 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2021:03:18-10:35:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

    It's really odd and I'm out of ideas.

    Thanks
  • FormerMember (in reply to Davroc Ltd)

    Is NAT-T enabled at USG end?

    Can you please take a packet capture on HomeWANIP and share it via PM. I'd like to check the payload information received from USG.

    Follow the steps mentioned in the article below to capture packets.

    support.sophos.com/.../KB-000038909

    =================================================

    You can also check the log messages on the USG router by executing the command below.

    # swanctl --log

    help.ui.com/.../360002668854

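As an added example (not from the thread, Sophos or Ubiquiti), a small Python triage over pluto log lines in the format posted above: it tracks each connection's state transitions, counts NO_PROPOSAL_CHOSEN notifies per peer, and reports whether the rejection happened in Phase 1 (the connection never got past STATE_MAIN_I1, i.e. the responder rejected every IKE SA transform offered in the first Main Mode message) or in Phase 2 (Quick Mode). The sample log is constructed from the thread's lines with its HomeWANIP placeholder; the verdict names and the state-to-phase mapping are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the pluto (IKEv1) lines posted in the thread.
# HomeWANIP is the thread's placeholder, not a real address.
SAMPLE_LOG = """\
2021:03:18-10:25:23 utm1-1 pluto[14631]: added connection description "S_REF_IpsSitTousgshane_0"
2021:03:18-10:25:23 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #225: initiating Main Mode
2021:03:18-10:33:13 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2021:03:18-10:33:53 utm1-1 pluto[14631]: packet from HomeWANIP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2021:03:18-10:35:13 utm1-1 pluto[14631]: "S_REF_IpsSitTousgshane_0" #225: deleting state (STATE_MAIN_I1)
"""

PLUTO_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<event>.*)$')
NOTIFY_RE = re.compile(r'^packet from (?P<peer>[^:]+):(?P<port>\d+): '
                       r'ignoring informational payload, type (?P<notify>\w+)$')

def parse_pluto_log(text):
    """Return per-connection state info and a Counter of (peer, notify) pairs."""
    conns, notifies = {}, Counter()
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue                      # not a pluto line; ignore
        msg = m.group('msg')
        c = CONN_RE.match(msg)
        if c:
            ev = conns.setdefault(c.group('conn'), {'initiated': False, 'last_state': None})
            if c.group('event').startswith('initiating Main Mode'):
                ev['initiated'] = True   # UTM is the initiator and sent MI1 (its SA proposals)
            st = re.search(r'\((STATE_\w+)\)', c.group('event'))
            if st:
                ev['last_state'] = st.group(1)
            continue
        n = NOTIFY_RE.match(msg)
        if n:                             # pluto logs peer notifies without the connection name
            notifies[(n.group('peer'), n.group('notify'))] += 1
    return conns, notifies

def diagnose(text):
    """Assumed verdict mapping: NO_PROPOSAL_CHOSEN while stuck in MAIN_I1 means
    the responder accepted none of the Phase 1 (IKE SA) proposals; in a QUICK
    state it means the Phase 2 (ESP) proposals were rejected instead."""
    conns, notifies = parse_pluto_log(text)
    rejected = sum(v for (_, ntype), v in notifies.items() if ntype == 'NO_PROPOSAL_CHOSEN')
    verdicts = {}
    for name, ev in conns.items():
        state = ev['last_state'] or ''
        if not (ev['initiated'] and rejected):
            verdicts[name] = 'no_proposal_rejection_seen'
        elif state in ('', 'STATE_MAIN_I1'):
            verdicts[name] = 'phase1_proposal_mismatch'   # check IKE enc/hash/DH group/auth on both ends
        elif state.startswith('STATE_QUICK'):
            verdicts[name] = 'phase2_proposal_mismatch'   # check ESP enc/auth, PFS group, lifetimes
        else:
            verdicts[name] = 'proposal_rejected_at_' + state
    return verdicts
```

For the thread's log this yields `phase1_proposal_mismatch`, which is why the IPsec (Phase 2) settings are not yet in play and the IKE policy on the USG is the first thing to compare against the UTM's.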