VPN tunnel between UTM and USG issue

Question

Hello guys, 
 Trying to get a IPSec tunnel between our HO UTM and a USG we got for testing. Currently have it on my home network, seeing if I can get a IPSec tunnel going. 
 In logs, I keep getting: "MyWANIP" :500: ignoring informational payload, type NO_PROPOSAL_CHOSEN 
 As far as I can tell, everything seems to be okay. Here's what I have configured on the UTM:

On the USG side, here is what is configured:

I think I might need a fresh set of eyes on this, I can't figure out the issue. I was initially thinking it might have been ports 4500 and 500 being blocked, but can't see any entries on the firewall log pointing to that. We also have L2TP over IPSec enabled, with users remoting in. The above message is what shows up on the IPSec VPN log for the UTM that relates to my home WAN IP. 
 
 Thank you

PhilippRusch · Accepted Answer

Hello, 
 so far we know this: 
 at the USG end you have a router with one end having a public IP and a private transfer-net to the "external" USG-interface. 
 The easiest setup would be to send any packet that arrives at your router from external to the interface of the USG. This is normally called an "exposed host" or "DMZ". Try to set this up with your router an report back. Only DNAT is not sufficient. 
 Background info besides UPD ports 500 and 4500 you need a separate protocol called ESP (this is protocol 50, not "port"!). 
 The other end has a Sophos SG with public IP direct at its external interface, right?

FormerMember · Answer

As mentioned, you put another machine in the USG network and verified that the communication is working both ways. 
 (+) IPSec tunnel from UTM to USG only working one way - VPN: Site to Site and Remote Access - UTM Firewall - Sophos Community

VPN tunnel between UTM and USG issue

Top Replies