
What's the standard procedure for implementing a policy-based IPsec connection between Azure and Sophos UTM v9.601-5?

Hi,

 

The main purpose of this question is to filter and find the most recent and working solution for implementing a virtual network gateway between Azure and Sophos UTM, because I have been following multiple guides with similar configurations and yet I haven't had any success so far.

Guides followed:

 

Currently, without much experience on Sophos UTM and following the first and second guide, I was able to have a connection working between our networks, but the connection is always dropping, so my main question would be: how could I find a more recent and working guide for setting up one or multiple gateways between Azure and Sophos UTM?


Thanks in advance.

 



This thread was automatically locked due to age.
  • Bumping this one - having the exact same issue. Trying to set up an IPSEC Site to Site VPN between my On-Prem environment behind an SG230 and Microsoft Azure. Followed those latest guides to the letter and every suggestion I could find on these forums and all I am getting is:

    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
    2019:05:02-10:47:42 FW-SG230 pluto[8360]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
     
    Tried setting it to Respond Only (and changed the Azure end to match etc) and exactly the same messages. Tried playing with Policy settings other people have said worked for them in other threads here - same results. Tried Probing of Pre-Shared Keys. Tried enabling NAT Traversal. Just keep getting the same message: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

    Any clues, tips or hints are greatly appreciated - as usual ;) 
  • If you followed https://community.sophos.com/kb/en-us/126995 exactly, it should work.  I would definitely select Probing and NAT-T and use an "Initiate connection" Remote Gateway.  You do have a public IP on the UTM - right?  Please show a picture of the Edit of the IPsec Policy you're using.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

     

    Currently we have a stable connection between Azure regarding HTTP, HTTPS and SSH transfer, but we also have an unstable RDP connection, which is currently terrible (drops 1/2 times every 60 seconds).

    Our current ipsec policy is the same provided on the guide:

     

     

    Regarding the public IP, yes, we have multiple connections across the globe, but currently, since we have some servers on Azure, we are facing some issues regarding this matter.

  • Cheers for the Reply Bob ;)

    I have followed it to the letter (before experimenting with other suggestions).

     



    And adding IPSEC Logs without Debug and with:

    2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[667]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[667]: no default route - cannot cope with %defaultroute!!!
    2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2019:05:03-11:08:27 KYA-FW-SG230 ipsec_starter[676]: pluto (685) started after 20 ms
    2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: including NAT-Traversal patch (Version 0.6c)
    2019:05:03-11:08:27 KYA-FW-SG230 pluto[685]: Using Linux 2.6 IPsec interface code
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: Changing to directory '/etc/ipsec.d/crls'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp0/ppp0 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp0/ppp0 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp1/ppp1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface ppp1/ppp1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface br0/br0 10.0.50.253:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface br0/br0 10.0.50.253:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth2/eth2 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth1/eth1 x.x.x.x:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth0/eth0 10.0.10.250:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface eth0/eth0 10.0.10.250:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo 127.0.0.1:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo 127.0.0.1:4500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: adding interface lo/lo ::1:500
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loading secrets from "/etc/ipsec.secrets"
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: loaded PSK secret for x.x.x.x x.x.x.x
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: listening for IKE messages
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: added connection description "S_mydomain to Azure Cloud"
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: "S_mydomain to Azure Cloud" #1: initiating Main Mode
    2019:05:03-11:08:28 KYA-FW-SG230 pluto[685]: added connection description "S_mydomain to Azure Cloud"
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
    2019:05:03-11:09:45 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
    2019:05:03-11:09:46 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
    2019:05:03-11:09:47 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: ignoring Vendor ID payload [IKE CGA version 1]
    2019:05:03-11:09:50 KYA-FW-SG230 pluto[685]: packet from x.x.x.x:500: initial Main Mode message received on x.x.x.x:500 but no connection has been authorized with policy=PSK

     

    8880.IPSEC with Debug.txt
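Added example, not from any poster in this thread: a small Python triage helper for the `no connection has been authorized with policy=PSK` line in the logs above. It correlates each rejection with the interfaces and PSK pairs pluto reported at startup; the sample log is constructed with documentation-range addresses, and the hints are heuristics that assume the two addresses on the `loaded PSK secret for` line are the local and peer endpoints, in that order.

```python
import re
from collections import Counter

# Constructed sample in the format of the pluto lines quoted in the thread.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
2019:05:03-11:08:28 fw pluto[685]: adding interface ppp0/ppp0 198.51.100.10:500
2019:05:03-11:08:28 fw pluto[685]: adding interface eth1/eth1 198.51.100.20:500
2019:05:03-11:08:28 fw pluto[685]: loaded PSK secret for 198.51.100.10 203.0.113.5
2019:05:03-11:08:28 fw pluto[685]: "S_site to Azure" #1: initiating Main Mode
2019:05:03-11:09:45 fw pluto[685]: packet from 203.0.113.5:500: initial Main Mode message received on 198.51.100.20:500 but no connection has been authorized with policy=PSK
2019:05:03-11:09:46 fw pluto[685]: packet from 203.0.113.5:500: initial Main Mode message received on 198.51.100.20:500 but no connection has been authorized with policy=PSK
"""

IFACE = re.compile(r"adding interface (\S+)/\S+ (\S+):500$")
# Assumption: the pair is logged as "<local> <peer>".
PSK = re.compile(r"loaded PSK secret for (\S+) (\S+)$")
REJECT = re.compile(
    r"packet from (\S+):\d+: initial Main Mode message received on "
    r"(\S+):\d+ but no connection has been authorized with policy=(\S+)")

def triage(log_text):
    """Group rejected Main Mode messages by (local, peer) and attach a hint."""
    ifaces, psk_pairs, rejects = {}, set(), Counter()
    for line in log_text.splitlines():
        if m := IFACE.search(line):
            ifaces[m.group(2)] = m.group(1)           # address -> interface
        elif m := PSK.search(line):
            psk_pairs.add((m.group(1), m.group(2)))
        elif m := REJECT.search(line):
            rejects[(m.group(2), m.group(1), m.group(3))] += 1
    findings = []
    for (local, peer, policy), count in rejects.items():
        if (local, peer) in psk_pairs:
            hint = "addresses match a loaded PSK pair; compare policy and auth type"
        elif any(p == peer for _, p in psk_pairs):
            hint = "peer has a PSK, but for a different local address"
        else:
            hint = "no PSK loaded for this peer"
        findings.append({"local": local, "iface": ifaces.get(local, "unknown"),
                         "peer": peer, "policy": policy,
                         "count": count, "hint": hint})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the helper reports two rejections arriving on `eth1` while the only PSK pair is bound to the `ppp0` address, which is the kind of mismatch worth ruling out on a UTM with several WAN interfaces.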

     

  • Maybe we need IKEv2 on Sophos SG? ;)

     

    Marco

  • I can only guess that the PSKs don't match.

    This configuration avoids using IKEv2.

    Cheers - Bob

     
  • Reporting back in - after a long weekend here ...

    I have an IPSEC Connection up and running successfully and it seems to be stable (so far). I decided to delete all of the IPSEC components on the SG and re-enter them all and it worked. Nothing was different as far as I could see ... my current config is identical to the screenshots posted above. Ah well, at least it is working now ;)

    Now I just get to start working on having traffic pass from the VM I created in Azure on its network (10.100.0.x/24) hit my On-Prem server vLAN 10 (10.0.10.x/24) and vice versa ;) 

    Cheers for the Assist Bob ;) 

  • And you have stable RDP connections after that? I might just try right now and report back in a few minutes.