
ipsec site-2-site tunnel between sophos utm 9 and libreswan

I have to create a tunnel between our sophos utm 9 and a remote linux libreswan.

Here is a table with the proposal from the remote site (libreswan on the left) and the setting I tried to match on our side (Sophos on the right).


libreswan (remote side)            sophos utm 9 (our side)
public IP address 195.x.x.x        created an IPsec remote gateway:
                                     type: initiate connection
                                     gateway: used the 195.x.x.x address
                                     auth type: preshared key
                                     key: same key used on both sites
remote subnet 10.x.x.x             added the subnet to the gateway's "Remote networks" list
our subnet 192.168.x.x             our subnet in the IPsec Connection entry under "Local networks",
                                   where also:
                                     automatic firewall rules are OFF - I need to define those later
                                     strict routing is OFF


Phase 1:
o Mode: main
o Encrypt Algorithm: AES256
o Hash Algorithm: SHA256
o IKE Version: Version 1
o Diffie-Hellman Group: Group 5
o Lifetime (sec): 86400

Phase 2:
o Protocol: EAP
o Encrypt Algorithm: AES256
o Hash Algorithm: SHA256
o Perfect Forward Secrecy: Enable
o Diffie-Hellman Group: Group 5
o Lifetime (sec): 43200

Created IPsec Policy...

IKE encryption algorithm: AES 256
IKE authentication algorithm: SHA2 256
IKE SA lifetime: 86400
IKE DH group: Group 5: MODP 1536

IPsec encryption algorithm: AES 256
IPsec authentication algorithm: SHA2 256
IPsec SA lifetime: 43200
IPsec PFS group: Group 5: MODP 1536

Strict policy: disabled
Compression: disabled

I don't know whether the parameters
"mode: main"
"IKE version"
"Protocol: EAP"
are relevant and/or can be matched to a setting in Sophos.


That is the best match of the proposal I could do on our side, but it doesn't work.

The global status on the "Site-to-site VPN" page for this tunnel says:
"XXX Tunnel [0 of X IPsec SAs established]"

Is there any libreswan setting that looks incompatible with utm 9 ipsec?
Should I rather ask the remote site to change a setting in their libreswan configuration?
What would be the best strategy to find a reasonable compromise for IPsec settings?
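For reference, this is what the proposal listed above looks like as a libreswan connection definition. It is an added illustration, not the configuration of either side in this thread: the addresses, subnet masks, connection name, file name and key are placeholders, and phase 2 is assumed to be ESP (libreswan's default).

```conf
# Added illustration: /etc/ipsec.d/sophos-utm.conf on the libreswan side.
# Algorithms and lifetimes mirror the proposal in the post; endpoints are placeholders.
conn sophos-utm
    type=tunnel
    authby=secret                  # pre-shared key, kept in /etc/ipsec.secrets (below)
    ikev2=no                       # IKE version 1; main mode is libreswan's default
    # Phase 1: AES256 / SHA256 / DH group 5 (MODP 1536), lifetime 86400 s
    ike=aes256-sha2_256;modp1536
    ikelifetime=86400s
    # Phase 2: ESP with AES256 / SHA256, PFS with group 5, lifetime 43200 s
    phase2=esp
    esp=aes256-sha2_256;modp1536
    pfs=yes
    salifetime=43200s
    compress=no                    # matches "Compression: disabled" in the Sophos policy
    # Dead Peer Detection: tear down and rebuild a stale SA instead of keeping it
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # Endpoints (placeholders standing in for 195.x.x.x / 10.x.x.x / 192.168.x.x)
    left=198.51.100.1              # libreswan public IP
    leftsubnet=10.0.0.0/24         # LAN behind libreswan (mask is a placeholder)
    right=203.0.113.1              # Sophos UTM public IP
    rightsubnet=192.168.1.0/24     # LAN behind the UTM (mask is a placeholder)
    auto=start                     # use auto=add if only the Sophos side should initiate

# /etc/ipsec.secrets (placeholder key; must be identical to the one on the UTM)
# 198.51.100.1 203.0.113.1 : PSK "replace-with-the-shared-key"
```

After `ipsec auto --add sophos-utm` and `ipsec auto --up sophos-utm`, `ipsec status` shows whether the phase 1 and phase 2 SAs came up, which is the quickest way to see which proposal the two sides disagree on. Group 5 and IKEv1 are what the remote side proposed; current guidance prefers IKEv2 and DH group 14 or stronger where both ends support it.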



  • That looks good to me, Chris.  Do you have DPD and NAT-T enabled on both ends?

    To improve the odds of someone being able to help, post a relevant extract of the IPsec log:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Thank you for your quick answer. Actually, on the next day, at the beginning of the next configuration session, the admin of the other site "restarted" his service and the VPN tunnel went online immediately. The settings were pretty right in Sophos.

    One interesting fact we noticed: even though the tunnel was up and the firewall rules on both sides were configured, I was not able to ping any of his servers. He had to do the first ping to my Sophos gateway's subnet address. After that, it seems the routes had been configured and a ping in both directions was possible.

    Could it be that I should select one of the IPsec options like "strict routing" or "bind to ..."?

  • "No" to your last question, Chris.  Look at the Help for that page to see what those options do.

    Pinging is regulated on the 'ICMP' tab of 'Firewall'.  Enabling pinging there creates firewall Allow rules that take precedence over any that you create manually.  See #2 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA