I have to create a tunnel between our Sophos UTM 9 and a remote Linux libreswan.
Here is a table with the proposal from the remote site (libreswan on the left) and the settings I tried to match on our side (Sophos on the right):
| libreswan | Sophos UTM 9 |
|---|---|
| Public IP address 195.x.x.x | Created an IPsec remote gateway... type: initiate connection; gateway: used the 195.x.x.x address; auth type: preshared key; key: same key used on both sites |
| Remote subnet 10.x.x.x; our subnet 192.168.x.x | Added the subnet to the gateway's remote networks list and our subnet in the IPsec connection entry under "Local networks", where automatic firewall rules are also OFF (I need to define those later); strict routing is OFF |
| Phase 1: mode: main; encrypt algorithm: AES256; hash algorithm: SHA256; IKE version: version 1; Diffie-Hellman group: group 5; lifetime (sec): 86400. Phase 2: protocol: EAP; encrypt algorithm: AES256; hash algorithm: SHA256; perfect forward secrecy: enabled; Diffie-Hellman group: group 5; lifetime (sec): 43200 | Created an IPsec policy... IKE encryption algorithm: AES 256; IKE authentication algorithm: SHA2 256; IKE SA lifetime: 86400; IKE DH group: Group 5: MODP 1536; IPsec encryption algorithm: AES 256; IPsec authentication algorithm: SHA2 256; IPsec SA lifetime: 43200; IPsec PFS group: Group 5: MODP 1536; strict policy: disabled; compression: disabled. I don't know if the parameters "mode: main", "IKE version" and "Protocol: EAP" are relevant and/or can be matched to a setting in Sophos |
That is the best match of the proposal I could do on our side, but it doesn't work.
The global status on the "Site-to-site VPN" page for this tunnel says:
"XXX Tunnel [0 of X IPsec SAs established"
Is there any libreswan setting that looks incompatible with UTM 9 IPsec?
Should I rather ask the remote site to change a setting in their libreswan configuration?
What would be the best strategy to find a reasonable compromise for IPsec settings?
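As an added example (not part of the original post and not the remote site's actual configuration), this is the libreswan connection stanza that expresses the proposal from the table above, so both sides can compare their parameters line by line. All addresses, subnet masks and the connection name are placeholders, and it assumes the phase 2 protocol is ESP and that the peer stays on IKEv1 main mode with a preshared key.

```conf
# /etc/ipsec.conf on the libreswan side (added example; addresses are placeholders)
config setup
    # libreswan 5.x drops IKEv1 requests by default; this keyword re-enables
    # IKEv1 (assumption: the peer cannot move to IKEv2). Not needed on older
    # releases where IKEv1 is still accepted by default.
    ikev1-policy=accept

conn sophos-utm9
    type=tunnel
    # IKE version 1, main mode (not aggressive), preshared key authentication
    keyexchange=ike
    ikev2=no
    aggrmode=no
    authby=secret
    # libreswan side: public IP 195.x.x.x and subnet 10.x.x.x from the post
    left=195.0.0.1
    leftsubnet=10.0.0.0/24
    # Sophos UTM 9 side: public IP and local network 192.168.x.x (placeholders)
    right=203.0.113.1
    rightsubnet=192.168.1.0/24
    # Phase 1: AES-256, SHA-256, DH group 5 (MODP 1536), lifetime 86400 s
    ike=aes256-sha2_256;modp1536
    ikelifetime=86400s
    # Phase 2: ESP, AES-256, SHA-256, PFS with DH group 5, lifetime 43200 s
    phase2=esp
    phase2alg=aes256-sha2_256;modp1536
    pfs=yes
    salifetime=43200s
    auto=start

# /etc/ipsec.secrets (same PSK on both sites; placeholder value):
#   195.0.0.1 203.0.113.1 : PSK "replace-with-the-shared-secret"
#
# To see which proposal the UTM rejects, bring the tunnel up by hand with
# "ipsec auto --up sophos-utm9" and read the NO_PROPOSAL_CHOSEN or
# INVALID_ID_INFORMATION notifications in the libreswan log.
```

On the Sophos side the matching items are the IKE/IPsec algorithm and lifetime fields listed in the table; a single differing value (for example the DH group or an SA lifetime) is enough to keep the status at 0 IPsec SAs established.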