Site to Site VPN issues between UTM and XG firewalls

Hello all,

I am rather new to Sophos and am trying to get a site-to-site IPsec VPN working. It seems as though the tunnel comes up, but I cannot seem to get data to traverse the tunnel. I have gotten the firewall rules set up; however, I keep getting the same messages in the IPSec VPN event log.

2022:03:07-13:18:05 hq-utm-01 pluto[7633]: packet from 66.XXX.XXX.237:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2022:03:07-13:18:45 hq-utm-01 pluto[7633]: "S_secondary" #26: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2022:03:07-13:18:45 hq-utm-01 pluto[7633]: "S_secondary" #26: starting keying attempt 14 of an unlimited number
2022:03:07-13:18:45 hq-utm-01 pluto[7633]: "S_secondary" #27: initiating Main Mode to replace #26
2022:03:07-13:18:45 hq-utm-01 pluto[7633]: packet from 66.XXX.XXX.237:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Anyone have any thoughts on this?
Thanks!


  • As an update, the following just came into the event log:

    2022:03:07-13:55:53 hq-utm-01 pluto[7633]: "S_secondary" #31: responding to Main Mode
    2022:03:07-13:55:53 hq-utm-01 pluto[7633]: "S_secondary" #31: NAT-Traversal: Result using RFC 3947: no NAT detected
    2022:03:07-13:55:53 hq-utm-01 pluto[7633]: "S_secondary" #31: Peer ID is ID_IPV4_ADDR: '66.XXX.XXX.237'
    2022:03:07-13:55:53 hq-utm-01 pluto[7633]: "S_secondary" #31: Dead Peer Detection (RFC 3706) enabled
    2022:03:07-13:55:53 hq-utm-01 pluto[7633]: "S_secondary" #31: sent MR3, ISAKMP SA established
    2022:03:07-13:56:03 hq-utm-01 pluto[7633]: "S_secondary" #12: received Delete SA payload: deleting ISAKMP State #12
    Not sure what is going on.
  • Hi Scott and welcome to the UTM Community!

    Please insert pictures of the Edits of the IPsec Connection and Remote Gateway.

    Also, confirm that the NAT-T and DPD settings are identical on both devices and that the PreShared Key is the same on both sides.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for the reply. Forgive me, but where do I find the NAT-T and DPD settings to make sure they are correct?

    Thank you!

    Scott

  • This is the UTM-side:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • And that's the XG-side:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.