UTM9 VPN to AWS not working anymore

Good evening everyone,
I'm asking here because it looks like I have to pay to open a ticket in the Sophos portal, even though I have a subscription.

For a very long time we had a site-to-site VPN with AWS; this stopped working a few days ago.
I've tried to recreate the VPN from scratch without any success; in the logs I see this recurring error:

2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #193: starting keying attempt 6 of an unlimited number
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #193 {using isakmp#182}
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: our client ID returned doesn't match my proposal
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: sending encrypted notification INVALID_ID_INFORMATION to xxx.xxx.xxx.xxx:4500
2024:09:20-14:36:36 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #182: ignoring informational payload, type PAYLOAD_MALFORMED
2024:09:20-14:36:56 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #182: ignoring informational payload, type PAYLOAD_MALFORMED
2024:09:20-14:37:36 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

And the IKE phase 2 fails.

System details are:
Model: SG115
Subscriptions: Base Functionality, Network Protection, Wireless Protection
Current firmware version: 9.719-3
Current pattern version: 245109

Is this a known issue?
Thank you very much for any hint.
_

Fabio
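An added example, not code from the original post or from Sophos or AWS: a small Python classifier that parses pluto log lines of the shape quoted above, records that the ISAKMP SA is already in use (so IKE Phase 1 succeeded and the failure is confined to Quick Mode), and maps the Phase 2 messages to the most likely cause. The embedded log lines are constructed from the ones in the thread with the peer address replaced by the placeholder 203.0.113.10; the finding names and advice strings are my own, not pluto output.

```python
"""Classify IKEv1 Phase 2 (Quick Mode) failures from Sophos UTM 9 pluto log lines.

Added example for the thread above; not Sophos or AWS code. The sample lines are
constructed from the post, with the peer IP replaced by a documentation address.
"""
import re
from collections import Counter

# One pluto line: 'YYYY:MM:DD-HH:MM:SS host pluto[pid]: "conn" #sa: message'
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of')
# Quick Mode runs under an existing ISAKMP SA: seeing this means Phase 1 is up.
QUICK_RE = re.compile(r'initiating Quick Mode \S+(?: to replace #\d+)? \{using isakmp#(\d+)\}')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')

# Substring -> finding. First match wins per line; names are this example's own.
SIGNATURES = (
    ("our client ID returned doesn't match my proposal", "phase2_id_mismatch"),
    ("INVALID_ID_INFORMATION", "phase2_id_mismatch"),
    ("NO_PROPOSAL_CHOSEN", "phase2_no_proposal_chosen"),
    ("No acceptable response to our first Quick Mode message", "phase2_no_response"),
    ("PAYLOAD_MALFORMED", "phase2_payload_malformed"),
)
# Most specific cause first: a selector mismatch explains the later timeout.
PRIORITY = ("phase2_id_mismatch", "phase2_no_proposal_chosen",
            "phase2_no_response", "phase2_payload_malformed")
ADVICE = {
    "phase2_id_mismatch": "Peer returned different IPsec IDs (traffic selectors) than we "
                          "proposed: compare local/remote networks with the peer; a "
                          "route-based AWS tunnel expects 0.0.0.0/0 on both sides.",
    "phase2_no_proposal_chosen": "Peer rejected every ESP proposal: align encryption, "
                                 "integrity and PFS group with what the peer supports.",
    "phase2_no_response": "Quick Mode timed out without an acceptable answer: usually a "
                          "consequence of an ID mismatch, otherwise check ESP/PFS settings.",
    "phase2_payload_malformed": "Peer could not parse our Quick Mode message on the ISAKMP "
                                "SA; often a side effect of the ID mismatch.",
}

# Constructed sample: the lines from the post, peer address replaced by 203.0.113.10.
SAMPLE_LOG = """\
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #193: starting keying attempt 6 of an unlimited number
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #193 {using isakmp#182}
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: our client ID returned doesn't match my proposal
2024:09:20-14:36:26 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500
2024:09:20-14:36:36 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #182: ignoring informational payload, type PAYLOAD_MALFORMED
2024:09:20-14:36:56 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #182: ignoring informational payload, type PAYLOAD_MALFORMED
2024:09:20-14:37:36 remote pluto[13853]: "S_REF_IpsAmaVpn0176f51_0" #194: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
""".splitlines()


def parse_pluto(lines):
    """Yield parsed events; lines without a connection name and SA number are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "conn": m["conn"], "sa": int(m["sa"]), "msg": m["msg"]}


def diagnose(lines):
    """Group events per connection and record which SA failed, where, and with what signature."""
    report = {}
    for ev in parse_pluto(lines):
        r = report.setdefault(ev["conn"], {
            "isakmp_sa": None, "quick_sa": None, "attempt": 0,
            "retransmit_state": None, "findings": Counter(),
        })
        msg = ev["msg"]
        if m := ATTEMPT_RE.search(msg):
            r["attempt"] = int(m[1])
        if m := QUICK_RE.search(msg):
            r["isakmp_sa"], r["quick_sa"] = int(m[1]), ev["sa"]
        if m := RETRANS_RE.search(msg):
            r["retransmit_state"] = m[2]
        for needle, finding in SIGNATURES:
            if needle in msg:
                r["findings"][finding] += 1
                break
    return report


def verdict(entry):
    """Return (phase, finding, advice) for one connection's report entry."""
    phase = "phase2" if entry["isakmp_sa"] is not None else "phase1_or_unknown"
    for finding in PRIORITY:
        if entry["findings"].get(finding):
            return phase, finding, ADVICE[finding]
    return phase, "none", "No known Quick Mode failure signature in the supplied lines."


if __name__ == "__main__":
    for conn, entry in diagnose(SAMPLE_LOG).items():
        phase, finding, advice = verdict(entry)
        print(f"{conn}: ISAKMP SA #{entry['isakmp_sa']} in use, Quick Mode SA "
              f"#{entry['quick_sa']} failed at keying attempt {entry['attempt']} "
              f"in {entry['retransmit_state']}")
        print(f"  {phase} / {finding}: {advice}")
```

Run it against a copy of the IPsec log (`diagnose(open("ipsec.log"))`) to get one verdict per connection. The design point is the ordering in `PRIORITY`: the retransmission timeout at the end of the burst is a symptom, so the classifier reports the earlier, more specific ID mismatch rather than the generic "perhaps peer likes no proposal" message that closes every failed attempt.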

  • Hi,

    maybe you have selected IPsec parameters which AWS no longer supports.

    Or the client ID (VPN ID ... possibly the IP address) doesn't match anymore.

    "our client ID returned doesn't match my proposal"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello, thank you very much for your reply.

    When I created the VPN tunnel on AWS I left everything at the defaults, and
    the configuration was exported from AWS and imported without errors into the Sophos firewall using an ad-hoc dialog.

    Once imported there's not much I can tweak to make it work.

    I've tried to configure the IPsec tunnel manually, but AWS does some internal dynamic routing with BGP over link-local addresses once the tunnel is up,
    so the manual IPsec configuration succeeds for the IKE part, but not for the routing.

    At the moment, as a workaround, I'm using a strongSwan server on an EC2 instance to route all traffic to AWS.
    I'll try again after dealing with some impending deadlines.

    Thank you again for your hint.

    My kindest regards,

    _
    Fabio