Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 38851 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-To-Site IPSEC VPN

AnthonyTEC
Hi Everyone, 

This is my first experience with Sophos on any level, however I've been working within the industry for quite some time with other similar products.

I'm currently attempting to set-up an IPSEC VPN between two sites.

NetworkA:
[HTML]
Range: 192.168.0.0 / 255.255.255.0
Gateway: 192.168.0.1 (Sophos UTM 9)

Connection:
Remote IPSec Gateway: InterSite Gateway
Local interface: External (WAN)
Policy: Intersite Policy
Local Networks: Internal (Network)
Automatic Firewall Rules: Yes
Strict Routing: No
Bind Tunnel to Local Interface: No

Remote Gateway
Name: InterSite Gateway
Gateway Type: Initiate
Gateway: Remote Gateway (External Static IP address of NetworkB)
Authentication Type: Preshared Key
Key: 
VPN ID type: IP Address
Remote Networks: Remote Network (IP subnet of NetworkB)

Policy
Name: Intersite Policy
IKE Encryption: 3DES
IKE Auth: MD5
SA Lifetime: 3600
DH Group: 2

IPSEC Encryption: 3DES
IPSEC Authentication: MD5
SA Lifetime: 3600
DH Group: DH2
Strict Policy: No
Compression: No[/HTML]

NetworkB:
[HTML]Range: 10.0.0.3 / 255.255.255.0
Gateway: 10.0.0.250 (TP-LINK W8960N)

Remote IPSEC Gateway: Network A External IP Address

Tunnel Access from Local IP Addresses: Subnet
IP Address for VPN: 10.0.0.0
IP Subnetmask: 255.255.255.0

Tunnel Access from Remote IP Addresses: Subnet
IP address for VPN: 192.168.0.0
IP Subnetmask: 255.255.255.0

Key Exchange Method: Auto (IKE)
Authentication method: Pre-Shared Key
Pre-SharedKey: 
Perfect Password Secrecy: Enabled

Phase 1
Mode: Main
My Identifier: Local WAN IP
Remote Identifier: Remote WAN IP
Encryption Algorithm: 3DES
Integrity Algorithm: MD5
DH Group: 1024bit
Key Life Time: 3600

Phase 2
Encryption Algorithm: 3DES
Integrity Algorithm: MD5
DH Group: 1024 bit
Key Life Time: 3600
[/HTML]

As you can see, both sites are configured exactly the same (except for remote IP's, etc obviously). However I'm receiving the following error on the NetworkB modem:

[HTML]racoon: INFO: unsupported PF_KEY message REGISTER [/HTML]

I'm hoping someone can give me a hand here as I've not idea what could be going wrong.

Cheers,
Anthony


This thread was automatically locked due to age.
Parents
  • 0
    I was able to somewhat resolve the issue, I found that port 500 was being forwarded for use by an old VPN. Once I disabled the port forward, each gateway was able to complete the phase 1 authentication.

    I am now however getting an error:

    [HTML]racoon: ERROR: pfkey DELETE received: ESP [500]->[500] spi=234491392(0xdfa0e00) [/HTML]

    Again, any help is appreciated.

    Cheers,
    Anthony
Reply
  • 0
    I was able to somewhat resolve the issue, I found that port 500 was being forwarded for use by an old VPN. Once I disabled the port forward, each gateway was able to complete the phase 1 authentication.

    I am now however getting an error:

    [HTML]racoon: ERROR: pfkey DELETE received: ESP [500]->[500] spi=234491392(0xdfa0e00) [/HTML]

    Again, any help is appreciated.

    Cheers,
    Anthony
Children
No Data
Unfiltered HTML