
Site-To-Site IPSEC VPN

Hi Everyone, 

This is my first experience with Sophos on any level, however I've been working within the industry for quite some time with other similar products.

I'm currently attempting to set-up an IPSEC VPN between two sites.

NetworkA:
Range: 192.168.0.0 / 255.255.255.0
Gateway: 192.168.0.1 (Sophos UTM 9)

Connection:
Remote IPSec Gateway: InterSite Gateway
Local interface: External (WAN)
Policy: Intersite Policy
Local Networks: Internal (Network)
Automatic Firewall Rules: Yes
Strict Routing: No
Bind Tunnel to Local Interface: No

Remote Gateway
Name: InterSite Gateway
Gateway Type: Initiate
Gateway: Remote Gateway (External Static IP address of NetworkB)
Authentication Type: Preshared Key
Key: 
VPN ID type: IP Address
Remote Networks: Remote Network (IP subnet of NetworkB)

Policy
Name: Intersite Policy
IKE Encryption: 3DES
IKE Auth: MD5
SA Lifetime: 3600
DH Group: 2

IPSEC Encryption: 3DES
IPSEC Authentication: MD5
SA Lifetime: 3600
DH Group: DH2
Strict Policy: No
Compression: No

NetworkB:
Range: 10.0.0.3 / 255.255.255.0
Gateway: 10.0.0.250 (TP-LINK W8960N)

Remote IPSEC Gateway: Network A External IP Address

Tunnel Access from Local IP Addresses: Subnet
IP Address for VPN: 10.0.0.0
IP Subnetmask: 255.255.255.0

Tunnel Access from Remote IP Addresses: Subnet
IP address for VPN: 192.168.0.0
IP Subnetmask: 255.255.255.0

Key Exchange Method: Auto (IKE)
Authentication method: Pre-Shared Key
Pre-SharedKey: 
Perfect Password Secrecy: Enabled

Phase 1
Mode: Main
My Identifier: Local WAN IP
Remote Identifier: Remote WAN IP
Encryption Algorithm: 3DES
Integrity Algorithm: MD5
DH Group: 1024bit
Key Life Time: 3600

Phase 2
Encryption Algorithm: 3DES
Integrity Algorithm: MD5
DH Group: 1024 bit
Key Life Time: 3600

As you can see, both sites are configured exactly the same (except for remote IPs, etc., obviously). However, I'm receiving the following error on the NetworkB modem:

racoon: INFO: unsupported PF_KEY message REGISTER

I'm hoping someone can give me a hand here as I've no idea what could be going wrong.

Cheers,
Anthony
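The two listings above spell the same proposal in vendor-specific terms (the UTM's "DH Group: 2" / "DH2" and the TP-LINK's "1024bit" are both the 1024-bit MODP group), so the first thing worth doing when a tunnel will not come up is to normalise both sides and compare them parameter by parameter, and at the same time note which of the agreed algorithms are below current strength. The following checker is an added example written for this thread; it is not Sophos, TP-LINK or racoon code, the function names are hypothetical, and the sample proposals and subnets are constructed from the values in the post. It goes slightly beyond the post by also flagging 3DES, MD5 and 1024-bit DH as weak choices and by checking that each side's "local" selector is the other side's "remote".

```python
import ipaddress

# Vendor spellings of the same Diffie-Hellman group, mapped to one name.
# Keys are lowercase with spaces removed (normalize() does that first).
DH_GROUP_ALIASES = {
    "1": "modp768", "dh1": "modp768", "768bit": "modp768",
    "2": "modp1024", "dh2": "modp1024", "1024bit": "modp1024",
    "5": "modp1536", "dh5": "modp1536", "1536bit": "modp1536",
    "14": "modp2048", "dh14": "modp2048", "2048bit": "modp2048",
}

# Cipher / integrity names as the two vendors tend to write them.
ALG_ALIASES = {
    "3des": "3des", "des3": "3des",
    "aes128": "aes128", "aes-128": "aes128",
    "aes256": "aes256", "aes-256": "aes256",
    "md5": "md5", "hmac-md5": "md5",
    "sha1": "sha1", "sha-1": "sha1",
    "sha256": "sha256", "sha-256": "sha256",
}

# Algorithms that still interoperate but no longer meet current guidance.
WEAK = {
    "3des": "64-bit block cipher with 112-bit effective key",
    "md5": "broken hash; prefer SHA-256 for integrity",
    "modp768": "768-bit DH group is far too small",
    "modp1024": "1024-bit DH group is below current minimums; prefer group 14 or ECDH",
}


def normalize(proposal):
    """Return a proposal dict with vendor names mapped to common names."""
    out = {}
    for key, value in proposal.items():
        value = str(value).strip().lower().replace(" ", "")
        if key == "dh":
            out[key] = DH_GROUP_ALIASES.get(value, value)
        elif key in ("enc", "auth"):
            out[key] = ALG_ALIASES.get(value, value)
        else:
            out[key] = value  # lifetime and anything else compared verbatim
    return out


def compare_phase(local, remote):
    """List human-readable mismatches; an empty list means the phase agrees."""
    a, b = normalize(local), normalize(remote)
    mismatches = []
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            mismatches.append(f"{key}: only configured on one side")
        elif a[key] != b[key]:
            mismatches.append(f"{key}: {a[key]} != {b[key]}")
    return mismatches


def weak_algorithms(proposal):
    """Map each weak algorithm in the proposal to the reason it is weak."""
    n = normalize(proposal)
    return {n[k]: WEAK[n[k]] for k in ("enc", "auth", "dh") if n.get(k) in WEAK}


def selectors_match(local_a, remote_a, local_b, remote_b):
    """True when A's local subnet is B's remote subnet and vice versa."""
    net = ipaddress.ip_network
    return net(local_a) == net(remote_b) and net(remote_a) == net(local_b)


# Constructed from the two listings in the post (hypothetical sample data).
UTM_PHASE1 = {"enc": "3DES", "auth": "MD5", "dh": "2", "lifetime": 3600}
UTM_PHASE2 = {"enc": "3DES", "auth": "MD5", "dh": "DH2", "lifetime": 3600}
TPLINK_PHASE1 = {"enc": "3DES", "auth": "MD5", "dh": "1024bit", "lifetime": 3600}
TPLINK_PHASE2 = {"enc": "3DES", "auth": "MD5", "dh": "1024 bit", "lifetime": 3600}

if __name__ == "__main__":
    for name, a, b in (("phase 1", UTM_PHASE1, TPLINK_PHASE1),
                       ("phase 2", UTM_PHASE2, TPLINK_PHASE2)):
        print(name, "mismatches:", compare_phase(a, b) or "none")
        print(name, "weak algorithms:", weak_algorithms(a))
    print("selectors consistent:",
          selectors_match("192.168.0.0/24", "10.0.0.0/24",
                          "10.0.0.0/24", "192.168.0.0/24"))
```

Run against the values in the post, both phases come back with no mismatches and the selectors are consistent, which supports the poster's observation that the two sides are configured the same; what the checker does flag is that every algorithm in the agreed suite (3DES, MD5, 1024-bit DH) is weak by today's standards, so once the tunnel is up, moving both peers to AES and SHA-256 with DH group 14 or better is the obvious follow-up.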


  • Racoon is the software which TP-Link like to have on their modems / routers.

    I've since learned that it's also used in smart phones, Anthony.

    sendto on eth1 to 110.142.xx.***:500 failed in main_outI1

    Are you behind a device that blocks that port - or does the device itself do so?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • > I've since learned that it's also used in smart phones, Anthony.

    Well you learn something new every day :)

    > Are you behind a device that blocks that port - or does the device itself do so?

    I don't believe that anything should be blocking it. I would have thought that ticking the "Automatic Firewall Rule" box should allow UTM to use the port.

    I will create a manual exception for UDP 500 and see how we go.

    Cheers,
    Anthony