
17.5.3 MR3 - creating an IPSec connection damages the configuration of the Sophos Connect server

I have a very serious problem with a router running the 17.5.3 MR3 firmware. Previously we configured dozens of IPSec site-to-site connections with a preshared key. All of them were created in earlier versions of the firmware and, after migration to 17.5, worked without any problems.

Unfortunately, now, at the moment I add a new IPSec connection with a preshared key, the configuration of the Sophos Connect server is corrupted. An attempt to establish a VPN connection with it ends with an "Incorrect pre-shared key" error. As I have checked, this effect only occurs with preshared keys; the same connection created using RSA keys does not cause errors.
The preshared key itself is 10 characters long and does not contain any special characters.

It does not help to generate a new configuration file in Sophos Connect and upload it to the client, nor to change the preshared key to another one on the router. The only solution is to restore the router configuration from backup.

What can I do about this? Is this a known bug in this firmware version? Would returning to the earlier version of the firmware help me?

  • One does not even need to create a new "normal" IPSec connection; just opening and saving an existing one is enough. This causes immediate damage to the preshared key on the Sophos Connect server. Very frustrating...

  • Hello Michal,


    Let me understand. You are saying a Sophos Connect Client policy using PSK is defined. Now you define a new IPsec connection (is this defined for S-2-S or Remote Access?) using PSK. At this point you are saying that PSK in Sophos Connect Client policy is also getting changed. That is one problem you are defining. At this point if you export the Sophos Connect Client policy and import it in Sophos Connect Client it will give an error?

    Please clarify so I can reproduce the problem and let you know tomorrow.



  • It is exactly as you wrote.

    1. I have a previously configured IPSec site-to-site test connection
    2. I edited the preshared key
    3. After saving the changes, the Sophos Connect connection stops working; the error "Received NO_PROPOSAL_CHOSEN notification from gateway" appears

    Below I paste a fragment of the SC client log:

    2019-03-27 10:50:55 AM 13 [CFG] added vici connection: IT
    2019-03-27 10:50:55 AM 12 [CFG] loaded IKE shared key with id 'IT-psk-id' for: '% any'
    2019-03-27 10:50:55 AM 15 [CFG] loaded EAP shared key with id 'IT-xauth-id' for: 'michal'
    2019-03-27 10:50:55 AM 08 [CFG] vici initiate 'IT-1'
    2019-03-27 10:50:55 AM 10 [IKE] <IT | 43> initiating Main Mode IKE_SA IT [43] is
    2019-03-27 10:50:55 AM 10 [ENC] <IT | 43> powers ID_PROT request 0 [SA V V V V V]
    2019-03-27 10:50:55 AM 10 [NET] <IT | 43> sending packet: from [53468] to [500] (180 bytes)
    2019-03-27 10:50:56 AM 13 [NET] <IT | 43> received packet: from [500] to [53468] (56 bytes)
    2019-03-27 10:50:56 AM 13 [ENC] <IT | 43> parsed INFORMATIONAL_V1 request 1696554400 [N (NO_PROP)]
    2019-03-27 10:50:56 AM 13 [IKE] <IT | 43> received NO_PROPOSAL_CHOSEN error notify
    2019-03-27 10:50:56 AM 09 [CFG] unloaded shared key with id 'IT-psk-id'
    2019-03-27 10:50:56 AM 10 [CFG] unloaded shared key with id 'IT-xauth-id'

    An earlier test of creating a completely new IPSec connection also ended with a Sophos Connect failure, only that the "Incorrect pre-shared key" message was displayed.
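The two failures described in this thread look alike from the client side but come from different stages of the IKEv1 exchange: a NO_PROPOSAL_CHOSEN notify is the gateway rejecting every transform set in the first Main Mode message, before any PSK is ever checked, while an "Incorrect pre-shared key" result only appears once the proposal is accepted. The following triage script is an added example, not code from the original post or from Sophos; it parses the client log format quoted above (the timestamp, thread id, `[SUBSYSTEM]` tag and optional `<conn | sa>` prefix are inferred from those lines), tracks which shared keys were loaded and unloaded, and classifies the outcome per connection. The sample log is the one pasted in the post; the `AUTHENTICATION_FAILED` and `established` patterns are standard strongSwan wording assumed here, not taken from this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the charon/vici lines quoted in the post above, reproduced
# verbatim (including the client's own phrasing) so the parser is tested
# against the real format rather than an idealised one.
SAMPLE_LOG = """\
2019-03-27 10:50:55 AM 13 [CFG] added vici connection: IT
2019-03-27 10:50:55 AM 12 [CFG] loaded IKE shared key with id 'IT-psk-id' for: '% any'
2019-03-27 10:50:55 AM 15 [CFG] loaded EAP shared key with id 'IT-xauth-id' for: 'michal'
2019-03-27 10:50:55 AM 08 [CFG] vici initiate 'IT-1'
2019-03-27 10:50:55 AM 10 [IKE] <IT | 43> initiating Main Mode IKE_SA IT [43] is
2019-03-27 10:50:55 AM 10 [ENC] <IT | 43> powers ID_PROT request 0 [SA V V V V V]
2019-03-27 10:50:55 AM 10 [NET] <IT | 43> sending packet: from [53468] to [500] (180 bytes)
2019-03-27 10:50:56 AM 13 [NET] <IT | 43> received packet: from [500] to [53468] (56 bytes)
2019-03-27 10:50:56 AM 13 [ENC] <IT | 43> parsed INFORMATIONAL_V1 request 1696554400 [N (NO_PROP)]
2019-03-27 10:50:56 AM 13 [IKE] <IT | 43> received NO_PROPOSAL_CHOSEN error notify
2019-03-27 10:50:56 AM 09 [CFG] unloaded shared key with id 'IT-psk-id'
2019-03-27 10:50:56 AM 10 [CFG] unloaded shared key with id 'IT-xauth-id'
"""

# Line layout assumed from the quoted log: "<date> <time> AM/PM <thread> [TAG] [<conn | sa>] message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<tid>\d+) \[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+?) \| (?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)


@dataclass
class LogEntry:
    ts: str
    thread: int
    group: str           # CFG, IKE, ENC, NET, ...
    conn: Optional[str]  # connection name from "<IT | 43>", if present
    sa: Optional[int]    # IKE_SA unique id from the same prefix
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one client log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        ts=m["ts"], thread=int(m["tid"]), group=m["group"],
        conn=m["conn"], sa=int(m["sa"]) if m["sa"] else None, msg=m["msg"],
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse a whole log, silently skipping blank or unrecognised lines."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e is not None]


def triage(entries: List[LogEntry]) -> Dict[str, object]:
    """Summarise a connection attempt: which secrets were (un)loaded, which
    error notifies came back, and what stage of IKEv1 the failure belongs to."""
    loaded, unloaded, notifies = set(), set(), []
    psk_text_error = False
    established = False
    for e in entries:
        if m := re.search(r"^loaded (?:IKE|EAP) shared key with id '([^']+)'", e.msg):
            loaded.add(m.group(1))
        if m := re.search(r"^unloaded shared key with id '([^']+)'", e.msg):
            unloaded.add(m.group(1))
        if m := re.search(r"received (\w+) error notify", e.msg):
            notifies.append(m.group(1))
        if "pre-shared key" in e.msg.lower() or "no shared key found" in e.msg:
            psk_text_error = True
        if "IKE_SA" in e.msg and "established" in e.msg:
            established = True

    # Ordering matters: a proposal rejection happens before authentication,
    # so it is reported first even if later lines mention the PSK.
    if "NO_PROPOSAL_CHOSEN" in notifies:
        verdict = "proposal_mismatch"   # IKE/ESP algorithm sets differ; PSK not yet checked
    elif "AUTHENTICATION_FAILED" in notifies or "INVALID_HASH_INFORMATION" in notifies or psk_text_error:
        verdict = "psk_or_identity_mismatch"
    elif established:
        verdict = "established"
    else:
        verdict = "inconclusive"

    return {
        "verdict": verdict,
        "connections": sorted({e.conn for e in entries if e.conn}),
        "keys_loaded": sorted(loaded),
        "keys_unloaded": sorted(unloaded),
        "notifies": notifies,
    }


if __name__ == "__main__":
    for k, v in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run against the quoted log the verdict is `proposal_mismatch`: both secrets were loaded under their expected ids and were only unloaded after the notify arrived, which is consistent with the poster's later finding that the exported profile's encryption settings changed, not just the key. A log that instead ends in `AUTHENTICATION_FAILED` (or the client's own "pre-shared key" wording) is classified as a PSK or identity problem, which is the other failure mode described in this thread.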




  • I found the cause of the problem. The .tgb file with the old Sophos Connect configuration contains the PSK key in an encrypted form, e.g. Authentication = "8Yj$N&B". 
    However, the new tgb file - generated after updating PSK in the IPSec connection - contains the same key, but in the form of plain text: Authentication = "abcdefg"

    It seems that this is a firmware error.

  • Hello Michal,

    The tgb file never encrypts the PSK. 


  • Hello Ramesh,

    I have an original tgb file with an encrypted PSK key generated in February. I can also upload to the router a copy of the configuration from two days ago, with which this tgb file works properly.

    Unfortunately, this is not the only problem. Independently of the password change, the encryption protocol has also been changed. Hence the second message I wrote about, "Received NO_PROPOSAL_CHOSEN notification from gateway".

    Editing a normal IPSec connection resulted in an unexpected change of the PSK key and encryption protocols in Sophos Connect. As a result, I am unable to set up a VPN even using a freshly exported configuration. And I can demonstrate it live at any time.