topic Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210 in Network Security

Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 12:59:16 GMT

Trying to establish a VPN connection between ASAv30 and Sophos XG210

IPs took for example:

ASA public IP: 1.1.1.1

ASA local network: 10.1.1.0/24

Sophos public IP: 2.2.2.2

Sophos Local network: 10.2.2.0/24

Attached are parameters defined at Sophos end.

Below is the config on ASAv30:

nat (inside,outside) source static Obj_10.1.1.0 Obj_10.1.1.0 destination static Obj_10.2.2.0 Obj_10.2.2.0 no-proxy-arp

access-list VPN_ACL extended permit ip object Obj_10.1.1.0 object Obj_10.2.2.0

crypto ikev2 policy 10
enc aes-256
int sha256
group 5
prf sha256
lifetime seconds 5400

crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256

group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev2

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key abc123
ikev2 local-authentication pre-shared-key abc123
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2

crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set ikev2 ipsec-proposal VPN-PROPOSAL

crypto map MYMAP interface outside

Looking at the config on Sophos end, is there anything missing on ASA?

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 13:03:50 GMT

Hi,
Do you have "crypto ikev2 enable OUTSIDE" configured on the ASA?

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 13:07:05 GMT

Yes, it is.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 13:16:59 GMT

The Sophos Phase 1 DH group says "6 selected" what was selected? The ASA is configured with DH group 5. Ensure they are exactly the same.

The Sophos Phase 2 settings confirms the PFS group (DH group) is Same as Phase 1 - The ASA does not have PFS group defined. Remove PFS from Sophos or add PFS to ASA, ensure they are identical.

Make the changes and try establishing a VPN, if an issue please provide the output from debugs, also run packet-tracer from the CLI and provide the output for review.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 13:25:12 GMT

initially, 6 groups were selected but was later changed to group-5 from sophos end as well.

how do we define pfs group on ASA? can you share the command specific to this scenario where DH group is 5?

Ran the following packet tracer command:
packet-tracer input inside tcp 10.1.1.1 55555 10.2.2.1 443 detailed.

the output shows dropped at VPN phase type : Drop-reason: (acl-drop) Flow is denied by configured rule
I understand traffic is dropped initially when a new VPN connection is set up but I've been trying this for a while now and it still drops at the same phase.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 13:29:34 GMT

To enable PFS on the ASA use "crypto map MYMAP 10 set pfs group5"

Turn on IKEv2 debugs and try again, upload the output if it still does not work.

HTH

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 13:44:49 GMT

configured "crypto map MYMAP 10 set pfs group5" as suggested. Still packet-tracer output drops at VPN phase with the same reason.

Following error is observed on SOPHOS end:

2020-01-02 18:41:25 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (E89B7FE6) from other side.

Please share debug commands which can be used.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 13:45:11 GMT

Use the commands "debug crypto ikev2 platform 128" and "debug crypto ikev2 protocol 128"

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 13:50:27 GMT

Tried to run debug but got the following notification:

ASA# debug crypto ikev2 protocol 128
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
ASA# debug crypto ikev2 platform 128
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session

How do I enable debug logs to appear in "show logging" output

And what commands do I run after enabling debug?

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 13:57:43 GMT

If the logs are being sent to your syslog server you could gather them from there and forward. Or alternatively temporarily disable the debug-trace command with "no logging debug-trace", enable the debugs and the logs should appear on the console and appear under "show logging".

The ASA will only attempt to establish a VPN and therefore output the debug information when you attempt to send traffic across the VPN tunnel. Generate traffic PC behind the ASA.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 14:13:40 GMT

output attached

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 14:30:30 GMT

Also getting the following logs:

<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 14:31:23 GMT

Well the outcome of the debug is "NO_PROPOSAL_CHOSEN"=. You can see in the output the ASA is processing different IKEv2 proposals, none are matched.

AES-CBC(25): SHA1(25): SHA96(25): DH_GROUP_1024_MODP/Group 2

AES-CBC(25): SHA256(25): SHA256(25): DH_GROUP_1536_MODP/Group 5 << close but I think AES should be 256.

3DES(25): SHA1(25): SHA96(25): DH_GROUP_1024_MODP/Group 2

Please confirm again the IKEv2 settings are an exact match on both the ASA and Sophos. Assuming they are, perhaps test using different algorthims.

Please also provide the output of "show crypto ikev2 stats" and "show run crypto ikev2".

Please confirm ASA version

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 14:33:16 GMT

"Auth exchange failed" = re-enter the Pre-Shared Key (PSK) on both the ASA and Sophos.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Thu, 02 Jan 2020 17:50:38 GMT

AES-256 is set on both phase-1 and phase-2.

Output below as requested.

ASA# show crypto ikev2 stats

Global IKEv2 Statistics
Active Tunnels: - 3
Previous Tunnels: 20
In Octets: 122070
In Packets: 322
In Drop Packets: 18
In Drop Fragments: 0
In Notifys: 785
In P2 Exchange: 23
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 3
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 117496
Out Packets: 415
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 711
Out P2 Exchange: 133
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 58
Out IPSEC Delete: 1
Out IKE Delete: 2
SAs Locally Initiated: 58
SAs Locally Initiated Failed: 61
SAs Remotely Initiated: 28
SAs Remotely Initiated Failed: 53
System Capacity Failures: 0
Authentication Failures: 63
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 20
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 17
Out NAT Keepalives: 45
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 1500
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 76
Incoming Requests Accepted: 76
Incoming Requests Rejected: 0
Outgoing Requests: 61
Outgoing Requests Accepted: 61
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0

ASA# show run crypto ikev2
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 5400
crypto ikev2 policy 100
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Thu, 02 Jan 2020 18:02:18 GMT

The stats confirm "Authentication Failures: 63" - Did you re-enter the PSK on both the ASA and Sophos as per a previous comment? It also confirms other failures, not sure if they are from older events.

It's probably a good idea to clear the stats, that should provide a clearer indication on the problem. Clear the stats with the command "clear crypto ikev2 stats" and then attempt to re-establish the tunnel (change the PSK if you haven't already), check the ikev2 stats again and upload here.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Fri, 03 Jan 2020 11:48:39 GMT

changed the pre-shared key on both ends, cleared crypto ikev2 stats and run packet tracer command again.

Still the same result.

logs on ASA:

<165>:Jan 03 14:34:02 EAT: %ASA-vpn-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MYMAP. Map Sequence Number = 23.
<164>:Jan 03 14:34:02 EAT: %ASA-vpn-4-752011: IKEv1 Doesn't have a transform set specified
<165>:Jan 03 14:34:02 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 03 14:34:03 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 03 14:34:03 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 03 14:34:03 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.

ASA# sh cry ikev2 stats

Global IKEv2 Statistics
Active Tunnels: - 5
Previous Tunnels: 2
In Octets: 3624
In Packets: 12
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 28
In P2 Exchange: 2
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 5566
Out Packets: 24
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 28
Out P2 Exchange: 14
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 2
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 2
SAs Locally Initiated Failed: 2
SAs Remotely Initiated: 2
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 2
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 2
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 2
Out NAT Keepalives: 2
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 1500
Cookie Challenge Threshold: Never
Active SAs: 1
In-Negotiation SAs: 0
Incoming Requests: 3
Incoming Requests Accepted: 3
Incoming Requests Rejected: 0
Outgoing Requests: 2
Outgoing Requests Accepted: 2
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0

debug output attached

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

Rob Ingram — Fri, 03 Jan 2020 12:44:26 GMT

Comparing the output of the debugs the latest output is getting further into the IKE process, no more "NO_PROPOSAL_CHOSEN" errors. Ultimately it still fails with "AUTHENTICATION_FAILED".

What peer identity is configured on the Sophos end? I assume it is using the local public IP address of the external interface and does that match exactly the tunnel-group on the ASA?

I assume Sophos supports asymmetric pre-shared keys (a local psk and another for remote psk)? Provide screenshot to help assist.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

InTheJuniverse — Fri, 03 Jan 2020 14:43:34 GMT

If you are very sure that the PSK is not an issue, then please go back to IKEv1 and test the Tunnel.

Re: Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L — Mon, 06 Jan 2020 04:54:53 GMT

The remote ID was configured incorrectly on the Sophos.

Also, added the following commands on ASA, since lifetime was defined on phase-2 of Sophos:

crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set security-association lifetime kilobytes unlimited

VPN is now established! Thanks, @Rob Ingram for your support and prompt responses.