Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L
Level 1

Trying to establish a VPN connection between ASAv30 and Sophos XG210

IPs used for the example:

ASA public IP: 1.1.1.1

ASA local network: 10.1.1.0/24

Sophos public IP: 2.2.2.2

Sophos Local network: 10.2.2.0/24

Attached are parameters defined at Sophos end.

Below is the config on ASAv30:

nat (inside,outside) source static Obj_10.1.1.0 Obj_10.1.1.0 destination static Obj_10.2.2.0 Obj_10.2.2.0 no-proxy-arp

access-list VPN_ACL extended permit ip object Obj_10.1.1.0 object Obj_10.2.2.0

crypto ikev2 policy 10
enc aes-256
int sha256
group 5
prf sha256
lifetime seconds 5400

crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256

group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev2

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key abc123
ikev2 local-authentication pre-shared-key abc123
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2

crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set ikev2 ipsec-proposal VPN-PROPOSAL

crypto map MYMAP interface outside

Looking at the config on Sophos end, is there anything missing on ASA?

19 Replies

Comparing the output of the debugs the latest output is getting further into the IKE process, no more "NO_PROPOSAL_CHOSEN" errors. Ultimately it still fails with "AUTHENTICATION_FAILED".

What peer identity is configured on the Sophos end? I assume it is using the local public IP address of the external interface and does that match exactly the tunnel-group on the ASA?

I assume Sophos supports asymmetric pre-shared keys (a local PSK and another for the remote PSK)? Provide a screenshot to help assist.

The remote ID was configured incorrectly on the Sophos.

Also, added the following commands on ASA, since lifetime was defined on phase-2 of Sophos:

crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set security-association lifetime kilobytes unlimited

VPN is now established! Thanks, @Rob Ingram, for your support and prompt responses.

Also getting the following logs:

<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.

"Auth exchange failed" = re-enter the Pre-Shared Key (PSK) on both the ASA and Sophos.
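The sequence Rob walked through above (NO_PROPOSAL_CHOSEN, then AUTHENTICATION_FAILED, then the remote ID and PSK fixes) can be checked offline before the tunnel is brought up. The following is an added example, not code from the thread or from Cisco or Sophos: it parses the ASA lines posted above and compares them with a constructed Sophos parameter set (the screenshot is not on the page), reporting the first IKEv2 failure in the order the exchange would hit it, since proposal matching in IKE_SA_INIT happens before identity and PSK checks in IKE_AUTH. It assumes the ASA identifies itself by its outside address 1.1.1.1, the default for pre-shared-key authentication.

```python
# ASA lines from the thread, as the poster abbreviated them, plus the SA lifetime added later.
ASA_CONFIG = """
enc aes-256
int sha256
group 5
prf sha256
lifetime seconds 5400
protocol esp encryption aes-256
protocol esp integrity sha-256
tunnel-group 2.2.2.2 type ipsec-l2l
ikev2 remote-authentication pre-shared-key abc123
ikev2 local-authentication pre-shared-key abc123
crypto map MYMAP 10 set security-association lifetime seconds 3600
"""
norm = lambda v: v.lower().replace("-", "")  # "aes-256"/"aes256", "sha-256"/"sha256" compare equal

def parse_asa(config, local_ip="1.1.1.1"):  # assumes the ASA identifies itself by its outside IP
    asa = {"phase1": {}, "phase2": {}, "local_id": local_ip, "peer_id": None, "psk": {}}
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0].startswith("enc"):   asa["phase1"]["encryption"] = norm(t[1])
        elif t[0].startswith("int"): asa["phase1"]["integrity"] = norm(t[1])
        elif t[0] == "group":        asa["phase1"]["dh_group"] = int(t[1])
        elif t[0] == "prf":          asa["phase1"]["prf"] = norm(t[1])
        elif t[0] == "lifetime":     asa["phase1"]["lifetime"] = int(t[2])
        elif t[:2] == ["protocol", "esp"]:                   asa["phase2"][t[2]] = norm(t[3])
        elif t[0] == "tunnel-group" and "ipsec-l2l" in t:    asa["peer_id"] = t[1]
        elif t[0] == "ikev2" and "pre-shared-key" in t:      asa["psk"][t[1].split("-")[0]] = t[-1]
        elif "security-association" in t and "seconds" in t: asa["phase2"]["lifetime"] = int(t[-1])
    return asa

# Constructed Sophos side (the screenshot is not on the page): proposals match, remote ID is wrong.
SOPHOS = {"phase1": {"encryption": "aes256", "integrity": "sha256", "dh_group": 5, "prf": "sha256", "lifetime": 5400},
          "phase2": {"encryption": "aes256", "integrity": "sha256", "lifetime": 3600},
          "local_id": "2.2.2.2", "remote_id": "2.2.2.2", "psk": "abc123"}

def check_tunnel(asa, sophos):  # returns (fatal error, warnings) in the order IKEv2 surfaces them
    warnings = []
    for phase in ("phase1", "phase2"):
        for key, val in asa[phase].items():
            other = sophos[phase].get(key)
            if key == "lifetime":  # not negotiated in IKEv2: a mismatch only causes early rekeys
                if other != val: warnings.append(f"{phase} lifetime ASA={val}s Sophos={other}s")
            elif other != val:
                return f"NO_PROPOSAL_CHOSEN: {phase} {key} ASA={val} Sophos={other}", warnings
    if sophos["local_id"] != asa["peer_id"] or sophos["remote_id"] != asa["local_id"]:
        return "AUTHENTICATION_FAILED: peer identity mismatch", warnings
    if {sophos["psk"]} != set(asa["psk"].values()):
        return "AUTHENTICATION_FAILED: pre-shared key mismatch", warnings
    return None, warnings
```

With the constructed Sophos values the check stops at the identity mismatch, exactly the "Auth exchange failed" stage in the logs above; correcting the remote ID to 1.1.1.1 clears it.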

InTheJuniverse
Level 1

If you are very sure that the PSK is not an issue, then please go back to IKEv1 and test the Tunnel.
