cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9120
Views
20
Helpful
19
Replies

Site-to-Site VPN connection between ASAv30 and Sophos XG210

S.U.H.E.L
Level 1
Level 1

Trying to establish a VPN connection between ASAv30 and Sophos XG210

 

IPs took for example:

ASA public IP: 1.1.1.1

ASA local network: 10.1.1.0/24

Sophos public IP: 2.2.2.2

Sophos Local network: 10.2.2.0/24

 

Attached are parameters defined at Sophos end.

 

Below is the config on ASAv30:

 

nat (inside,outside) source static Obj_10.1.1.0 Obj_10.1.1.0 destination static Obj_10.2.2.0 Obj_10.2.2.0 no-proxy-arp

access-list VPN_ACL extended permit ip object Obj_10.1.1.0 object Obj_10.2.2.0

 

crypto ikev2 policy 10
enc aes-256
int sha256
group 5
prf sha256
lifetime seconds 5400

 

crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256

 

group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
vpn-tunnel-protocol ikev2

 

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key abc123
ikev2 local-authentication pre-shared-key abc123
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2

 

crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set ikev2 ipsec-proposal VPN-PROPOSAL

crypto map MYMAP interface outside

 

Looking at the config on Sophos end, is there anything missing on ASA?

19 Replies 19

Comparing the output of the debugs the latest output is getting further into the IKE process, no more "NO_PROPOSAL_CHOSEN" errors. Ultimately it still fails with "AUTHENTICATION_FAILED".

What peer identity is configured on the Sophos end? I assume it is using the local public IP address of the external interface and does that match exactly the tunnel-group on the ASA?

I assume Sophos supports asymmetric pre-shared keys (a local psk and another for remote psk)? Provide screenshot to help assist.

The remote ID was configured incorrectly on the Sophos. 

Also, added the following commands on ASA, since lifetime was defined on phase-2 of Sophos:

crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set security-association lifetime kilobytes unlimited

 

VPN is now established! Thanks, @Rob Ingram  for your support and prompt responses.

 

 

Also getting the following logs:

 

<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.


<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.

"Auth exchange failed" = re-enter the Pre-Shared Key (PSK) on both the ASA and Sophos.

InTheJuniverse
Level 1
Level 1

If you are very sure that the PSK is not an issue, then please go back to IKEv1 and test the Tunnel.

Review Cisco Networking for a $25 gift card