01-02-2020 04:59 AM
Trying to establish a VPN connection between ASAv30 and Sophos XG210
IPs taken as examples:
ASA public IP: 1.1.1.1
ASA local network: 10.1.1.0/24
Sophos public IP: 2.2.2.2
Sophos Local network: 10.2.2.0/24
Attached are the parameters defined at the Sophos end.
Below is the config on the ASAv30:
nat (inside,outside) source static Obj_10.1.1.0 Obj_10.1.1.0 destination static Obj_10.2.2.0 Obj_10.2.2.0 no-proxy-arp
access-list VPN_ACL extended permit ip object Obj_10.1.1.0 object Obj_10.2.2.0
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 5400
crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
group-policy GroupPolicy_2.2.2.2 internal
group-policy GroupPolicy_2.2.2.2 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abc123
 ikev2 local-authentication pre-shared-key abc123
tunnel-group 2.2.2.2 general-attributes
 default-group-policy GroupPolicy_2.2.2.2
crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set ikev2 ipsec-proposal VPN-PROPOSAL
crypto map MYMAP interface outside
Looking at the config on the Sophos end, is there anything missing on the ASA?
01-03-2020 04:44 AM
01-05-2020 08:54 PM
The remote ID was configured incorrectly on the Sophos.
Also added the following commands on the ASA, since a lifetime was defined in phase 2 on the Sophos:
crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set security-association lifetime kilobytes unlimited
VPN is now established! Thanks, @Rob Ingram, for your support and prompt responses.
01-02-2020 06:30 AM
Also getting the following logs:
<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:172.31.42.1:500 Remote:154.73.170.138:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.31.28.5-172.31.28.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 192.168.112.212-192.168.112.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:172.31.42.1:4500 Remote:154.73.170.138:4500 Username:154.73.170.138 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.
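As an added example that is not part of this thread, a small Python parser that turns ASA IKEv2 syslog lines like the ones above into a per-peer summary: the abort reason from message 750003, the traffic selectors from 750001, the crypto map entry from 752012/752015, and a first-check hint. The sample lines are constructed from the thread's example addressing, and the hint text is my own wording of what the thread ended up checking (PSK and IKE identities).

```python
import re

# Constructed sample modelled on the syslog lines posted in this thread, using its example
# addressing (1.1.1.1 = ASA, 2.2.2.2 = Sophos) in place of the real peer addresses.
SAMPLE_LOGS = """\
<165>:Jan 02 16:46:33 EAT: %ASA-vpn-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.1.1.5-10.1.1.5 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.2.2.212-10.2.2.212 Protocol: 0 Port Range: 0-65535
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-750003: Local:1.1.1.1:4500 Remote:2.2.2.2:4500 Username:2.2.2.2 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
<164>:Jan 02 16:46:33 EAT: %ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 23.
<163>:Jan 02 16:46:33 EAT: %ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 23.
"""

MSG_RE = re.compile(r"%ASA-vpn-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
PEER_RE = re.compile(r"Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+")
SEL_RE = re.compile(r"local traffic selector = Address Range: (?P<lts>[\d.-]+).*?"
                    r"remote traffic selector = Address Range: (?P<rts>[\d.-]+)")
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>\S+?)\.\s*Map Sequence Number = (?P<seq>\d+)")

# 750003 carries the abort reason; map the reasons we recognise to what to verify first (assumed text).
HINTS = {
    "Auth exchange failed": "IKE_AUTH rejected: verify the PSK and the IKE identities (local/remote ID) on both peers",
}

def parse_line(line):
    """Parse one ASA IKEv2 syslog line into a dict; return None for anything else."""
    if not (m := MSG_RE.search(line)):
        return None
    ev = {"msgid": m["msgid"], "severity": int(m["sev"])}
    for rx in (PEER_RE, SEL_RE, MAP_RE):
        if hit := rx.search(m["body"]):
            ev.update(hit.groupdict())
    if r := re.search(r"ERROR: (.+)$", m["body"]):
        ev["reason"] = r.group(1).strip()
    return ev

def summarize_failures(log_text):
    """Group each negotiation's messages under its remote peer and attach a first-check hint.
    752012/752015 carry no Remote: field, so they are attributed to the last peer seen."""
    peers, current = {}, "unknown"
    for line in log_text.splitlines():
        if not (ev := parse_line(line)):
            continue
        current = ev.get("remote", current)
        p = peers.setdefault(current, {"msgids": []})
        p["msgids"].append(ev["msgid"])
        p.update({k: ev[k] for k in ("lts", "rts", "tag", "seq", "reason") if k in ev})
        if "reason" in ev:
            p["hint"] = HINTS.get(ev["reason"], "unrecognised abort reason: " + ev["reason"])
    return peers
```

Calling `summarize_failures(SAMPLE_LOGS)` returns one entry under 2.2.2.2 carrying the four message IDs, both traffic selectors, MYMAP sequence 23 and the "Auth exchange failed" hint.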
01-02-2020 06:33 AM
01-03-2020 06:43 AM
If you are very sure that the PSK is not an issue, then please go back to IKEv1 and test the tunnel.