01-05-2021 06:44 AM - edited 01-05-2021 06:45 AM
I want to set up a site-to-site VPN between Firepower and a Sophos XG firewall.
When I configure Firepower there is a PRF to set up, but Sophos doesn't have a PRF to set up.
I wonder whether that is causing my setup not to work.
01-05-2021 06:56 AM
PRF is used in IKEv2. Are you selecting IKEv2 on Sophos or does Sophos not support IKEv2? If it does not support IKEv2 then you'd have to use IKEv1 which Firepower also supports.
01-05-2021 07:17 AM
I use IKEv2 to set up Sophos, but I cannot see the PRF option.
01-05-2021 07:36 AM - edited 01-06-2021 05:14 AM
This is probably a question for Sophos rather than the Cisco forum. It may well be that PRF on the Sophos is the same as the integrity value, in your instance SHA-256. You could use IKEv1 if you don't get anywhere with Sophos, as IKEv1 doesn't use PRF.
FYI, don't use DH group 2 - it's weak and deprecated in the latest versions of software.
01-05-2021 03:15 PM
If PRF is not supported by each side, or you are not sure it is supported, then it is better to disable it,
because it may make traffic one-directional, with unknown behavior.
01-05-2021 05:18 PM
I’ll ask Sophos this question.
How do I disable PRF on Cisco?
It won’t let me leave it blank...