VPN L2L tunnel: ASA to Sophos - unable to change from IKEv1 to IKEv2

swscco001
Level 3

Hello everybody,

We have the task to change all VPN L2L tunnels on our Firepower 2130
running ASA (185.247.62.19, running image 9.14(3)18).

There are hundreds of VPN L2L tunnels running on this firewall and usually
this change runs well.

But this time, where the peer firewall is a Sophos XG230 (SFOS 19.5.0 GA-Build197),
we have a real problem.

The peer admin and I have tried a lot of IPsec parameter settings that
both firewalls support, but the IKEv2 tunnel does not come up.

I gathered the following log and debug information:

7|Jul 31 2023|15:00:40|715064|||||IP = 87.129.137.162, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

6|Jul 31 2023|14:59:24|713219|||||IP = 87.129.137.162, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

4|Jul 31 2023|14:58:06|750003|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:87.129.137.162 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify

7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500

5|Jul 31 2023|14:58:06|750001|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 185.247.62.225-185.247.62.225 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 129.3.38.100-129.3.38.100 Protocol: 0 Port Range: 0-65535

7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500

4|Jul 31 2023|14:58:06|750003|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:87.129.137.162 IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify

7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500

5|Jul 31 2023|14:58:06|750001|||||Local:185.247.62.10:500 Remote:87.129.137.162:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 185.247.62.225-185.247.62.225 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 129.3.38.100-129.3.38.100 Protocol: 0 Port Range: 0-65535

7|Jul 31 2023|14:58:06|713906|||||IKE Receiver: Packet received on 185.247.62.10:500 from 87.129.137.162:500
IKEv2-PLAT-4: attempting to find tunnel group for IP: 87.129.137.162

IKEv2-PLAT-4: mapped to tunnel group 87.129.137.162 using peer IP

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-4: my_auth_method = 2

IKEv2-PLAT-4: supported_peers_auth_method = 2

IKEv2-PLAT-4: P1 ID = 0

IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 255

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0x48FBDFDB, error FALSE

IKEv2-PLAT-4:

IKEv2 received all requested SPIs from CTM to initiate tunnel.

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-7: INVALID PSH HANDLE

IKEv2-PLAT-4: tp_name set to:

IKEv2-PLAT-4: tg_name set to: 87.129.137.162

IKEv2-PLAT-4: tunn grp type set to: L2L

IKEv2-PROTO-4: Couldn't find matching SA

IKEv2-PLAT-7: New ikev2 sa request admitted

IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
…

IKEv2-PLAT-5: (16587): SENT PKT [IKE_SA_INIT] [185.247.62.10]:500->[87.129.137.162]:500 InitSPI=0x9902490a89d9593f RespSPI=0x0000000000000000 MID=00000000

IKEv2-PROTO-7: (16587): SM Trace-> SA: I_SPI=9902490A89D9593F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA

IKEv2-PROTO-4: (16587): Insert SA

IKEv2-PROTO-7: (16587): SM Trace-> SA: I_SPI=9902490A89D9593F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT

Can you give me hints on what we could still try based on these outputs?

Every hint is very welcome!

Thanks a lot!


Bye
R.



5 Replies

marce1000
VIP

 

 - You may find this documentation informational: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/137462/sophos-firewall-configure-ipsec-connection-between-sophos-firewall-and-cisco-asa

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Marce1000,

I found the same document with Google and we tried the recommended settings,
but the issue persists.

Is there any other hint after checking the given log and debug outputs?

Thanks a lot!




Bye
R.

@swscco001 Based on this error: "ERROR: Received no proposal chosen notify", I would check that the configured IKEv2 and IPsec algorithms match between you and your peer.

Hi Rob,

thanks for your reply!

We checked the parameters of both phases many times and
tried different variants, but nothing helped. No problem with
IKEv1, but it should be replaced.

Thanks a lot!


Bye
R.

@swscco001 Not all vendors label the crypto ciphers the same; I've seen this cause confusion in the past.

Please share a screenshot/configuration of the IKEv2/IPSec settings from both devices and provide the full output of the IKEv2 debug from your ASA.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
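To make the two points above concrete (the ASA's "Received no proposal chosen notify" and the advice that vendors label the same cipher differently), here is an added example, not code from the thread or from either vendor, that normalises vendor labels and checks whether two IKEv2 policies share a transform of every type. The alias table, the sample policies and the rule that a vendor without a separate PRF setting uses its integrity algorithm as PRF are assumptions made for this illustration.

```python
# Alias table constructed for this example: vendors spell the same
# algorithm differently; extend it for the devices you actually compare.
ALIASES = {
    "aes-256": "aes256", "aes256-cbc": "aes256", "aes-cbc-256": "aes256",
    "aes-gcm-256": "aes256gcm", "aes256-gcm": "aes256gcm",
    "sha256": "sha2-256", "sha-256": "sha2-256", "hmac-sha2-256": "sha2-256",
    "sha": "sha1", "hmac-sha1": "sha1",
    "14": "group14", "modp2048": "group14", "dh14": "group14",
    "19": "group19", "ecp256": "group19", "dh19": "group19",
}
TRANSFORM_TYPES = ("encr", "integ", "prf", "dh")

def canon(label: str) -> str:
    """Map one vendor label to a canonical algorithm name."""
    return ALIASES.get(label.strip().lower(), label.strip().lower())

def transforms(policy: dict, ttype: str) -> set:
    """Canonical transform set of one type. Assumption: a vendor with no
    separate PRF setting uses its integrity algorithm as the PRF."""
    if ttype == "prf" and "prf" not in policy:
        ttype = "integ"
    return {canon(x) for x in policy.get(ttype, [])}

def match_policy(local: dict, remote: dict):
    """Return (agreed transforms per type, transform types with no overlap)."""
    agreed, missing = {}, []
    for ttype in TRANSFORM_TYPES:
        common = transforms(local, ttype) & transforms(remote, ttype)
        if common:
            agreed[ttype] = common
        else:
            missing.append(ttype)
    return agreed, missing

def negotiate(local_policies: list, remote_policies: list):
    """Walk local/remote policy pairs in priority order; return the first
    full match, or None plus the mismatching types of the closest pair."""
    best = None
    for lp in local_policies:
        for rp in remote_policies:
            agreed, missing = match_policy(lp, rp)
            if not missing:
                return agreed, []
            if best is None or len(missing) < len(best):
                best = missing
    return None, best  # a responder in this state sends NO_PROPOSAL_CHOSEN

# Constructed sample policies: one ASA IKEv2 policy vs. two Sophos profiles.
ASA = [{"encr": ["aes-256"], "integ": ["sha256"], "prf": ["sha256"], "dh": ["14"]}]
SOPHOS_OK = [{"encr": ["AES256"], "integ": ["SHA2-256"], "dh": ["DH14"]}]
SOPHOS_BAD = [{"encr": ["AES256"], "integ": ["SHA2-256"], "dh": ["DH19"]}]
```

Running `negotiate(ASA, SOPHOS_BAD)` names the transform type with no overlap (here the DH group), which is the first thing to compare side by side when the ASA debug shows the "no proposal chosen" abort.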