IPSec S2S VPN between Palo Alto and Sophos XG


L0 Member

Hi,

I'm trying to set up an S2S VPN between a Palo Alto and a Sophos XG, and so far it's been unsuccessful, as the Palo Alto is not able to find a suitable proposal for the connection.

I've also tried following the KB here. (https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-...)

I'm supposed to be using IKEv1, AES256-SHA256, DH5, and I've checked to make sure the settings on both firewalls are aligned (IKE, encryption keys, pre-shared keys).

Below are the logs from the Palo Alto for a connection coming in from the Sophos. Any insight into interpreting the logs would be helpful.

2020-10-21 01:29:05.195 +0000 [PNTF]: { 54: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA <====
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
[INFO]: { 54: }: received Vendor ID: DPD
[INFO]: { 54: }: received Vendor ID: CISCO-UNITY
[INFO]: { 54: }: received Vendor ID: FRAGMENTATION
[INFO]: { 54: }: received Vendor ID: RFC 3947
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = 3DES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: no suitable proposal found.

[PERR]: { 54: }: (nil) failed to get valid proposal.
[PERR]: { 54: }: failed to process packet.
[INFO]: { 54: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA <====

1 REPLY

Cyber Elite

Is there a way for you to limit the proposals the Sophos is sending out, and could you post which config you have set on the PAN?

The log shows AES but no key size, so maybe it's proposing 128 instead of 256.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
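As an added example (not part of this thread and not Palo Alto's or Sophos's own tooling), here is a small Python parser for the ikemgr lines of the form `rejected <attr>: DB(prop#X:trns#Y):Peer(prop#A:trns#B) = <local>:<peer>` shown in the post. Because the PAN was the responder, `DB` is its own IKE crypto profile and `Peer` is what the Sophos offered, so the rejection lines can be turned back into the two transform sets and the pair that disagreed on the fewest attributes. The sample log is copied from the post; the only assumption is the line format itself.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: the ikemgr rejection lines from the post above (PAN as
# responder, so "DB" = local IKE crypto profile, "Peer" = Sophos proposal).
SAMPLE_LOG = """\
[PNTF]: { 54: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
[INFO]: { 54: }: received Vendor ID: DPD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = 3DES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: no suitable proposal found.
"""

Rejection = namedtuple("Rejection", "attr db peer local_val peer_val")

# Assumed line format, taken from the post; anything else is ignored.
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): "
    r"DB\(prop#(?P<dp>\d+):trns#(?P<dt>\d+)\):"
    r"Peer\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = "
    r"(?P<local>[^:\s]+):(?P<peer>\S+)"
)


def parse_rejections(log):
    """One Rejection per 'rejected <attr>' line; vendor-ID and status lines are skipped."""
    out = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out.append(Rejection(m["attr"],
                                 (int(m["dp"]), int(m["dt"])),
                                 (int(m["pp"]), int(m["pt"])),
                                 m["local"], m["peer"]))
    return out


def local_profile(rejections):
    """Reconstruct the responder's own transforms: (prop, trns) -> {attr: value}."""
    prof = defaultdict(dict)
    for r in rejections:
        prof[r.db][r.attr] = r.local_val
    return dict(prof)


def peer_proposals(rejections):
    """Reconstruct what the initiator offered: (prop, trns) -> {attr: value}.
    An attribute never logged as rejected for a transform was accepted, so it is
    simply absent. The log names only the cipher family (AES), never the key
    length, so AES-128 vs AES-256 still has to be confirmed in both configs."""
    props = defaultdict(dict)
    for r in rejections:
        props[r.peer][r.attr] = r.peer_val
    return dict(props)


def pair_mismatches(rejections):
    """(db_key, peer_key) -> {attr: (local_val, peer_val)} for every compared pair."""
    pairs = defaultdict(dict)
    for r in rejections:
        pairs[(r.db, r.peer)][r.attr] = (r.local_val, r.peer_val)
    return dict(pairs)


def closest_pair(rejections):
    """The local/peer pair with the fewest disagreements: the smallest change
    on either side that would let Phase 1 complete."""
    pairs = pair_mismatches(rejections)
    key = min(pairs, key=lambda k: (len(pairs[k]), k))
    return key[0], key[1], pairs[key]


def report(log):
    rej = parse_rejections(log)
    db, peer, diff = closest_pair(rej)
    return "\n".join([
        f"Local transforms (DB): {local_profile(rej)}",
        f"Peer transforms offered: {peer_proposals(rej)}",
        f"Closest pair: DB{db} vs Peer{peer}; mismatched: {diff}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the posted log, it reconstructs the DB side as two transforms, AES/SHA1/DH2 and 3DES/SHA1/DH2, and reports that DB trns#1 differs from the peer's trns#2 only in the hash (SHA1 vs SHA256). That is a useful sanity check when the profile you believe is bound to the gateway (AES256-SHA256, DH5) does not match what the responder is actually comparing against; and, as the reply notes, the key length never appears in these lines, so a matching `enctype` of AES does not by itself confirm 128 vs 256.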