IPSec S2S VPN between Palo Alto and Sophos XG

L0 Member

Hi,

I'm trying to set up a S2S between Palo Alto and Sophos XG, and so far it's been unsuccessful as Palo Alto is not able to find a suitable proposal for the connection.

I've also tried following the KB here. (https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-...)

I'm supposed to be using IKEv1, AES256-SHA256, DH5 and I've checked to make sure the settings on both Firewalls are aligned (IKE, encryption keys, preshared keys).

Below are the logs from Palo Alto for a connection coming in from Sophos. Any insight into interpreting the logs would be helpful.

2020-10-21 01:29:05.195 +0000 [PNTF]: { 54: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
====> Initiated SA <====
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
[INFO]: { 54: }: received Vendor ID: DPD
[INFO]: { 54: }: received Vendor ID: CISCO-UNITY
[INFO]: { 54: }: received Vendor ID: FRAGMENTATION
[INFO]: { 54: }: received Vendor ID: RFC 3947
[INFO]: { 54: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = 3DES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: no suitable proposal found.

[PERR]: { 54: }: (nil) failed to get valid proposal.
[PERR]: { 54: }: failed to process packet.
[INFO]: { 54: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA <====
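The "rejected ..." lines above are pairwise comparisons: each one names a transform from the firewall's own IKE crypto profile (DB(prop#:trns#)), the peer transform it was held against, the attribute that failed, and the two values as local:peer. The small parser below is an added example, not code from the post or from Palo Alto Networks; it rebuilds what each side offered and lists, per peer transform, which values the local profile does not offer at all. The sample input is the rejection lines quoted in the post. One assumption, inferred from the log layout rather than documented PAN-OS behaviour, is that an attribute not listed as rejected for a compared pair matched on both sides, which lets the parser fill in values the log never prints explicitly (for instance the DH group of peer trns#2).

```python
import re
from collections import defaultdict

# Constructed sample input: the "rejected ..." lines quoted from the ikemgr
# log in the post above, plus the closing verdict line.
SAMPLE_LOG = """\
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#1) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#1) = DH2:DH5
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#2) = SHA1:SHA256
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = 3DES:AES
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#3) = SHA1:SHA256
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#3) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = AES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: rejected enctype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = 3DES:TBD
[PERR]: { 54: }: rejected hashtype: DB(prop#1:trns#2):Peer(prop#0:trns#4) = SHA1:TBD
[PERR]: { 54: }: rejected dh_group: DB(prop#1:trns#2):Peer(prop#0:trns#4) = DH2:DH19
[PERR]: { 54: }: no suitable proposal found.
"""

ATTRS = ("enctype", "hashtype", "dh_group")

# One comparison line: local (DB) transform vs peer transform, the attribute
# that failed, and the two values printed as local:peer.
REJECT_RE = re.compile(
    r"rejected (?P<attr>enctype|hashtype|dh_group): "
    r"DB\(prop#(?P<dp>\d+):trns#(?P<dt>\d+)\):"
    r"Peer\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = (?P<local>[^:\s]+):(?P<peer>\S+)"
)


def parse_rejections(log_text):
    """Rebuild local and peer transform sets: (prop, trns) -> {attr: value}.

    Assumption (inferred from the log layout, not documented PAN-OS
    behaviour): an attribute not rejected for a compared pair matched, so a
    value known on one side is copied to the other.
    """
    local, peer = defaultdict(dict), defaultdict(dict)
    rejected = defaultdict(set)  # (db_key, peer_key) -> attrs that failed
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        dk = (int(m["dp"]), int(m["dt"]))
        pk = (int(m["pp"]), int(m["pt"]))
        local[dk][m["attr"]] = m["local"]
        peer[pk][m["attr"]] = m["peer"]
        rejected[(dk, pk)].add(m["attr"])

    # Fill in attributes that matched silently, until nothing changes.
    changed = True
    while changed:
        changed = False
        for (dk, pk), failed in rejected.items():
            for attr in ATTRS:
                if attr in failed:
                    continue
                if attr in local[dk] and attr not in peer[pk]:
                    peer[pk][attr] = local[dk][attr]
                    changed = True
                elif attr in peer[pk] and attr not in local[dk]:
                    local[dk][attr] = peer[pk][attr]
                    changed = True
    return dict(local), dict(peer)


def unsupported_by_local(local, peer):
    """Per peer transform, the attribute values no local transform offers.

    "TBD" is what the firewall prints for a value it could not map; it is
    reported like any other unsupported value.
    """
    offered = {a: {t[a] for t in local.values() if a in t} for a in ATTRS}
    return {pk: {a: v for a, v in t.items() if v not in offered[a]}
            for pk, t in sorted(peer.items())}


def bare_aes(peer):
    """Peer transforms logged as plain 'AES': the key length is not shown,
    so a 128 vs 256 mismatch cannot be ruled out from this log alone."""
    return [pk for pk, t in sorted(peer.items()) if t.get("enctype") == "AES"]


if __name__ == "__main__":
    local, peer = parse_rejections(SAMPLE_LOG)
    print("local IKE crypto profile:", local)
    print("peer proposals:          ", peer)
    for pk, missing in unsupported_by_local(local, peer).items():
        print(f"peer trns#{pk[1]} needs {missing or 'nothing'} added locally")
    print("key length not visible for peer transforms:", bare_aes(peer))
```

Run against the posted lines it reconstructs the local profile as two transforms, AES/SHA1/DH2 and 3DES/SHA1/DH2, and the peer as AES/SHA256 with DH5, DH2 and DH19, plus a fourth transform the firewall could not map. Every peer transform fails on SHA256 at least, so the local IKE crypto profile on the gateway handling this peer is not the AES256-SHA256-DH5 one the post intends, and the log does not show the AES key length at all, so an AES-128/AES-256 mismatch would remain invisible even after the hash and DH group are aligned.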

L7 Applicator

Is there a way for you to limit the proposals the Sophos is sending out, and could you post which config you have set on the PAN?

The log shows AES but no key size, so maybe it's proposing 128 instead of 256.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374