Common configuration errors that prevent Sophos Firewall devices from establishing site-to-site IPsec VPN connections. Rarely, the ISP or an upstream appliance, such as a router or another firewall, may corrupt the packet. I can configure the default profile on the XG to tunnel everything (use as default gateway) and then my individual split profiles still work as they should. If you used a provisioning file to import the connection, update the policy connection settings menu (on the Sophos Connect client). Steps to put the strongswan service in debug: SSH into the Sophos firewall by following this KBA: To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device. If you need further assistance, contact Sophos Support. Push the Default CA certificate from Sophos Firewall to the trusted store on the remote computers. If the connection was added by importing an Open VPN (. Cause: The remote firewall couldn't authenticate the local request because the ID types don't match. The firewall administrator changed the IKE phase 1 proposal used for the Sophos Connect policy on the firewall and the new configuration wasn't exported and uploaded to the client. If you want to have multiple different configurations, this is bad. This error applies to SSL VPN connections only. If it's an SSL VPN over UDP tunnel, you need to wait for the inactivity timer to delete the tunnel.

2020-11-13 04:55:06 17[ENC] invalid HASH_V1 payload length, decryption failed?

It's not like SSL VPN, which supports different profiles per client. You can also match keywords within the logs by entering. Contact Sophos Support if the website is not accessible. I enabled strongswan and it shows that it's running, but when I run the tail -f command, it says No such file or directory. We built our IPSEC config pre-MR4, before the new Advanced settings area was exposed in the GUI. We needed to add a user to the Allowed users and groups and you can't do it in the GUI (from the VPN area) unless the Advanced settings area is configured. We set it up as our standard Split Tunnel config and saved. Retry to see if it was due to user error during input. IPsec failed to set up the connection due to an invalid ID. Set the initiator's phase 1 and phase 2 key life values lower than the responder's. The firewall or the router is blocking UDP ports 500 and 4500. Check the logs on the remote firewall to make sure the mismatch of ID types has resulted in the error. The troubleshooting steps below are for Windows only. Contact your firewall administrator if you need further help. The message no matching peer config found indicated that the connection ID wasn't configured to match on both sites. This seems like an artificial limitation so you can have functionality in version 2.1 of the client to push profile updates.

Phase 2 fail, IPSec policy invalidated proposal with error 32

The purpose of this post is to help understand troubleshooting steps and explain how to fix the most common IPsec issues that can be encountered while using the Sophos Firewall IPsec VPN (site to site) feature.
If all the settings match, the remote firewall administrator must check the configuration at their end since the remote firewall has refused the connection.

mulhollandm (09-02-2014): Folks, I have two 1941 routers running 15.2 and I'm trying to set up a site-to-site VPN with digital signatures. I can get to a phase 2 proposal (phase 1 gets to QM_IDLE), but the phase 2 proposal is rejected with the above error message.

Gateway address: The peer gateway address you've entered on the local firewall matches the listening interface in the remote configuration. If you retry multiple times and get the same error, the password may have changed or been disabled on the firewall. The user portal uses a self-signed certificate that can't be verified by the Sophos Connect client. This may be because the firewall administrator changed the local ID on the firewall, and the new configuration file wasn't imported to Sophos Connect. In the following topics, you can see error messages, possible causes for the errors, and information on what to do next. Due to negotiation timeout. The Sophos Connect policy isn't defined or activated on the firewall. Sophos Connect automatically downloads the new policy and reestablishes the SSL VPN tunnel. Set the phase 2 key life lower than the phase 1 value in both firewalls. Accept the security warning to connect and download the SSL VPN policy from Sophos Firewall. The output shows the transform sets for the VPN exist, that is, the SAs match.

The strongSwan log shows the following messages:
We have successfully exchanged Encryption and Authentication algorithms, we are now negotiating the Phase 1 SA encryption (hashing) key
Remote peer reports we failed to authenticate

IPsec authentication fails during phase 1 setup.
Resolution: To resolve a Proxy ID mismatch, please try the following: Check the Proxy ID settings on the Palo Alto Networks firewall and the firewall on the other side.

Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22, x86_64):
  uptime: 4 hours, since Oct 27 05:11:10 2020
  malloc: sbrk 4927488, mmap 0, used 550176, free 4377312
  worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha2 sha3 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-netlink socket-default stroke vici xauth-generic xauth-access-server ippool-access-server cop-updown garner-logging error-notify unity
  To_Azure_Sophos-1: 192.168.1.16xxxxxx.eastus2.cloudapp.azure.com IKEv2, dpddelay=30s
  To_Azure_Sophos-1: local: [72.138.XX.XX] uses pre-shared key authentication
  To_Azure_Sophos-1: remote: [10.0.0.4] uses pre-shared key authentication
  To_Azure_Sophos-1: child: 172.16.19.0/24 === 10.0.1.0/24 TUNNEL, dpdaction=restart

The most common phase-2 failure is due to a Proxy ID mismatch. The Sophos Connect service (scvpn) is not running. Note: Proxy ID for other firewall vendors may be referred to as the Access List or Access Control List (ACL). If the subnets match, the remote administrator must check the remote firewall's logs if the error persists. If the preshared key matches, verify with the ISP or on the upstream devices if they've corrupted the packet. XG firewall supports only one profile as of today, if you go down the road with the XG config with split tunneling. Check the display_name attribute in the provisioning file and rename any duplicate names. As IPsec only, the Sophos Connect IPSEC tunnel fails with MR5 unless Use as default gateway is set in Advanced settings.
They must choose one of the options below: The SSL VPN policy is misconfigured on Sophos Firewall. The grep command applies a search filter for the keyword within the logs. The firewall administrator changed the policy on the firewall. https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=t_202108101524110523. Now our second IPSEC configured clients can't connect with an Invalid Phase 2 ID proposal message. The Sophos Connect client imports the SSL VPN configuration by connecting to the Sophos Firewall user portal using the provisioning file's properties. Can anyone explain this behaviour and whether this is a bug or a poor design decision? Applies to the following Sophos product(s) and version(s): Sophos Firewall 18.0, 17.5, 17.0. You can also refer to the sample config here.

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
match identity remote address 10.0.0.2 255.255.255.255
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
ip route 192.168.1.0 255.255.255.0 10.0.0.2

I found the issue: I had misconfigured the tunnel and was using the wrong interface as the source.

IPSEC(ipsec_process_proposal): invalid local address

Run the following command to check the current directory. Troubleshooting site-to-site IPsec VPN - Sophos Firewall. Check if the website is accessible using the None web filter policy. Open the command prompt as an administrator and enter the following command: net start strongswan.
Phase 1 is up
Initiating establishment of Phase 2 SA
Remote peer reports no match on the acceptable proposals

The remote firewall shows the following error message: NO_PROPOSAL_CHOSEN

Phase 1 is up
Remote peer reports INVALID_ID_INFORMATION

Enter the following command: ipsec statusall. If you have issues connecting to your remote network, click the events tab, find the timestamp from when you attempted a connection, and find the relevant error. If you don't have access to the firewall or router, for example, if you're in a hotel, connect through your mobile hotspot and try to connect again. If not, please run the following commands:

SFVUNL_VM01_SFOS 17.5.14 MR-14-1# cd /log
SFVUNL_VM01_SFOS 17.5.14 MR-14-1# tail -f strongswan.log

IPSec VPN Error: IKE Phase-2 Negotiation is Failed as Initiator, Quick Mode

Check your local firewall or router configuration and allow traffic on those ports. As IPsec can only have one profile, it will only have the option to push one profile to the client and allow only one set of networks to connect.

Overview

2020-11-13 13:56:39 12[ENC] <5> invalid ID_V1 payload length, decryption failed?

Also, check the IPSec crypto to ensure that the proposals match on both sides. The local ID type or value configured in the Sophos Connect policy on the firewall is different from this connection's value. DDNS is configured, but it does not resolve to the correct or valid public IP address. If it doesn't resolve, contact your ISP.
Sophos Firewall: Troubleshooting site to site IPsec VPN issues

2020-11-13 13:56:39 12[ENC] <5> could not decrypt payloads
2020-11-13 13:56:39 12[IKE] <5> message parsing failed
2020-11-13 13:56:39 12[ENC] <5> generating INFORMATIONAL_V1 request 2070455846 [ HASH N(PLD_MAL) ]
2020-11-13 13:56:39 12[NET] <5> sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500] (124 bytes)
2020-11-13 13:56:39 12[IKE] <5> ID_PROT request with message ID 0 processing failed
2020-11-13 13:56:39 04[NET] sending packet: from 10.0.0.4[500] to 72.138.xxx.xxx[500]
2020-11-13 13:56:39 12[DMN] <5> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 72.138.xxx.xxx[4500] failed

2020-11-03 04:17:03 03[NET] received packet: from 40.75.xxx.xxx[4500] to 192.168.1.16[4500] (96 bytes)
2020-11-03 04:17:03 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-11-03 04:17:03 03[IKE] received AUTHENTICATION_FAILED notify error
2020-11-03 04:17:03 03[DMN] [GARNER-LOGGING] (child_alert) ALERT: creating local authentication data failed
2020-11-03 04:17:03 03[IKE] IKE_SA AUTHENTICATION_FAILED set_condition COND_START_OVER
2020-11-03 04:17:03 03[IKE] IKE_SA has_condition COND_START_OVER retry initiate in 60 sec
2020-11-03 04:17:03 03[CHD] CHILD_SA To_Azure_Sophos-1{191} state change: CREATED => DESTROYING
2020-11-03 04:17:03 03[IKE] IKE_SA To_Azure_Sophos-1[123] state change: CONNECTING => DESTROYING

2020-11-03 13:18:07 21[NET] <136> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (464 bytes)
2020-11-03 13:18:07 21[ENC] <136> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2020-11-03 13:18:07 21[CFG] <136> looking for peer configs matching 10.0.0.4[10.0.0.4]72.138.xxx.xxx[72.138.xxx.xxx]
2020-11-03 13:18:07 21[CFG] <136> candidate "Azure_to_Sophos-1", match: 20/20/1052 (me/other/ike)
2020-11-03 13:18:07 21[CFG] selected peer config 'Azure_to_Sophos-1'
2020-11-03 13:18:07 21[IKE] tried 2 shared keys for '10.0.0.4' - '72.138.xxx.xxx', but MAC mismatched
2020-11-03 13:18:07 21[DMN] [GARNER-LOGGING] (child_alert) ALERT: peer authentication failed
2020-11-03 13:18:07 21[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-11-03 13:18:07 21[NET] sending packet: from 10.0.0.4[4500] to 72.138.xxx.xxx[4500] (96 bytes)
2020-11-03 13:18:07 21[IKE] IKE_SA Azure_to_Sophos-1[136] state change: CONNECTING => DESTROYING

2020-11-13 04:55:06 17[ENC] could not decrypt payloads
2020-11-13 04:55:06 17[IKE] message parsing failed
2020-11-13 04:55:06 17[IKE] ignore malformed INFORMATIONAL request
2020-11-13 04:55:06 17[IKE] INFORMATIONAL_V1 request with message ID 2070455846 processing failed
2020-11-13 04:55:06 17[DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 20.36.xxx.xxx[500] failed
2020-11-13 04:55:10 19[IKE] sending retransmit 1 of request message ID 0, seq 3
2020-11-13 13:56:39 12[NET] <5> received packet: from 72.138.xxx.xxx[4500] to 10.0.0.4[4500] (124 bytes)

The gateway isn't responding to IKE negotiation messages. The connection imported from a provisioning file has a duplicate display name. I also deactivated and reactivated the tunnel to see if that would generate logs and create the file. I don't see any specific reference in the documentation saying only a single profile is supported. SURF detected one or more of the following log lines in the awarrenhttp log file of the SFOS appliance. This error applies to IPsec VPN connections only. To prevent the prompt from showing in the future, contact your firewall administrator. We'll put the strongswan service in debug mode while we troubleshoot IPsec VPN issues.
To prevent the prompt from showing when the SSL VPN policy is downloading, contact your firewall administrator. Please copy it manually. This issue may occur if the IKE version doesn't match the configured policy of the firewalls.

Problem #3 - ALERT: peer authentication failed

Check the configured remote and local connection ID. Check that you have a valid IP address and that your existing network connection is working. A site-to-site IPSec VPN between a Palo Alto Networks firewall and a firewall from a different vendor is configured. The Sophos Connect client tried to establish an SSL VPN connection with an existing policy it has saved for this connection. Resolution. Sophos Firewall uses the following files in /log to trace the IPsec events: This page helps with troubleshooting errors that relate to this error message: IPsec connection could not be established. Open the following log file: /log/strongswan.log. The strongSwan log shows the following error message: Remote peer is refusing our Phase 1 proposals. We have two different Split Tunnel configurations deployed to clients. I had not configured the Advanced settings as they didn't exist prior to MR4. Is it on the official roadmap to properly support multiple IPSEC profiles? Make sure the phase 2 settings for encryption and authentication algorithms and DH group match on both firewalls. Multiple different split profiles connect fine. Cause: The cause is likely to be a preshared key mismatch between the two firewalls. This issue may occur if the networks being negotiated on either end of the tunnel don't match on both ends. You must download and import a new ovpn file from the Sophos Firewall user portal to successfully re-establish the SSL VPN tunnel. The output shows that IPSec SAs have been established.
In the instructions posted it doesn't say to switch to that directory first. Cause: Mismatched phase 1 proposals between the two peers. Override hostname is configured, but it does not resolve to a valid or correct public IP address. strongSwan is the service used by Sophos to provide IPSec functionality. Phase 1 succeeds, but Phase 2 negotiation fails. After much stuffing around and spotting a clue in the MR4 release notes, we figured out we had to have the Use as default gateway turned on in the GUI and then all the clients could connect. To prevent key exchange collisions, follow these guidelines: Sophos Firewall only supports time-based rekeying. Ensure that traffic from LAN hosts passes through the Sophos Firewall. On Sophos Firewall, import the certificate then select it for.

Failed SA: 216.204.241.93[500]-216.203.80.108[500] message id:0x43D098BB

An SSL VPN policy is downloaded for the first time from Sophos Firewall and the SSL VPN tunnel is established with it.
2020-09-20 00:25:13 05[IKE] failed to establish CHILD_SA, keeping IKE_SA

Logs on the remote (respond only) Sophos firewall:

2020-09-24 18:51:19 13[NET] <100> received packet: from 72.138.xx.xx1[500] to 10.0.0.4[500] (872 bytes)
2020-09-24 18:51:19 13[ENC] <100> parsed ID_PROT request 0 [ SA V V V V V V ]
2020-09-24 18:51:19 13[CFG] <100> looking for an ike config for 10.0.0.472.138.xx.xx
2020-09-24 18:51:19 13[IKE] <100> no IKE config found for 10.0.0.472.138.xx.xx, sending NO_PROPOSAL_CHOSEN
2020-09-24 18:51:19 13[ENC] <100> generating INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]
2020-09-24 18:51:19 13[NET] <100> sending packet: from 10.0.0.4[500] to 72.138.107.211[500] (40 bytes)
2020-09-24 18:51:19 13[IKE] <100> IKE_SA (unnamed)[100] state change: CREATED => DESTROYING

2020-09-24 09:50:54 06[NET] received packet: from 40.84.xx.xx [500] to 192.168.1.16[500] (40 bytes)
2020-09-24 09:50:54 06[ENC] parsed INFORMATIONAL_V1 request 1316998708 [ N(NO_PROP) ]
2020-09-24 09:50:54 06[IKE] informational: received NO_PROPOSAL_CHOSEN error notify
2020-09-24 09:50:54 06[IKE] IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
2020-09-24 09:50:54 06[IKE] flush_queue(IKE_MOBIKE)
2020-09-24 09:50:54 06[IKE] ### destroy: 0x7f9b88001f80
2020-09-24 09:50:54 06[IKE] flush_queue(IKE_NATD)
2020-09-24 09:50:54 06[IKE] flush_queue(IKE_INIT)
2020-09-24 09:50:54 06[IKE] IKE_SA has_condition COND_START_OVER retry initiate in 60 sec
2020-09-24 09:50:54 06[IKE] IKE_SA To_Azure_Sophos-1[108] state change: CONNECTING => DESTROYING

Are you in the /log partition?
2020-09-20 00:25:13 05[NET] received packet: from 72.138.xx.xx[4500] to 10.0.0.4[4500] (1168 bytes)
2020-09-20 00:25:13 05[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
2020-09-20 00:25:13 05[CFG] looking for a child config for 10.0.1.0/24 === 172.16.19.0/24
2020-09-20 00:25:13 05[IKE] traffic selectors 10.0.1.0/24 === 172.16.19.0/24 inacceptable

Example: You've configured the local firewall's IPsec connection with Local ID set to IP address, but the remote firewall is configured to expect a DNS name.

*Jan 11 2016 03:47:03.535 UTC: ISAKMP: set new node 1546246116 to QM_IDLE
*Jan 11 2016 03:47:03.535 UTC: ISAKMP: (1003): processing HASH payload.

!
crypto isakmp policy 10
 encr aes
 group 5
 lifetime 82800
!

Proceed to the next steps if the website is accessible. Verify if firewall rules are created to allow VPN traffic. Traffic stops flowing after some time.

Problem #1 - Incorrect traffic selectors (SA)

Verify networks being presented by both local and remote ends match

That worked for me. Verify the network objects on either end match exactly, down to the correct subnets and even individual addresses. If you don't have a network connection, follow these instructions. If the firewall administrator changes the SSL VPN policy on Sophos Firewall while the tunnel is in a connected state, and it's an SSL VPN over TCP tunnel, then the Sophos Connect client detects and disconnects the tunnel with an error. Update the local and remote ID types and IDs with matching values on both firewalls. The information below only applies if your firewall administrator configured a provisioning (.pro) file.
Verify the IPsec connection status with the following command: . Verify the IPsec route by running the following command: . See the following image: Enter the following command: ip xfrm policy. For example, the remote firewall expects 192.168.0.0/24, but the local firewall tries to negotiate using 192.168.1.0/24. In this case, contact your firewall administrator. The existence of the Sophos Connect Admin tool seems to imply you were allowing different profiles. The SSL VPN (remote access) policy on Sophos Firewall doesn't contain any policy members. You canceled the certificate warning prompt, and the connection was terminated. This is possibly an MR4+ issue, but we encountered this after upgrading to MR 5.

Sophos Firewall: Website inaccessible due to 502 status code - invalid header in response KB-000041466 May 31, 2021

Verify configured IKE version on policies.