Wednesday, July 31, 2019

Sophos XG VPN issue with FortiGate and Sophos SG Devices

Last week, a customer raised a case with us. He is using a site-to-site IPsec VPN between Sophos XG and Sophos SG devices, and the tunnel was not coming up. After checking the logs on the XG device, we found the root cause: a Local and Remote ID mismatch. But how? The Local ID cannot be changed on SG devices, and no Remote ID had been assigned on the XG firewall.

I remember facing the same issue between FortiGate and Sophos XG devices.

Let's go through the issue, the findings and the resolution.

Case 1: IPsec VPN between SG and XG firewall.
Finding/Root Cause: As the XG firewall was reporting a Remote ID mismatch error, I started investigating and found that the SG firewall was sending its Local ID as its WAN IP address, but because the Sophos XG firewall had its remote gateway configured as a DynDNS address, the XG expected the remote ID to be that same DynDNS address.

Sophos SG Configuration:
Remote Gateway: DynDNS address of the XG firewall.
Local & Remote ID: not enabled.

Sophos XG Configuration:
Remote Gateway: DynDNS address of the SG firewall.
Local & Remote ID: not enabled.

Note that we had not enabled the Remote ID/Local ID on either the XG or the SG firewall. Still, the Sophos XG firewall was trying to match the remote ID.

I found a tricky workaround: if I assigned Remote ID 0.0.0.0 on the XG firewall, the tunnel came up. I discussed the meaning of remote ID 0.0.0.0 with the Sophos tech team. He told me to avoid assigning 0.0.0.0 as the remote ID, because it means you are going to accept any remote ID for this tunnel, i.e. you really don't care about the Remote ID (the remote device's Local ID).

I checked the SG firewall and went through the configuration guide, and found that the Local IPsec VPN ID cannot be changed on the SG firewall; it is the default behaviour of the box.

Issue Resolved: As the customer had configured the XG firewall in respond mode, there is no requirement to configure a remote gateway, so I changed it to "any". We also disabled the Remote ID on the XG firewall. To respect the customer's security concern, I enabled the Local ID on the XG firewall, and the Remote ID was also enabled on the SG firewall. Wow, the VPN came up.

Case 2: IPsec VPN between FortiGate and XG firewall
Finding/Root Cause: Here, the FortiGate had a dynamic WAN IP address while the Sophos was configured with a static public IP address. So the customer configured DynDNS on the FortiGate and was trying to establish an IPsec VPN between the two devices.

FortiGate Configuration:
Remote Gateway: Public IP of the XG firewall.
Local & Remote ID: not enabled.

Sophos XG Configuration:
Remote Gateway: DynDNS address of the FortiGate.
Local & Remote ID: not enabled.

Note that we had not enabled the Remote ID/Local ID on either the XG or the FortiGate firewall. Still, the Sophos XG firewall was trying to match the remote ID against the DynDNS address of the FortiGate, while the FortiGate was sending its Local ID as its WAN interface IP address.

Issue Resolved: I logged in to the FortiGate and changed its Local ID to its DynDNS address in the VPN configuration portal. Wow... the issue was resolved.
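Since both cases come down to the same thing (the responder expects a specific remote identity, and the "0.0.0.0" workaround simply stops checking it), here is an added example in strongSwan ipsec.conf syntax showing the weak setting beside the pinned one. This is my own illustration, not the configuration generated by Sophos XG (which the post does not show); the hostnames, subnets and connection names are made-up placeholders.

```ini
# Added example, not from the original post. strongSwan ipsec.conf syntax;
# all names, addresses and subnets are constructed placeholders.
config setup

# WEAK: rightid=%any accepts whatever identity the peer sends. This is the
# ipsec.conf equivalent of the "Remote ID 0.0.0.0" workaround the Sophos
# engineer advised against: the tunnel comes up, but the peer is no longer
# bound to a known identity.
conn branch-weak
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftid=@hq.example.net          # our Local ID as an FQDN, not tied to the WAN IP
    right=%any                      # respond-only: peer may come from any address
    rightid=%any                    # accepts ANY remote ID; avoid in production
    leftsubnet=10.10.0.0/24
    rightsubnet=10.20.0.0/24
    auto=add

# BETTER: pin the peer's identity explicitly on both sides. The value must be
# exactly what the peer sends as its Local ID: if the peer cannot change its
# Local ID and sends its WAN IP, put that IP here; if it can send an FQDN
# (as the FortiGate was set to in Case 2), put the DynDNS name here.
conn branch-pinned
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftid=@hq.example.net
    right=%any
    rightid=@branch.dyndns-example.net   # the peer's configured Local ID
    leftsubnet=10.10.0.0/24
    rightsubnet=10.20.0.0/24
    auto=add
```

The "@" prefix tells strongSwan to treat the value as a literal FQDN identity rather than resolving it. strongSwan's documented default when rightid is omitted is the value of right, so a DynDNS hostname used as the remote gateway becomes the expected FQDN identity, which is consistent with the mismatch both cases above ran into when the peer identified itself by WAN IP instead.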

Here I have a concern about the Sophos XG/strongSwan VPN architecture: if you have disabled the Remote ID, why does it still require the remote ID to match when you have configured the remote gateway as the DynDNS address of the remote device?
Maybe it is part of the security design, but I am not sure. There is no clear documentation on the Sophos website about this.

Let's move forward and resolve the issue this way while I try to get an answer from the Sophos team.