Hello together!
We've an asg220 v8.302 connected with an asg110 v8.302 via ipsec vpn. we've changed the ip adress of the asg110, made the config on both machines and everything is working fine.
now we changed the ip of the asg220, made the config on both machines, the vpn works but they can't do a connection to the servers via http or rdp.
the log from the asg110 tells me:
2012:05:15-06:45:14 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: received Vendor ID payload [RFC 3947]
2012:05:15-06:45:14 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: enabling possible NAT-traversal with method 3
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: we don't have a cert
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: Peer ID is ID_IPV4_ADDR: '212.117.***.***' (THAT'S THE NEW IP)
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: Dead Peer Detection (RFC 3706) enabled
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: ISAKMP SA established
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#47}
2012:05:15-06:45:16 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@178.15.***.*** included errno 17: File exists
2012:05:15-06:45:16 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: sent QI2, IPsec SA established {ESP=>0x1b33365d <0xd649a0b0 DPD}
and here the log from the asg220:
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [strongSwan]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [Cisco-Unity]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [XAUTH]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [Dead Peer Detection]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [RFC 3947]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: responding to Main Mode from unknown peer 178.15.109.106
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: Peer ID is ID_IPV4_ADDR: '178.15.***.***'
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: we don't have a cert
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: Dead Peer Detection (RFC 3706) enabled
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: sent MR3, ISAKMP SA established
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
2012:05:14-17:04:30 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2012:05:14-17:04:30 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
2012:05:14-17:04:50 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2012:05:14-17:04:50 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
Do I need to regenerate the certificate on the asg220?
Thanks for ideas!
Kind regards,
atctv
We've an asg220 v8.302 connected with an asg110 v8.302 via ipsec vpn. we've changed the ip adress of the asg110, made the config on both machines and everything is working fine.
now we changed the ip of the asg220, made the config on both machines, the vpn works but they can't do a connection to the servers via http or rdp.
the log from the asg110 tells me:
2012:05:15-06:45:14 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: received Vendor ID payload [RFC 3947]
2012:05:15-06:45:14 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: enabling possible NAT-traversal with method 3
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: we don't have a cert
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: Peer ID is ID_IPV4_ADDR: '212.117.***.***' (THAT'S THE NEW IP)
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: Dead Peer Detection (RFC 3706) enabled
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #47: ISAKMP SA established
2012:05:15-06:45:15 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#47}
2012:05:15-06:45:16 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@178.15.***.*** included errno 17: File exists
2012:05:15-06:45:16 gelsenkirchen pluto[6269]: "S_VPN to EU" #48: sent QI2, IPsec SA established {ESP=>0x1b33365d <0xd649a0b0 DPD}
and here the log from the asg220:
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [strongSwan]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [Cisco-Unity]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [XAUTH]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [Dead Peer Detection]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: received Vendor ID payload [RFC 3947]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:05:14-17:04:20 euskirchen pluto[24569]: packet from 178.15.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: responding to Main Mode from unknown peer 178.15.109.106
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: NAT-Traversal: Result using RFC 3947: no NAT detected
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: Peer ID is ID_IPV4_ADDR: '178.15.***.***'
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: we don't have a cert
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: Dead Peer Detection (RFC 3706) enabled
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: sent MR3, ISAKMP SA established
2012:05:14-17:04:20 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
2012:05:14-17:04:30 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2012:05:14-17:04:30 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
2012:05:14-17:04:50 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2012:05:14-17:04:50 euskirchen pluto[24569]: "S_VPN to GE"[1] 178.15.***.*** #111: ignoring informational payload, type INVALID_KEY_INFORMATION
Do I need to regenerate the certificate on the asg220?
Thanks for ideas!
Kind regards,
atctv