Channel: Sophos User Bulletin Board

Site-to-Site VPN stopped working

Hi all,
I hope someone can help me.
I have set up an IPsec VPN between 2 UTMs, version 9.004-33.
I use RSA key identification.
The tunnel worked fine, but after rebooting one of them the tunnel does not come up anymore.

FW1 has a dynamic IP:
remote GW: initiate connection
GW IP: x.x.x.x (static)
RSA-Key:
VPN-ID-Type Hostname: FW1

FW2 has a static IP:
remote GW: respond only
RSA-Key:
VPN-ID-Type Hostname: FW1

IPsec-Connection:
Name: VPN-01
encryption algorithm: AES-128

In the live log I get the following messages:
FW1:
Code:

11:21-16:24:54 homegate ipsec_starter[14226]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2012:11:21-16:24:55 homegate pluto[14233]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2012:11:21-16:24:55 homegate pluto[14233]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2012:11:21-16:24:55 homegate pluto[14233]: including NAT-Traversal patch (Version 0.6c)
2012:11:21-16:24:55 homegate pluto[14233]: Using Linux 2.6 IPsec interface code
2012:11:21-16:24:55 homegate ipsec_starter[14232]: pluto (14233) started after 20 ms
2012:11:21-16:24:55 homegate pluto[14233]: loading ca certificates from '/etc/ipsec.d/cacerts'
2012:11:21-16:24:55 homegate pluto[14233]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2012:11:21-16:24:55 homegate pluto[14233]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Wed Nov 21 14:38:40 2012).pem'
2012:11:21-16:24:55 homegate pluto[14233]: loading aa certificates from '/etc/ipsec.d/aacerts'
2012:11:21-16:24:55 homegate pluto[14233]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2012:11:21-16:24:55 homegate pluto[14233]: Changing to directory '/etc/ipsec.d/crls'
2012:11:21-16:24:55 homegate pluto[14233]: loading attribute certificates from '/etc/ipsec.d/acerts'
2012:11:21-16:24:55 homegate pluto[14233]: listening for IKE messages
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth2/eth2 192.168.10.1:500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth2/eth2 192.168.10.1:4500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth1/eth1 192.168.4.2:500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth1/eth1 192.168.4.2:4500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth0/eth0 192.168.2.1:500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface eth0/eth0 192.168.2.1:4500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface lo/lo 127.0.0.1:500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface lo/lo 127.0.0.1:4500
2012:11:21-16:24:55 homegate pluto[14233]: adding interface lo/lo ::1:500
2012:11:21-16:24:55 homegate pluto[14233]: loading secrets from "/etc/ipsec.secrets"
2012:11:21-16:24:55 homegate pluto[14233]: added connection description "S_VPN-01"
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: initiating Main Mode
2012:11:21-16:24:55 homegate pluto[14233]: added connection description "S_VPN-01"
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: received Vendor ID payload [strongSwan]
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: ignoring Vendor ID payload [Cisco-Unity]
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: received Vendor ID payload [XAUTH]
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: received Vendor ID payload [Dead Peer Detection]
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: received Vendor ID payload [RFC 3947]
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: enabling possible NAT-traversal with method 3
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: we don't have a cert
2012:11:21-16:25:05 homegate pluto[14233]: "S_VPN-01" #1: discarding duplicate packet; already STATE_MAIN_I3
11:21-16:25:25 homegate pluto[14233]: "S_VPN-01" #1: discarding duplicate packet; already STATE_MAIN_I3
2012:11:21-16:26:05 homegate pluto[14233]: "S_VPN-01" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

FW2:

Code:

2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: ignoring Vendor ID payload [Cisco-Unity]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: received Vendor ID payload [XAUTH]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: received Vendor ID payload [Dead Peer Detection]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: received Vendor ID payload [RFC 3947]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:11:21-16:24:55 maingate pluto[7579]: packet from x.x.112.232:56693: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2012:11:21-16:24:55 maingate pluto[7579]: "S_VPN-01"[2] x.x.112.232:56693 #2: responding to Main Mode from unknown peer x.x.112.232:56693
2012:11:21-16:24:55 maingate pluto[7579]: "S_VPN-01"[2] x.x.112.232:56693 #2: NAT-Traversal: Result using RFC 3947: peer is NATed
2012:11:21-16:26:05 maingate pluto[7579]: "S_VPN-01"[2] x.x.112.232:56693 #2: max number of retransmissions (2) reached STATE_MAIN_R2
2012:11:21-16:26:05 maingate pluto[7579]: "S_VPN-01"[2] x.x.112.232:56693: deleting connection "S_VPN-01"[2] instance with peer x.x.112.232 {isakmp=#0/ipsec=#0}

If you need any further information just let me know.

Thank you for your help,

Spenc
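As an added triage example (not part of the post, and not Sophos or strongSwan code): a small Python parser for pluto log lines of the shape shown above that extracts the Main Mode state in which each side exhausted its retransmissions and says what that combination means. The sample lines inside are constructed in the same format as the post's logs; the addresses are placeholders.

```python
import re

# Line shape of strongSwan 4.x pluto (IKEv1) as shown in the UTM live log:
#   <ts> <host> pluto[pid]: "<conn>"[inst] <addr:port> #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])?(?: \S+:\d+)? #\d+: )?(?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

# What each pluto Main Mode state is still waiting for (RFC 2409 main mode).
WAITING_FOR = {
    "STATE_MAIN_I1": "MR1 (SA reply)",
    "STATE_MAIN_I2": "MR2 (KE/nonce reply)",
    "STATE_MAIN_I3": "MR3: our first encrypted message (ID + auth) was not answered",
    "STATE_MAIN_R1": "MI2 (KE/nonce)",
    "STATE_MAIN_R2": "MI3: the peer's encrypted ID + auth message was never accepted",
}

# Constructed sample lines modelled on the post's logs (placeholder addresses).
INITIATOR_SAMPLE = [
    '2012:11:21-16:24:55 homegate pluto[14233]: "S_VPN-01" #1: we don\'t have a cert',
    '2012:11:21-16:26:05 homegate pluto[14233]: "S_VPN-01" #1: max number of '
    'retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure',
]
RESPONDER_SAMPLE = [
    '2012:11:21-16:24:55 maingate pluto[7579]: "S_VPN-01"[2] 203.0.113.5:56693 #2: '
    'NAT-Traversal: Result using RFC 3947: peer is NATed',
    '2012:11:21-16:26:05 maingate pluto[7579]: "S_VPN-01"[2] 203.0.113.5:56693 #2: '
    'max number of retransmissions (2) reached STATE_MAIN_R2',
]

def stuck_states(lines):
    """Map connection name -> last state in which retransmissions were exhausted."""
    stuck = {}
    for line in lines:
        m = LINE_RE.match(line)
        r = RETRANS_RE.search(m.group("msg")) if m else None
        if r:
            stuck[m.group("conn") or "?"] = r.group(1)
    return stuck

def verdict(initiator_lines, responder_lines, conn):
    """Combine both sides' logs for one connection into a one-line triage statement."""
    i = stuck_states(initiator_lines).get(conn)
    r = stuck_states(responder_lines).get(conn)
    if i == "STATE_MAIN_I3" and r == "STATE_MAIN_R2":
        # With NAT-T (RFC 3947) MI3 is the first packet sent on UDP 4500, so a path that
        # only passes UDP 500 shows exactly this pattern; otherwise the responder could
        # not match the initiator's ID to a known RSA public key.
        return ("MI3 lost or rejected: verify UDP 4500 end to end, then compare the VPN ID "
                "and RSA public key configured for the peer on both sides")
    if i or r:
        fmt = lambda s: WAITING_FOR.get(s, s or "no timeout")
        return "initiator waits for %s / responder waits for %s" % (fmt(i), fmt(r))
    return "no retransmission timeout found"
```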
