This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Kompletten Traffic über Site-to-Site VPN routen

Hallo zusammen,

ich habe folgendes vor:

Ich möchte mit einer Sophos UTM 9.204-20 eine Site-to-Site VPN Connection zu einem VPN-Provider (in meinem Fall Hide.me) aufbauen und im Anschluss daran alle Verbindungen ins Internet darüber routen, sodass von meiner Sophos aus lediglich die "anonyme" VPN-Verbindung ins Internet besteht.

Als Bons wäre eine Art Failover mit einer zweiten Site-to-Site VPN Verbindung wünschenswert, sodass bei Verbindungsabbruch zum einen Tunnel, der Traffic über den nächsten geroutet wird. Das wäre allerdings nur optional.

Nun zum Aufbau:

Den Site-to-Site Tunnel habe ich via IPsec zustande bekommen, dieser kann auch mit folgenden Einstellungen erfolgreich aufgebaut werden:

Einstellungen Remote Gateway:

Einstellungen IPsec Connection:

Wenn die Verbindung aktiv ist, ist momentan kein Zugriff aufs Internet möglich.

Welche Einstellungen muss ich ändern bzw. evtl. an anderer Stelle vornehmen?

This thread was automatically locked due to age.

Parents

0 BAlfson over 10 years ago

'Local networks' in der 'IPsec Connection' sollte nicht "External (WAN) (Network)" enthalten, sondern 'Internal (Network)'.

MfG - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 10 years ago

'Local networks' in der 'IPsec Connection' sollte nicht "External (WAN) (Network)" enthalten, sondern 'Internal (Network)'.

MfG - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 stephan.s over 10 years ago in reply to BAlfson

'Local networks' in der 'IPsec Connection' sollte nicht "External (WAN) (Network)" enthalten, sondern 'Internal (Network)'.

MfG - Bob

Das hatte ich bereits versucht, allerdings kann dann der IPsec Tunnel nicht aufgebaut werden.

Folgendes steht dazu im Log:

2014:07:27-10:30:00 jphs pluto[16069]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2014:07:27-10:30:00 jphs pluto[16069]: loading attribute certificates from '/etc/ipsec.d/acerts'
2014:07:27-10:30:00 jphs pluto[16069]: Changing to directory '/etc/ipsec.d/crls'
2014:07:27-10:30:00 jphs pluto[16069]: added connection description "S_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: initiating Main Mode
2014:07:27-10:30:00 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: received Vendor ID payload [strongSwan]
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: received Vendor ID payload [XAUTH]
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: received Vendor ID payload [Dead Peer Detection]
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: received Vendor ID payload [RFC 3947]
2014:07:27-10:30:00 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: enabling possible NAT-traversal with method 3
2014:07:27-10:30:01 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: NAT-Traversal: Result using RFC 3947: no NAT detected
2014:07:27-10:30:02 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: Peer ID is ID_IPV4_ADDR: '109.201.143.91'
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: Dead Peer Detection (RFC 3706) enabled
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ISAKMP SA established
2014:07:27-10:30:02 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: parsing XAUTH request
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: sending XAUTH reply
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: parsing XAUTH status
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: extended authentication was successful
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: sending XAUTH ack
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: sent XAUTH ack, established
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #9: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#8}
2014:07:27-10:30:02 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:02 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ignoring informational payload, type INVALID_ID_INFORMATION
2014:07:27-10:30:02 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:03 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:03 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:03 jphs pluto[16069]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:27-10:30:12 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ignoring informational payload, type INVALID_MESSAGE_ID
2014:07:27-10:30:32 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ignoring informational payload, type INVALID_MESSAGE_ID
2014:07:27-10:31:12 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:07:27-10:31:12 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #9: starting keying attempt 2 of an unlimited number
2014:07:27-10:31:12 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #10: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK to replace #9 {using isakmp#8}
2014:07:27-10:31:12 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ignoring informational payload, type INVALID_ID_INFORMATION
2014:07:27-10:31:22 jphs pluto[16069]: "S_Hide.me VPN NL Roosendaal" #8: ignoring informational payload, type INVALID_MESSAGE_ID

Kann damit jemand etwas anfangen?
Cancel
Vote Up 0 Vote Down

Cancel
0 K.N. over 10 years ago in reply to stephan.s

Das hatte ich bereits versucht, allerdings kann dann der IPsec Tunnel nicht aufgebaut werden.
...
Kann damit jemand etwas anfangen?

Ich würd' fast meinen, die Gegenstelle kennt Dein LAN nicht, sondern nur Deine externe Adresse. Da diese dort als remote address eingetragen ist, wird die Verbindung wohl fehlschlagen, sobald Du was anderes hinzufügst.

Was steht denn so in den Logs, wenn das VPN etabliert ist?
Cancel
Vote Up 0 Vote Down

Cancel
0 stephan.s over 10 years ago in reply to K.N.

Was steht denn so in den Logs, wenn das VPN etabliert ist?

Wenn die Verbindung mit den ursprünglichen Settings (wie oben im ersten Post beschrieben) hergestellt wird, wird folgendes ins Log geschrieben:

2014:07:28-17:03:47 jphs pluto[19437]: listening for IKE messages
2014:07:28-17:03:47 jphs pluto[19437]: forgetting secrets
2014:07:28-17:03:47 jphs pluto[19437]: loading secrets from "/etc/ipsec.secrets"
2014:07:28-17:03:47 jphs pluto[19437]: loaded private key from 'Local X509 Cert (regenerated).pem'
2014:07:28-17:03:47 jphs pluto[19437]: loaded XAUTH secret for ***@sophos 109.201.143.91
2014:07:28-17:03:47 jphs pluto[19437]: loaded PSK secret for 79.234.103.57 109.201.143.91
2014:07:28-17:03:47 jphs pluto[19437]: forgetting secrets
2014:07:28-17:03:47 jphs pluto[19437]: loading secrets from "/etc/ipsec.secrets"
2014:07:28-17:03:47 jphs pluto[19437]: loaded private key from 'Local X509 Cert (regenerated).pem'
2014:07:28-17:03:47 jphs pluto[19437]: loaded XAUTH secret for ***@sophos 109.201.143.91
2014:07:28-17:03:47 jphs pluto[19437]: loaded PSK secret for 79.234.103.57 109.201.143.91
2014:07:28-17:03:47 jphs pluto[19437]: loading ca certificates from '/etc/ipsec.d/cacerts'
2014:07:28-17:03:47 jphs pluto[19437]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2014:07:28-17:03:47 jphs pluto[19437]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Wed Jul 16 22:32:09 2014).pem'
2014:07:28-17:03:47 jphs pluto[19437]: loading aa certificates from '/etc/ipsec.d/aacerts'
2014:07:28-17:03:47 jphs pluto[19437]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2014:07:28-17:03:47 jphs pluto[19437]: loading attribute certificates from '/etc/ipsec.d/acerts'
2014:07:28-17:03:47 jphs pluto[19437]: Changing to directory '/etc/ipsec.d/crls'
2014:07:28-17:03:47 jphs pluto[19437]: added connection description "S_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: initiating Main Mode
2014:07:28-17:03:47 jphs pluto[19437]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: received Vendor ID payload [strongSwan]
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: received Vendor ID payload [XAUTH]
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: received Vendor ID payload [Dead Peer Detection]
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: received Vendor ID payload [RFC 3947]
2014:07:28-17:03:47 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: enabling possible NAT-traversal with method 3
2014:07:28-17:03:48 jphs pluto[19437]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
2014:07:28-17:03:48 jphs pluto[19437]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: Peer ID is ID_IPV4_ADDR: '109.201.143.91'
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: Dead Peer Detection (RFC 3706) enabled
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: ISAKMP SA established
2014:07:28-17:03:48 jphs pluto[19437]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: parsing XAUTH request
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: sending XAUTH reply
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: parsing XAUTH status
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: extended authentication was successful
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: sending XAUTH ack
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #1: sent XAUTH ack, established
2014:07:28-17:03:48 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #2: initiating Quick Mode ENCRYPT+TUNNEL+UP+XAUTHPSK {using isakmp#1}
2014:07:28-17:03:48 jphs pluto[19437]: added connection description "X_Hide.me VPN NL Roosendaal"
2014:07:28-17:03:49 jphs pluto[19437]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Hide.me VPN NL Roosendaal" address="79.234.103.57" local_net="79.234.103.57/32" remote_net="0.0.0.0/0"
2014:07:28-17:03:49 jphs pluto[19437]: "S_Hide.me VPN NL Roosendaal" #2: sent QI2, IPsec SA established {ESP=>0xcd98359f
Cancel
Vote Up 0 Vote Down

Cancel

Kompletten Traffic über Site-to-Site VPN routen

Submitted a Tech Support Case lately from the Support Portal?