
IPsec tunnel issue

Network Infrastructure:

{Region1:[Zscaler]}-----------------------------------------------------Region2:{[Aztech Modem]--[Sophos FW]--{LAN}}

Description:

Before asking the question, please have a look at the infrastructure. The Aztech modem has a public IP. Sophos is behind the Aztech modem and has private interfaces only. Region 2 has outbound connections only (the modem has outbound-initiated connections active and inbound-initiated connections inactive).

Issue:

We are trying to set up an IPsec tunnel between our region (Region 2) and Zscaler.

We have configured Region 2 to initiate the connection, with the VPN ID set to an email address. While initiating the connection we get the error logs below. No idea what this is!! Could anyone please help me understand and fix this issue??

2017:01:20-18:29:18 mpgsophossg-gt ipsec_starter[8964]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2017:01:20-18:29:18 mpgsophossg-gt ipsec_starter[8964]: no default route - cannot cope with %defaultroute!!!
2017:01:20-18:29:18 mpgsophossg-gt ipsec_starter[8970]: pluto (8976) started after 20 ms
2017:01:20-18:29:18 mpgsophossg-gt pluto[8976]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: including NAT-Traversal patch (Version 0.6c)
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: Using Linux 2.6 IPsec interface code
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loading ca certificates from '/etc/ipsec.d/cacerts'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loading aa certificates from '/etc/ipsec.d/aacerts'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: Changing to directory '/etc/ipsec.d/crls'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loading attribute certificates from '/etc/ipsec.d/acerts'
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: listening for IKE messages
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface br0/br0 10.200.1.254:500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface br0/br0 10.200.1.254:4500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface wlan2/wlan2 172.16.28.1:500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface wlan2/wlan2 172.16.28.1:4500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface eth2/eth2 192.168.1.1:500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface eth2/eth2 192.168.1.1:4500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface lo/lo 127.0.0.1:500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface lo/lo 127.0.0.1:4500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: adding interface lo/lo ::1:500
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loading secrets from "/etc/ipsec.secrets"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: loaded PSK secret for umesh@manpowergroup.com umesh@manpowergroup.com
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "S_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: "S_Zscaler_withFailover" #1: initiating Main Mode
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: ERROR: "S_Zscaler_withFailover" #1: sendto on eth2 to 42.99.164.35:500 failed in main_outI1. Errno 1: Operation not permitted
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
2017:01:20-18:29:19 mpgsophossg-gt pluto[8976]: added connection description "X_Zscaler_withFailover"
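A small triage script, added here as an example (it is not from the thread, from Sophos or from strongSwan), that reads ipsec_starter/pluto lines in the format shown above and pulls out the three facts that matter for this failure: the missing default route, the EPERM returned by sendto, and the observation that every IKE listener sits on a private address. The sample lines and the peer address 203.0.113.10 are constructed.

```python
import re
import ipaddress

# Constructed sample in the same format as the pluto log in the post (not the poster's own lines)
SAMPLE_LOG = """\
2017:01:20-18:29:18 fw ipsec_starter[8964]: no default route - cannot cope with %defaultroute!!!
2017:01:20-18:29:19 fw pluto[8976]: adding interface br0/br0 10.200.1.254:500
2017:01:20-18:29:19 fw pluto[8976]: adding interface eth2/eth2 192.168.1.1:500
2017:01:20-18:29:19 fw pluto[8976]: adding interface lo/lo 127.0.0.1:500
2017:01:20-18:29:19 fw pluto[8976]: "S_Zscaler" #1: initiating Main Mode
2017:01:20-18:29:19 fw pluto[8976]: ERROR: "S_Zscaler" #1: sendto on eth2 to 203.0.113.10:500 failed in main_outI1. Errno 1: Operation not permitted
"""
# "<timestamp> <host> <process>[<pid>]: <message>" as written by ipsec_starter and pluto
LINE_RE = re.compile(r"^\S+ \S+ (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
IFACE_RE = re.compile(r"adding interface (?P<name>[^/ ]+)/\S+ (?P<ip>[0-9.]+):500$")
SENDTO_RE = re.compile(
    r"sendto on (?P<iface>\S+) to (?P<peer>[0-9.]+):\d+ failed in (?P<fn>\w+)\. Errno (?P<errno>\d+)")

def triage(log_text):
    # Extract the facts that matter for an IKE initiation failure
    f = {"no_default_route": False, "private_ifaces": [], "public_ifaces": [], "sendto_failures": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a starter/pluto line; ignore
        msg = m.group("msg")
        if "no default route" in msg:
            f["no_default_route"] = True
        im = IFACE_RE.search(msg)
        if im:
            ip = ipaddress.ip_address(im.group("ip"))
            if not ip.is_loopback:  # loopback says nothing about NAT
                key = "private_ifaces" if ip.is_private else "public_ifaces"
                f[key].append((im.group("name"), str(ip)))
        sm = SENDTO_RE.search(msg)
        if sm:
            f["sendto_failures"].append({"iface": sm.group("iface"), "peer": sm.group("peer"),
                                         "errno": int(sm.group("errno"))})
    # Only RFC1918 addresses on the IKE listeners means the box sits behind a NAT device
    f["behind_nat"] = bool(f["private_ifaces"]) and not f["public_ifaces"]
    return f

def diagnose(f):
    # Turn the extracted facts into the checks an operator should make, in order
    advice = []
    if f["no_default_route"]:
        advice.append("no default route: IKE cannot pick an egress path; fix routing before the tunnel")
    for s in f["sendto_failures"]:
        if s["errno"] == 1:  # EPERM: the local kernel refused to send the IKE packet at all
            advice.append(f"EPERM sending IKE on {s['iface']} to {s['peer']}: check local packet-filter "
                          "and policy rules for outbound UDP 500/4500 before blaming the peer")
    if f["behind_nat"]:
        advice.append("only private IPs on IKE listeners: behind NAT, so NAT-T (UDP 4500) is required "
                      "and the VPN ID must match what the peer expects")
    return advice
```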

  • Yes, it is behind NAT. Is there any way to configure this?

  • I'm not familiar with the Zscaler.  Set it up in a "Receive only" mode so that it listens for, but does not initiate an IPsec connection.

    In the UTM, configure the Remote Gateway as "Initiate connection" with a "Preshared key", 'VPN ID: IP address' and 'VPN ID (optional):' containing the private IP of the Zscaler (not the public IP you use for the 'Gateway').

    On the 'Advanced' tab in 'Preshared Key Settings', select 'VPN ID: IP address', enter the private IP of "External (Address)" as the 'VPN ID' and select 'Enable probing of preshared keys'.

    Any better luck now?

    Cheers - Bob