
Why Shrewsoft Tunnel to UTM9 does not complete?

Hello guys

I got a strange issue. I needed a long time to complete a configuration between my Sophos UTM9 and my ShrewSoft client to bring up a tunnel with an X509 certificate. A preshared key is unwanted. Now this is 99% complete. The problem now is that the touchy UTM9 firewall assigns my client an IP address without assigning itself one.

How to understand this?
IPsec VPN uses its own network. (Like an SSL VPN does too.) But there is only one host in this network, the client. The route configuration is completed correctly. But now the routing wants to route the packet over the client instead of over the firewall. This is unacceptable. In the SSL VPN configuration this works better. Client and UTM have an IP address. Networking works.

My Logs

2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: assigning virtual IP 192.168.4.1 to peer
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending ModeCfg reply
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sent ModeCfg reply, established
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===172.99.1.2:4500[privatedomain.com]...223.27.209.117:64916[my.email@domain.com]===192.168.4.1/32
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_ID_INFORMATION to 223.27.209.117:64916
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
 
What is wrong here? Why is the UTM firewall not fairly giving itself an IP address too, to make networking possible?
example:
192.168.4.1 --> firewall/gateway
192.168.4.2 --> 1st client
With this everything should work, like it does in SSL VPN.
 
Greetz
jens
 

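Reading the pluto lines above: the virtual IP is handed out and Phase 1 completes, and it is the following Quick Mode (Phase 2) request that UTM refuses with INVALID_ID_INFORMATION. An added Python example (not from this thread, Sophos or ShrewSoft) that pulls those facts out of pluto log lines in this format and states a verdict; the log text, the connection name "rw", the addresses and the IDs are constructed for the example.

```python
import re
from collections import Counter

# Constructed log in the same pluto format as the thread; "rw", addresses and IDs are made up.
SAMPLE_LOG = """\
2017:09:30-03:29:36 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: assigning virtual IP 192.168.4.1 to peer
2017:09:30-03:29:36 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: sent ModeCfg reply, established
2017:09:30-03:29:37 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===203.0.113.2:4500[gw.example.net]...198.51.100.7:64916[user@example.net]===192.168.4.1/32
2017:09:30-03:29:37 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:64916
2017:09:30-03:29:43 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:43 fw pluto[6907]: "rw"[3] 198.51.100.7:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.7:64916
"""

# One pluto line: timestamp host pluto[pid]: "conn"[n] peer #state: message
LINE_RE = re.compile(r'^\S+ \S+ pluto\[\d+\]: "(?P<conn>[^"]*)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
# Phase 2 selectors as pluto prints them: leftsubnet===leftaddr[leftid]...rightaddr[rightid]===rightsubnet
SEL_RE = re.compile(r"no connection is known for (?P<lsub>\S+?)===(?P<lend>[^\[\s]+?)(?:\[(?P<lid>[^\]]*)\])?"
                    r"\.\.\.(?P<rend>[^\[\s]+?)(?:\[(?P<rid>[^\]]*)\])?===(?P<rsub>\S+)")

def diagnose(log_text):
    r = {"virtual_ip": None, "phase1_established": False, "phase2_selectors": None,
         "notifications": Counter(), "replayed_message_ids": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a pluto line, ignore
        msg = m.group("msg")
        if (vip := re.search(r"assigning virtual IP (\S+) to peer", msg)):
            r["virtual_ip"] = vip.group(1)          # ModeCfg handed out a client address
        elif msg.endswith("established"):
            r["phase1_established"] = True          # ISAKMP SA (Phase 1) is up
        elif (sel := SEL_RE.search(msg)):
            r["phase2_selectors"] = sel.groupdict() # the Quick Mode proposal UTM refused
        elif (n := re.search(r"sending encrypted notification (\w+)", msg)):
            r["notifications"][n.group(1)] += 1
        elif (mid := re.search(r"previously used Message ID (0x[0-9a-fA-F]+)", msg)):
            r["replayed_message_ids"].add(mid.group(1))  # client retrying after the refusal
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    s = r["phase2_selectors"]
    if s and r["notifications"]["INVALID_ID_INFORMATION"]:
        return (f"Phase 1 and ModeCfg succeeded (peer got {r['virtual_ip']}); Phase 2 refused: "
                f"no UTM connection matches selectors {s['lsub']} <-> {s['rsub']}. "
                "Review the Phase 2 policy/selectors on the client and the UTM remote-access definition.")
    if r["phase1_established"]:
        return "Phase 1 established; no Phase 2 selector mismatch seen."
    return "Phase 1 did not complete."
```

Run `diagnose(SAMPLE_LOG)["verdict"]` to get the one-line summary; the returned dict keeps the parsed selectors and notification counts for further checks.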

  • Probably not much help but I had issues with this a long time ago. Think it was resolved by altering one of the advanced options on the ShrewSoft client (last tab from what I can remember, changing something from required to optional I think)

    It then connected and worked.

  • Hi, Jens, and welcome to the UTM Community!

    As Louis implies, the log lines indicate that the failure to make an IP assignment is a symptom, not the cause of the problem.

    Cheers - Bob
    PS Are you from the north part of Norway (Tromsø?)? [;)]  Sorry, but, as a moderator, I cleaned up two words that were used correctly but were unnecessarily offensive to an English/American ear.

  • Hello Louis-M
    Hello Bob

    Thanks for your reply. I tried to set the "Policy Generation Level" to require. It seems it is working now. I did not check the logs of the Sophos, because I had no time for that. But the VPN client does what I want it to do now.

    I am still confused about the IP address my client receives. I am trying to understand better what is going on there. But it's hard for me to figure out, because the documentation of both pieces of software is not very good/clean/straight.

    I am from Germany. The words I have chosen are the result of a bit of frustration and a choice of easily understandable words, which I did not translate one by one with a dictionary. [;)] But I am listening to heavy metal, which is quite familiar in the northern countries (I believe that at least). Maybe this influence may make me appear a bit rough. [:D]

  • No problem, JT.  My son was in Tromsø last summer and we learned that northern Norwegian is laced with terms other Norwegians consider swear words.  Jens could be a person's name there, so I thought I'd ask!

    Cheers - Bob