
Why Shrewsoft Tunnel to UTM9 does not complete?

Hello guys

I have a strange issue. I needed a long time to complete a configuration between my Sophos UTM9 and my ShrewSoft client to bring up a tunnel with an X.509 certificate. A pre-shared key is unwanted. Now this is 99% complete. The problem is now that the touchy UTM9 firewall assigns my client an IP address without assigning itself one.

How to understand this?
IPsec VPN uses its own network (like an SSL VPN does too). But there is only one host in this network, the client. The route configuration is completed correctly. But now the routing wants to route the packet over the client instead of over the firewall. This is unacceptable. In the SSL VPN configuration this works better: client and UTM both have an IP address, and networking works.

My Logs

2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: assigning virtual IP 192.168.4.1 to peer
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending ModeCfg reply
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sent ModeCfg reply, established
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===172.99.1.2:4500[privatedomain.com]...223.27.209.117:64916[my.email@domain.com]===192.168.4.1/32
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_ID_INFORMATION to 223.27.209.117:64916
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
 
What is wrong here? Why is the UTM firewall not also giving itself an IP address to make networking possible?
example:
192.168.4.1 --> firewall/gateway
192.168.4.2 --> 1st client
With this everything should work, as it does in SSL VPN.
 
Greetz
jens
 
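The pluto lines in the post above already say where the negotiation stops: the IKE SA and ModeCfg complete (the virtual IP 192.168.4.1 is assigned), the Quick Mode request is then refused because the responder has no connection whose selectors match 0.0.0.0/0 on the UTM side and 192.168.4.1/32 on the client side, and the client's later Quick Mode I1 messages reuse the same message ID and get INVALID_MESSAGE_ID. As an added example that is not part of the original post or of Sophos/ShrewSoft tooling, the following Python script parses exactly these pluto log lines (embedded below as a constructed sample copied from the post) and produces that reading automatically. The regular expressions are written against the pluto message formats visible above; names such as `triage_sa` and `verdict` are this example's own.

```python
"""Triage of pluto (IKEv1) log lines: which phase completed and where it stopped."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the pluto lines from the post above, copied verbatim.
SAMPLE_LOG = """\
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: assigning virtual IP 192.168.4.1 to peer
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending ModeCfg reply
2017:09:30-03:29:36 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sent ModeCfg reply, established
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===172.99.1.2:4500[privatedomain.com]...223.27.209.117:64916[my.email@domain.com]===192.168.4.1/32
2017:09:30-03:29:37 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_ID_INFORMATION to 223.27.209.117:64916
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:43 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:48 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x59b9b6f4 (perhaps this is a duplicated packet)
2017:09:30-03:29:53 fw pluto[6907]: "%%%%%%"[3] 223.27.209.117:64916 #7727: sending encrypted notification INVALID_MESSAGE_ID to 223.27.209.117:64916
"""

# Generic pluto line: timestamp, host, conn name, instance, peer endpoint, ISAKMP SA number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]*)"\[\d+\] '
    r'(?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
VIP_RE = re.compile(r'assigning virtual IP (?P<vip>\S+) to peer')
# "no connection is known for LNET===LEND...REND===RNET" (selectors the responder failed to match)
NOCONN_RE = re.compile(
    r'no connection is known for (?P<lnet>[^=]+)===(?P<lend>.+?)\.\.\.'
    r'(?P<rend>.+?)===(?P<rnet>\S+)$')
END_RE = re.compile(r'^(?P<addr>[^\[]+)\[(?P<id>[^\]]*)\]$')   # "addr:port[identity]"
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<name>[A-Z_]+) to')
DUPMSG_RE = re.compile(r'previously used Message ID (?P<mid>0x[0-9a-fA-F]+)')


def parse_log(text):
    """Group parsed pluto lines by ISAKMP SA number (#NNNN); unparsable lines are skipped."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sas[int(m["sa"])].append(m.groupdict())
    return sas


def triage_sa(entries):
    """Summarise one ISAKMP SA: virtual IP, IKE SA state, unmatched selectors, notifications."""
    summary = {"peer": entries[0]["peer"], "virtual_ip": None, "ike_sa_established": False,
               "unmatched_selector": None, "notifications": Counter(),
               "duplicate_msgids": Counter()}
    for e in entries:
        msg = e["msg"]
        if m := VIP_RE.search(msg):
            summary["virtual_ip"] = m["vip"]
        if msg.endswith("established"):            # "sent ModeCfg reply, established"
            summary["ike_sa_established"] = True
        if m := NOCONN_RE.search(msg):
            lend, rend = END_RE.match(m["lend"]), END_RE.match(m["rend"])
            summary["unmatched_selector"] = {
                "local_net": m["lnet"], "local_id": lend["id"] if lend else None,
                "remote_net": m["rnet"], "remote_id": rend["id"] if rend else None}
        if m := NOTIFY_RE.search(msg):
            summary["notifications"][m["name"]] += 1
        if m := DUPMSG_RE.search(msg):
            summary["duplicate_msgids"][m["mid"]] += 1
    return summary


def verdict(summary):
    """One-line reading of a summary for the operator."""
    if not summary["ike_sa_established"]:
        return f"IKE SA with {summary['peer']} did not complete"
    sel = summary["unmatched_selector"]
    if sel is None:
        return f"IKE SA and IPsec SA with {summary['peer']} negotiated"
    dups = sum(summary["duplicate_msgids"].values())
    return (f"IKE SA and ModeCfg completed (virtual IP {summary['virtual_ip']}), "
            f"but Quick Mode failed: no connection matches "
            f"{sel['local_net']} [{sel['local_id']}] <-> {sel['remote_net']} [{sel['remote_id']}]; "
            f"{dups} further Quick Mode I1 message(s) reused an already-used message ID")


if __name__ == "__main__":
    for sa, entries in parse_log(SAMPLE_LOG).items():
        print(f"#{sa}: {verdict(triage_sa(entries))}")
```

Run against the sample, the script reports for SA #7727 that the IKE SA and ModeCfg completed with virtual IP 192.168.4.1, that Quick Mode failed because no connection matches 0.0.0.0/0 [privatedomain.com] <-> 192.168.4.1/32 [my.email@domain.com], and that three further Quick Mode I1 messages reused message ID 0x59b9b6f4. Pointing it at a full UTM IPsec log instead of the sample gives the same per-SA reading for every negotiation in the file.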


  • Probably not much help, but I had issues with this a long time ago. I think it was resolved by altering one of the advanced options on the Shrewsoft client (last tab, from what I can remember; changing something from required to optional, I think).

    It then connected and worked.
