Client IPsec VPN - connection OK but no access/routing(?)

I have now ventured into Client IPsec VPN and so far I do get a connection from Shrew to the gateway. Settings here: AES 256 / SHA-256 with Diffie-Hellman group 5.

So far so good, but despite a firewall rule (VPN Pool IPsec --> Any --> Internal / Internet IPv4 & 6) I cannot move around the network. I noticed on the client that it gets the .1 from DHCP (Sophos UTM?) and the gateway stays empty. In the firewall I cannot see any events when I try to access a server / run a continuous ping. I also could not find any automatically created routes.


Client NIC info:

Ethernet-Adapter LAN-Verbindung* 11:

Verbindungsspezifisches DNS-Suffix: test.local
Verbindungslokale IPv6-Adresse . : fe80::c57d 221:b266:5a41%12
IPv4-Adresse . . . . . . . . . . : 10.242.4.1
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 0.0.0.0


IPv4-Routentabelle
================================================== =========================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.192.1 192.168.192.233 125
0.0.0.0 0.0.0.0 Auf Verbindung 10.242.4.1 56
10.242.4.0 255.255.255.0 Auf Verbindung 10.242.4.1 311
10.242.4.1 255.255.255.255 Auf Verbindung 10.242.4.1 311
10.242.4.255 255.255.255.255 Auf Verbindung 10.242.4.1 311




Can someone point me in the right direction?



  • Hello HALi

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    As Dirk asked, please open the IPsec Live Log and the Firewall Live Log and then show us what you see when you connect and then attempt to access something in Internal.

    Check also that you haven't violated #3 through #5 in Rulz.  Also, if the test you are using is Ping, then know that ICMP is not included in the "Any" Service object, only TCP and UDP.  Pings, etc. are regulated on the 'ICMP' tab of 'Firewall'.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

     

    here are my IPsec Live Logs. I used my self-created VPN pool for this. Here I can also see the error directly: "cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0". Doesn't that fit my problem that I get the .1 and have no gateway? In the firewall logs nothing at all happens at that moment. I created a PING rule in the firewall between the VPN pools and the Internal network.

     

    With the IPsec client VPN there is no "Automatic Firewall" option. With the Cisco VPN it is of course different and everything works. But I want IPsec VPN :)

     

    2016:11:28-03:00:17 utm pluto[52052]: adding interface lo/lo ::1:500
    2016:11:28-03:00:17 utm pluto[52052]: loading secrets from "/etc/ipsec.secrets"
    2016:11:28-03:00:17 utm pluto[52052]: loaded PSK secret for 87.SAFE.SAFE.SAFE %any
    2016:11:28-03:00:17 utm pluto[52052]: listening for IKE messages
    2016:11:28-03:00:17 utm pluto[52052]: added connection description "D_Client VPN - Safe Username"
    2016:11:28-03:27:53 utm pluto[52052]: "D_Client VPN - Safe Username"[1] 216.218.206.94:44246 #1: responding to Main Mode from unknown peer 216.218.206.94:44246
    2016:11:28-03:27:53 utm pluto[52052]: "D_Client VPN - Safe Username"[1] 216.218.206.94:44246 #1: CAST_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
    2016:11:28-03:27:53 utm pluto[52052]: "D_Client VPN - Safe Username"[1] 216.218.206.94:44246 #1: no acceptable Oakley Transform
    2016:11:28-03:27:53 utm pluto[52052]: "D_Client VPN - Safe Username"[1] 216.218.206.94:44246 #1: sending notification NO_PROPOSAL_CHOSEN to 216.218.206.94:44246
    2016:11:28-03:27:53 utm pluto[52052]: "D_Client VPN - Safe Username"[1] 216.218.206.94:44246: deleting connection "D_Client VPN - Safe Username"[1] instance with peer 216.218.206.94 {isakmp=#0/ipsec=#0}
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [XAUTH]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [RFC 3947]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: received Vendor ID payload [Dead Peer Detection]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:500: ignoring Vendor ID payload [Cisco-Unity]
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[2] 88.153.SAFE.SAFE #2: responding to Main Mode from unknown peer 88.153.SAFE.SAFE
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[2] 88.153.SAFE.SAFE #2: NAT-Traversal: Result using RFC 3947: peer is NATed
    2016:11:28-22:09:47 utm pluto[52052]: | NAT-T: new mapping 88.153.SAFE.SAFE:500/4500)
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[2] 88.153.SAFE.SAFE:4500 #2: Peer ID is ID_IPV4_ADDR: '192.168.192.233'
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: deleting connection "D_Client VPN - Safe Username"[2] instance with peer 88.153.SAFE.SAFE {isakmp=#0/ipsec=#0}
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Dead Peer Detection (RFC 3706) enabled
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sent MR3, ISAKMP SA established
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending XAUTH request
    2016:11:28-22:09:47 utm pluto[52052]: packet from 88.153.SAFE.SAFE:4500: Informational Exchange is for an unknown (expired?) SA
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: parsing XAUTH reply
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: extended authentication was successful
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending XAUTH status
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: parsing XAUTH ack
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: received XAUTH ack, established
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: parsing ModeCfg request
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: peer requested virtual IP %any
    2016:11:28-22:09:47 utm pluto[52052]: acquired existing lease for address 172.16.100.1 in pool 'VPN Pool (172.16.100.0/23)'
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: assigning virtual IP 172.16.100.1 to peer
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending ModeCfg reply
    2016:11:28-22:09:47 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sent ModeCfg reply, established
    2016:11:28-22:09:48 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:09:48 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:09:51 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:09:51 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:09:53 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc8631110 (perhaps this is a duplicated packet)
    2016:11:28-22:09:53 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:09:56 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0f9641a8 (perhaps this is a duplicated packet)
    2016:11:28-22:09:56 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:09:58 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc8631110 (perhaps this is a duplicated packet)
    2016:11:28-22:09:58 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:01 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0f9641a8 (perhaps this is a duplicated packet)
    2016:11:28-22:10:01 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:03 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc8631110 (perhaps this is a duplicated packet)
    2016:11:28-22:10:03 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:06 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0f9641a8 (perhaps this is a duplicated packet)
    2016:11:28-22:10:06 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:07 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:10:07 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:12 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbdf4df4c (perhaps this is a duplicated packet)
    2016:11:28-22:10:12 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:17 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbdf4df4c (perhaps this is a duplicated packet)
    2016:11:28-22:10:17 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:22 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbdf4df4c (perhaps this is a duplicated packet)
    2016:11:28-22:10:22 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:24 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:10:24 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:29 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa6b7f076 (perhaps this is a duplicated packet)
    2016:11:28-22:10:29 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:34 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa6b7f076 (perhaps this is a duplicated packet)
    2016:11:28-22:10:34 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:39 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa6b7f076 (perhaps this is a duplicated packet)
    2016:11:28-22:10:39 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:40 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:10:40 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:45 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xaba78297 (perhaps this is a duplicated packet)
    2016:11:28-22:10:45 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:50 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xaba78297 (perhaps this is a duplicated packet)
    2016:11:28-22:10:50 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:55 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xaba78297 (perhaps this is a duplicated packet)
    2016:11:28-22:10:55 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_MESSAGE_ID to 88.153.SAFE.SAFE:4500
    2016:11:28-22:10:57 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.SAFE.SAFE:4500[87.138.SAFE.SAFE]...88.153.SAFE.SAFE:4500[192.168.192.233]===172.16.100.1/32
    2016:11:28-22:10:57 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: sending encrypted notification INVALID_ID_INFORMATION to 88.153.SAFE.SAFE:4500
    2016:11:28-22:11:02 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500 #2: received Delete SA payload: deleting ISAKMP State #2
    2016:11:28-22:11:02 utm pluto[52052]: "D_Client VPN - Safe Username"[3] 88.153.SAFE.SAFE:4500: deleting connection "D_Client VPN - Safe Username"[3] instance with peer 88.153.SAFE.SAFE {isakmp=#0/ipsec=#0}

  • "cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0"

    I don't think that's the cause of the problem, just an indication that those things aren't accomplished before the connection attempt fails.

    There is an 'Automatic Firewall Rules' selection available in the 'IPsec-Fernzugriffsregel', so you might need to clear your browser cache or try a different browser to see that.  In the 'IPsec Richtlinie', try without 'Strikte Richtlinie'.  I also would select 'Probing für verteilten Schlüsseln aktivieren' on the 'Erweitert' tab and then reset the Schlüsselung in the 'IPsec-Fernzugriffsregel'.

    If you still cannot connect, try a simpler PSK and a different IPsec Richtlinie.

    Still no luck?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The "automatic firewall rules" tab is no longer shown from the moment "Verteilter Schlüssel" (preshared key) is selected. Is it a bug in the interface? As soon as I create a profile with the PSK, no automatic rule is created either!

  • Since I always use X509 Certificates instead of PSKs, I had never seen this.  You are absolutely correct - thanks for helping me learn something!

    Did my other suggestions help?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well, I definitely want to get it working with the preshared key. I simplified the passwords and also, as a test, entered the remote network in the VPN client. The client again connects correctly, but despite a manual firewall rule nothing is reachable. And the firewall logs show nothing about my access attempts, even though logging is enabled.

     

    I have now tried setting it up as simply as on www.virtualizationhowto.com/.../, but that does not work either.

     

    192.168.192.0/24 = Local LAN Site A

    10.242.4.0/24 = VPN Pool

    192.168.178.0/24 = Local LAN of the Remote Site B with Sophos UTM

     

    This is what I noticed in the Live Logs:

     

    2016:11:29-21:12:02 utm pluto[53339]: | peer client is 10.242.4.1
    2016:11:29-21:12:02 utm pluto[53339]: | peer client protocol/port is 0/0
    2016:11:29-21:12:02 utm pluto[53339]: | our client is subnet 0.0.0.0/0
    2016:11:29-21:12:02 utm pluto[53339]: | our client protocol/port is 0/0
    2016:11:29-21:12:02 utm pluto[53339]: | find_client_connection starting with D_REF_IpsRoaClientVpn_0
    2016:11:29-21:12:02 utm pluto[53339]: | looking for 0.0.0.0/0:0/0 -> 10.242.4.1/32:0/0
    2016:11:29-21:12:02 utm pluto[53339]: | concrete checking against sr#0 192.168.178.0/24 -> 10.242.4.1/32
    2016:11:29-21:12:02 utm pluto[53339]: | fc_try trying D_REF_IpsRoaClientVpn_0:0.0.0.0/0:0/0 -> 10.242.4.1/32:0/0 vs D_REF_IpsRoaClientVpn_0:192.168.178.0/24:0/0 -> 10.242.4.1/32:0/0
    2016:11:29-21:12:02 utm pluto[53339]: | fc_try concluding with none [0]
    2016:11:29-21:12:02 utm pluto[53339]: | fc_try D_REF_IpsRoaClientVpn_0 gives none
    2016:11:29-21:12:02 utm pluto[53339]: | checking hostpair 192.168.178.0/24 -> 10.242.4.1/32 is found
    2016:11:29-21:12:02 utm pluto[53339]: | fc_try trying D_REF_IpsRoaClientVpn_0:0.0.0.0/0:0/0 -> 10.242.4.1/32:0/0 vs D_REF_IpsRoaClientVpn_0:192.168.178.0/24:0/0 -> 0.0.0.0/32:0/0
    2016:11:29-21:12:02 utm pluto[53339]: | fc_try concluding with none [0]
    2016:11:29-21:12:02 utm pluto[53339]: | concluding with d = none
    2016:11:29-21:12:02 utm pluto[53339]: "D_REF_IpsRoaClientVpn_0"[4] 88.153.safe.safe:4500 #7: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===87.138.safe.safe:4500[87.138.safe.safe]...88.153.safe.safe:4500[192.168.192.233]===10.242.4.1/32
    2016:11:29-21:12:02 utm pluto[53339]: "D_REF_IpsRoaClientVpn_0"[4] 88.153.safe.safe:4500 #7: sending encrypted notification INVALID_ID_INFORMATION to 88.153.safe.safe:4500

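To read the find_client_connection trace above mechanically, here is an added example (not from the poster or from Sophos) that extracts the proposed and configured traffic selectors from the quoted pluto debug lines and reports which side does not fit; it assumes the log format is exactly the one quoted in the post, and the sample log is a constructed excerpt of those lines.

```python
import ipaddress
import re

# Constructed sample of the pluto debug lines quoted in the post above
# (the "safe" placeholders in the real log are the poster's own redaction).
SAMPLE_LOG = """\
2016:11:29-21:12:02 utm pluto[53339]: | our client is subnet 0.0.0.0/0
2016:11:29-21:12:02 utm pluto[53339]: | looking for 0.0.0.0/0:0/0 -> 10.242.4.1/32:0/0
2016:11:29-21:12:02 utm pluto[53339]: | concrete checking against sr#0 192.168.178.0/24 -> 10.242.4.1/32
2016:11:29-21:12:02 utm pluto[53339]: | concluding with d = none
"""

# "looking for OURS:proto/port -> PEERS:proto/port" is the Quick Mode proposal
# received from the client; "concrete checking against sr#N OURS -> PEERS" is
# the selector pair the UTM connection was actually configured with.
LOOKING_RE = re.compile(r"looking for (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")
CHECK_RE = re.compile(r"concrete checking against sr#\d+ (\S+) -> (\S+)")


def _net(text):
    # strict=False so a host address carrying a /24 mask still parses
    return ipaddress.ip_network(text, strict=False)


def parse_selectors(log_text):
    """Return (proposed, configured); each is an (our_net, peer_net) tuple or None."""
    proposed = configured = None
    for line in log_text.splitlines():
        m = LOOKING_RE.search(line)
        if m:
            proposed = (_net(m.group(1)), _net(m.group(2)))
            continue
        m = CHECK_RE.search(line)
        if m and configured is None:  # sr#0 is the first/only selector pair here
            configured = (_net(m.group(1)), _net(m.group(2)))
    return proposed, configured


def diagnose(log_text):
    """List the selector mismatches that make pluto answer 'no connection is known'.

    Pluto accepts a Quick Mode proposal only when each proposed selector lies
    inside the configured one, so a client asking for 0.0.0.0/0 (full tunnel)
    cannot be matched by a connection that only offers 192.168.178.0/24.
    """
    proposed, configured = parse_selectors(log_text)
    if proposed is None or configured is None:
        return ["log does not contain both a 'looking for' and a 'concrete checking' line"]
    issues = []
    for side, want, have in (("our side", proposed[0], configured[0]),
                             ("peer side", proposed[1], configured[1])):
        if want.version != have.version or not want.subnet_of(have):
            issues.append(f"{side}: client proposed {want}, connection only covers {have}")
    return issues


if __name__ == "__main__":
    for issue in diagnose(SAMPLE_LOG) or ["selectors match"]:
        print(issue)
```

A mismatch reported for "our side" means the client's remote-network setting (the full-tunnel 0.0.0.0/0 here) does not fit the local networks the UTM remote-access rule offers, which is exactly the condition behind the INVALID_ID_INFORMATION notification in the log.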
  • This is still the same problem.  I remember having to struggle with getting it to work, but I just did it once about 8 years ago and haven't tried since.  Your same issue might be helped by this post, but the guides below will give you the specifics:

    Here's a guide in German: http://www.nwlab.net/tutorials/Astaro-to-Shrew/

    Here's one in English: http://www.virtualizationhowto.com/2015/01/connect-shrew-soft-vpn-client-sophos-ipsec-vpn/

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA