IPSec - max number of retransmissions

Heute wieder das selbe Problem, auffällig sind zwei Meldungen wenn ich den Tunnel starte.

2016:12:22-07:14:00 xxxx2 pluto[22510]: ERROR: "S_IPSEC_dus-stg_3" #1: sendto on lag0 to xxxxxxxxx.54:500 failed in main_outI1. Errno 1: Operation not permitted

2016:12:22-07:15:20 xxxx2 pluto[22510]: "S_IPSEC_dus-stg_3" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Hallo Toruk,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

We really haven't seen enough contiguous lines to understand the problem, but the last one does give a hint.  I'll guess that a public IP has changed but that one side or the other has a hardcoded VPN ID.

If that doesn't get you there, please insert pictures of the relevant configurations on both sides including of the IPsec Policy.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Hallo BAlfson,

aus vielen Dank für deine Unterstützung. 

Anbei noch ein paar Informationen zu unserem Netzwerk, ich hoffe es hilft dir weiter. Wir setzen auf bei den Seiten eine VPN-ID ein. Warum kann ich dir leider nicht sagen, es wurde damals von einem Dienstleister konfiguriert.

Standort STG:
WAN <-> UTM <-> Internes Netzwerk

Hostname: stu.120xxx.org
Dyndns: stg-xxx.dyndns.org

VPN-Optionen für lokalen RSA-Schlüssel
VPN-ID-Typ: Hostname
VPN-ID: stu.120xxx.org

Standort DUS:
WAN <-> UTM01 <-> DMZ <-> UTM02 <-> Internet Netzwerk 

UTM01:
Hostname: xxx.dyndns.org
Dyndns: xxx2.dyndns.org + xxx.dyndns.org

UTM02: (verantwortlich für IPSec Tunnel)
Hostname: xxx2.dyndns.org

VPN-Optionen für lokalen RSA-Schlüssel
VPN-ID-Typ: Hostname
VPN-ID: fw01

Konfiguration an der stu.120xxx.org (STG)

Konfiguration an der xxx2.dyndns.org (DUS)

Falls du weitere Informationen benötigst lassen es mich bitte Wissen. Das Problem herrscht weiterhin und das Update auf die neusten Versionen hat keine Abhilfe gebracht.

STG is configured to use RSA keys, but DUS appears to be using a PSK (Verteilter Schlüssel).  Also, "stg_vpn_network" is expected by the DUS Remote Gateway but is not included in the STG IPsec Connection.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Hallo BAlfson,

BAlfson said:

STG is configured to use RSA keys, but DUS appears to be using a PSK (Verteilter Schlüssel).  

Woran erkennst du diesen Unterschied, ich bin alle Einstellungen nochmals durchgegangen und finde nicht die Settings um es zu ändern!?

BAlfson said:

Also, "stg_vpn_network" is expected by the DUS Remote Gateway but is not included in the STG IPsec Connection.

stg_vpn_network (192.168.xxx.xxx) ist auf dem entfernten Gateway auf xxx2.dyndns.org (DUS) und an stu.120xxx.org (STG) in den IPSec Connection unter Lokale Netzwerke als Internal Network (192.168.xxx.xxx) hinterlegt. stg_vpn_network und Internal Network unterstützen somit die selben Netze (192.168.xxx.xxx). Ist das etwa auch falsch!?

Kann es sein, dass die beiden 2 WAN Anschlüsse an UTM1 in DUS mit aktiviertem Uplink Ausgleich zu den Ausfällen führen kann?

WAN <-> UTM01 <-> DMZ <-> UTM02 <-> Internet Netzwerk 

Die IPSec VPN wird von UTM02 aufgebaut, könnte es durch den Uplink Ausgleich an UTM01 zu Problemen kommen?

BAlfson: "STG is configured to use RSA keys, but DUS appears to be using a PSK (Verteilter Schlüssel)."

"Woran erkennst du diesen Unterschied, ich bin alle Einstellungen nochmals durchgegangen und finde nicht die Settings um es zu ändern!?"

You're right, I was confused by the inclusion of the pictures of the 'RSA key" tab and by your description of the RSA key configuration in your first post.

"stg_vpn_network und Internal Network unterstützen somit die selben Netze (192.168.xxx.xxx). Ist das etwa auch falsch!?"

If these are just two different objects for the same network, then one of the two doesn't need to be in the configuration.  If the vpn object is used in Remote Access and it overlaps with "Internal (Network)," then, yes, that can cause problems.  I see that you've added "VPN Pool (SSL)" to the IPsec Connection.  If this is the default 10.242.2.0/24 in both locations, then that will cause problems - I would change it in DUS to 10.242.12.0/24.

"Kann es sein, dass die beiden 2 WAN Anschlüsse an UTM1 in DUS mit aktiviertem Uplink Ausgleich zu den Ausfällen führen kann?"

That shouldn't be a problem.  In a situation where I have two ISPs, I will usually make an Interface Group and use that for the 'Local Interface' in the IPsec Connection.  On the other side, I will use an Availability Group as the 'Gateway' in the Remote Gateway.  Note that the order must be the same in the Availability Group as in the Interface Group.

"Possible authentication failure: no acceptable response to our first encrypted message" can only be caused by a few things:

• 'Enable probing of preshared keys' on the 'Erweitert' tab in both locations - this may have been the issue the entire time if you've recently added a new PSK in Remote Access or another site-to-site connection.
• Compare the "AES 256" IPsec Policies to confirm that they are identical.
• If both of those are good, create a new PSK to replace the one currently in use.
• I don't see how it would be anything related to the IP address as I first guessed.

BAlfson: "STG is configured to use RSA keys, but DUS appears to be using a PSK (Verteilter Schlüssel)."

"Woran erkennst du diesen Unterschied, ich bin alle Einstellungen nochmals durchgegangen und finde nicht die Settings um es zu ändern!?"

You're right, I was confused by the inclusion of the pictures of the 'RSA key" tab and by your description of the RSA key configuration in your first post.

"stg_vpn_network und Internal Network unterstützen somit die selben Netze (192.168.xxx.xxx). Ist das etwa auch falsch!?"

If these are just two different objects for the same network, then one of the two doesn't need to be in the configuration.  If the vpn object is used in Remote Access and it overlaps with "Internal (Network)," then, yes, that can cause problems.  I see that you've added "VPN Pool (SSL)" to the IPsec Connection.  If this is the default 10.242.2.0/24 in both locations, then that will cause problems - I would change it in DUS to 10.242.12.0/24.

"Kann es sein, dass die beiden 2 WAN Anschlüsse an UTM1 in DUS mit aktiviertem Uplink Ausgleich zu den Ausfällen führen kann?"

That shouldn't be a problem.  In a situation where I have two ISPs, I will usually make an Interface Group and use that for the 'Local Interface' in the IPsec Connection.  On the other side, I will use an Availability Group as the 'Gateway' in the Remote Gateway.  Note that the order must be the same in the Availability Group as in the Interface Group.

"Possible authentication failure: no acceptable response to our first encrypted message" can only be caused by a few things:

• 'Enable probing of preshared keys' on the 'Erweitert' tab in both locations - this may have been the issue the entire time if you've recently added a new PSK in Remote Access or another site-to-site connection.
• Compare the "AES 256" IPsec Policies to confirm that they are identical.
• If both of those are good, create a new PSK to replace the one currently in use.
• I don't see how it would be anything related to the IP address as I first guessed.