
Two IPsec VPN tunnels between two Sophos UTM9

Hello Community,

I have a problem creating 2 separate VPN tunnels between two Sophos UTM 9. Tunnel A already exists and works without problems.

When connecting Tunnel B there are no problems at first and the tunnel works. But after a certain time one of the two tunnels collapses.

 

Here are the two tunnels:

Tunnel A (already exists)

Site A:

GW: XXX.XXX.XXX.74

Internal network: 192.168.10.0/24

Site B:

GW: XXX.XXX.XXX.85

Internal network: 192.168.20.0/24

Tunnel B (to be added)

Site A:

GW: XXX.XXX.XXX.74

Internal network: 10.10.1.0/24

Site B:

GW: XXX.XXX.XXX.85

Internal network: 192.168.20.0/24

While looking through the log files I noticed the following messages:

 

"Tunnel A" #96465: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf62d710c (perhaps this is a duplicated packet)

"Tunnel A" #96465: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.85:500

 

Can you help me understand why this problem occurs?

What exactly does the error message mean (unfortunately I haven't found anything proper about it)?

Are there perhaps limitations (only one IPsec connection between 2 GWs)?

Regards and thanks

Moritz



  • Hello Moritz,

    First of all, a warm welcome here in the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Ster's prescription seems correct to me.

    If you want to figure out what was causing the problem, we'll need more information.

    • Pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy on both sides.
    • Disable the IPsec Connection on one side, disable Debug if it is enabled, start the IPsec Live Log, enable the IPsec Connection after the Live Log shows a few lines and then show us about 60 lines ending with the one about INVALID_MESSAGE_ID.

    INVALID_MESSAGE_ID can mean that site A is behind a NAT, but that's not the topology you described above.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    here are the log excerpts from when I activate the new tunnel (Tunnel B):

     

    2017:05:29-10:20:49 office pluto[9626]: added connection description "Tunnel B"
    2017:05:29-10:20:49 office pluto[9626]: "Tunnel B" #63: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#62}
    2017:05:29-10:20:49 office pluto[9626]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Tunnel B" address="XXX.XXX.XXX.74" local_net="10.10.1.0/24" remote_net="192.168.20.0/24"
    2017:05:29-10:20:50 office pluto[9626]: "Tunnel B" #63: sent QI2, IPsec SA established {ESP=>0x247c78e1 <0xf2b7912b DPD}
    2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x82c0a404 (perhaps this is a duplicated packet)
    2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.85:500

    2017:05:29-10:21:38 office pluto[9626]: "Tunnel B" #64: responding to Quick Mode
    2017:05:29-10:21:38 office pluto[9626]: "Tunnel B" #64: IPsec SA established {ESP=>0x9967759b <0x92bccb3b DPD}

     

    Nach einer unbestimmten Zeit, bekomme ich dann diverse Meldungen, bis die Verbindung dann zusammenbricht:

    2017:05:29-11:06:53 office pluto[9626]: "Tunnel A" #87: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #56 {using isakmp#62}
    2017:05:29-11:06:53 office pluto[9626]: "Tunnel A" #87: sent QI2, IPsec SA established {ESP=>0xcb900fa9 <0x859220cf DPD}

    2017:05:29-11:08:02 office pluto[9626]: "Tunnel B" #88: responding to Quick Mode
    2017:05:29-11:08:02 office pluto[9626]: "Tunnel B" #88: IPsec SA established {ESP=>0x33894f65 <0xfd07f048 DPD}

    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: responding to Main Mode
    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: next payload type of ISAKMP Identification Payload has an unknown value: 251
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: sending encrypted notification PAYLOAD_MALFORMED to XXX.XXX.XXX.85:500

    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #123: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #123: starting keying attempt 5 of an unlimited number
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: initiating Main Mode to replace #123
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [strongSwan]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: ignoring Vendor ID payload [Cisco-Unity]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [XAUTH]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [Dead Peer Detection]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [RFC 3947]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: enabling possible NAT-traversal with method 3
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: next payload type of ISAKMP Hash Payload has an unknown value: 40
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: malformed payload in packet

    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: next payload type of ISAKMP Identification Payload has an unknown value: 251
    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: sending encrypted notification PAYLOAD_MALFORMED to XXX.XXX.XXX.85:500

    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: next payload type of ISAKMP Hash Payload has an unknown value: 102
    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: malformed payload in packet
    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: discarding duplicate packet; already STATE_MAIN_I3

    2017:05:29-12:18:55 office pluto[9626]: "Tunnel B" #124: max number of retransmissions (2) reached STATE_MAIN_R2

    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #153: deleting state (STATE_MAIN_R2)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #151: deleting state (STATE_MAIN_R2)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #112: deleting state (STATE_QUICK_R2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel B" address="XXX.XXX.XXX.74" local_net="10.10.1.0/24" remote_net="192.168.20.0/24"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel B"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #152: deleting state (STATE_MAIN_I3)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #110: deleting state (STATE_QUICK_I2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel A" address="XXX.XXX.XXX.74" local_net="192.168.10.0/24" remote_net="192.168.20.0/24"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel A"
    2017:05:29-12:28:08 office pluto[9626]: updown: /sbin/ip -4 route del 192.168.20.0/24 dev eth1 src 192.168.10.1 proto ipsec metric 0 failed with status 2:
    2017:05:29-12:28:08 office pluto[9626]: updown: RTNETLINK answers: No such process
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #150: deleting state (STATE_MAIN_I3)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #109: deleting state (STATE_QUICK_I2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel A" address="XXX.XXX.XXX.74" local_net="192.168.10.0/24" remote_net="192.168.20.31/32"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel A"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: deleting state (STATE_QUICK_I2)

    What puzzles me is that the tunnel works without problems for a while and then drops after an indeterminate time.

    Here are 5 more pictures of the IPsec Connection, the Remote Gateways and the IPsec Policy.

    Do you need any further information?

     

    @Ster: If there is no solution, I will probably have to do it that way.

    Thanks and regards

    Moritz

  • The one thing I see, Moritz, is the other reason (besides being behind a NAT as mentioned above) that establishing an IPsec SA fails at that point - "(mismatch of preshared secrets?)". I'm not sure why it works initially.

    Do you have 'Enable probing of preshared keys' selected on the 'Advanced' tab of 'IPsec'?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
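As an added example (it is not part of this thread and not Sophos or strongSwan code), the following Python script does the kind of triage a reader could run over the log excerpt Moritz posted and over Bob's question about preshared-key probing: it parses UTM 9 pluto lines, counts the indicators that appear above per connection (the "multiple ipsec.secrets entries with distinct secrets match endpoints" message, PAYLOAD_MALFORMED, INVALID_MESSAGE_ID, reused Quick Mode message IDs, authentication failures and the structured "Site-to-site VPN down" events) and reports which connection shows which symptom. The sample lines are constructed from the thread's excerpt, with the masked public addresses replaced by the 203.0.113.0/24 documentation range; the regexes assume only the line shape visible in that excerpt, and the indicator names are this example's own.

```python
"""Scan UTM 9 pluto (IKEv1) log lines for the failure indicators seen in this thread."""
import re
from collections import Counter, defaultdict

# Shape of a pluto state line on the UTM, e.g.
#   2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: <message>
STATE_LINE = re.compile(
    r'^\S+ \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
# Shape of the UTM's structured VPN event line (id="2203"/"2204" in the thread).
EVENT_LINE = re.compile(r'event="(?P<event>[^"]+)".*?connection="(?P<conn>[^"]+)"')

# Substrings of pluto's own message wording, each mapped to a short indicator code
# (the codes are this example's names, not pluto's).
INDICATORS = {
    "ambiguous_psk": "multiple ipsec.secrets entries with distinct secrets match endpoints",
    "auth_failure": "authentication failure",
    "payload_malformed": "sending encrypted notification PAYLOAD_MALFORMED",
    "invalid_message_id": "sending encrypted notification INVALID_MESSAGE_ID",
    "duplicate_message_id": "uses a previously used Message ID",
}


def classify(msg):
    """Return the indicator codes whose marker text appears in one pluto message."""
    return [code for code, marker in INDICATORS.items() if marker in msg]


def scan(lines):
    """Count indicators per connection; structured 'VPN down' events are counted too."""
    report = defaultdict(Counter)
    for line in lines:
        m = STATE_LINE.match(line)
        if m:
            for code in classify(m.group("msg")):
                report[m.group("conn")][code] += 1
            continue
        e = EVENT_LINE.search(line)
        if e and e.group("event") == "Site-to-site VPN down":
            report[e.group("conn")]["vpn_down"] += 1
    return {conn: dict(c) for conn, c in report.items()}


def assess(report):
    """Turn the per-connection counts into (connection, finding) pairs."""
    findings = []
    for conn, counts in sorted(report.items()):
        if counts.get("ambiguous_psk"):
            # pluto says it picked the first of several PSKs matching the same endpoint
            # pair; with two connections to one gateway that can be the wrong key.
            findings.append((conn, "ambiguous_psk"))
        if counts.get("payload_malformed") or counts.get("auth_failure"):
            # Main Mode never completes: verify the PSK on both peers, or check the
            # 'Enable probing of preshared keys' setting (IPsec > Advanced) named in the thread.
            findings.append((conn, "psk_or_auth_problem"))
        if counts.get("invalid_message_id") or counts.get("duplicate_message_id"):
            # A Quick Mode exchange reused a message ID: look for NAT or duplicated packets.
            findings.append((conn, "invalid_message_id"))
        if counts.get("vpn_down"):
            findings.append((conn, "tunnel_flapped"))
    ambiguous = [c for c, counts in report.items() if counts.get("ambiguous_psk")]
    if len(ambiguous) > 1:
        # The same ambiguity on more than one connection means they share a peer
        # while being configured with distinct PSKs.
        findings.append(("*", "shared_peer_distinct_psks"))
    return findings


# Constructed sample, modelled on the lines posted in the thread (203.0.113.0/24 is a
# documentation range standing in for the masked public addresses).
SAMPLE_LOG = """
2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x82c0a404 (perhaps this is a duplicated packet)
2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: sending encrypted notification INVALID_MESSAGE_ID to 203.0.113.85:500
2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: sending encrypted notification PAYLOAD_MALFORMED to 203.0.113.85:500
2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #123: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel B" address="203.0.113.74" local_net="10.10.1.0/24" remote_net="192.168.20.0/24"
""".strip().splitlines()

if __name__ == "__main__":
    rep = scan(SAMPLE_LOG)
    for conn, counts in sorted(rep.items()):
        print(conn, counts)
    for conn, finding in assess(rep):
        print(f"{conn}: {finding}")
```

Run against the sample it prints the per-connection counts and then the findings; the `shared_peer_distinct_psks` finding fires when more than one connection reports the ambiguous-secret message, which is exactly the situation pluto describes when two connections to the same gateway carry different PSKs and it falls back to the first matching secret. On a real UTM the same functions can be fed the IPsec log file or the Live Log output without changes, since they only rely on the line shape shown in the thread.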