I applied the update and followed the steps as recommended in "Heartbleed: Recommended steps for UTM", including regenerating certs and a lot of rebooting. The IPSec tunnels get established (they show green in ), but there is no traffic coming through.
SSL-VPN clients can't log in at all, and the regular HTTPS site for downloading config files isn't working either. So I am pretty stuck here.
Please, can somebody tell me what I am missing?
Here is a snippet from the ipsec.log:
2014:04:17-15:32:11 vipsec pluto[6087]: | *received 84 bytes from 21x.x1.x5.***:500 on eth0
2014:04:17-15:32:11 vipsec pluto[6087]: | **parse ISAKMP Message:
2014:04:17-15:32:11 vipsec pluto[6087]: | initiator cookie:
2014:04:17-15:32:11 vipsec pluto[6087]: | 72 14 54 5e 1a cc 67 d3
2014:04:17-15:32:11 vipsec pluto[6087]: | responder cookie:
2014:04:17-15:32:11 vipsec pluto[6087]: | 9b 17 9a 94 96 75 30 9e
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_HASH
2014:04:17-15:32:11 vipsec pluto[6087]: | ISAKMP version: ISAKMP Version 1.0
2014:04:17-15:32:11 vipsec pluto[6087]: | exchange type: ISAKMP_XCHG_INFO
2014:04:17-15:32:11 vipsec pluto[6087]: | flags: ISAKMP_FLAG_ENCRYPTION
2014:04:17-15:32:11 vipsec pluto[6087]: | message ID: e4 c0 a2 5e
2014:04:17-15:32:11 vipsec pluto[6087]: | length: 84
2014:04:17-15:32:11 vipsec pluto[6087]: | ICOOKIE: 72 14 54 5e 1a cc 67 d3
2014:04:17-15:32:11 vipsec pluto[6087]: | RCOOKIE: 9b 17 9a 94 96 75 30 9e
2014:04:17-15:32:11 vipsec pluto[6087]: | peer: d9 5b 19 fe
2014:04:17-15:32:11 vipsec pluto[6087]: | state hash entry 16
2014:04:17-15:32:11 vipsec pluto[6087]: | state object #15 found, in STATE_MAIN_I4
2014:04:17-15:32:11 vipsec pluto[6087]: | ***parse ISAKMP Hash Payload:
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_N
2014:04:17-15:32:11 vipsec pluto[6087]: | length: 24
2014:04:17-15:32:11 vipsec pluto[6087]: | ***parse ISAKMP Notification Payload:
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_NONE
2014:04:17-15:32:11 vipsec pluto[6087]: | length: 32
2014:04:17-15:32:11 vipsec pluto[6087]: | DOI: ISAKMP_DOI_IPSEC
2014:04:17-15:32:11 vipsec pluto[6087]: | protocol ID: 1
2014:04:17-15:32:11 vipsec pluto[6087]: | SPI size: 16
2014:04:17-15:32:11 vipsec pluto[6087]: | Notify Message Type: R_U_THERE
2014:04:17-15:32:11 vipsec pluto[6087]: | info: 72 14 54 5e 1a cc 67 d3 9b 17 9a 94 96 75 30 9e
2014:04:17-15:32:11 vipsec pluto[6087]: | 15 e2 a3 a0
2014:04:17-15:32:11 vipsec pluto[6087]: | received DPD notification R_U_THERE with seqno = 367174560
2014:04:17-15:32:11 vipsec pluto[6087]: | **emit ISAKMP Message:
2014:04:17-15:32:11 vipsec pluto[6087]: | initiator cookie:
2014:04:17-15:32:11 vipsec pluto[6087]: | 72 14 54 5e 1a cc 67 d3
2014:04:17-15:32:11 vipsec pluto[6087]: | responder cookie:
2014:04:17-15:32:11 vipsec pluto[6087]: | 9b 17 9a 94 96 75 30 9e
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_HASH
2014:04:17-15:32:11 vipsec pluto[6087]: | ISAKMP version: ISAKMP Version 1.0
2014:04:17-15:32:11 vipsec pluto[6087]: | exchange type: ISAKMP_XCHG_INFO
2014:04:17-15:32:11 vipsec pluto[6087]: | flags: ISAKMP_FLAG_ENCRYPTION
2014:04:17-15:32:11 vipsec pluto[6087]: | message ID: 2b ba 38 8e
2014:04:17-15:32:11 vipsec pluto[6087]: | ***emit ISAKMP Hash Payload:
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_N
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting length of ISAKMP Hash Payload: 24
2014:04:17-15:32:11 vipsec pluto[6087]: | ***emit ISAKMP Notification Payload:
2014:04:17-15:32:11 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_NONE
2014:04:17-15:32:11 vipsec pluto[6087]: | DOI: ISAKMP_DOI_IPSEC
2014:04:17-15:32:11 vipsec pluto[6087]: | protocol ID: 1
2014:04:17-15:32:11 vipsec pluto[6087]: | SPI size: 16
2014:04:17-15:32:11 vipsec pluto[6087]: | Notify Message Type: R_U_THERE_ACK
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
2014:04:17-15:32:11 vipsec pluto[6087]: | notify icookie 72 14 54 5e 1a cc 67 d3
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
2014:04:17-15:32:11 vipsec pluto[6087]: | notify rcookie 9b 17 9a 94 96 75 30 9e
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting 4 raw bytes of notify data into ISAKMP Notification Payload
2014:04:17-15:32:11 vipsec pluto[6087]: | notify data 15 e2 a3 a0
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting length of ISAKMP Notification Payload: 32
2014:04:17-15:32:11 vipsec pluto[6087]: | emitting length of ISAKMP Message: 84
2014:04:17-15:32:11 vipsec pluto[6087]: | sent DPD notification R_U_THERE_ACK with seqno = 367174560
2014:04:17-15:32:11 vipsec pluto[6087]: | next event EVENT_DPD_UPDATE in 5 seconds for #17
2014:04:17-15:32:16 vipsec pluto[6087]: |
2014:04:17-15:32:16 vipsec pluto[6087]: | *time to handle event
2014:04:17-15:32:16 vipsec pluto[6087]: | event after this is EVENT_DPD_UPDATE in 3 seconds
2014:04:17-15:32:16 vipsec pluto[6087]: | get esp.e062efd9@10.0.88.200
2014:04:17-15:32:16 vipsec pluto[6087]: | current: 0 bytes
2014:04:17-15:32:16 vipsec pluto[6087]: | get inbound policy with reqid 16393
2014:04:17-15:32:16 vipsec pluto[6087]: | use_time: Jan 01 01:00:00 1970
2014:04:17-15:32:16 vipsec pluto[6087]: | inserting event EVENT_DPD_UPDATE, timeout in 30 seconds for #17
2014:04:17-15:32:16 vipsec pluto[6087]: | next event EVENT_DPD_UPDATE in 3 seconds for #18
2014:04:17-15:32:19 vipsec pluto[6087]: |
2014:04:17-15:32:19 vipsec pluto[6087]: | *time to handle event
2014:04:17-15:32:19 vipsec pluto[6087]: | event after this is EVENT_DPD in 9 seconds
2014:04:17-15:32:19 vipsec pluto[6087]: | get esp.adfcb0e9@10.0.88.200
2014:04:17-15:32:19 vipsec pluto[6087]: | current: 0 bytes
2014:04:17-15:32:19 vipsec pluto[6087]: | get inbound policy with reqid 16389
2014:04:17-15:32:19 vipsec pluto[6087]: | use_time: Jan 01 01:00:00 1970
2014:04:17-15:32:19 vipsec pluto[6087]: | inserting event EVENT_DPD_UPDATE, timeout in 30 seconds for #18
2014:04:17-15:32:19 vipsec pluto[6087]: | next event EVENT_DPD in 9 seconds for #21
2014:04:17-15:32:28 vipsec pluto[6087]: |
2014:04:17-15:32:28 vipsec pluto[6087]: | *time to handle event
2014:04:17-15:32:28 vipsec pluto[6087]: | event after this is EVENT_DPD_UPDATE in 2 seconds
2014:04:17-15:32:28 vipsec pluto[6087]: | **emit ISAKMP Message:
2014:04:17-15:32:28 vipsec pluto[6087]: | initiator cookie:
2014:04:17-15:32:28 vipsec pluto[6087]: | 1c 58 ed 2e 13 b3 63 0d
2014:04:17-15:32:28 vipsec pluto[6087]: | responder cookie:
2014:04:17-15:32:28 vipsec pluto[6087]: | f2 2c f1 21 70 f3 c0 7f
2014:04:17-15:32:28 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_HASH
2014:04:17-15:32:28 vipsec pluto[6087]: | ISAKMP version: ISAKMP Version 1.0
2014:04:17-15:32:28 vipsec pluto[6087]: | exchange type: ISAKMP_XCHG_INFO
2014:04:17-15:32:28 vipsec pluto[6087]: | flags: ISAKMP_FLAG_ENCRYPTION
2014:04:17-15:32:28 vipsec pluto[6087]: | message ID: ff 94 31 bd
2014:04:17-15:32:28 vipsec pluto[6087]: | ***emit ISAKMP Hash Payload:
2014:04:17-15:32:28 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_N
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting length of ISAKMP Hash Payload: 24
2014:04:17-15:32:28 vipsec pluto[6087]: | ***emit ISAKMP Notification Payload:
2014:04:17-15:32:28 vipsec pluto[6087]: | next payload type: ISAKMP_NEXT_NONE
2014:04:17-15:32:28 vipsec pluto[6087]: | DOI: ISAKMP_DOI_IPSEC
2014:04:17-15:32:28 vipsec pluto[6087]: | protocol ID: 1
2014:04:17-15:32:28 vipsec pluto[6087]: | SPI size: 16
2014:04:17-15:32:28 vipsec pluto[6087]: | Notify Message Type: R_U_THERE
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
2014:04:17-15:32:28 vipsec pluto[6087]: | notify icookie 1c 58 ed 2e 13 b3 63 0d
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
2014:04:17-15:32:28 vipsec pluto[6087]: | notify rcookie f2 2c f1 21 70 f3 c0 7f
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting 4 raw bytes of notify data into ISAKMP Notification Payload
2014:04:17-15:32:28 vipsec pluto[6087]: | notify data 00 00 7a 07
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting length of ISAKMP Notification Payload: 32
2014:04:17-15:32:28 vipsec pluto[6087]: | emitting length of ISAKMP Message: 84
2014:04:17-15:32:28 vipsec pluto[6087]: | sent DPD notification R_U_THERE with seqno = 31239
2014:04:17-15:32:28 vipsec pluto[6087]: | inserting event EVENT_DPD, timeout in 30 seconds for #21
2014:04:17-15:32:28 vipsec pluto[6087]: | next event EVENT_DPD_UPDATE in 2 seconds for #16
Thanks,
playersons
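The two signals in the log excerpt above, pulled out as an added example that is not part of the original post: DPD probes that get answered, which shows the IKE SA is alive, next to ESP SAs that report 0 bytes and a 1970 use_time. Reading an epoch use_time as "never used" is an assumption, and the function names are hypothetical.

```python
import re

# Selected lines copied from the ipsec.log excerpt in the post above.
SAMPLE = """\
2014:04:17-15:32:11 vipsec pluto[6087]: | received DPD notification R_U_THERE with seqno = 367174560
2014:04:17-15:32:11 vipsec pluto[6087]: | sent DPD notification R_U_THERE_ACK with seqno = 367174560
2014:04:17-15:32:16 vipsec pluto[6087]: | get esp.e062efd9@10.0.88.200
2014:04:17-15:32:16 vipsec pluto[6087]: | current: 0 bytes
2014:04:17-15:32:16 vipsec pluto[6087]: | use_time: Jan 01 01:00:00 1970
2014:04:17-15:32:19 vipsec pluto[6087]: | get esp.adfcb0e9@10.0.88.200
2014:04:17-15:32:19 vipsec pluto[6087]: | current: 0 bytes
2014:04:17-15:32:19 vipsec pluto[6087]: | use_time: Jan 01 01:00:00 1970
2014:04:17-15:32:28 vipsec pluto[6087]: | sent DPD notification R_U_THERE with seqno = 31239
"""

DPD = re.compile(r"\|\s*(received|sent) DPD notification (R_U_THERE(?:_ACK)?) with seqno = (\d+)")
SA = re.compile(r"\|\s*get (esp\.[0-9a-f]+@\S+)")
BYTES = re.compile(r"\|\s*current: (\d+) bytes")
USE = re.compile(r"\|\s*use_time: (.+)$")

def summarize(log):
    dpd, sas, cur = [], {}, None
    for line in log.splitlines():
        if m := DPD.search(line):
            dpd.append((m.group(1), m.group(2), int(m.group(3))))
        elif m := SA.search(line):
            cur = m.group(1)  # counters on the following lines belong to this SA
            sas[cur] = {"bytes": None, "use_time": None}
        elif cur and (m := BYTES.search(line)):
            sas[cur]["bytes"] = int(m.group(1))
        elif cur and (m := USE.search(line)):
            sas[cur]["use_time"] = m.group(1).strip()
    return dpd, sas

def answered_probes(dpd):
    """Sequence numbers of peer R_U_THERE probes that this side acknowledged."""
    acked = {s for d, t, s in dpd if d == "sent" and t == "R_U_THERE_ACK"}
    return sorted(s for d, t, s in dpd if d == "received" and t == "R_U_THERE" and s in acked)

def idle_sas(sas):
    """ESP SAs whose byte counter is zero and whose use_time is still in 1970."""
    return sorted(n for n, v in sas.items()
                  if v["bytes"] == 0 and (v["use_time"] or "").endswith("1970"))

if __name__ == "__main__":
    dpd, sas = summarize(SAMPLE)
    print("peer probes answered:", answered_probes(dpd))
    print("ESP SAs with no traffic:", idle_sas(sas))
```

Run over the full ipsec.log, a non-empty idle list alongside answered probes matches the symptom described: the IKE control channel works while no packets are being matched to the ESP SAs.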