
Site to site VPN suddenly went down

Our IPsec VPN suddenly went down; we did not change anything in the configuration.

We have a dual WAN connection. The other ISP is running normally, but this one never had a successful connection. Please help.

See the log error:

2016:05:18-17:01:58 122 pluto[6392]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2016:05:18-17:01:58 122 pluto[6392]: loading aa certificates from '/etc/ipsec.d/aacerts'
2016:05:18-17:01:58 122 pluto[6392]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2016:05:18-17:01:58 122 pluto[6392]: loading attribute certificates from '/etc/ipsec.d/acerts'
2016:05:18-17:01:58 122 pluto[6392]: Changing to directory '/etc/ipsec.d/crls'
2016:05:18-17:01:58 122 ipsec_starter[6384]: no default route - cannot cope with %defaultroute!!!
2016:05:18-17:01:58 122 pluto[6392]: added connection description "S_GUADALUPE"
2016:05:18-17:01:58 122 pluto[6392]: "S_GUADALUPE" #38: initiating Main Mode
2016:05:18-17:02:45 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:02:45 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
2016:05:18-17:04:06 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:04:06 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
2016:05:18-17:05:26 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:05:26 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
2016:05:18-17:06:46 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:06:46 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
2016:05:18-17:08:05 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:08:05 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
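The log above carries three separate signals: the starter losing its default route, the local side initiating Main Mode without ever reaching an established ISAKMP SA, and the peer's own Main Mode proposals arriving on the local WAN address with no authorized connection to match them. The script below is an added example, not part of the original post or of Sophos UTM; it parses a trimmed copy of the posted pluto lines (embedded as constructed sample input) and separates those signals so the admin can see which one to chase first. The regular expressions and the wording of the findings are assumptions about the strongSwan/pluto message formats shown here.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the pluto log posted in the thread
# (timestamps, connection name and peer addresses as they appear there).
SAMPLE_LOG = """\
2016:05:18-17:01:58 122 pluto[6392]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2016:05:18-17:01:58 122 ipsec_starter[6384]: no default route - cannot cope with %defaultroute!!!
2016:05:18-17:01:58 122 pluto[6392]: added connection description "S_GUADALUPE"
2016:05:18-17:01:58 122 pluto[6392]: "S_GUADALUPE" #38: initiating Main Mode
2016:05:18-17:02:45 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:02:45 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
2016:05:18-17:04:06 122 pluto[6392]: packet from 222.127.162.14:500: received Vendor ID payload [Dead Peer Detection]
2016:05:18-17:04:06 122 pluto[6392]: packet from 222.127.162.14:500: initial Main Mode message received on 122.52.125.140:500 but no connection has been authorized with policy=PSK
"""

# Message patterns (assumed from the lines above, not an exhaustive pluto grammar).
NO_DEFAULT_ROUTE = re.compile(r"no default route - cannot cope with %defaultroute")
INITIATING = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Main Mode')
UNAUTHORIZED = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<pport>\d+): initial Main Mode message received on "
    r"(?P<local>[\d.]+):(?P<lport>\d+) but no connection has been authorized with policy=(?P<policy>\w+)"
)
ESTABLISHED = re.compile(r"ISAKMP SA established")


def triage_pluto_log(text):
    """Summarise why an IKEv1 Main Mode exchange is not completing.

    Returns the connections we initiated, the (peer, local, policy) triples the
    peer used that matched no authorized connection (with counts), whether the
    starter reported a missing default route, and whether any ISAKMP SA came up.
    """
    initiated = []
    unauthorized = Counter()
    lost_default_route = False
    established = False
    for line in text.splitlines():
        if NO_DEFAULT_ROUTE.search(line):
            lost_default_route = True
        m = INITIATING.search(line)
        if m:
            initiated.append(m.group("conn"))
        m = UNAUTHORIZED.search(line)
        if m:
            unauthorized[(m.group("peer"), m.group("local"), m.group("policy"))] += 1
        if ESTABLISHED.search(line):
            established = True
    return {
        "initiated": initiated,
        "unauthorized": dict(unauthorized),
        "lost_default_route": lost_default_route,
        "established": established,
    }


def findings(summary):
    """Turn the summary into plain-language findings for the admin."""
    notes = []
    if summary["lost_default_route"]:
        notes.append("ipsec_starter saw no default route: a connection bound to %defaultroute "
                     "cannot pick a local address on that interface.")
    for (peer, local, policy), n in summary["unauthorized"].items():
        notes.append(f"peer {peer} sent {n} Main Mode proposal(s) to {local} ({policy}) that matched "
                     f"no authorized connection; check that a connection for that local/remote "
                     f"gateway pair is enabled on this interface.")
    if summary["initiated"] and not summary["established"]:
        notes.append("local initiation of " + ", ".join(sorted(set(summary["initiated"]))) +
                     " never reached 'ISAKMP SA established'; the peer's reply may not be "
                     "getting back (filtered UDP 500, or a NAT in the path).")
    return notes


if __name__ == "__main__":
    for note in findings(triage_pluto_log(SAMPLE_LOG)):
        print("-", note)
```

Run it against a full copy of the live log (`tail -n 500 /var/log/ipsec.log | python3 triage.py`-style piping is a small change to the `__main__` block); a count of unauthorized proposals that keeps climbing while `initiated` never establishes is the pattern this thread shows.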


  • Not sure what your problem is. Is it that you can only make a connection using one of your WAN connections and not both, or do you have another problem?

    If this is your problem, the remote site should be set up to accept connections from both of your WAN connections. If the other site is a Sophos UTM, you can make an availability group with both of the WAN IPs from your site and make sure the main connection is the top one in the availability list.

    As soon as the top WAN is not accessible, the availability list will automatically skip to the next lower WAN-IP address. If you use this availability group as the remote for the site-2-site connection, it will accept the second connection once the first connection has a problem.

  • Thanks for the reply.

    Yes, you're correct: one of my WANs cannot connect the VPN, but its internet is perfectly okay. I just can't figure out what triggers it, since I didn't change anything on the UTM or at the other branches.

    Yes, my branches also accept connections from both WANs and automatically connect when one goes down. But now it will not switch, since it detects the main WAN as okay because its internet connection is running perfectly, so I have to manually transfer the connection to my 2nd WAN just to connect the VPN.

    My main problem is why I can't connect with our second ISP while the internet is perfectly okay; the external IP is still the same and the connection is strong.

  • I tried contacting our ISP, but they have to ISOLATE the problem on my side first. I just don't know how to run this syntax: telnet "vpn concentrator IP" 500, which they told me to execute first.

    Is there a tool to verify whether IPsec is blocked or not by the ISP?

  • Hi,

    You can monitor tcpdump on ports 500 & 4500 on the remote gateway connected to the XG. Check whether the packets on these ports are received on the other end.

    This will verify whether the ports are open.

    Thanks

  • Hello,

    Thanks for your help.

    I figured out a solution by turning on NAT traversal. I just don't know why my network needs it; in fact I was running the site-to-site for almost a year without NAT traversal. I think one of the ISPs changed something that then required us to do that for a successful IPsec connection.
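The tcpdump check suggested earlier in the thread (watch UDP 500 and 4500 on the far gateway) and the final fix (enabling NAT traversal) are two views of the same question: do the IKE packets reach both ends, and does the exchange move to UDP 4500 because a NAT was detected on the path? The script below is an added example, not code from the thread or from Sophos; it reads tcpdump's text output (a constructed sample using the thread's addresses is embedded, not a real capture) and reports, per peer, what arrived on each port in each direction. The capture command in the comment, the interface name, and tcpdump's `NONESP-encap` / `UDP-encap: ESP` markers are assumptions about how the tool prints NAT-T traffic.

```python
import re
from collections import defaultdict

# Capture filter a practitioner would run on the gateway (interface name assumed):
#   tcpdump -ni eth0 'udp and (port 500 or port 4500)'
# Constructed sample of tcpdump's text output for that filter, using the
# addresses from the thread; this is not a real capture.
SAMPLE_CAPTURE = """\
17:02:45.101 IP 222.127.162.14.500 > 122.52.125.140.500: isakmp: phase 1 I ident
17:02:45.233 IP 122.52.125.140.500 > 222.127.162.14.500: isakmp: phase 1 R ident
17:02:46.010 IP 222.127.162.14.4500 > 122.52.125.140.4500: NONESP-encap: isakmp: phase 1 I ident[E]
17:02:46.120 IP 122.52.125.140.4500 > 222.127.162.14.4500: NONESP-encap: isakmp: phase 1 R ident[E]
17:02:47.500 IP 222.127.162.14.4500 > 122.52.125.140.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 132
"""

# "IP <src>.<sport> > <dst>.<dport>: <rest>" as printed by tcpdump -n.
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def summarise_ike_capture(text, local_ip):
    """Count IKE / NAT-T packets per peer, split by direction and port.

    Returns {peer: {"in_500", "out_500", "in_4500", "out_4500", "esp_in_udp"}}.
    local_ip is the address of the gateway the capture was taken on.
    """
    stats = defaultdict(lambda: dict(in_500=0, out_500=0, in_4500=0, out_4500=0, esp_in_udp=0))
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport, rest = m.group("src"), m.group("dst"), m.group("dport"), m.group("rest")
        if dport not in ("500", "4500"):
            continue
        inbound = dst == local_ip
        peer = src if inbound else dst
        stats[peer][("in_" if inbound else "out_") + dport] += 1
        if "UDP-encap: ESP" in rest:  # ESP carried inside UDP 4500, i.e. NAT-T in use
            stats[peer]["esp_in_udp"] += 1
    return dict(stats)


def assess(stats):
    """One verdict per peer: did IKE reach both ends, and did it move to NAT-T?"""
    verdicts = {}
    for peer, s in stats.items():
        if s["in_500"] + s["in_4500"] == 0:
            verdicts[peer] = "no IKE packets arriving from this peer (filtered upstream?)"
        elif s["out_500"] + s["out_4500"] == 0:
            verdicts[peer] = "peer packets arrive but nothing is sent back (no matching local connection?)"
        elif s["in_4500"] or s["out_4500"]:
            verdicts[peer] = "IKE reached both ends and moved to NAT-T on 4500 (NAT detected on the path)"
        else:
            verdicts[peer] = "IKE reached both ends on UDP 500 without NAT-T"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in assess(summarise_ike_capture(SAMPLE_CAPTURE, "122.52.125.140")).items():
        print(peer, "->", verdict)
```

Taking the same capture on both gateways and comparing the two summaries is what isolates the problem the ISP asked about: packets counted as outbound on one side but never inbound on the other were dropped in between, and the check works with UDP, which a TCP `telnet` to port 500 cannot exercise.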
