This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec yellow ligth in IPsec SA and green in ISAKMP

Astaro version 6.303

I have had a connection running for 3 days now where im using PSK to a watchguard firebox, it worked like a charm, but
yesteday after rebooting astaro, then a yellow ligth in IPsec SA woulden disapear. This was a also problem when i created this connection for the first time, i gave up on it after a few days messing with it, and 2 days later i checked on it again and both lights was green and there was a connection, i have no idea what i did. But now nothing happens just a yellow ligth. Any idea what im doing wrong?

From status screen
000
000 "S_inet_0": 192.168.15.0/24===x.x.x.x (external interface)...x.x.x.x(remote gateway)===192.168.1.0/24; unrouted; eroute owner: #0
000 "S_inet_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_inet_0":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_inet_0":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
000 "S_inet_0":   dpd: action:restart; delay:30; timeout:120;
000 "S_inet_0":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "S_inet_0":   IKE algorithms wanted: 5_000-2-1, flags=-strict
000 "S_inet_0":   IKE algorithms found:  5_192-2_160-1,
000 "S_inet_0":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP768
000 "S_inet_0":   ESP algorithms wanted: 3_000-2, flags=-strict
000 "S_inet_0":   ESP algorithms loaded: 3_000-2, flags=-strict
000
000 #56: "S_inet_0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s; nodpd
000 #1: "S_inet_0":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 24116s; newest ISAKMP; nodpd
000

From logs
2006:12:23-16:29:19 (none) pluto[4661]: "S_inet_0" #53: starting keying attempt 53 of an unlimited number
2006:12:23-16:29:19 (none) pluto[4661]: "S_inet_0" #54: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #53 {using isakmp#1}
2006:12:23-16:29:19 (none) pluto[4661]: "S_inet_0" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2006:12:23-16:29:19 (none) pluto[4661]: "S_inet_0" #1: received and ignored informational message
2006:12:23-16:29:29 (none) pluto[4661]: "S_inet_0" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2006:12:23-16:29:29 (none) pluto[4661]: "S_inet_0" #1: received and ignored informational message
2006:12:23-16:29:49 (none) pluto[4661]: "S_inet_0" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2006:12:23-16:29:49 (none) pluto[4661]: "S_inet_0" #1: received and ignored informational message

This thread was automatically locked due to age.

Parents

0 renny over 18 years ago

Hello

I have exactly the same problem with a Watchguard Firebox!

???
Cancel
Vote Up 0 Vote Down

Cancel
0 cotto over 18 years ago in reply to renny

does nobody have a solution?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 cotto over 18 years ago in reply to renny

does nobody have a solution?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 poero over 18 years ago in reply to cotto

i had the same problem with a site-to-site tunnel form v7.002 to v6.302. I created it, it works, but after a view days i got the same messages as DeltaDK and the IpsecSA lights yellow.
I stopped the vpn on both sides, then i've created new policies and changed to them. Since this time my tunnel worked fine again.
Cancel
Vote Up 0 Vote Down

Cancel
0 jjohnston62 over 18 years ago in reply to cotto

does nobody have a solution?

I can't think of a more overpriced piece of dung than Watchguard's stuff.
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 18 years ago in reply to jjohnston62

You have to restart the WatchGuard. Known Watchguard bug.
Cancel
Vote Up 0 Vote Down

Cancel