Hi,
we just got a new ASG appliance with 7.101 and I'm not able to get IPsec connections to work which use CA-authentication with (stock WinXP) clients that are behind a NAT. This used to work fine in V6 before. The connection handshake fails with the error "cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===x.x.x.170:4500[@abc.acme.de]...y.y.y.32:32843[C=de, ...]===172.16.5.15/32".
When looking at the ipsec.conf files from V6 and V7, the only significant difference is that in the V6 config file, there is an entry "rightsubnetwithin=0.0.0.0/0.0.0.0" which is missing in V7. What's more, if I add this line to the "conn %default" section in the ipsec.conf-default file of the ASG 7, the IPsec connection finally succeeds!
What's the deal with this? This looks very similar to a problem I reported against V5 back in 2004: https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/51899. Is this a regression or is there some setting I missed in the several "Advanced" sections that deal with IPsec in the WebAdmin?
Thanks.
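Added example, not part of the original post and not Astaro or IPsec daemon code: a small Python helper that parses the tuple from the "no connection is known" error and tests the peer's proposed client subnet against a connection definition with and without `rightsubnetwithin`. The matching rule is a simplified model (an assumption), the function names are hypothetical, and the redacted `x.x.x` / `y.y.y` octets are replaced with constructed documentation-range addresses.

```python
import ipaddress
import re

# Error text quoted in the post; redacted octets replaced with constructed
# documentation-range addresses so the line can be parsed.
SAMPLE = ('cannot respond to IPsec SA request because no connection is known for '
          '192.168.1.0/24===203.0.113.170:4500[@abc.acme.de]...'
          '198.51.100.32:32843[C=de, ...]===172.16.5.15/32')

# local_net===local_host:port[id]...peer_host:port[id]===peer_net
TUPLE_RE = re.compile(
    r'(?P<lnet>[^=\s]+)===(?P<lhost>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\.'
    r'(?P<rhost>[^\[\s]+)\[(?P<rid>[^\]]*)\]===(?P<rnet>[0-9.]+/[0-9]+)')

def parse_tuple(message):
    """Extract the peer address, peer ID and proposed client subnet (IPv4)."""
    m = TUPLE_RE.search(message)
    if m is None:
        raise ValueError('no connection tuple found')
    peer_ip = m.group('rhost').rsplit(':', 1)[0]      # drop the NAT-T UDP port
    return {'peer': ipaddress.ip_address(peer_ip),
            'peer_id': m.group('rid'),
            'proposed': ipaddress.ip_network(m.group('rnet'), strict=False)}

def peer_subnet_accepted(conn, peer, proposed):
    """Simplified model (assumption) of the responder's client-subnet check."""
    if 'rightsubnetwithin' in conn:
        # Any proposal that lies inside the configured range is acceptable.
        within = ipaddress.ip_network(conn['rightsubnetwithin'])
        return proposed.subnet_of(within)
    if 'rightsubnet' in conn:
        return proposed == ipaddress.ip_network(conn['rightsubnet'])
    # Neither key set: only the peer's own (post-NAT) address as a /32 matches.
    return proposed == ipaddress.ip_network(str(peer))

def explain(message, conn):
    """Return (accepted, human-readable reason) for one logged tuple."""
    t = parse_tuple(message)
    ok = peer_subnet_accepted(conn, t['peer'], t['proposed'])
    verdict = 'matches' if ok else 'no connection known'
    return ok, f"{t['proposed']} proposed by {t['peer']}: {verdict}"

if __name__ == '__main__':
    print(explain(SAMPLE, {}))                                        # no rightsubnetwithin
    print(explain(SAMPLE, {'rightsubnetwithin': '0.0.0.0/0.0.0.0'}))  # with the V6 line
```

A narrower range than `0.0.0.0/0.0.0.0` limits which inner addresses a NATed client may claim as its own subnet.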