Everything was working fine under 7.306 (and below). Besides maintaining S2S connectivity between our own offices (the other runs Novell Security Manager 6), and a remote site running a SonicWALL TZ-170, we maintain S2S connections with our clients running ASGs.
From my site running the SonicWALL TZ-170, I have eight networks defined for the tunnel back to our ASG. Of the eight networks, four are client networks. These nets are then defined in our ASG as "local" nets for the connection to the SonicWALL, and each client site then lists the SonicWALL-protected LAN as an additional network for us. This setup has worked well, allowing me to essentially hop through our ASG from the SonicWALL site to get to a client's network on the other side.
After the upgrade to 7.402, however, I notice the following behavior:
The status page is not properly updated to reflect either changes to the VPN configurations or changes in status (Firefox 3.0.6). For example, if I delete 4 nets from the VPN configuration in the above example, they are not removed from the status page. In fact, they still show as green, even when they aren't up or have been deleted.
Removing the VPN configuration completely does remove it from the status page; however, adding it back results in it not being shown (or listed as one of the number of connected S2S VPNs on the dashboard).
In addition, I am now seeing difficulty maintaining S2S VPN connections with other ASGs (running 7.305 & 7.306). I am getting log entries similar to the following:
(where ***.***.***.*** is the far side public IP and yyy.yyy.yyy.yyy is our public IP)
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [strongSwan 4.2.3]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [Cisco-Unity]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: received Vendor ID payload [XAUTH]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: received Vendor ID payload [Dead Peer Detection]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: received Vendor ID payload [RFC 3947]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from ***.***.***.***:500: initial Main Mode message received on yyy.yyy.yyy.yyy:500 but no connection has been authorized with policy=PSK
I did not have any trouble with these connections before the upgrade (policy is AES-256 PFS, and encryption is PSK).
Any ideas? Did something change between 7.3xx and 7.4xx?
TIA
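The pluto lines quoted above follow a fixed layout (timestamp, host, pluto[pid], "packet from peer:port:", message). The following is an added example, not code from this thread or from Astaro, that parses lines in that layout and groups them per peer: it collects the Vendor ID payloads each peer announces and flags every "initial Main Mode message received ... but no connection has been authorized" event, which is the useful triage signal here because it means the local IKE daemon has no configured connection matching that peer and policy after the upgrade, rather than a proposal or key mismatch. The sample log lines are constructed with documentation-range addresses (198.51.100.7, 203.0.113.5) in place of the masked IPs in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line layout as seen in the post: "<ts> <host> pluto[<pid>]: packet from <peer>:<port>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r"packet from (?P<peer>[^:]+):(?P<port>\d+): (?P<msg>.*)$"
)
# Vendor ID payloads, whether pluto "received" (understood) or "ignoring" (unknown) them
VID_RE = re.compile(r"^(?:received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]$")
# Phase 1 initiation that matched no configured connection on this gateway
NOAUTH_RE = re.compile(
    r"^initial (?P<mode>Main|Aggressive) Mode message received on (?P<local>[^:]+):(?P<lport>\d+) "
    r"but no connection has been authorized with policy=(?P<policy>\S+)$"
)


@dataclass
class PeerSummary:
    vendor_ids: list = field(default_factory=list)   # announced VIDs, in order of first sight
    unauthorized: list = field(default_factory=list)  # (ts, mode, local_ip, policy) per rejection


def parse_line(line):
    """Return the named fields of one pluto 'packet from' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group parsed lines by peer address and record VIDs and unauthorized IKE initiations."""
    peers = defaultdict(PeerSummary)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = peers[rec["peer"]]
        v = VID_RE.match(rec["msg"])
        if v:
            if v.group("vid") not in s.vendor_ids:
                s.vendor_ids.append(v.group("vid"))
            continue
        n = NOAUTH_RE.match(rec["msg"])
        if n:
            s.unauthorized.append((rec["ts"], n.group("mode"), n.group("local"), n.group("policy")))
    return dict(peers)


def findings(lines):
    """List peers whose IKE initiations were rejected for lack of a matching connection."""
    out = []
    for peer, s in sorted(summarize(lines).items()):
        if not s.unauthorized:
            continue
        out.append({
            "peer": peer,
            "rejections": len(s.unauthorized),
            "first_seen": s.unauthorized[0][0],
            "policy": sorted({u[3] for u in s.unauthorized}),
            "local": sorted({u[2] for u in s.unauthorized}),
            "vendor_ids": list(s.vendor_ids),  # helps confirm the peer is the expected product
        })
    return out


# Constructed sample lines mirroring the post (documentation-range IPs, not real peers).
SAMPLE_LOG = """\
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [strongSwan 4.2.3]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [Cisco-Unity]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: received Vendor ID payload [XAUTH]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: received Vendor ID payload [Dead Peer Detection]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: received Vendor ID payload [RFC 3947]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2009:04:30-22:23:47 secmgr-va pluto[3532]: packet from 198.51.100.7:500: initial Main Mode message received on 203.0.113.5:500 but no connection has been authorized with policy=PSK
2009:04:30-22:24:10 secmgr-va pluto[3532]: packet from 198.51.100.9:500: received Vendor ID payload [Dead Peer Detection]
2009:04:30-22:24:11 secmgr-va pluto[3532]: "client-a" #12: STATE_MAIN_I1: initiate
""".splitlines()

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"{f['peer']}: {f['rejections']} rejected {f['policy']} initiation(s) on "
              f"{f['local']} since {f['first_seen']}; VIDs: {', '.join(f['vendor_ids'])}")
```

Run it against the gateway's IPsec log and compare the flagged peers against the S2S connections you expect to be enabled: a peer that appears here with the expected vendor IDs but no matching connection points at the local configuration (the connection missing, disabled, or bound to a different local address or policy after the upgrade) rather than at the far side. The second sample peer only announces a vendor ID and is not flagged, and the non-"packet from" line is skipped by the parser.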