This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site VPN: cannot respond to IPsec SA request

Hello Forum,

I've configured a site-to-site IPSec tunnel between an ASG 7.402 and a Checkpoint firewall using certificates.
I can successfully establish the tunnel. PH1 and PH2 are fine and both networks are reachable from eachother side.
However I get regular error messages in the IPSec Log and the SA is reset and built up again. When this is done the network connection to the remote site is lost for a short duration.

I think it has something to do with the error message "cannot respond to IPsec SA request because no connection is known for 80.121.201.70[@kerberos.eins.com]...85.126.122.178"

But I have no idea why this occurs. Bot networks are unnatted. The ASG Certificate is the one from the local authority (ID hostname, generated) and the remote certificate id is an static IP adress. For my understanding this should be ok. It works but every 2 minutes the connection is lost and built up again.

Any ideas or help is appreciated!

Reinhard

[HTML]


2009:06:02-14:21:42 kerberos pluto[403]: "S_Unknown Object" #359: cannot respond to IPsec SA request because no connection is known for 80.121.201.70[@kerberos.eins.com]...85.126.122.178

2009:06:02-14:21:42 kerberos pluto[403]: "S_Unknown Object" #359: sending encrypted notification INVALID_ID_INFORMATION to 85.126.122.178:500

2009:06:02-14:21:43 kerberos pluto[403]: packet from 85.126.122.178:500: ignoring Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138800000000...]

2009:06:02-14:21:43 kerberos pluto[403]: packet from 85.126.122.178:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

2009:06:02-14:21:43 kerberos pluto[403]: "S_Unknown Object" #361: responding to Main Mode

2009:06:02-14:21:43 kerberos pluto[403]: "S_Unknown Object" #361: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: Peer ID is ID_IPV4_ADDR: '85.126.122.178'

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: crl not found

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: certificate status unknown

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: we have a cert and are sending it

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: sent MR3, ISAKMP SA established

2009:06:02-14:21:44 kerberos pluto[403]: "S_Unknown Object" #361: received Delete SA payload: replace IPSEC State #360 in 10 seconds

2009:06:02-14:21:54 kerberos pluto[403]: "S_Unknown Object" #362: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP to replace #360 {using isakmp#361}

2009:06:02-14:21:54 kerberos pluto[403]: "S_Unknown Object" #362: sent QI2, IPsec SA established {ESP=>0xba336ddc

[/HTML]

This thread was automatically locked due to age.

Parents

0 RedChili over 16 years ago

Just for the records...

I'v found the reason for this behavior.
I've set up the Site-to-Site Configuration with all policies, gateways and local and remote network definitions.
Some time after that I've changed the network definition from a /24 net to a /27 net and this seemed to influence the Site-to-Site configuration.
After removing the remote network from the configuration and adding the "new" definition everything worked fine.

/Reinhard
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 RedChili over 16 years ago

Just for the records...

I'v found the reason for this behavior.
I've set up the Site-to-Site Configuration with all policies, gateways and local and remote network definitions.
Some time after that I've changed the network definition from a /24 net to a /27 net and this seemed to influence the Site-to-Site configuration.
After removing the remote network from the configuration and adding the "new" definition everything worked fine.

/Reinhard
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data