We have an established IPsec VPN tunnel between an Astaro 320 and a Check Point firewall.
Our local networks behind the Astaro are
10.1.4.0/24
10.1.5.0/24
10.1.6.0/24
Our customers behind the Check Point (172.20.0.0/16) can reach the network 10.1.6.0/24 behind our Astaro.
But they cannot reach 10.1.5.0/24 and 10.1.4.0/24.
The IPSec Log says:
2010:09:10-12:55:44 fw-1 pluto[28263]: packet from 212.29.x.x:500: ignoring Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4c8a0eb0...]
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: responding to Main Mode
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: Peer ID is ID_IPV4_ADDR: '212.29.x.x'
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sent MR3, ISAKMP SA established
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: cannot respond to IPsec SA request because no connection is known for 10.1.4.0/24===212.29.y.y...212.29.x.x===172.20.0.0/16
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sending encrypted notification INVALID_ID_INFORMATION to 212.29.x.x:500
2010:09:10-12:55:46 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf8180021 (perhaps this is a duplicated packet)
2010:09:10-12:55:46 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sending encrypted notification INVALID_MESSAGE_ID to 212.29.x.x:500
2010:09:10-12:55:48 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf8180021 (perhaps this is a duplicated packet)
2010:09:10-12:55:48 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sending encrypted notification INVALID_MESSAGE_ID to 212.29.x.x:500
The Check Point firewall on the remote site also says "invalid SA".
Can anyone help?
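The diagnostic line in that log is "cannot respond to IPsec SA request because no connection is known for 10.1.4.0/24===212.29.y.y...212.29.x.x===172.20.0.0/16": pluto prints the exact Phase 2 selector pair (local subnet, local gateway, remote gateway, remote subnet) that the peer proposed in Quick Mode, and the INVALID_ID_INFORMATION notification that follows is its refusal because no configured connection covers that pair. The later INVALID_MESSAGE_ID lines are the peer re-sending the same Quick Mode message ID, as the log itself notes. Check Point negotiates one SA per subnet pair, so every local subnet it wants to reach has to be a selector on the Astaro side, either listed individually or covered by a supernet. The following script is an added example, not code from the original post or from Astaro; it parses such pluto lines and checks each refused proposal against a configured selector list. The sample log lines are constructed in the shape of the ones quoted above (with the public addresses anonymised the same way), and both configuration dictionaries are hypothetical reconstructions used only to show the check.

```python
import re
from ipaddress import ip_network

# Constructed sample log, modelled on the pluto lines quoted in the post.
SAMPLE_LOG = """\
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sent MR3, ISAKMP SA established
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: cannot respond to IPsec SA request because no connection is known for 10.1.4.0/24===212.29.y.y...212.29.x.x===172.20.0.0/16
2010:09:10-12:55:44 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: sending encrypted notification INVALID_ID_INFORMATION to 212.29.x.x:500
2010:09:10-12:55:46 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #15: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf8180021 (perhaps this is a duplicated packet)
2010:09:10-12:56:02 fw-1 pluto[28263]: "S_VPNTunnel-customer1" #16: cannot respond to IPsec SA request because no connection is known for 10.1.5.0/24===212.29.y.y...212.29.x.x===172.20.0.0/16
"""

# Hypothetical reconstruction of the Astaro side as the post describes it:
# only 10.1.6.0/24 is a local network of this tunnel.
CURRENT_CONFIG = {
    "S_VPNTunnel-customer1": [("10.1.6.0/24", "172.20.0.0/16")],
}

# Hypothetical corrected configuration: one selector per local subnet the
# peer proposes (a single 10.1.0.0/16 supernet would cover them as well).
FIXED_CONFIG = {
    "S_VPNTunnel-customer1": [
        ("10.1.4.0/24", "172.20.0.0/16"),
        ("10.1.5.0/24", "172.20.0.0/16"),
        ("10.1.6.0/24", "172.20.0.0/16"),
    ],
}

# Matches pluto's refusal line. The gateway addresses are kept as plain
# strings because anonymised logs (212.29.x.x) are not valid IP literals.
REJECT_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<local>\S+?)===(?P<local_gw>\S+?)\.\.\.(?P<remote_gw>\S+?)===(?P<remote>\S+)'
)


def parse_rejected_proposals(log_text):
    """Return one dict per refusal line: the Phase 2 selector pair the peer
    proposed and the gateway it came from."""
    proposals = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["local"] = ip_network(d["local"])
        d["remote"] = ip_network(d["remote"])
        proposals.append(d)
    return proposals


def covered(proposal, configured):
    """True if some configured (local, remote) pair for the same connection
    contains the proposed pair, so pluto would have accepted it."""
    for local, remote in configured.get(proposal["conn"], []):
        if (proposal["local"].subnet_of(ip_network(local))
                and proposal["remote"].subnet_of(ip_network(remote))):
            return True
    return False


def uncovered_selectors(log_text, configured):
    """Distinct (connection, local, remote) selectors that the peer proposed
    and that no configured selector covers; an empty list means every refused
    proposal would now be accepted."""
    missing = {
        (p["conn"], str(p["local"]), str(p["remote"]))
        for p in parse_rejected_proposals(log_text)
        if not covered(p, configured)
    }
    return sorted(missing)


if __name__ == "__main__":
    for conn, local, remote in uncovered_selectors(SAMPLE_LOG, CURRENT_CONFIG):
        print(f"{conn}: peer proposed {local} <-> {remote}, no matching selector")
    print("after fix, still missing:", uncovered_selectors(SAMPLE_LOG, FIXED_CONFIG))
```

Run it against the real log (for example the output of the IPsec live log) with the selector list transcribed from the tunnel's local and remote network definitions; every line the script reports is a subnet pair that has to be added on the Astaro, or covered by a wider network object, before the Check Point's Quick Mode proposal for it can succeed.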