I have had an IPSec/IKE site-to-site VPN from home to work for many years. I've been using Astaro at home for most of that time. The VPN has always been rock solid until now. It seemed to be fine after I did a fresh install of 8.100 on a new, faster PC. However, when I upgraded to 8.101 (I'm not on 8.102), I began having pretty serious issues with this VPN. The firewall at work is McAfee Firewall Enterprise (formerly Secure Computing Sidewinder) 7.0.1.0.2. The biggest problem is that the VPN will not establish itself from work to home. Sometimes if left for a long time with pings going to home, it will come up. In the other direction, it seems to be more reliable, but I still have had to disable and re-enable on one end or the other to get it to come up on occasion.
I have tried changing numerous settings, encryption methods, timeouts, etc. Nothing has improved reliability. I have a coworker with a very similar setup (Astaro at home on the same version), and his is still fine. I've checked his settings (I'm the primary firewall admin at work) and they matched mine initially, and what they are set to again (see below).
When I check the log on the Sidewinder side, what I see while it's trying unsuccessfully to establish the VPN is this:
invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
This would imply a mismatch in Phase 1 parameters, but I have verified time and time again that this is not the case. The fact that eventually it will be successful also implies this is not the case. It seems like Astaro has started, for some reason, to send bad data during renegotiations sometimes. I've had a hard time wading through the Astaro log to find a definitive error (I'm not as familiar with Astaro as I am with Sidewinders).
Is it necessary to create packet filter rules to allow IKE traffic to and from the firewall's external interface for these VPNs to work? I noticed I had a rule created to allow *from* Astaro to Any but not from Any to Astaro.
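An added example (not from the original post, and not Astaro or Sidewinder code) of the correlation the poster is doing by hand: it walks an IKEv1 log, tracks which Phase 1 (ISAKMP) SAs are live by cookie pair, and flags Quick Mode requests that arrive with no matching Phase 1 SA, distinguishing a stale SA reused after a rekey from a Phase 1 that never completed. The log format and the sample lines are constructed assumptions, not a real Sidewinder or Astaro format.

```python
"""Explain 'invalid request for QUICK_MODE exchange, no IKE SA exists'.

Assumed (constructed) log format, one event per line:
  <HH:MM:SS> <EVENT> cookies=<initiator-cookie>/<responder-cookie>
EVENT is ISAKMP_SA_ESTABLISHED, ISAKMP_SA_DELETED or QUICK_MODE_REQUEST.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "time cookies reason")

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<event>ISAKMP_SA_ESTABLISHED|ISAKMP_SA_DELETED|QUICK_MODE_REQUEST) "
    r"cookies=(?P<cookies>[0-9a-f]{16}/[0-9a-f]{16})$"
)


def analyze(lines):
    """Return Findings for Quick Mode requests with no live Phase 1 SA."""
    live = {}      # cookie pair -> time the ISAKMP SA was established
    deleted = {}   # cookie pair -> time the ISAKMP SA was torn down
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unparseable line: ignore
        t, ev, ck = m.group("time", "event", "cookies")
        if ev == "ISAKMP_SA_ESTABLISHED":
            live[ck] = t
            deleted.pop(ck, None)
        elif ev == "ISAKMP_SA_DELETED":
            live.pop(ck, None)
            deleted[ck] = t
        elif ev == "QUICK_MODE_REQUEST" and ck not in live:
            if ck in deleted:
                # Peer still believes the old Phase 1 SA is valid: stale SA after rekey
                reason = f"peer reuses Phase 1 SA deleted at {deleted[ck]} (stale SA after rekey)"
            else:
                # Phase 1 never completed on this side at all (e.g. IKE traffic blocked)
                reason = "no Phase 1 SA ever seen for these cookies (Phase 1 never completed)"
            findings.append(Finding(t, ck, reason))
    return findings


# Constructed sample log, not captured from any real device.
SAMPLE_LOG = [
    "10:00:01 ISAKMP_SA_ESTABLISHED cookies=0123456789abcdef/fedcba9876543210",
    "10:00:02 QUICK_MODE_REQUEST cookies=0123456789abcdef/fedcba9876543210",
    "10:30:00 ISAKMP_SA_DELETED cookies=0123456789abcdef/fedcba9876543210",
    "10:30:05 QUICK_MODE_REQUEST cookies=0123456789abcdef/fedcba9876543210",
    "10:31:00 QUICK_MODE_REQUEST cookies=1111111111111111/2222222222222222",
    "some unrelated syslog line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.time, f.cookies, f.reason)
```

A Quick Mode flagged as "stale SA after rekey" points at the renegotiation path, while "Phase 1 never completed" points at IKE (UDP 500/4500) being blocked in one direction.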