Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 15 replies
  • Subscribers 1 subscriber
  • Views 8089 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec Site to Site VPN - no traffic

jpvj
Hi,

I am trying to configure site to site VPN between an Sophos UTM 9.006_5 on site "A" against a WatchGuard on site "B".

Right after the initial configuration, I was able to ping an IP address on the remote subnet. The day after it stopped and has never worked ever since.

Nothing was changed on the Astaro and the "other guy" claims nothing was changed on the WatchGuard. 

Both firewalls shows the tunnel is up, but neither can ping to the other side.

I am quite sure all parameters for main and quick mode is correct (checked multiple times) but I cannot seem to spot the problem.

I enabled debug logging and collected this log from the ASG. Hope someone can provide some input.

Thx.


This thread was automatically locked due to age.
ASG.zip
Parents
  • 0
    Thanks!  That looks good so far. Please edit that post and add the next 10-20 lines.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Thanks!  That looks good so far. Please edit that post and add the next 10-20 lines.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    Hi,

    I stopped and started the IPSec connection about 13:12 and as you can see not much happens for almost one hour...


    [FONT="Courier New"][SIZE="2"]2013:04:28-13:12:59 Astaro ipsec_starter[21739]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2013:04:28-13:12:59 Astaro pluto[21747]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2013:04:28-13:12:59 Astaro pluto[21747]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2013:04:28-13:12:59 Astaro pluto[21747]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2013:04:28-13:12:59 Astaro pluto[21747]: Using Linux 2.6 IPsec interface code
    2013:04:28-13:12:59 Astaro ipsec_starter[21745]: pluto (21747) started after 20 ms
    2013:04:28-13:12:59 Astaro pluto[21747]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2013:04:28-13:12:59 Astaro pluto[21747]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2013:04:28-13:12:59 Astaro pluto[21747]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2013:04:28-13:12:59 Astaro pluto[21747]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2013:04:28-13:12:59 Astaro pluto[21747]: Changing to directory '/etc/ipsec.d/crls'
    2013:04:28-13:12:59 Astaro pluto[21747]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2013:04:28-13:12:59 Astaro pluto[21747]: listening for IKE messages
    2013:04:28-13:12:59 Astaro pluto[21747]: adding interface eth1/eth1 87.104.238.42:500
    2013:04:28-13:12:59 Astaro pluto[21747]: adding interface eth0/eth0 192.168.30.254:500
    2013:04:28-13:12:59 Astaro pluto[21747]: adding interface lo/lo 127.0.0.1:500
    2013:04:28-13:12:59 Astaro pluto[21747]: adding interface lo/lo ::1:500
    2013:04:28-13:12:59 Astaro pluto[21747]: loading secrets from "/etc/ipsec.secrets"
    2013:04:28-13:12:59 Astaro pluto[21747]: loaded PSK secret for 87.104.238.42 77.233.239.228
    2013:04:28-13:12:59 Astaro pluto[21747]: added connection description "S_AAO"
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #1: initiating Main Mode
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #1: received Vendor ID payload [XAUTH]
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #1: received Vendor ID payload [Dead Peer Detection]
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #1: Peer ID is ID_IPV4_ADDR: '77.233.239.228'
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #1: ISAKMP SA established
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
    2013:04:28-13:12:59 Astaro pluto[21747]: "S_AAO" #2: sent QI2, IPsec SA established {ESP=>0x5b6d212a 
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?