This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.105-9] Ipsec Site-to-Site connection can't be established automatically

Hello,

i have a problem with a Site-to-Site IPSec tunnel between an UTM220 and a Netscreen/Juniper NS-5GT.
When the tunnel ist established, it runs for 24 hours, then PPPoE connection on the Juniper/Netscreen side is disconnected by the ISP and reconnected immediately.
but the IPSec tunnel doesn't come up automatically again. To establish the tunnel again I have to deactivate it on the UTM220 in Site-to-Site IPSec section,
wait for 10 minutes and turn it on again, then the tunnel is established immediately.

NAT-T and DPD is enabled on both sides and the UTM220 is running on version 9.105-9.

Here is a part of the UTM220 log-file:


2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1297: DPD: No response from peer - declaring peer dead

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1297: DPD: Restarting all connections of peer

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1297: DPD: Terminating all SAs using this connection

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1319: deleting state (STATE_QUICK_I2)

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitVpn1" address="" local_net="" remote_net=""

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1297: deleting state (STATE_MAIN_I4)

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: DPD: Restarting connection "S_REF_IpsSitVpn1_0"

2013:09:18-04:23:11 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1323: initiating Main Mode



2013:09:18-04:36:21 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1323: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:09:18-04:36:21 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1323: starting keying attempt 2 of an unlimited number

2013:09:18-04:36:21 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1325: initiating Main Mode to replace #1323



2013:09:18-04:49:32 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1325: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:09:18-04:49:32 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1325: starting keying attempt 3 of an unlimited number

2013:09:18-04:49:32 SOPHOS-UTM220 pluto[6772]: "S_REF_IpsSitVpn1_0" #1327: initiating Main Mode to replace #1325

Here are a part of the Juniper/Netscreen log-file:


2013-09-18 04:28:02   system   info  00536  IKE   Phase 1: Initiated negotiations in main mode.

2013-09-18 04:27:49   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:27:26   system   info  00536  IKE DPD found peer at  not responding.

2013-09-18 04:27:02   system   info  00536  IKE : Added Phase 2 session tasks to the task list.

2013-09-18 04:27:01   system   info  00536  IKE  Phase 1: Responder starts MAIN mode negotiations.

2013-09-18 04:26:29   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:26:02   system   info  00536  IKE : Added Phase 2 session tasks to the task list.

2013-09-18 04:25:41   system   info  00536  IKE  Phase 1: Responder starts MAIN mode negotiations.

2013-09-18 04:25:10   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:25:09   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:25:02   system   info  00536  IKE : Added Phase 2 session tasks to the task list.

2013-09-18 04:24:23   system   info  00536  IKE DPD found peer at  not responding.

2013-09-18 04:24:22   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022ba1e8) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022bab30) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b98a0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b9d44) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b60f0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:0424d958) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:0424e2a0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:0424ebe8) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:0424f530) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:0424fe78) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:042507c0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04251108) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04251a50) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04252398) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04252ce0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04253628) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04253f70) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:042548b8) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:04255200) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022da7ac) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022db0f4) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022dba3c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022dc384) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022dcccc) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022dd614) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b5c4c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022de400) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022ded48) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022df690) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022dffd8) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022e0920) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022e1268) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022e1bb0) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025ed51c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025ede64) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025ee7ac) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025ef0f4) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025efa3c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f0384) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f0ccc) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f1614) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f1f5c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f28a4) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f31ec) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f3b34) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:025f447c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b816c) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE : Phase 1 SA (my cookie:022b8f58) was removed due to a simultaneous rekey.

2013-09-18 04:24:21   system   info  00536  IKE  Phase 1: Responder starts MAIN mode negotiations.

2013-09-18 04:24:21   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:21   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:24:20   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:20   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:24:19   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:18   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:17   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:16   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:15   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:14   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:13   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:12   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:11   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:10   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:09   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:08   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:07   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:06   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:05   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:04   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:03   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:02   system   info  00536  IKE : Added Phase 2 session tasks to the task list.

2013-09-18 04:24:02   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:01   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:24:00   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:59   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:59   system   info  00536  IKE  Phase 1: Retransmission limit has been reached.

2013-09-18 04:23:58   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:57   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:56   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:55   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:54   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:53   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:52   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:51   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:50   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:49   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:48   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:47   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:46   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:45   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:44   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:43   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:42   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:41   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:40   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:39   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:38   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:37   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:36   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:35   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:34   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:33   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:32   system   info  00536  IKE  Phase 1: Initiated negotiations in main mode.

2013-09-18 04:23:10   system   info  00536  IKE  Phase 1: Responder starts MAIN mode negotiations.

Has anyone an idea what the problem could be?

Thanks for your efforts.

- pro_mrjetter -

This thread was automatically locked due to age.

0 BAlfson over 11 years ago

Please [Go Advanced] below and attach pictures of the IPsec Policy for each side. Also of the Remote Gateway definition for the Juniper in the UTM.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 pro_mrjetter over 11 years ago in reply to BAlfson

Hi Bob,

thanks for your reply, here are some pictures of the config from inside the UTM and the Juniper device. I hope these are the right pictures. If you need more pictures or further information, just tell me.

Thanks

- pro_mrjetter -
Cancel
Vote Up 0 Vote Down

Cancel
0 pro_mrjetter over 11 years ago in reply to pro_mrjetter

Hi,

because we can't get rid of the problem, we replaced the Netscreen/Juniper NS-5GT (it's end of life anyway) with a SOPHOS UTM 120.

But the problem still remains.

When the tunnel is down because of a manual reconnect (daily at 10pm), we have to deactivate the tunnel in the UTM220, wait for 10 minutes and then activate it again. Only then a reconnect is possible.

The IPSec-policies and -settings on both machines look like the following:

UTM220 (Side A)

Firmware: 9.105-9

Gateway type: Initiate connection
Authentication type: Preshared Key

DPD enabled
NAT-T enabled and set to 60 seconds
Probing of preshared keys is enabled

IKE encryption algorithm: 3DES
IKE authentication algorithm: SHA1
IKE SA lifetime: 28800 seconds
IKE DH group: Group 2: MODP 1024

IPsec encryption algorithm: 3DES
IPsec authentication algorithm: SHA1
IPsec SA lifetime: 3600 seconds
IPsec PFS group: Group 2: MODP 1024

strict policy is on, compression is off

UTM120 (Side B)

Firmware: 9.106-17

Gateway type: respond only
Authentication type: Preshared Key

DPD enabled
NAT-T enabled and set to 60 seconds
Probing of preshared keys is enabled

IKE encryption algorithm: 3DES
IKE authentication algorithm: SHA1
IKE SA lifetime: 28800 seconds
IKE DH group: Group 2: MODP 1024

IPsec encryption algorithm: 3DES
IPsec authentication algorithm: SHA1
IPsec SA lifetime: 3600 seconds
IPsec PFS group: Group 2: MODP 1024

strict policy is on, compression is off

Has anybody an idea what the problem could be?
I am grateful for each approach.

- pro_mrjetter -
Cancel
Vote Up 0 Vote Down

Cancel

0 pro_mrjetter over 11 years ago in reply to pro_mrjetter

Here are the IPSec Log-File of UTM220 (Side A):

UTM220 (Side A)


to[6772]: "S_REF_IpsSitVpnB_0" #7793: DPD: No response from peer - declaring peer dead

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7793: DPD: Restarting all connections of peer

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7793: DPD: Terminating all SAs using this connection

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7820: deleting state (STATE_QUICK_I2)

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-1 pluto[6281]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitVpnB" address="" local_net="/14" remote_net="/24"

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitVpnB" address="" local_net="/14" remote_net="/24"

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7815: deleting state (STATE_QUICK_I2)

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7793: deleting state (STATE_MAIN_I4)

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: DPD: Restarting connection "S_REF_IpsSitVpnB_0"

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7822: initiating Main Mode

2013:10:20-22:15:36 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7822: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-22:15:36 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7822: starting keying attempt 2 of an unlimited number

2013:10:20-22:15:36 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7825: initiating Main Mode to replace #7822

2013:10:20-22:28:46 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7825: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-22:28:46 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7825: starting keying attempt 3 of an unlimited number

2013:10:20-22:28:46 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7827: initiating Main Mode to replace #7825

2013:10:20-22:41:56 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7827: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-22:41:56 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7827: starting keying attempt 4 of an unlimited number

2013:10:20-22:41:56 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7829: initiating Main Mode to replace #7827

2013:10:20-22:55:06 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7829: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-22:55:06 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7829: starting keying attempt 5 of an unlimited number

2013:10:20-22:55:06 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7831: initiating Main Mode to replace #7829

2013:10:20-23:08:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7831: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-23:08:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7831: starting keying attempt 6 of an unlimited number

2013:10:20-23:08:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7833: initiating Main Mode to replace #7831

2013:10:20-23:21:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7833: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-23:21:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7833: starting keying attempt 7 of an unlimited number

2013:10:20-23:21:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7835: initiating Main Mode to replace #7833

2013:10:20-23:34:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7835: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-23:34:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7835: starting keying attempt 8 of an unlimited number

2013:10:20-23:34:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7837: initiating Main Mode to replace #7835

2013:10:20-23:47:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7837: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:20-23:47:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7837: starting keying attempt 9 of an unlimited number

2013:10:20-23:47:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7840: initiating Main Mode to replace #7837

2013:10:21-00:00:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7840: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-00:00:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7840: starting keying attempt 10 of an unlimited number

2013:10:21-00:00:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7842: initiating Main Mode to replace #7840

2013:10:21-00:14:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7842: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-00:14:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7842: starting keying attempt 11 of an unlimited number

2013:10:21-00:14:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7844: initiating Main Mode to replace #7842

2013:10:21-00:27:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7844: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-00:27:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7844: starting keying attempt 12 of an unlimited number

2013:10:21-00:27:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7845: initiating Main Mode to replace #7844

2013:10:21-00:40:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7845: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-00:40:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7845: starting keying attempt 13 of an unlimited number

2013:10:21-00:40:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7848: initiating Main Mode to replace #7845

2013:10:21-00:53:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7848: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-00:53:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7848: starting keying attempt 14 of an unlimited number

2013:10:21-00:53:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7850: initiating Main Mode to replace #7848

2013:10:21-01:06:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7850: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-01:06:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7850: starting keying attempt 15 of an unlimited number

2013:10:21-01:06:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7852: initiating Main Mode to replace #7850

2013:10:21-01:19:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7852: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-01:19:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7852: starting keying attempt 16 of an unlimited number

2013:10:21-01:19:57 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7854: initiating Main Mode to replace #7852

2013:10:21-01:33:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7854: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-01:33:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7854: starting keying attempt 17 of an unlimited number

2013:10:21-01:33:07 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7856: initiating Main Mode to replace #7854

2013:10:21-01:46:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7856: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-01:46:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7856: starting keying attempt 18 of an unlimited number

2013:10:21-01:46:17 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7860: initiating Main Mode to replace #7856

2013:10:21-01:59:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7860: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-01:59:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7860: starting keying attempt 19 of an unlimited number

2013:10:21-01:59:27 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7861: initiating Main Mode to replace #7860

2013:10:21-02:12:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7861: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-02:12:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7861: starting keying attempt 20 of an unlimited number

2013:10:21-02:12:37 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7865: initiating Main Mode to replace #7861

2013:10:21-02:25:47 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7865: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message



...



2013:10:21-07:15:29 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7913: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-07:15:29 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7913: starting keying attempt 43 of an unlimited number

2013:10:21-07:15:29 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7916: initiating Main Mode to replace #7913

2013:10:21-07:28:39 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7916: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-07:28:39 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7916: starting keying attempt 44 of an unlimited number

2013:10:21-07:28:39 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7918: initiating Main Mode to replace #7916

2013:10:21-07:30:14 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0": deleting connection

2013:10:21-07:30:14 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7918: deleting state (STATE_MAIN_I1)

2013:10:21-07:30:14 PRO-SOPHOS-UTM220-1 pluto[6281]: "S_REF_IpsSitVpnB_0": deleting connection

2013:10:21-07:30:34 PRO-SOPHOS-UTM220-2 pluto[6772]: added connection description "S_REF_IpsSitVpnB_0"

2013:10:21-07:30:34 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7919: initiating Main Mode

2013:10:21-07:33:05 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0": deleting connection

2013:10:21-07:33:05 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7919: deleting state (STATE_MAIN_I1)

2013:10:21-07:33:22 PRO-SOPHOS-UTM220-2 pluto[6772]: added connection description "S_REF_IpsSitVpnB_0"

2013:10:21-07:33:22 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7920: initiating Main Mode

2013:10:21-07:46:32 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7920: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

2013:10:21-07:46:32 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7920: starting keying attempt 2 of an unlimited number

2013:10:21-07:46:32 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7922: initiating Main Mode to replace #7920

2013:10:21-07:48:06 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0": deleting connection

2013:10:21-07:48:06 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7922: deleting state (STATE_MAIN_I1)

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: initiating Main Mode

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: received Vendor ID payload [strongSwan]

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: ignoring Vendor ID payload [Cisco-Unity]

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: received Vendor ID payload [XAUTH]

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: received Vendor ID payload [Dead Peer Detection]

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: received Vendor ID payload [RFC 3947]

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: enabling possible NAT-traversal with method 3

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: NAT-Traversal: Result using RFC 3947: no NAT detected

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: Peer ID is ID_IPV4_ADDR: ''

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: Dead Peer Detection (RFC 3706) enabled

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7925: ISAKMP SA established

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7926: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#7925}

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitVpnB" address="" local_net="/14" remote_net="/24"

2013:10:21-07:59:16 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7926: sent QI2, IPsec SA established {ESP=>0xed5f8a47 " local_net="/14" remote_net="/24">

- pro_mrjetter -

0 pro_mrjetter over 11 years ago in reply to pro_mrjetter

Here are the IPSec Log-File of UTM120 (Side B):

UTM120 (Side B)


2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: forgetting secrets
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0": deleting connection
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0"[1] : deleting connection "S_REF_IpsSitVpnA_0"[1] instance with peer  {isakmp=#23/ipsec=#29}
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #29: deleting state (STATE_QUICK_R2)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #29: HA System: failed to send message (-1/8): Bad file descriptor (9)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: ERROR: "S_REF_IpsSitVpnA_0" #29: sendto on ppp0 to :500 failed in delete notify. Errno 22: Invalid argument
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitVpnA" address="" local_net="/24" remote_net="/14"
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #28: deleting state (STATE_QUICK_R2)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #28: HA System: failed to send message (-1/8): Bad file descriptor (9)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: ERROR: "S_REF_IpsSitVpnA_0" #28: sendto on ppp0 to :500 failed in delete notify. Errno 22: Invalid argument
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #23: deleting state (STATE_MAIN_R3)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: "S_REF_IpsSitVpnA_0" #23: HA System: failed to send message (-1/8): Bad file descriptor (9)
2013:10:20-22:00:05 PRO-SOPHOS-UTM120-1 pluto[1070]: ERROR: "S_REF_IpsSitVpnA_0" #23: sendto on ppp0 to :500 failed in delete notify. Errno 22: Invalid argument
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: updown: /sbin/ip -4 route del /14 dev ppp0 src  proto ipsec metric 0 failed with status 1:
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: updown: Cannot find device "ppp0"
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface lo/lo ::1
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface lo/lo 127.0.0.1
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface lo/lo 127.0.0.1
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface eth3/eth3 198.19.250.1
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface eth3/eth3 198.19.250.1
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface eth0/eth0 
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface eth0/eth0 
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface ppp0/ppp0 
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 pluto[1070]: shutting down interface ppp0/ppp0 
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 ipsec_starter[1064]: pluto stopped after 240 ms
2013:10:20-22:00:06 PRO-SOPHOS-UTM120-1 ipsec_starter[1064]: ipsec starter stopped
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 ipsec_starter[9374]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 ipsec_starter[9380]: pluto (9386) started after 20 ms
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve 
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   including NAT-Traversal patch (Version 0.6c)
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: Using Linux 2.6 IPsec interface code
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: HA system enabled and listening on interface eth3
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: Initial HA switch to master mode
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loading ca certificates from '/etc/ipsec.d/cacerts'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   loaded ca certificate from '/etc/ipsec.d/cacerts/REF_CaSigVpnSigniCa.pem'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loading aa certificates from '/etc/ipsec.d/aacerts'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: Changing to directory '/etc/ipsec.d/crls'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loading attribute certificates from '/etc/ipsec.d/acerts'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: listening for IKE messages
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface ppp0/ppp0 :500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface ppp0/ppp0 :4500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface eth0/eth0 :500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface eth0/eth0 :4500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface eth3/eth3 198.19.250.1:500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface eth3/eth3 198.19.250.1:4500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface lo/lo 127.0.0.1:500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface lo/lo 127.0.0.1:4500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: adding interface lo/lo ::1:500
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: loading secrets from "/etc/ipsec.secrets"
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   loaded private key from 'REF_CaHosLocalX509Cert.pem'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   loaded PSK secret for  %any 
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: added connection description "S_REF_IpsSitVpnA_0"
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   loaded host certificate from '/etc/ipsec.d/certs/REF_CaHosLocalX509Cert.pem'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]:   loaded host certificate from '/etc/ipsec.d/certs/REF_IpsX502_9b405eb1.pem'
2013:10:20-22:00:14 PRO-SOPHOS-UTM120-1 pluto[9386]: HA System: pluto already is in master mode
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: received Vendor ID payload [strongSwan]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: ignoring Vendor ID payload [Cisco-Unity]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: received Vendor ID payload [XAUTH]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: received Vendor ID payload [Dead Peer Detection]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: received Vendor ID payload [RFC 3947]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #1: responding to Main Mode from unknown peer 
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #1: NAT-Traversal: Result using RFC 3947: no NAT detected
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #1: Peer ID is ID_IPV4_ADDR: ''
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #1: Dead Peer Detection (RFC 3706) enabled
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #1: sent MR3, ISAKMP SA established
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #2: responding to Quick Mode
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="site-to-site VPN up" variant="ipsec" connection="REF_IpsSitVpnA" address="" local_net="/24" remote_net="/14"
2013:10:21-07:59:16 PRO-SOPHOS-UTM120-1 pluto[9386]: "S_REF_IpsSitVpnA_0"[1]  #2: IPsec SA established {ESP=>0x27139c35 " local_net="/24" remote_net="/14">

- pro_mrjetter -

0 BAlfson over 11 years ago

Strange. What does Sophos Support say about this?

Thinking about workarounds... Have you tried forcing a failover to the Slave?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 pro_mrjetter over 11 years ago in reply to BAlfson

Hi Bob,

thanks for your reply. We only have standard support, so this leads us to our "partner". I told him the problem, but till now I don't get an approach reagarding the problem, he just told me: "We are waiting for an answer". So my hope was that someone here in the forum can help me solve the problem.

What do you mean by a failover to slave? Isn't it all the same if I use the one or the other?

Last evening I changed the gateway types of both machines, now the UTM 220 has gateway type "respond only" and the UTM 120 has gateway type "initiate connection". But the problem still remains. But now I have to turn off the IPSec connection on UTM 120-side and wait 10 minutes.

Is there a hidden timeout restriction somewhere in the IPSec VPN settings or regulatories regarding this 10 minutes? When I try to start the connection before the 10 minutes are over it won't come up.

I have no more ideas, what I can try.

Thanks

- pro_mrjetter -
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels over 11 years ago

Have you tried setting up both gateways as initiate?
I usually make connections initiate from both sides, so both sides can initiate a new connection.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel
0 pro_mrjetter over 11 years ago in reply to apijnappels

That's what I try in the first 2 days the connection was established, set both gateways as "initiate", but the result was the same.
On one side (all the same which side you take) you have to deactivate the connection and wait for 10 minutes, after that you could reconnect.

These "10 minutes" gives me thinking...

- pro_mrjetter -
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

2013:10:20-22:02:26 PRO-SOPHOS-UTM220-2 pluto[6772]: "S_REF_IpsSitVpnB_0" #7822: initiating Main Mode

I just realized that you deleted the lines that came after that in the 220, and that the 120 log lines aren't from the same connection attempt. Please show the other lines from the 220 log after the one above and the corresponding lines from the 120 log.

What do you mean by a failover to slave? Isn't it all the same if I use the one or the other?

Yes, but this would help to eliminate the possibility of a hardware problem.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel