VPN issues...

Hello everyone.

I have set up a site-to-site VPN with a Cisco ASA. Tunnel is up and I can ping the remote network from my ASG, but not from my local network. I think I am missing something stupid but don't know what. Any ideas?

Thanks in advance.

Richard


  • See attached, Bob, and thanks... Also, I just noticed this in the IPsec log.

     packet from ***.xx.***.x:500: initial Main Mode message received on 66.152.200.154:500 but no connection has been authorized with policy=PSK

    And also...

    cannot respond to IPsec SA request because no connection is known for ***.xx.xx.***= etc.
  • The easy answers are to check that both sides are using the same PSK, confirm that both are using the same setting for NAT-T and that both sides are not behind NATting routers - that both interfaces have a public IP.

    If it wasn't any of those, disable the IPsec Connection, disable debugging if any selections were made, start the IPsec Live Log, enable the IPsec Connection and then show the lines (about 50) from a single connection attempt.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here are the lines from the IPsec live log when enabling the connection...

    Thanks,

    2013:11:25-10:33:40 dartmofw01 pluto[29783]: listening for IKE messages
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: forgetting secrets
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading secrets from "/etc/ipsec.secrets"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded PSK secret for xx.***.***.*** 2xx.***.***.***
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded private key from 'dartmofw01.bcso-ma.org.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: added connection description "S_NEW_TRI"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: initiating Main Mode
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: forgetting secrets
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading secrets from "/etc/ipsec.secrets"
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded PSK secret for xx.***.***.*** xx.***.xx.***
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded private key from 'dartmofw01.bcso-ma.org.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: Changing to directory '/etc/ipsec.d/crls'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: enabling possible NAT-traversal with method RFC 3947
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [Cisco-Unity]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [XAUTH]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [8296ef3de06aa4bf11b4d422eb0c576f]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: received Vendor ID payload [Dead Peer Detection]
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: Peer ID is ID_IPV4_ADDR: '***.xx.***.***'
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #124: ISAKMP SA established
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#124}
    2013:11:25-10:33:40 dartmofw01 pluto[29783]: "S_NEW_TRI" #125: sent QI2, IPsec SA established {ESP=>0x7da72ac7 
  • Thanks for all your help Bob and Barry. I figured it out. Default route on the local machines. I had to add a route pointing to the firewall for the remote network... 
    Thanks again...

    Richard
  • Hi, if that was on the Cisco end, you could set a PBR (policy route) on the Cisco router or L3 switch.

    On the UTM, the routing _should_ be automatic if everything is setup correctly.

    Barry
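As an added illustration (not code from the thread or from Sophos), here is a small Python triage of pluto log lines in the format Richard posted: it flags the two error strings he quoted, records the NAT-T result and Phase 1/Phase 2 state per connection name, and maps the result to the checks Bob listed and the routing fix Richard found. The sample lines are constructed; the host name and addresses are placeholders.

```python
import re

# One pluto (Sophos UTM IPsec daemon) log line: <ts> <host> pluto[<pid>]: ["<conn>" #<sa>: ]<message>
LINE_RE = re.compile(r'^\s*(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
                     r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')

# Messages worth keying on; the two error strings are the ones quoted in the thread.
MARKERS = {
    "nat":       re.compile(r"NAT-Traversal: Result using [^:]+: (?P<nat>.+)$"),
    "phase1":    re.compile(r"^ISAKMP SA established"),
    "phase2":    re.compile(r"^sent QI2, IPsec SA established"),
    "no_policy": re.compile(r"no connection has been authorized with policy="),
    "no_conn":   re.compile(r"cannot respond to IPsec SA request because no connection is known"),
}

def triage(lines):
    """Per connection name: marker flags plus NAT result; lines without a "conn" #n prefix
    (the peer was not matched to any configured connection) are grouped under '(unmatched)'."""
    states = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        st = states.setdefault(m["conn"] or "(unmatched)", {"nat": None})
        for kind, pat in MARKERS.items():
            hit = pat.search(m["msg"])
            if hit:
                st[kind] = hit["nat"] if kind == "nat" else True
    return states

def diagnose(states):
    # Map triage results to the checks discussed in the thread (PSK/NAT-T/peer IP, then host routing).
    notes = []
    for name, st in states.items():
        if st.get("no_policy") or st.get("no_conn"):
            notes.append(f"{name}: peer not matched to a connection; verify remote gateway IP, PSK and NAT-T on both sides")
        elif st.get("phase1") and st.get("phase2"):
            notes.append(f"{name}: both phases up (NAT: {st['nat']}); if LAN hosts still cannot reach the remote network, check their route to the firewall")
        elif st.get("phase1"):
            notes.append(f"{name}: Phase 1 up but no IPsec SA; compare Phase 2 proposals and subnets")
    return notes

SAMPLE = [  # constructed lines modelled on the thread's excerpts; host and addresses are placeholders
    '2013:11:25-10:33:40 fw01 pluto[29783]: packet from 203.0.113.5:500: initial Main Mode message received on 198.51.100.7:500 but no connection has been authorized with policy=PSK',
    '2013:11:25-10:33:41 fw01 pluto[29783]: "S_NEW_TRI" #124: initiating Main Mode',
    '2013:11:25-10:33:41 fw01 pluto[29783]: "S_NEW_TRI" #124: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected',
    '2013:11:25-10:33:41 fw01 pluto[29783]: "S_NEW_TRI" #124: ISAKMP SA established',
    '2013:11:25-10:33:41 fw01 pluto[29783]: "S_NEW_TRI" #125: sent QI2, IPsec SA established {ESP=>0x7da72ac7}',
]

if __name__ == "__main__":
    print("\n".join(diagnose(triage(SAMPLE))))
```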