Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 1 subscriber
  • Views 7294 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN IPSec - Sophos x Sonicwall

Siarom
We have a problem of connection and reconnection between a Sophos UTM and a Sonicwall. The client complains about disconnection between the sites, but we can't detect anything wrong in the settings.

Does anyone have a light? [:S]


This thread was automatically locked due to age.
  • 0 
    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: listening for IKE messages

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: forgetting secrets

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading secrets from "/etc/ipsec.secrets"

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 201.20.105.146

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: forgetting secrets

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading secrets from "/etc/ipsec.secrets"

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 %any

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded PSK secret for 200.194.106.246 201.20.105.146

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading ca certificates from '/etc/ipsec.d/cacerts'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA (Fri Apr 27 12:26:36 2012).pem'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading aa certificates from '/etc/ipsec.d/aacerts'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: loading attribute certificates from '/etc/ipsec.d/acerts'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: Changing to directory '/etc/ipsec.d/crls'

    2014:04:08-14:11:43 UTM-VM-SECG67 pluto[10714]: added connection description "S_ENERGY"

    2014:04:08-14:12:22 UTM-VM-SECG67 pluto[10714]: "S_ENERGY"[1] 177.184.130.52 #11: responding to Quick Mode

    2014:04:08-14:12:22 UTM-VM-SECG67 pluto[10714]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="ENERGY" address="200.194.106.246" local_net="200.194.96.32/32" remote_net="172.16.10.0/24"

    2014:04:08-14:12:22 UTM-VM-SECG67 pluto[10714]: "S_ENERGY"[1] 177.184.130.52 #11: IPsec SA established {ESP=>0x1765fef9 


    SA:	200.194.96.32/32=200.194.106.246		177.184.130.52=172.16.10.0/24

    VPN ID: 200.194.106.246

    IKE: Auth PSK / Enc 3DES_CBC / Hash HMAC_MD5 / Lifetime 7800s / DPD

    ESP: Enc AES_CBC_256 / Hash HMAC_MD5 / Lifetime 3600s



    The interesting thing is that after a while is that the problem occurs, and have several messages stating: 


    2014:04:08-22:53:46 UTM-VM-SECG67 pluto[10714]: "S_REF_IpsSitEnergy_0"[5] 177.158.115.10 #353: next payload type of ISAKMP Hash Payload has an unknown value: 208

    2014:04:08-22:53:46 UTM-VM-SECG67 pluto[10714]: "S_REF_IpsSitEnergy_0"[5] 177.158.115.10 #353: malformed payload in packet

    2014:04:08-22:53:46 UTM-VM-SECG67 pluto[10714]: "S_REF_IpsSitEnergy_0"[5] 177.158.115.10 #353: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:08-22:53:59 UTM-VM-SECG67 pluto[10714]: packet from 177.184.130.52:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN



    Until disconnection occurs and the process only reconnects after deactivate and activate several times the setting to its Peer.

    The Sophos UTM is operating as ANSWER ONLY and the SonicWall is initiating the connection.

    I don't detect any problem or connectivity links between both clients.
    Log Sonicwall.zip
  • 0
    In the second list of lines from the IPsec log, only the last line is related to this connection.  Please attach a picture of the IPsec Policy used in the UTM.  Are DPD and NAT-T enabled on both sides?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    @BAlfson following files ...

    Just go up another VPN with Sonicwall x Sophos, and other hash encryption algorithms, new equipment, and the same problem of reconnection happens ...
  • 0
    Your Sonicwall is using DH Group 2 on phase 1 while Sophos is using DH Group 5. You may try to use the same setting on both sides.
  • 0
    @siuswat it had already been fixed ... the problem still remains!
  • 0
    The key for me is "no acceptable response to our first encrypted message."  That would mean that the tunnel never should have established in the first place.  That would mean that either the SonicWall or the UTM has a bug, and I'm betting that it's with the SonicWall. [;)]

    Rather than pointing fingers, get a DynDNS account so that you can use a fixed FQDN and change the authentication from PSK to X509 certificates.  This will allow you to change the Remote Gateway to 'Initiate connection' and will, I think, resolve the problem of failing to reconnect.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    We changed the direction of establishing the VPN. Our Sophos now initiates the connection. Other parameters were not changed ... 

    The problem continues ... Sophos would test and confirm if this is really a bug? 

    Note: We will change the authentication for RSA keys. Post the result and logs and then. 



    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21543: starting keying attempt 226 of an unlimited number

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: initiating Main Mode to replace #21543

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21548: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: received Vendor ID payload [RFC 3947]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: ignoring Vendor ID payload [FRAGMENTATION c0000000]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: enabling possible NAT-traversal with method 3

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: ignoring Vendor ID payload [Cisco-Unity]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: received Vendor ID payload [XAUTH]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: ignoring Vendor ID payload [5879f23a527c1950ea902a1d9bdf046d]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: ignoring Vendor ID payload [Cisco VPN 3000 Series]

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: NAT-Traversal: Result using RFC 3947: no NAT detected

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: Informational Exchange message must be encrypted

    2014:04:23-23:46:17 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21546: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:25 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21548: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:25 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21546: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:28 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:29 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21546: next payload type of ISAKMP Hash Payload has an unknown value: 254

    2014:04:23-23:46:29 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21546: malformed payload in packet

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21544: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21544: starting keying attempt 31 of an unlimited number

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: initiating Main Mode to replace #21544

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: received Vendor ID payload [RFC 3947]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: ignoring Vendor ID payload [FRAGMENTATION c0000000]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: enabling possible NAT-traversal with method 3

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: ignoring Vendor ID payload [Cisco-Unity]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: received Vendor ID payload [XAUTH]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: ignoring Vendor ID payload [6f99318a439ee1f1e543353ed54584ef]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: ignoring Vendor ID payload [Cisco VPN 3000 Series]

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: NAT-Traversal: Result using RFC 3947: no NAT detected

    2014:04:23-23:46:32 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: Informational Exchange message must be encrypted

    2014:04:23-23:46:33 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteNatal_0" #21031: ignoring informational payload, type NO_PROPOSAL_CHOSEN

    2014:04:23-23:46:33 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21548: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:36 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:37 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21548: next payload type of ISAKMP Hash Payload has an unknown value: 134

    2014:04:23-23:46:37 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21548: malformed payload in packet

    2014:04:23-23:46:42 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:44 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:47 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: next payload type of ISAKMP Hash Payload has an unknown value: 188

    2014:04:23-23:46:47 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21549: malformed payload in packet

    2014:04:23-23:46:50 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21545: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21545: starting keying attempt 80 of an unlimited number

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: initiating Main Mode to replace #21545

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: received Vendor ID payload [RFC 3947]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: ignoring Vendor ID payload [FRAGMENTATION c0000000]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: enabling possible NAT-traversal with method 3

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: ignoring Vendor ID payload [Cisco-Unity]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: received Vendor ID payload [XAUTH]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: ignoring Vendor ID payload [29be875b04fe7b400fd6926cf858ab34]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: ignoring Vendor ID payload [Cisco VPN 3000 Series]

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: NAT-Traversal: Result using RFC 3947: no NAT detected

    2014:04:23-23:46:51 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: Informational Exchange message must be encrypted

    2014:04:23-23:46:58 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:47:01 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:47:02 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: next payload type of ISAKMP Hash Payload has an unknown value: 182

    2014:04:23-23:47:02 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21550: malformed payload in packet

    2014:04:23-23:47:09 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21551: discarding duplicate packet; already STATE_MAIN_I3

    2014:04:23-23:47:09 UTM-VM-CLIG285-FANCARD pluto[5888]: "S_REF_IpsSitDataCenteLinx_0"[5] 200.213.30.250 #21546: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
  • 0
    The problem also occurs in version 9.2.
Unfiltered HTML