Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 4610 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Site to Site with draytek 5300

mgamal-it
Dear All

i have problem to establish VPN Site to Site connection with draytek 5300 and i will explain my network plane

in my side i have draytek 3300v working as load balance so i have 3 wan connection in draytek 3300 and i connected sophos from draytek lan so my network now is

draytek 192.168.5.2 for lan 

sophos in external 192.168.5.4 and GW 192.168.5.2

and on draytek 3300 i created port forward for port 500 and 4500 to forward  any traffic on wan connection to sophos 192.168.5.4 

if i created vpn between draytek 5300 and 3300 working well

but when i created vpn between sophos and draytek not working 

i got on live log the below


Live Log: IPsec VPN 
Filter: 


2014:04:21-10:55:15 OctoberFW pluto[5717]: "S_Mohandsen" #1: enabling possible NAT-traversal with method 3
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #1: Peer ID is ID_IPV4_ADDR: '41.131.19.218'
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #1: Dead Peer Detection (RFC 3706) enabled
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #1: ISAKMP SA established
2014:04:21-10:55:16 OctoberFW pluto[5717]: "S_Mohandsen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2014:04:21-10:56:26 OctoberFW pluto[5717]: "S_Mohandsen" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-10:56:26 OctoberFW pluto[5717]: "S_Mohandsen" #2: starting keying attempt 2 of an unlimited number
2014:04:21-10:56:26 OctoberFW pluto[5717]: "S_Mohandsen" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
2014:04:21-10:57:36 OctoberFW pluto[5717]: "S_Mohandsen" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-10:57:36 OctoberFW pluto[5717]: "S_Mohandsen" #3: starting keying attempt 3 of an unlimited number
2014:04:21-10:57:36 OctoberFW pluto[5717]: "S_Mohandsen" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #3 {using isakmp#1}
2014:04:21-10:58:46 OctoberFW pluto[5717]: "S_Mohandsen" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-10:58:46 OctoberFW pluto[5717]: "S_Mohandsen" #4: starting keying attempt 4 of an unlimited number
2014:04:21-10:58:46 OctoberFW pluto[5717]: "S_Mohandsen" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4 {using isakmp#1}
2014:04:21-10:59:56 OctoberFW pluto[5717]: "S_Mohandsen" #5: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-10:59:56 OctoberFW pluto[5717]: "S_Mohandsen" #5: starting keying attempt 5 of an unlimited number
2014:04:21-10:59:56 OctoberFW pluto[5717]: "S_Mohandsen" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #5 {using isakmp#1}
2014:04:21-11:01:06 OctoberFW pluto[5717]: "S_Mohandsen" #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:01:06 OctoberFW pluto[5717]: "S_Mohandsen" #6: starting keying attempt 6 of an unlimited number
2014:04:21-11:01:06 OctoberFW pluto[5717]: "S_Mohandsen" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6 {using isakmp#1}
2014:04:21-11:02:16 OctoberFW pluto[5717]: "S_Mohandsen" #7: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:02:16 OctoberFW pluto[5717]: "S_Mohandsen" #7: starting keying attempt 7 of an unlimited number
2014:04:21-11:02:16 OctoberFW pluto[5717]: "S_Mohandsen" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #7 {using isakmp#1}
2014:04:21-11:03:26 OctoberFW pluto[5717]: "S_Mohandsen" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:03:26 OctoberFW pluto[5717]: "S_Mohandsen" #8: starting keying attempt 8 of an unlimited number
2014:04:21-11:03:26 OctoberFW pluto[5717]: "S_Mohandsen" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #8 {using isakmp#1}
2014:04:21-11:04:36 OctoberFW pluto[5717]: "S_Mohandsen" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:04:36 OctoberFW pluto[5717]: "S_Mohandsen" #9: starting keying attempt 9 of an unlimited number
2014:04:21-11:04:36 OctoberFW pluto[5717]: "S_Mohandsen" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #9 {using isakmp#1}
2014:04:21-11:05:46 OctoberFW pluto[5717]: "S_Mohandsen" #10: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:05:46 OctoberFW pluto[5717]: "S_Mohandsen" #10: starting keying attempt 10 of an unlimited number
2014:04:21-11:05:46 OctoberFW pluto[5717]: "S_Mohandsen" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #10 {using isakmp#1}
2014:04:21-11:06:56 OctoberFW pluto[5717]: "S_Mohandsen" #11: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:06:56 OctoberFW pluto[5717]: "S_Mohandsen" #11: starting keying attempt 11 of an unlimited number
2014:04:21-11:06:56 OctoberFW pluto[5717]: "S_Mohandsen" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #11 {using isakmp#1}
2014:04:21-11:08:06 OctoberFW pluto[5717]: "S_Mohandsen" #12: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:08:06 OctoberFW pluto[5717]: "S_Mohandsen" #12: starting keying attempt 12 of an unlimited number
2014:04:21-11:08:06 OctoberFW pluto[5717]: "S_Mohandsen" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #12 {using isakmp#1}
2014:04:21-11:09:17 OctoberFW pluto[5717]: "S_Mohandsen" #13: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:09:17 OctoberFW pluto[5717]: "S_Mohandsen" #13: starting keying attempt 13 of an unlimited number
2014:04:21-11:09:17 OctoberFW pluto[5717]: "S_Mohandsen" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #13 {using isakmp#1}
2014:04:21-11:10:27 OctoberFW pluto[5717]: "S_Mohandsen" #14: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:10:27 OctoberFW pluto[5717]: "S_Mohandsen" #14: starting keying attempt 14 of an unlimited number
2014:04:21-11:10:27 OctoberFW pluto[5717]: "S_Mohandsen" #15: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #14 {using isakmp#1}
2014:04:21-11:11:37 OctoberFW pluto[5717]: "S_Mohandsen" #15: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:11:37 OctoberFW pluto[5717]: "S_Mohandsen" #15: starting keying attempt 15 of an unlimited number
2014:04:21-11:11:37 OctoberFW pluto[5717]: "S_Mohandsen" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #15 {using isakmp#1}
2014:04:21-11:12:47 OctoberFW pluto[5717]: "S_Mohandsen" #16: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:12:47 OctoberFW pluto[5717]: "S_Mohandsen" #16: starting keying attempt 16 of an unlimited number
2014:04:21-11:12:47 OctoberFW pluto[5717]: "S_Mohandsen" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #16 {using isakmp#1}
2014:04:21-11:13:57 OctoberFW pluto[5717]: "S_Mohandsen" #17: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2014:04:21-11:13:57 OctoberFW pluto[5717]: "S_Mohandsen" #17: starting keying attempt 17 of an unlimited number
2014:04:21-11:13:57 OctoberFW pluto[5717]: "S_Mohandsen" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #17 {using isakmp#1}


This thread was automatically locked due to age.
Parents
  • 0
    Hi, and welcome to the User BB!

    No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

    Part of the reason IPsec tunnels can be very secure is that IPsec can be configured to check that the IP the packet is sent by corresponds to the one expected.  That's why it's tricky to configure IPsec behind NAT.

    Is the Draytek 5300 also behind a NATting router on the other side, or does it have a public IP on the interface for the VPN?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Hi, and welcome to the User BB!

    No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

    Part of the reason IPsec tunnels can be very secure is that IPsec can be configured to check that the IP the packet is sent by corresponds to the one expected.  That's why it's tricky to configure IPsec behind NAT.

    Is the Draytek 5300 also behind a NATting router on the other side, or does it have a public IP on the interface for the VPN?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML