Site to Site IPsec Problem

Hey all,

I've set up a few Site-to-Site VPNs using Astaro and Sophos products in my time and it's always been a slam-dunk experience.

Until now.  I'm having a problem connecting an SG210 to a UTM110 via IPsec and it's really getting to my head!  Hopefully another set of eyes on this issue will reveal some stupid fat-finger mistake or something.

I don't have time to go screenshot everything in the config right now but here are the logs off the SG210 at the head-office:
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[228] :4500 #378: max number of retransmissions (2) reached STATE_MAIN_R2

2014:07:08-11:49:23  pluto[6069]: "L_for admin"[228] :4500: deleting connection "L_for admin"[228] instance with peer  {isakmp=#0/ipsec=#0}
2014:07:08-11:49:23  pluto[6069]: packet from :4500: received Vendor ID payload [strongSwan]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: ignoring Vendor ID payload [Cisco-Unity]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: received Vendor ID payload [XAUTH]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: received Vendor ID payload [Dead Peer Detection]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: received Vendor ID payload [RFC 3947]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:07:08-11:49:23  pluto[6069]: packet from :4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[229] :4500 #379: responding to Main Mode from unknown peer :4500
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[229] :4500 #379: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[229] :4500 #379: next payload type of ISAKMP Identification Payload has an unknown value: 28
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[229] :4500 #379: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:07:08-11:49:23  pluto[6069]: "L_for admin"[229] :4500 #379: sending encrypted notification PAYLOAD_MALFORMED to :4500
2014:07:08-11:49:33  pluto[6069]: "L_for admin"[229] :4500 #379: next payload type of ISAKMP Identification Payload has an unknown value: 28
2014:07:08-11:49:33  pluto[6069]: "L_for admin"[229] :4500 #379: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:07:08-11:49:33  pluto[6069]: "L_for admin"[229] :4500 #379: sending encrypted notification PAYLOAD_MALFORMED to :4500


I'll post the log from the remote unit in the next post.

Before anyone suggests it: YES!  I've made sure the secrets match.  (replaced the 30+ character randomly generated key with something much simpler)


  • Here's the IPsec live log from the remote UTM110:

    2014:07:08-12:03:38 UTM110 openl2tpd[7390]: Exiting
    2014:07:08-12:03:38 UTM110 openl2tpd[7390]: Cleaning up before exiting
    2014:07:08-12:03:38 UTM110 openl2tpd[7390]: Unloading plugin /usr/lib/openl2tp/ppp_unix.so
    2014:07:08-12:03:39 UTM110 pluto[5526]: listening for IKE messages
    2014:07:08-12:03:39 UTM110 pluto[5526]: shutting down interface eth1/eth1 
    2014:07:08-12:03:39 UTM110 pluto[5526]: shutting down interface eth1/eth1 
    2014:07:08-12:03:39 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:39 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:39 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:39 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2014:07:08-12:03:39 UTM110 pluto[5526]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2014:07:08-12:03:39 UTM110 pluto[5526]: Changing to directory '/etc/ipsec.d/crls'
    2014:07:08-12:03:39 UTM110 ipsec_starter[5518]: could not read interface data, ignoring route
    2014:07:08-12:03:39 UTM110 ipsec_starter[5518]: no default route - cannot cope with %defaultroute!!!
    2014:07:08-12:03:39 UTM110 pluto[5526]: "L_for admin": deleting connection
    2014:07:08-12:03:39 UTM110 pluto[5526]: "L_for admin": deleting connection
    2014:07:08-12:03:39 UTM110 pluto[5526]: listening for IKE messages
    2014:07:08-12:03:39 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:39 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:39 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:46 UTM110 openl2tpd[8414]: Start, trace_flags=00000000
    2014:07:08-12:03:46 UTM110 openl2tpd[8414]: OpenL2TP V1.8, (c) Copyright 2004-2010 Katalix Systems Ltd.
    2014:07:08-12:03:46 UTM110 openl2tpd[8414]: Loading plugin /usr/lib/openl2tp/ppp_unix.so, version V1.5
    2014:07:08-12:03:46 UTM110 openl2tpd[8414]: Using config file: /etc/openl2tpd.conf
    2014:07:08-12:03:46 UTM110 pluto[5526]: listening for IKE messages
    2014:07:08-12:03:46 UTM110 pluto[5526]: adding interface eth1/eth1 :500
    2014:07:08-12:03:46 UTM110 pluto[5526]: adding interface eth1/eth1 :4500
    2014:07:08-12:03:46 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:46 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:46 UTM110 pluto[5526]: loaded PSK secret for  %any
    2014:07:08-12:03:46 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:46 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:46 UTM110 pluto[5526]: loaded PSK secret for  %any
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2014:07:08-12:03:46 UTM110 pluto[5526]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2014:07:08-12:03:46 UTM110 pluto[5526]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2014:07:08-12:03:46 UTM110 pluto[5526]: Changing to directory '/etc/ipsec.d/crls'
    2014:07:08-12:03:47 UTM110 pluto[5526]: listening for IKE messages
    2014:07:08-12:03:47 UTM110 pluto[5526]: forgetting secrets
    2014:07:08-12:03:47 UTM110 pluto[5526]: loading secrets from "/etc/ipsec.secrets"
    2014:07:08-12:03:47 UTM110 pluto[5526]: loaded PSK secret for  
    2014:07:08-12:03:47 UTM110 pluto[5526]: loaded PSK secret for  %any
    2014:07:08-12:03:47 UTM110 pluto[5526]: added connection description "L_for admin"
    2014:07:08-12:03:47 UTM110 pluto[5526]: added connection description "L_for admin"
    2014:07:08-12:03:58 UTM110 pluto[5526]: "S_" #19: next payload type of ISAKMP Hash Payload has an unknown value: 176
    2014:07:08-12:03:58 UTM110 pluto[5526]: "S_" #19: malformed payload in packet
    2014:07:08-12:03:58 UTM110 pluto[5526]: "S_" #19: discarding duplicate packet; already STATE_MAIN_I3
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #19: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #19: starting keying attempt 20 of an unlimited number
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: initiating Main Mode to replace #19
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: received Vendor ID payload [strongSwan]
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: ignoring Vendor ID payload [Cisco-Unity]
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: received Vendor ID payload [XAUTH]
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: received Vendor ID payload [Dead Peer Detection]
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: received Vendor ID payload [RFC 3947]
    2014:07:08-12:04:38 UTM110 pluto[5526]: "S_" #20: enabling possible NAT-traversal with method 3
    2014:07:08-12:04:39 UTM110 pluto[5526]: "S_" #20: NAT-Traversal: Result using RFC 3947: i am NATed
    2014:07:08-12:04:39 UTM110 pluto[5526]: "S_" #20: next payload type of ISAKMP Hash Payload has an unknown value: 255
    2014:07:08-12:04:39 UTM110 pluto[5526]: "S_" #20: malformed payload in packet
    2014:07:08-12:04:48 UTM110 pluto[5526]: "S_" #20: discarding duplicate packet; already STATE_MAIN_I3
    2014:07:08-12:04:49 UTM110 pluto[5526]: "S_" #20: next payload type of ISAKMP Hash Payload has an unknown value: 136
    2014:07:08-12:04:49 UTM110 pluto[5526]: "S_" #20: malformed payload in packet


    I'll post the config screenshots later this afternoon.
  • Yeah, IPsec is a PITA...

    Just to be sure:
    Do you maybe have multiple VPNs with different PSKs?
  • Yeah, IPsec is a PITA...

    Just to be sure:
    Do you maybe have multiple VPNs with different PSKs?


    No, this is the first of many that I am building right now.
  • Hmmm... Even if you only have one, try to set "Enable probing of preshared keys" on both firewalls (IPsec >> Advanced). That looks like a PSK issue.
  • Okay, thanks Whity, I did that and I also addressed the following:

    - Fixed the hostnames on the devices to FQDN, publicly resolvable DNS names
    - Changed the "Local interface" in the Connections Tab to the WAN interface

    Now the connection says "established" on the remote side but it's not established on the head-office side.  Odd.
  • I think that possibly, another issue was that I was attempting to use the eth3 (normally high-availability) port on the SG210 as the local interface for the VPN...  As soon as I moved it to eth0 everything came to life.  Both sides say connected now.

    I appreciate your help Whity.