This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Connection only for some Target Addresses

Hi,

I've kind of a special requirement:
I've an Internet connection with a govermental firewall and so I have a VPN Connection, to allow access to some needed blocked websites.
But the traffic through the VPN is slower so I want to route the traffic depending on a configurable list of IPs/Hostnames.
But now after establishing the SSL-VPN with Sophos all the traffic is routet through this VPN. I couldn't find a configuration menu to change this. Is there a way directly with Sophos to handle this or how can you run this setup with sophos?

thanks,
linuxadmin

This thread was automatically locked due to age.

0 linuxadmin_01 over 10 years ago

I forgot: it shouldn't be a Site-Site VPN, only a Client (Sophos UTM) to Server VPN. The Server should not have any access to the Sophos and the network behind the Sophos.

Thanks,
linuxadmin
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 10 years ago

Hi, linuxadmin, and welcome to the User BB!

The trick to achieve what you want is the use of a phantom subnet in 'Local networks' in the IPsec Connection.  'Strict routing' must not be selected.

That is, if your LAN is 172.16.1.0/24, the phantom subnet might be "Phantom Subnet"=10.10.10.0/24 or some other subnet that doesn't exist in your environment.  Of course the VPN endpoint for the government would need to be configured for your phantom subnet instead of your LAN's subnet.  The resulting tunnel is:
10.10.10.0/24={your public IP}{their public IP}=0.0.0.0/0

The next step is to SNAT the desired traffic into the tunnel.  I think that, instead of a simple SNAT, you can use a 1-to-1 Source NAT to be able to identify the local IP in your LAN:
1-to-1 NAT : Internal (Network) -> Any -> {select IPs} : Map Source to Phantom Subnet

Please let us know if that does what you want.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 linuxadmin_01 over 10 years ago in reply to BAlfson

thank you for your help! I'll try that tomorrow. Hope it works [:)]

thanks,
linuxadmin
Cancel
Vote Up 0 Vote Down

Cancel
0 linuxadmin_01 over 10 years ago

oh, one more question:
I'm using the SSL (Openssl) VPN, not the IPsec VPN, the SSL does not have that option, so is it only possible with the IPsec VPNs?
My VPN Service Provider only supports OpenVPN and PPTP/L2TP. So I would like to choose the OpenVPN, because PPTP is not very secure.

thanks,
linuxadmin
Cancel
Vote Up 0 Vote Down

Cancel
0 linuxadmin_01 over 10 years ago in reply to linuxadmin_01

After some trying, I also think this could work.
But I still have problems to establish a L2TP/IPsec connection.
It is working emediatly with Standard Settings from my macbook (only username/Password + preshared key) but I cannot get it working from the sophos utm.
It's the VPN service Buy Vpn Accounts at Saturnvpn

Sorry for bothering you with this, I attached the logfiles in the next threads. I have no idea...:
Cancel
Vote Up 0 Vote Down

Cancel

0 linuxadmin_01 over 10 years ago

Connection Log from Mac (working, Client IP 172.21.6.106)


Sun Aug 17 10:27:22 2014 : publish_entry SCDSet() failed: Success!
Sun Aug 17 10:27:22 2014 : publish_entry SCDSet() failed: Success!
Sun Aug 17 10:27:22 2014 : L2TP connecting to server 'ca1.saturnvpn.com' (199.168.100.253)...
Sun Aug 17 10:27:22 2014 : IPSec connection started
Sun Aug 17 10:27:22 2014 : IPSec phase 1 client started
Sun Aug 17 10:27:23 2014 : IPSec phase 1 server replied
Sun Aug 17 10:27:23 2014 : IPSec phase 2 started
Sun Aug 17 10:27:24 2014 : IPSec phase 2 established
Sun Aug 17 10:27:24 2014 : IPSec connection established
Sun Aug 17 10:27:24 2014 : L2TP sent SCCRQ
Sun Aug 17 10:27:24 2014 : L2TP received SCCRP
Sun Aug 17 10:27:24 2014 : L2TP sent SCCCN
Sun Aug 17 10:27:24 2014 : L2TP sent ICRQ
Sun Aug 17 10:27:24 2014 : L2TP received ICRP
Sun Aug 17 10:27:24 2014 : L2TP sent ICCN
Sun Aug 17 10:27:24 2014 : L2TP connection established.
Sun Aug 17 10:27:24 2014 : L2TP set port-mapping for en0, interface: 4, protocol: 0, privatePort: 0
Sun Aug 17 10:27:24 2014 : using link 0
Sun Aug 17 10:27:24 2014 : Using interface ppp0
Sun Aug 17 10:27:24 2014 : Connect: ppp0  socket[34:18]
Sun Aug 17 10:27:24 2014 : sent [LCP ConfReq id=0x1    ]
Sun Aug 17 10:27:24 2014 : rcvd [LCP ConfReq id=0x0         ]
Sun Aug 17 10:27:24 2014 : lcp_reqci: rcvd unknown option 13
Sun Aug 17 10:27:24 2014 : lcp_reqci: rcvd unknown option 23
Sun Aug 17 10:27:24 2014 : lcp_reqci: returning CONFREJ.
Sun Aug 17 10:27:24 2014 : sent [LCP ConfRej id=0x0   ]
Sun Aug 17 10:27:24 2014 : rcvd [LCP ConfAck id=0x1    ]
Sun Aug 17 10:27:24 2014 : rcvd [LCP ConfReq id=0x1      ]
Sun Aug 17 10:27:24 2014 : lcp_reqci: returning CONFACK.
Sun Aug 17 10:27:24 2014 : sent [LCP ConfAck id=0x1      ]
Sun Aug 17 10:27:24 2014 : sent [LCP EchoReq id=0x0 magic=0xc591b74]
Sun Aug 17 10:27:25 2014 : rcvd [CHAP Challenge id=0x0 , name = "VPS-P123"]
Sun Aug 17 10:27:25 2014 : sent [CHAP Response id=0x0 , name = "12m623944"]
Sun Aug 17 10:27:25 2014 : rcvd [LCP EchoRep id=0x0 magic=0x1ed225e4]
Sun Aug 17 10:27:25 2014 : rcvd [CHAP Success id=0x0 "\nAuthentication Successful.\n"]
Sun Aug 17 10:27:25 2014 : CHAP authentication succeeded: ^JAuthentication Successful.^J
Sun Aug 17 10:27:25 2014 : sent [IPCP ConfReq id=0x1   ]
Sun Aug 17 10:27:25 2014 : sent [IPV6CP ConfReq id=0x1 ]
Sun Aug 17 10:27:25 2014 : rcvd [CCP ConfReq id=0x3 ]
Sun Aug 17 10:27:25 2014 : Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Sun Aug 17 10:27:25 2014 : sent [LCP ProtRej id=0x2 80 fd 01 03 00 0a 12 06 01 00 00 01]
Sun Aug 17 10:27:25 2014 : rcvd [IPCP ConfReq id=0x4 ]
Sun Aug 17 10:27:25 2014 : ipcp: returning Configure-ACK
Sun Aug 17 10:27:25 2014 : sent [IPCP ConfAck id=0x4 ]
Sun Aug 17 10:27:25 2014 : rcvd [IPCP ConfNak id=0x1   ]
Sun Aug 17 10:27:25 2014 : sent [IPCP ConfReq id=0x2   ]
Sun Aug 17 10:27:25 2014 : rcvd [LCP ProtRej id=0x5 80 57 01 01 00 0e 01 0a ba e8 56 ff fe 49 ef d0]
Sun Aug 17 10:27:25 2014 : rcvd [IPCP ConfAck id=0x2   ]
Sun Aug 17 10:27:25 2014 : ipcp: up
Sun Aug 17 10:27:25 2014 : local  IP address 192.168.1.6
Sun Aug 17 10:27:25 2014 : remote IP address 192.168.1.1
Sun Aug 17 10:27:25 2014 : primary   DNS address 208.67.222.222
Sun Aug 17 10:27:25 2014 : secondary DNS address 4.2.2.2
Sun Aug 17 10:27:25 2014 : Received protocol dictionaries
Sun Aug 17 10:27:25 2014 : Committed PPP store
Sun Aug 17 10:27:25 2014 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 172.21.6.106), current interface setting (name: ppp0, family: PPP, address: 192.168.1.6, subnet: 255.255.255.0, destination: 192.168.1.1).
Sun Aug 17 10:27:29 2014 : L2TP port-mapping update for en0 ignored: VPN is the Primary interface. Public Address: 0, Protocol: None, Private Port: 0, Public Port: 0
Sun Aug 17 10:27:29 2014 : L2TP clearing port-mapping for en0

0 linuxadmin_01 over 10 years ago

Connection Log From Sophos UTM (not working, Sophos Client IP 192.168.2.1):


2014:08:17-10:34:25 firewall pluto[16031]: |
2014:08:17-10:34:25 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:25 firewall pluto[16031]: "X_Saturn VPN L2TP/IPSec": deleting connection
2014:08:17-10:34:25 firewall pluto[16031]: | delete eroute 192.168.10.0/24:0 -> 192.168.0.0/24:0 => int.0@192.168.2.1:0
2014:08:17-10:34:25 firewall pluto[16031]: | eroute_connection delete eroute 192.168.0.0/24:0 -> 192.168.10.0/24:0 => int.0@0.0.0.0:0
2014:08:17-10:34:25 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL
2014:08:17-10:34:25 firewall pluto[16031]: | executing unroute-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='unroute-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16617' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.10.0/24' PLUTO_PEER_CLIENT_NET='192.168.10.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:25 firewall pluto[16031]: | certs and keys locked by 'delete_connection'
2014:08:17-10:34:25 firewall pluto[16031]: | certs and keys unlocked by 'delete_connection'
2014:08:17-10:34:25 firewall pluto[16031]: | next event EVENT_REINIT_SECRET in 2587 seconds
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16633' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.10.0/24' PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.10.0/24' PLUTO_PEER_CLIENT_NET='192.168.10.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.3.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.10.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.10.0/24:0 -> 192.168.3.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.3.0/24:0 -> 192.168.10.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16637' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.10.0/24' PLUTO_PEER_CLIENT_NET='192.168.10.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16637' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.10.0/24' PLUTO_PEER_CLIENT_NET='192.168.10.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.2.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.3.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.3.0/24:0 -> 192.168.2.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.2.0/24:0 -> 192.168.3.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16641' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16641' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.0.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.3.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.3.0/24:0 -> 192.168.0.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.0.0/24:0 -> 192.168.3.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16645' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16645' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.10.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.3.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.3.0/24:0 -> 192.168.10.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.10.0/24:0 -> 192.168.3.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16649' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.10.0/24' PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16649' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.10.0/24' PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.3.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.3.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.3.0/24:0 -> 192.168.3.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.3.0/24:0 -> 192.168.3.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16653' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16653' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.3.0/24' PLUTO_PEER_CLIENT_NET='192.168.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.3.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.1.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.1.0/24:0 -> 192.168.3.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.3.0/24:0 -> 192.168.1.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16657' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.1.0/24' PLUTO_PEER_CLIENT_NET='192.168.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16657' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.1.0/24' PLUTO_PEER_CLIENT_NET='192.168.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.10.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.2.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.2.0/24:0 -> 192.168.10.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.10.0/24:0 -> 192.168.2.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16661' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.10.0/24' PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16661' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.10.0/24' PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.3.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.2.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.2.0/24:0 -> 192.168.3.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.3.0/24:0 -> 192.168.2.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16665' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16665' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.3.0/24' PLUTO_MY_CLIENT_NET='192.168.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received 68 bytes from 199.168.100.253:500 on eth2
2014:08:17-10:34:33 firewall pluto[16031]: | **parse ISAKMP Message:
2014:08:17-10:34:33 firewall pluto[16031]: | initiator cookie:
2014:08:17-10:34:33 firewall pluto[16031]: | ae bd 9f 94 e1 48 8d c8
2014:08:17-10:34:33 firewall pluto[16031]: | responder cookie:
2014:08:17-10:34:33 firewall pluto[16031]: | c4 eb a3 2a 65 71 a9 00
2014:08:17-10:34:33 firewall pluto[16031]: | next payload type: ISAKMP_NEXT_N
2014:08:17-10:34:33 firewall pluto[16031]: | ISAKMP version: ISAKMP Version 1.0
2014:08:17-10:34:33 firewall pluto[16031]: | exchange type: ISAKMP_XCHG_INFO
2014:08:17-10:34:33 firewall pluto[16031]: | flags: none
2014:08:17-10:34:33 firewall pluto[16031]: | message ID: 6f b5 a9 d5
2014:08:17-10:34:33 firewall pluto[16031]: | length: 68
2014:08:17-10:34:33 firewall pluto[16031]: | ICOOKIE: ae bd 9f 94 e1 48 8d c8
2014:08:17-10:34:33 firewall pluto[16031]: | RCOOKIE: c4 eb a3 2a 65 71 a9 00
2014:08:17-10:34:33 firewall pluto[16031]: | peer: c7 a8 64 fd
2014:08:17-10:34:33 firewall pluto[16031]: | state hash entry 27
2014:08:17-10:34:33 firewall pluto[16031]: | state object not found
2014:08:17-10:34:33 firewall pluto[16031]: | ***parse ISAKMP Notification Payload:
2014:08:17-10:34:33 firewall pluto[16031]: | next payload type: ISAKMP_NEXT_NONE
2014:08:17-10:34:33 firewall pluto[16031]: | length: 40
2014:08:17-10:34:33 firewall pluto[16031]: | DOI: ISAKMP_DOI_IPSEC
2014:08:17-10:34:33 firewall pluto[16031]: | protocol ID: 1
2014:08:17-10:34:33 firewall pluto[16031]: | SPI size: 16
2014:08:17-10:34:33 firewall pluto[16031]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2014:08:17-10:34:33 firewall pluto[16031]: packet from 199.168.100.253:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2014:08:17-10:34:33 firewall pluto[16031]: | info: ae bd 9f 94 e1 48 8d c8 c4 eb a3 2a 65 71 a9 00
2014:08:17-10:34:33 firewall pluto[16031]: | 0d 00 34 00 01 00 00 00 01 00 00 00
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --esp=aes128-sha1,3des-sha1
2014:08:17-10:34:33 firewall pluto[16031]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
2014:08:17-10:34:33 firewall pluto[16031]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
2014:08:17-10:34:33 firewall pluto[16031]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
2014:08:17-10:34:33 firewall pluto[16031]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:34:33 firewall pluto[16031]: | 192.168.2.0/24===192.168.2.1[192.168.2.1]...255.255.255.255[255.255.255.255]===192.168.0.0/24
2014:08:17-10:34:33 firewall pluto[16031]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PFS+PASS+NEVER_NEGOTIATE
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7
2014:08:17-10:34:33 firewall pluto[16031]: |
2014:08:17-10:34:33 firewall pluto[16031]: | *received whack message
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route owner of "X_Saturn VPN L2TP/IPSec" unrouted: NULL; eroute owner: NULL
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute with c: X_Saturn VPN L2TP/IPSec (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
2014:08:17-10:34:33 firewall pluto[16031]: | add eroute 192.168.0.0/24:0 -> 192.168.2.0/24:0 => int.100@192.168.2.1:0
2014:08:17-10:34:33 firewall pluto[16031]: | eroute_connection add eroute 192.168.2.0/24:0 -> 192.168.0.0/24:0 => %pass:0
2014:08:17-10:34:33 firewall pluto[16031]: | route_and_eroute: firewall_notified: true
2014:08:17-10:34:33 firewall pluto[16031]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16669' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.0.0/24' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='X_Saturn VPN L2TP/IPSec' PLUTO_NEXT_HOP='255.255.255.255' PLUTO_INTERFACE='eth2' PLUTO_REQID='16669' PLUTO_ME='192.168.2.1' PLUTO_MY_ID='192.168.2.1' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='255.255.255.255' PLUTO_PEER_ID='255.255.255.255' PLUTO_PEER_CLIENT='192.168.0.0/24' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' /bin/sh -c true
2014:08:17-10:34:33 firewall pluto[16031]: | next event EVENT_RETRANSMIT in 10 seconds for #7

0 linuxadmin_01 over 10 years ago

From Sophos:


2014:08:17-10:49:03 firewall pluto[19708]: listening for IKE messages
2014:08:17-10:49:03 firewall pluto[19708]: forgetting secrets
2014:08:17-10:49:03 firewall pluto[19708]: loading secrets from "/etc/ipsec.secrets"
2014:08:17-10:49:03 firewall pluto[19708]: loaded XAUTH secret for USERNAME 199.168.100.253
2014:08:17-10:49:03 firewall pluto[19708]: loaded PSK secret for 192.168.2.1 199.168.100.253
2014:08:17-10:49:03 firewall pluto[19708]: loaded PSK secret for 192.168.2.1 %any
2014:08:17-10:49:03 firewall pluto[19708]: forgetting secrets
2014:08:17-10:49:03 firewall pluto[19708]: loading secrets from "/etc/ipsec.secrets"
2014:08:17-10:49:03 firewall pluto[19708]: loaded XAUTH secret for 12m623944 199.168.100.253
2014:08:17-10:49:03 firewall pluto[19708]: loaded PSK secret for 192.168.2.1 199.168.100.253
2014:08:17-10:49:03 firewall pluto[19708]: loaded PSK secret for 192.168.2.1 %any
2014:08:17-10:49:03 firewall pluto[19708]: loading ca certificates from '/etc/ipsec.d/cacerts'
2014:08:17-10:49:03 firewall pluto[19708]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2014:08:17-10:49:03 firewall pluto[19708]: loading aa certificates from '/etc/ipsec.d/aacerts'
2014:08:17-10:49:03 firewall pluto[19708]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2014:08:17-10:49:03 firewall pluto[19708]: loading attribute certificates from '/etc/ipsec.d/acerts'
2014:08:17-10:49:03 firewall pluto[19708]: Changing to directory '/etc/ipsec.d/crls'
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "S_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: "S_Saturn VPN L2TP/IPSec" #2: initiating Main Mode
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"
2014:08:17-10:49:03 firewall pluto[19708]: packet from 199.168.100.253:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2014:08:17-10:49:03 firewall pluto[19708]: added connection description "X_Saturn VPN L2TP/IPSec"

0 linuxadmin_01 over 10 years ago

Hello,

so I tried several hours to get a IPsec VPN running on the Sophos without success. I still would prefer the Openvpn, so I continued with that.
One problem are the automatic routes that are created with connection to the IPsec VPN Server. I deleted them manually. Is there a GUI way or do I have to write a script for that?

Now I have the internet interfaces:
eth2      Link encap:Ethernet  HWaddr 00:0C:29:98:2A:CF
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          GW: 192.168.2.4
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
         GW: 10.8.0.1

By adding routes I could choose if eth2 / tun0 is used. But I guess that is not the best solution.
So I tried to add the NAT:
Traffic selector: 192.168.2.0/24 → Any → heise online - IT-News, Nachrichten und Hintergründe
Source translation: 10.8.0.0/24

But it's still routet through eth2, not tun0. In the Firewall Logfile I can see that my NAT rule is logged for each time I access heise online - IT-News, Nachrichten und Hintergründe

So I still don't understand how I can manipulate / define which route is taken if there are two standard routes and not a separate route for each dns host/host.
All the routing stuff you find in the internet and I learned during my apprenticeship only covers the basic routes, nat but not this kind of things...

So what am I doing wrong?

thanks so much for your help,
linuxadmin
Cancel
Vote Up 0 Vote Down

Cancel
0 linuxadmin_01 over 10 years ago
so I tried a little bit more and now I think I'm a little bit closer...
played around with "ip route, ip rule..."

"the best" I could get is:
setting up an ip route table net_vpn1:
ip route add default dev tun0 table net_vpn1

jump to the table, if data-package is marked
ip rule add fwmark 0x1 table net_vpn1

mark data-packages with iptable:

iptables -A OUTPUT -t mangle -d www.heise.de -j MARK --set-mark 1
iptables -t nat -A PREROUTING -t mangle -d www.heise.de -j MARK --set-mark 1

but I cannot do this from the GUI and there is still the problem with Openvpn cutting all network traffic other than through the tunnel that I have to manually correct.

Any other ideas?

thanks,
linuxadmin
Cancel
Vote Up 0 Vote Down

Cancel