Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 3793 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

S-2-S VPN to Checkpoint

maru
Hi,

I'm trying to create a vpn between a Sophos UMT 9 AWS Instance and a Checkpoint R77.20 Firewall Cluster.

This is what I got on Sophos side:

2014:11:10-16:00:46 utm9 pluto[6450]: "S_xyz" #8: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd5004ab8 (perhaps this is a duplicated packet)
2014:11:10-16:00:46 utm9 pluto[6450]: "S_xyz" #8: sending encrypted notification INVALID_MESSAGE_ID to :500  


How can I understand this error ?


This thread was automatically locked due to age.
  • 0
    Hi, maru, and welcome to the User BB!

    We would need to see the lines before those to understand what might be the problem.  With no Debug enabled, please disable the IPsec Connection, start the IPsec Live Log and enable the IPsec Connection.  Please show us the lines from one connection attempt - probably about 60 lines or fewer.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Hi BAlfson,

    here it is. At 08:34:21 I send a Ping from 192.168.43.30 to the other side.

    2014:11:11-08:34:12 utm9 ipsec_starter[18077]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2014:11:11-08:34:12 utm9 pluto[18090]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2014:11:11-08:34:12 utm9 ipsec_starter[18084]: pluto (18090) started after 20 ms
    2014:11:11-08:34:12 utm9 pluto[18090]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2014:11:11-08:34:12 utm9 pluto[18090]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2014:11:11-08:34:12 utm9 pluto[18090]: Using Linux 2.6 IPsec interface code
    2014:11:11-08:34:13 utm9 pluto[18090]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2014:11:11-08:34:13 utm9 pluto[18090]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2014:11:11-08:34:13 utm9 pluto[18090]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2014:11:11-08:34:13 utm9 pluto[18090]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2014:11:11-08:34:13 utm9 pluto[18090]: Changing to directory '/etc/ipsec.d/crls'
    2014:11:11-08:34:13 utm9 pluto[18090]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2014:11:11-08:34:13 utm9 pluto[18090]: listening for IKE messages
    2014:11:11-08:34:13 utm9 pluto[18090]: adding interface eth0/eth0 172.31.43.123:500
    2014:11:11-08:34:13 utm9 pluto[18090]: adding interface lo/lo 127.0.0.1:500
    2014:11:11-08:34:13 utm9 pluto[18090]: adding interface lo/lo ::1:500
    2014:11:11-08:34:13 utm9 pluto[18090]: loading secrets from "/etc/ipsec.secrets"
    2014:11:11-08:34:13 utm9 pluto[18090]: loaded PSK secret for 172.31.43.123 
    2014:11:11-08:34:13 utm9 pluto[18090]: added connection description "S_xyz"
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #1: initiating Main Mode
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #1: ignoring Vendor ID payload [FRAGMENTATION]
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #1: Peer ID is ID_IPV4_ADDR: ''
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #1: ISAKMP SA established
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    2014:11:11-08:34:13 utm9 pluto[18090]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="xyz" address="172.31.43.123" local_net="172.31.0.0/16" remote_net="192.168.43.0/24"
    2014:11:11-08:34:13 utm9 pluto[18090]: "S_xyz" #2: sent QI2, IPsec SA established {ESP=>0x7cff9f6c []===192.168.43.30/32
    2014:11:11-08:34:21 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_ID_INFORMATION to :500
    2014:11:11-08:34:23 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:23 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:25 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:25 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:27 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:27 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:29 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:29 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:31 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:31 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:33 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:33 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:37 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:37 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:41 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:41 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500
    2014:11:11-08:34:45 utm9 pluto[18090]: "S_xyz" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6d81e511 (perhaps this is a duplicated packet)
    2014:11:11-08:34:45 utm9 pluto[18090]: "S_xyz" #1: sending encrypted notification INVALID_MESSAGE_ID to :500 
  • 0 in reply to maru
    Ok now I'm at the point that I can ping the internal interface of the utm.
    But only if I set my host IP as the remote network...
    I can see that the checkpoint sends the whole net to the utm.
    If I set both, host ip and host net and try to ping from a different host in the subnet I got the INVALID_MESSAGE_ID error.

    Any clue?
Unfiltered HTML