Problem with IPSec Site2Site with Respond Only

We have a new SG310 appliance in our main office. We have 2 external offices connecting via IPSec Site2Site tunnel to our UTM. The external devices are Cisco ASA 5505s.
The offices are using a DSL connection with dynamic IPs. This is the reason why we have configured the UTM at the main office in Respond-Only mode.
The connection will be disconnected every night by the provider, and with every disconnect the router of the office gets a new IP.
And that is the problem: the UTM doesn't recognize the IP change. When the external office reconnects, the UTM seems to think that the tunnel is already connected to the old IP and will not (re)assign the route to the external office network. The logs show the message "route already in use for ".
The only solution is to disable and enable the IPsec connection manually in the web console. But that is very annoying.

Here are the log parts:

2014:11:21-07:46:00 UTM-2 pluto[17388]: packet from 77.176.203.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:11:21-07:46:00 UTM-2 pluto[17388]: packet from 77.176.203.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2014:11:21-07:46:00 UTM-2 pluto[17388]: packet from 77.176.203.99:500: received Vendor ID payload [RFC 3947]
2014:11:21-07:46:00 UTM-2 pluto[17388]: packet from 77.176.203.99:500: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: responding to Main Mode from unknown peer 77.176.203.99
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: ignoring Vendor ID payload [Cisco-Unity]
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: received Vendor ID payload [XAUTH]
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: ignoring Vendor ID payload [741552ed0ebe9a6aae9754ad8d1b74a4]
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: received Vendor ID payload [Dead Peer Detection]
2014:11:21-07:46:00 UTM-2 pluto[17388]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: Peer ID is ID_IPV4_ADDR: '192.168.178.10'
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99 #1310: deleting connection "S_REF_IpsSitVpnKjbw_0"[195] instance with peer 77.176.203.99 {isakmp=#0/ipsec=#0}
2014:11:21-07:46:00 UTM-2 pluto[17388]: | NAT-T: new mapping 77.176.203.99:500/4500)
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1310: sent MR3, ISAKMP SA established
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1310: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1311: responding to Quick Mode
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1311: cannot route -- route already in use for "S_REF_IpsSitVpnKjbw_0"


Does anyone have a solution for this problem?
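As an added example (not part of the original post and not Sophos tooling), here is a small Python parser for the pluto log format shown above that flags each "route already in use" event together with the connection instance pluto logged as deleted just before it, so the condition can be alerted on instead of being discovered by hand. The sample log is constructed from the excerpt above, and the record field names are my own.

```python
import re

# Pluto line layout as seen in the excerpt: timestamp, host, pluto[pid], then an
# optional '"conn"[instance] peer[:port] #state:' prefix, then the message text.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?::\d+)? #(?P<state>\d+): )?'
    r'(?P<msg>.*)$'
)

# Constructed sample, trimmed from the log excerpt in the post above.
SAMPLE_LOG = """\
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[195] 77.176.203.99 #1310: responding to Main Mode from unknown peer 77.176.203.99
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99 #1310: deleting connection "S_REF_IpsSitVpnKjbw_0"[195] instance with peer 77.176.203.99 {isakmp=#0/ipsec=#0}
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1310: sent MR3, ISAKMP SA established
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1311: responding to Quick Mode
2014:11:21-07:46:00 UTM-2 pluto[17388]: "S_REF_IpsSitVpnKjbw_0"[196] 77.176.203.99:4500 #1311: cannot route -- route already in use for "S_REF_IpsSitVpnKjbw_0"
"""

def find_stale_route_events(log_text):
    """Return one record per 'route already in use' event: the connection, the
    new instance and peer that failed to get the route, and the instance id
    pluto reported as deleted for that connection (None if never seen)."""
    replaced = {}   # conn name -> last instance id logged as deleted
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("conn"):
            continue        # lines without a connection prefix carry no state
        conn, msg = m.group("conn"), m.group("msg")
        d = re.search(r'deleting connection "[^"]+"\[(\d+)\] instance', msg)
        if d:
            replaced[conn] = int(d.group(1))
        if msg.startswith("cannot route -- route already in use"):
            events.append({
                "ts": m.group("ts"),
                "conn": conn,
                "new_instance": int(m.group("inst")),
                "peer": m.group("peer"),
                "replaced_instance": replaced.get(conn),
            })
    return events

if __name__ == "__main__":
    for ev in find_stale_route_events(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["conn"]}: instance [{ev["new_instance"]}] from '
              f'{ev["peer"]} could not take the route; deleted instance '
              f'[{ev["replaced_instance"]}] still holds it')
```

Feeding the UTM's IPsec log through this (or a cron job built on it) gives a per-connection signal that the tunnel is up at IKE level but has no route, which is exactly the state the post describes.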