Hello everybody,
I am experiencing a really strange problem with one of our remote sites.
Let's start at the beginning: At our headquarters, we had - until recently - two internet connections, one regular ADSL line for local internet access, and one 2 MBit SDSL line for email and VPN (both remote access for our employees and site-to-site VPN for our remote sites).
Recently, we got ourselves a shiny new 5 MBit "Business Connect" line (which apparently is just a fancy name for "SDSL"). We migrated our remote access VPN over to the new line without major problems, we migrated our email to the new line (with some weird problems, but I was able to solve them), and we migrated the VPN connections to our remote sites to the new line, no problems (or so I thought in my youthful naive optimism).
Today, I tried to turn off the old SDSL line, to see if things had really worked as planned. Turns out they mostly had, except for one remote site. That site has an ancient Draytek Vigor 2900 router (must be about ten years old) which connects to our UTM via an IPsec tunnel.
What really confuses me is that we have already changed the configuration in the Draytek router to use our new IP address as the endpoint for the IPsec tunnel. But the very moment I turned off our old SDSL line, the IPsec tunnel stopped working.
I waited for a while, with no effect, of course. I rebooted the Draytek router, which did not help either. I repeatedly told the Draytek router to re-try to set up the IPsec tunnel, without success. Then I brought up the old SDSL line again, and within seconds, the IPsec tunnel came back up.
I thought that maybe I had made a mistake configuring the Draytek to use our new public IP address for the IPsec tunnel. But as far as I could find out, I had not.
The Draytek was indeed talking to our new public IP, that part had apparently worked.
But as soon as I took the old SDSL line offline, the IPsec tunnel broke down.
When the old SDSL line is down, the Draytek does indeed continue talking to our UTM, on the public IP of our new SDSL line, but something goes wrong.
The ipsec log shows repeated error messages, like this:
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: next payload type of ISAKMP Identification Payload has an unknown value: 229
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: sending encrypted notification PAYLOAD_MALFORMED to a.b.c.d:500
(a.b.c.d is the Draytek router's public IP address.)
I am confused by the log remark about the "mismatch of preshared keys". We did not change the PSK, the tunnel has literally worked for years, and it continues to work the moment I bring the old SDSL line back up.
Has anybody experienced this kind of problem before? Have I missed something when configuring the Draytek to use the new IP address? What is going on here?
Thank you very much for any insights you might be able to share with me!
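Added example, not part of the original post: a small parser for pluto log lines of the shape quoted above, grouping them per ISAKMP SA and flagging the failure pattern the log itself hints at. In IKEv1 main mode the Identification payload (messages 5/6) is the first payload sent under the key derived from the pre-shared secret, so when the two ends do not derive the same key, the receiver's first symptom is exactly this "next payload type ... has an unknown value" followed by "malformed payload". The sample lines are constructed to match the post's format; the peer address a.b.c.d is the poster's placeholder, and SA numbers #100 and #101 plus the "ISAKMP SA established" line are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the pluto log quoted in the post.
# a.b.c.d is the poster's placeholder for the peer; SAs #100/#101 are constructed.
SAMPLE_LOG = """\
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: next payload type of ISAKMP Identification Payload has an unknown value: 229
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: sending encrypted notification PAYLOAD_MALFORMED to a.b.c.d:500
2014:12:10-11:41:02 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #100: next payload type of ISAKMP Identification Payload has an unknown value: 17
2014:12:10-11:41:02 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #100: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:12:10-11:55:10 vpn pluto[5485]: "S_REF_wrcceecySD_0"[5] a.b.c.d #101: ISAKMP SA established
"""

# timestamp host pluto[pid]: "conn"[instance] peer #sa: message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)

# Message fragments marking each stage of the failure seen in the post.
# The ID payload is the first one encrypted with the PSK-derived key, so a key
# that differs between the two ends first shows up as an unparseable payload type.
MARKERS = {
    "bad_id_payload": "ISAKMP Identification Payload has an unknown value",
    "malformed": "malformed payload in packet",
    "notified_peer": "sending encrypted notification PAYLOAD_MALFORMED",
    "established": "ISAKMP SA established",
}


def parse_line(line):
    """Split one pluto log line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    rec["inst"] = int(rec["inst"]) if rec["inst"] is not None else None
    return rec


def analyze(log_text):
    """Group lines per (connection, peer, SA number) and give each SA a verdict."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["peer"], rec["sa"])
        for name, fragment in MARKERS.items():
            if fragment in rec["msg"]:
                seen[key].add(name)
    verdicts = {}
    for key, flags in seen.items():
        if "established" in flags:
            verdicts[key] = "established"
        elif {"bad_id_payload", "malformed"} <= flags:
            # Encrypted ID payload did not decrypt to anything parseable:
            # the two sides are not using the same PSK-derived key.
            verdicts[key] = "psk_mismatch_suspected"
        else:
            verdicts[key] = "other_failure"
    return verdicts


def summarize(verdicts):
    """Count verdicts per (connection, peer) so a repeating pattern stands out."""
    counts = defaultdict(lambda: defaultdict(int))
    for (conn, peer, _sa), verdict in verdicts.items():
        counts[(conn, peer)][verdict] += 1
    return {k: dict(v) for k, v in counts.items()}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, verdict in sorted(result.items(), key=lambda kv: kv[0][2]):
        print(key, verdict)
    print(summarize(result))
```

Run against a real pluto log, a run of `psk_mismatch_suspected` verdicts for one peer, every one of them failing at the same ID-payload step, points at whichever PSK the responder selected for that connection instance rather than at a transport problem, which is the distinction the poster is trying to make.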