Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 37601 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site IPSec VPN, keeps going down

MRoyland
Hi,

Having an issue where our Site-to-site IPSec connection to a subcontractors Zyxel keeps going down and we are unable on our end to restore the connection and rely on the subcontractor to restart the connection before it pops back up.

Log of the disconnect: 

       Line 2192: 2015:02:24-02:00:54 gw pluto[6164]: ""[12]  #18886: DPD: Could not find newest phase 1 state

       Line 2193: 2015:02:24-02:00:54 gw pluto[6164]: ""[12]  #18886: DPD: No response from peer - declaring peer dead

       Line 2194: 2015:02:24-02:00:54 gw pluto[6164]: ""[12]  #18886: DPD: Terminating all SAs using this connection

       Line 2195: 2015:02:24-02:00:54 gw pluto[6164]: ""[12]  #18886: deleting connection ""[12] instance with peer  {isakmp=#0/ipsec=#18886}



The other end tries endlessly to reconnect is unable to, log: 

       Line 2219: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: ignoring Vendor ID payload [f758f22668750f03b08df6ebe1d00403]

       Line 2220: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: ignoring Vendor ID payload [afcad71368a1f1c96b8696fc7757]

       Line 2221: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]

       Line 2222: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

       Line 2223: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]

       Line 2224: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: received Vendor ID payload [RFC 3947]

       Line 2225: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: received Vendor ID payload [Dead Peer Detection]

       Line 2226: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: ignoring Vendor ID payload [afcad71368a1f1c96b8696fc7757]

       Line 2227: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22048]  #19358: responding to Main Mode from unknown peer 

       Line 2228: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22048]  #19358: NAT-Traversal: Result using RFC 3947: no NAT detected

       Line 2229: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22048]  #19358: next payload type of ISAKMP Identification Payload has an unknown value: 176

       Line 2230: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22048]  #19358: Preshared secret failed to decrypt message. Trying next one.

       Line 2231: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22048]  #19358: Peer ID is ID_FQDN: ''

       Line 2232: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22049]  #19358: deleting connection "L_REF_jUrNOUiCON_1"[22048] instance with peer  {isakmp=#0/ipsec=#0}

       Line 2233: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22049]  #19358: Dead Peer Detection (RFC 3706) enabled

       Line 2234: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22049]  #19358: sent MR3, ISAKMP SA established

       Line 2235: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22049]  #19358: ISAKMP SA expired (--dontrekey)

       Line 2236: 2015:02:24-02:01:47 gw pluto[6164]: "L_REF_jUrNOUiCON_1"[22049] : deleting connection "L_REF_jUrNOUiCON_1"[22049] instance with peer  {isakmp=#0/ipsec=#0}

       Line 2237: 2015:02:24-02:01:47 gw pluto[6164]: packet from :500: Informational Exchange is for an unknown (expired?) SA


Any ideas?


This thread was automatically locked due to age.
Parents
  • 0

    Hi everybody,

     

    I would like to know if those logs comes from vyatta firewall logs?

     

    These logs are only about vpn?

     

    Otherwise where does those log come from?

     

    In case those logs come from vyattta firewall Is there a way to configure the firewall so that to obtain (in the logs) information about ip src, ip dst, mac, packet denied , packet permitted?

     

    Thank you very much!

     

    Xavier 

Reply
  • 0

    Hi everybody,

     

    I would like to know if those logs comes from vyatta firewall logs?

     

    These logs are only about vpn?

     

    Otherwise where does those log come from?

     

    In case those logs come from vyattta firewall Is there a way to configure the firewall so that to obtain (in the logs) information about ip src, ip dst, mac, packet denied , packet permitted?

     

    Thank you very much!

     

    Xavier 

Children
  • 0 in reply to Xdumas DUMAS

    Salut Xavier and welcome to the UTM Community!

    The log lines above are all from the UTM's IPsec log.

    In the UTM firewall, all packets will be dropped by default if they are not explicitly permitted by some setting or Firewall rule.  The information you asked for will be in the Firewall log for these packets.

    If you have explicit firewall rules that allow certain traffic, you can select to have these permitted packets logged and you will see the information you want.

    For traffic handled by proxies (HTTP/S, FTP, SMTP, etc.) the information will be in the corresponding log.

    Did that answer your questions?

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

     

    Thank you for this very helpful answer.

    Yes you answered perfectly to my questions.

     

    Thx again.

    Xavier.

Unfiltered HTML