
Site-to-Site VPN won't establish

Hi,

We have a SonicWall we are replacing with a Sophos UTM 9; everything is working except the VPN to a vendor.

2015:03:11-18:51:43 utm01-1 pluto[25691]: "S_VPN" #6: ERROR: asynchronous network error report on eth1 for message to 1.1.1.1 port 500, complainant 2.2.2.2 : No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

Can anyone help? Is there any more info I can get from the UTM to help find the problem?

Tks
T


  • I assume 1.1.1.1 and 2.2.2.2 are fake addresses?

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Yes..

    1.1.1.1 is the remote peer
    2.2.2.2 is my external address

    thanks
  • Are you using main mode? Aggressive mode is not supported by UTM.
    Also, is one of the hosts behind a NAT router? If so, did you also configure NAT-T?


  • Are you using main mode? The other end is using Main Mode; where in the UTM can I see this setting?

    Also, is one of the hosts behind a NAT router? NAT-T is selected, but I don't think they are NATting because it's talking to public addresses; I'm NATting on my side.

    tks
  • You can't find main mode because that's the only thing UTM does; if the other side has main mode, then that is fine.
    I assume you also have the same parameters for phase 1 and phase 2 as the other side uses?


  • Yes I have the same P1 and P2

    They are not NATting on their end; should I disable NAT-T?
  • No, since you are NATting on your end, NAT-T should be used on both sides.


  • Hi Topcat,

    I have the same issue replacing a Fortigate with an SG 210. I'm on 9.308.

    If I disable and re-enable the VPN connection, the UTM first shows me the following error:
    ERROR: _S_kln-ber_ #1: sendto on eth1 to 217.92.***.***:500 failed in main_outI1. Errno 1: Operation not permitted

    Later I see the same error as you have described.

    Last week I opened a premium call at Sophos in Germany. But until today, no response from support :/

    Please disable and re-enable the VPN connection. Does your UTM show the same error first?

    My case ID is 4986677.

    regards
    mod
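The two pluto errors quoted in this thread (the asynchronous ICMP "No route to host" report in the opening post, and the `sendto ... Errno 1: Operation not permitted` in the post above) say different things about where the IKE packet was lost, and that distinction decides what to check first. The following triage script is an added example, not code from the thread or from Sophos: it parses both error shapes from a constructed log excerpt (the thread's 1.1.1.1 / 2.2.2.2 placeholders, plus the documentation address 203.0.113.7 standing in for the masked peer), decodes the ICMP type 3 code, and tells a locally generated error (complainant is the UTM's own address, so the packet never left eth1) apart from one reported by an upstream router. The connection name `S_kln-ber`, the timestamps and the third "initiate" line are constructed; the set of local addresses passed to `triage` is an assumption the caller supplies.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample modelled on the two pluto errors quoted in this thread.
# 1.1.1.1 / 2.2.2.2 are the thread's placeholder peer / local addresses;
# 203.0.113.7 (RFC 5737) stands in for the masked peer in the second post.
SAMPLE_LOG = """\
2015:03:11-18:51:43 utm01-1 pluto[25691]: "S_VPN" #6: ERROR: asynchronous network error report on eth1 for message to 1.1.1.1 port 500, complainant 2.2.2.2 : No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
2015:03:11-18:52:01 utm01-1 pluto[25691]: "S_kln-ber" #1: ERROR: sendto on eth1 to 203.0.113.7:500 failed in main_outI1. Errno 1: Operation not permitted
2015:03:11-18:52:05 utm01-1 pluto[25691]: "S_VPN" #7: STATE_MAIN_I1: initiate
"""

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1812.
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed and DF set",
                9: "network administratively prohibited",
                10: "host administratively prohibited",
                13: "communication administratively prohibited"}

_PREFIX = (r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
           r'"(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: ')
ASYNC_RE = re.compile(
    _PREFIX + r'asynchronous network error report on (?P<iface>\S+) for message to '
    r'(?P<peer>\S+) port (?P<port>\d+), complainant (?P<complainant>\S+) : '
    r'(?P<strerror>.+?) \[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) '
    r'code (?P<code>\d+)')
SENDTO_RE = re.compile(
    _PREFIX + r'sendto on (?P<iface>\S+) to (?P<peer>[^:\s]+):(?P<port>\d+) failed in '
    r'(?P<fn>\w+)\. Errno (?P<errno>\d+): (?P<strerror>.+)$')


@dataclass
class Finding:
    conn: str
    iface: str
    peer: str
    port: int
    errno: int
    strerror: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    complainant: Optional[str] = None
    meaning: str = ""
    hint: str = ""


def explain(f: Finding, local_addrs: Set[str]) -> Finding:
    """Attach a plain-language meaning and the first thing to check."""
    if f.icmp_type == 3:
        f.meaning = ICMP_UNREACH.get(f.icmp_code, f"unreachable, code {f.icmp_code}")
        if f.complainant in local_addrs:
            # Complainant is our own address: the kernel raised the error itself,
            # so the IKE datagram never left the interface. Route / next-hop
            # (ARP) for the peer is the first suspect, not the peer's config.
            f.hint = (f"error raised locally by {f.complainant}: check the route and "
                      f"gateway for {f.peer} on {f.iface} (e.g. ip route get {f.peer})")
        else:
            f.hint = (f"reported by upstream router {f.complainant}: the path to "
                      f"{f.peer} breaks beyond {f.iface}")
    elif f.errno == 1:
        # EPERM from sendto: the local kernel refused the datagram before it
        # left the interface, which is how a netfilter drop in the OUTPUT path
        # surfaces to the socket. Start with the local filter rules.
        f.meaning = "sendto refused by local kernel (EPERM)"
        f.hint = (f"check local packet-filter rules for UDP/{f.port} leaving "
                  f"{f.iface} toward {f.peer}")
    else:
        f.meaning = f.strerror
        f.hint = "unclassified; inspect the full pluto log around this line"
    return f


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for either error shape seen in this thread, else None."""
    m = ASYNC_RE.match(line)
    if m:
        return Finding(m["conn"], m["iface"], m["peer"], int(m["port"]),
                       int(m["errno"]), m["strerror"].strip(),
                       icmp_type=int(m["type"]), icmp_code=int(m["code"]),
                       complainant=m["complainant"])
    m = SENDTO_RE.match(line)
    if m:
        return Finding(m["conn"], m["iface"], m["peer"], int(m["port"]),
                       int(m["errno"]), m["strerror"].strip())
    return None


def triage(log: str, local_addrs: Iterable[str] = ()) -> List[Finding]:
    """Parse a pluto log excerpt and explain every error line it contains."""
    local = set(local_addrs)
    return [explain(f, local) for f in map(parse_line, log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, local_addrs={"2.2.2.2"}):
        print(f"{f.conn} -> {f.peer}:{f.port} via {f.iface}: {f.meaning}\n    {f.hint}")
```

Run it against `/var/log/ipsec.log` output (or any pasted excerpt) with the UTM's WAN address in `local_addrs`; a "host unreachable" whose complainant is that address is a local next-hop problem on eth1 and no amount of phase 1 / phase 2 or NAT-T tuning on the peer will change it.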
  • Hi mod2402, did support get back to you?
  • Both NAT-T and DPD should be enabled on both ends.  What happens if you reduce NAT Traversal keepalive in the UTM to 30 seconds?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA