IPsec VPN Tunnel UTM9 and FRITZBOX 3370

Hello,

I have a problem with a VPN tunnel between an SG125 and a Fritzbox3370. The tunnel is established

2016:07:11-13:37:07 195 pluto[18353]: "S_AST-HSK" #2: sent QI2, IPsec SA established {ESP=>0x028c0888 <0x43ddfa7b DPD}
2016:07:11-13:37:07 195 pluto[18353]: | next event EVENT_SA_REPLACE in 2607 seconds for #1
and I can ping the remote side. However, no data traffic takes place.
After a short time the following message appears:
2016:07:11-13:40:03 195 pluto[18353]: | *received whack message
2016:07:11-13:40:03 195 pluto[18353]: | next event EVENT_SA_REPLACE in 2431 seconds for #1
2016:07:11-13:40:04 195 pluto[18353]: |
2016:07:11-13:40:04 195 pluto[18353]: | *received whack message
2016:07:11-13:40:04 195 pluto[18353]: | next event EVENT_SA_REPLACE in 2430 seconds for #1
Please help.


  • (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Hi, Arndt, and welcome to the UTM Community!

    Run the following one line at a time as root to find the REF_ of your IPsec Connection

    cc
    ipsec
    connections@
    exit

    Disable the IPsec Connection in WebAdmin.  It's rare that having debug enabled is needed to diagnose IPsec problems.  Please un-select all IKE Debug options, and then Start the IPsec Live Log.  After a few lines have appeared in the Live Log, enable the IPsec Connection.

    Back at the command line, to watch the traffic, if any, in the tunnel, substitute your REF_ for REF_IpsSitFritzbox in the below:

    espdump -n --conn REF_IpsSitFritzbox -vv

    Show us about 20 lines for the Live Log after the IPsec SA is established, and just tell us about any traffic you saw in the tunnel.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Thanks for the reply.

    Here is the live log (all checkboxes off):

    2016:07:13-17:05:31 195 ipsec_starter[22304]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2016:07:13-17:05:31 195 pluto[22319]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2016:07:13-17:05:31 195 pluto[22319]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2016:07:13-17:05:31 195 pluto[22319]: including NAT-Traversal patch (Version 0.6c) [disabled]
    2016:07:13-17:05:31 195 pluto[22319]: Using Linux 2.6 IPsec interface code
    2016:07:13-17:05:31 195 ipsec_starter[22310]: pluto (22319) started after 20 ms
    2016:07:13-17:05:31 195 pluto[22319]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2016:07:13-17:05:31 195 pluto[22319]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2016:07:13-17:05:31 195 pluto[22319]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2016:07:13-17:05:31 195 pluto[22319]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2016:07:13-17:05:31 195 pluto[22319]: Changing to directory '/etc/ipsec.d/crls'
    2016:07:13-17:05:31 195 pluto[22319]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2016:07:13-17:05:31 195 pluto[22319]: adding interface tun0/tun0 10.242.2.1:500
    2016:07:13-17:05:31 195 pluto[22319]: adding interface eth1/eth1 195.226.160.162:500
    2016:07:13-17:05:31 195 pluto[22319]: adding interface eth0/eth0 192.168.200.8:500
    2016:07:13-17:05:31 195 pluto[22319]: adding interface lo/lo 127.0.0.1:500
    2016:07:13-17:05:31 195 pluto[22319]: adding interface lo/lo ::1:500
    2016:07:13-17:05:31 195 pluto[22319]: loading secrets from "/etc/ipsec.secrets"
    2016:07:13-17:05:31 195 pluto[22319]: loaded PSK secret for 195.226.160.162 80.153.225.77
    2016:07:13-17:05:31 195 pluto[22319]: listening for IKE messages
    2016:07:13-17:05:31 195 pluto[22319]: added connection description "S_AST-HSK"
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: initiating Main Mode
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: received Vendor ID payload [XAUTH]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: received Vendor ID payload [Dead Peer Detection]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ignoring Vendor ID payload [RFC 3947]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ignoring Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: Peer ID is ID_IPV4_ADDR: '80.153.225.77'
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #1: ISAKMP SA established
    2016:07:13-17:05:31 195 pluto[22319]: "S_AST-HSK" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    2016:07:13-17:05:32 195 pluto[22319]: "S_AST-HSK" #3: responding to Quick Mode
    2016:07:13-17:05:32 195 pluto[22319]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AST-HSK" address="195.226.160.162" local_net="192.168.200.0/24" remote_net="192.168.0.0/24"
    2016:07:13-17:05:32 195 pluto[22319]: "S_AST-HSK" #2: sent QI2, IPsec SA established {ESP=>0xa41195a3 <0xae356a22 DPD}
    2016:07:13-17:05:32 195 pluto[22319]: "S_AST-HSK" #3: IPsec SA established {ESP=>0x4cc4c6d8 <0x3831253a DPD}
    No further lines were added during this time.
    And here is the traffic from the tunnel:
    195:/home/login # espdump -n --conn REF_IpsSitAsthsk -vv
    Running: tcpdump -ieth1 -Efile /tmp/espdump.22694/sas -s0 -n -vv (esp) and ((host 195.226.160.162 and host 80.153.225.77))
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    17:08:53.233493 IP (tos 0x0, ttl 54, id 16879, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1), length 92: IP (tos 0x0, ttl 127, id 16496, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.59292 > 192.168.200.22.53: [udp sum ok] 50153 SOA? ast.local. (27)
    17:10:53.234634 IP (tos 0x0, ttl 54, id 16878, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x2), length 100: IP (tos 0x0, ttl 127, id 18995, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.61081 > 192.168.200.22.53: [udp sum ok] 60655 SOA? 200.168.192.in-addr.arpa. (42)
    17:10:53.237417 IP (tos 0x0, ttl 54, id 16877, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x3), length 100: IP (tos 0x0, ttl 127, id 18996, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.61081 > 192.168.200.15.53: [udp sum ok] 60655 SOA? 200.168.192.in-addr.arpa. (42)
    17:10:53.239975 IP (tos 0x0, ttl 54, id 16876, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x4), length 92: IP (tos 0x0, ttl 127, id 18997, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.52674 > 192.168.200.15.53: [udp sum ok] 63498 SOA? ast.local. (27)
    17:10:53.242742 IP (tos 0x0, ttl 54, id 16875, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x5), length 92: IP (tos 0x0, ttl 127, id 18998, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.52674 > 192.168.200.22.53: [udp sum ok] 63498 SOA? ast.local. (27)
    17:12:53.236149 IP (tos 0x0, ttl 54, id 16874, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x6), length 92: IP (tos 0x0, ttl 127, id 21082, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.64580 > 192.168.200.22.53: [udp sum ok] 26146 SOA? ast.local. (27)
    17:14:53.237675 IP (tos 0x0, ttl 54, id 16873, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x7), length 100: IP (tos 0x0, ttl 127, id 23345, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.50120 > 192.168.200.22.53: [udp sum ok] 245 SOA? 200.168.192.in-addr.arpa. (42)
    17:14:53.240445 IP (tos 0x0, ttl 54, id 16872, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x8), length 100: IP (tos 0x0, ttl 127, id 23346, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.50120 > 192.168.200.15.53: [udp sum ok] 245 SOA? 200.168.192.in-addr.arpa. (42)
    17:14:53.243000 IP (tos 0x0, ttl 54, id 16871, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x9), length 92: IP (tos 0x0, ttl 127, id 23347, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.64696 > 192.168.200.15.53: [udp sum ok] 42447 SOA? ast.local. (27)
    17:14:53.245587 IP (tos 0x0, ttl 54, id 16870, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xa), length 92: IP (tos 0x0, ttl 127, id 23348, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.64696 > 192.168.200.22.53: [udp sum ok] 42447 SOA? ast.local. (27)
    17:16:53.239921 IP (tos 0x0, ttl 54, id 16869, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xb), length 92: IP (tos 0x0, ttl 127, id 25770, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.53979 > 192.168.200.22.53: [udp sum ok] 54715 SOA? ast.local. (27)
    17:18:53.240752 IP (tos 0x0, ttl 54, id 16868, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xc), length 92: IP (tos 0x0, ttl 127, id 27895, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.54803 > 192.168.200.22.53: [udp sum ok] 51632 SOA? ast.local. (27)
    17:20:53.242119 IP (tos 0x0, ttl 54, id 16867, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xd), length 100: IP (tos 0x0, ttl 127, id 30508, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.55520 > 192.168.200.22.53: [udp sum ok] 176 SOA? 200.168.192.in-addr.arpa. (42)
    17:20:53.244670 IP (tos 0x0, ttl 54, id 16866, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xe), length 100: IP (tos 0x0, ttl 127, id 30509, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.55520 > 192.168.200.15.53: [udp sum ok] 176 SOA? 200.168.192.in-addr.arpa. (42)
    17:20:53.247388 IP (tos 0x0, ttl 54, id 16865, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0xf), length 92: IP (tos 0x0, ttl 127, id 30510, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.63604 > 192.168.200.15.53: [udp sum ok] 35985 SOA? ast.local. (27)
    17:20:53.250234 IP (tos 0x0, ttl 54, id 16864, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x10), length 92: IP (tos 0x0, ttl 127, id 30511, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.63604 > 192.168.200.22.53: [udp sum ok] 35985 SOA? ast.local. (27)
    17:31:53.251868 IP (tos 0x0, ttl 54, id 16895, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x11), length 92: IP (tos 0x0, ttl 127, id 10356, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.63042 > 192.168.200.22.53: [udp sum ok] 37571 SOA? ast.local. (27)
    17:33:53.253619 IP (tos 0x0, ttl 54, id 16894, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x12), length 92: IP (tos 0x0, ttl 127, id 12440, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.50176 > 192.168.200.22.53: [udp sum ok] 6389 SOA? ast.local. (27)
    17:35:57.215931 IP (tos 0x0, ttl 54, id 16893, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x13), length 100: IP (tos 0x0, ttl 63, id 16738, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.0.31.39466 > 192.168.200.15.53: [udp sum ok] 13465+ A? interface.ta-cockpit.de. (41)
    17:36:01.175900 IP (tos 0x0, ttl 54, id 16892, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x14), length 100: IP (tos 0x0, ttl 63, id 16739, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.0.31.35621 > 192.168.200.15.53: [udp sum ok] 22131+ A? interface.ta-cockpit.de. (41)
    17:36:28.038333 IP (tos 0x0, ttl 54, id 16891, offset 0, flags [none], proto ESP (50), length 128)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x15), length 108: IP (tos 0x0, ttl 127, id 45, offset 0, flags [none], proto UDP (17), length 77)
        192.168.0.10.57518 > 192.168.200.15.53: [udp sum ok] 13728+ SRV? _ldap._tcp.pdc._msdcs.hsk.local. (49)
    17:36:45.119250 IP (tos 0x0, ttl 54, id 16890, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x16), length 92: IP (tos 0x0, ttl 127, id 85, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.53534 > 192.168.200.15.53: [udp sum ok] 5848+ A? hsk.local. (27)
    17:36:58.659102 IP (tos 0x0, ttl 54, id 16889, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x17), length 76: IP (tos 0x0, ttl 31, id 739, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.25.38293: [udp sum ok] UDP, length 16
    17:36:58.661159 IP (tos 0x0, ttl 54, id 16888, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x18), length 76: IP (tos 0x0, ttl 31, id 740, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.25.38293: [udp sum ok] UDP, length 16
    17:36:58.662990 IP (tos 0x0, ttl 54, id 16887, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x19), length 76: IP (tos 0x0, ttl 31, id 741, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.20.38293: [udp sum ok] UDP, length 16
    17:36:58.665074 IP (tos 0x0, ttl 54, id 16886, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1a), length 76: IP (tos 0x0, ttl 31, id 742, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.20.38293: [udp sum ok] UDP, length 16
    17:36:58.666941 IP (tos 0x0, ttl 54, id 16885, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1b), length 76: IP (tos 0x0, ttl 31, id 745, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.21.38293: [udp sum ok] UDP, length 16
    17:36:58.669000 IP (tos 0x0, ttl 54, id 16884, offset 0, flags [none], proto ESP (50), length 96)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1c), length 76: IP (tos 0x0, ttl 31, id 746, offset 0, flags [none], proto UDP (17), length 44)
        192.168.0.10.1064 > 192.168.200.21.38293: [udp sum ok] UDP, length 16
    17:37:03.772203 IP (tos 0x0, ttl 54, id 16883, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1d), length 100: IP (tos 0x0, ttl 127, id 825, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.65171 > 192.168.200.22.53: [udp sum ok] 11855 SOA? 200.168.192.in-addr.arpa. (42)
    17:37:03.775175 IP (tos 0x0, ttl 54, id 16882, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1e), length 100: IP (tos 0x0, ttl 127, id 826, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.65171 > 192.168.200.15.53: [udp sum ok] 11855 SOA? 200.168.192.in-addr.arpa. (42)
    17:37:03.777614 IP (tos 0x0, ttl 54, id 16881, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1f), length 92: IP (tos 0x0, ttl 127, id 827, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.58557 > 192.168.200.15.53: [udp sum ok] 9276 SOA? ast.local. (27)
    17:37:03.780296 IP (tos 0x0, ttl 54, id 16880, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x20), length 92: IP (tos 0x0, ttl 127, id 828, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.58557 > 192.168.200.22.53: [udp sum ok] 9276 SOA? ast.local. (27)
    17:39:03.773083 IP (tos 0x0, ttl 54, id 16847, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x21), length 100: IP (tos 0x0, ttl 127, id 3835, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.60456 > 192.168.200.22.53: [udp sum ok] 14596 SOA? 200.168.192.in-addr.arpa. (42)
    17:39:03.775909 IP (tos 0x0, ttl 54, id 16846, offset 0, flags [none], proto ESP (50), length 120)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x22), length 100: IP (tos 0x0, ttl 127, id 3836, offset 0, flags [none], proto UDP (17), length 70)
        192.168.0.10.60456 > 192.168.200.15.53: [udp sum ok] 14596 SOA? 200.168.192.in-addr.arpa. (42)
    17:39:03.778369 IP (tos 0x0, ttl 54, id 16845, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x23), length 92: IP (tos 0x0, ttl 127, id 3837, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.49836 > 192.168.200.15.53: [udp sum ok] 25743 SOA? ast.local. (27)
    17:39:03.781178 IP (tos 0x0, ttl 54, id 16844, offset 0, flags [none], proto ESP (50), length 112)
        80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x24), length 92: IP (tos 0x0, ttl 127, id 3838, offset 0, flags [none], proto UDP (17), length 55)
        192.168.0.10.49836 > 192.168.200.22.53: [udp sum ok] 25743 SOA? ast.local. (27)

    Regards, Arndt.
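The espdump output above is easier to judge once it is summarised: which outer direction ESP packets travel, which inner flows they carry, and whether the ESP sequence numbers of an SPI have gaps. The following parser is an added example (not from the thread or from Sophos); it assumes the three-line espdump/tcpdump -vv format shown above and works on a constructed subset of that capture from which one packet (seq 0x3) was deliberately left out to exercise the gap check.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the espdump/tcpdump -vv layout from the thread:
# outer IP line, ESP line with the decrypted inner IP header, inner payload
# line. Addresses match the capture above; seq 0x3 is intentionally missing.
SAMPLE = """\
17:08:53.233493 IP (tos 0x0, ttl 54, id 16879, offset 0, flags [none], proto ESP (50), length 112)
    80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x1), length 92: IP (tos 0x0, ttl 127, id 16496, offset 0, flags [none], proto UDP (17), length 55)
    192.168.0.10.59292 > 192.168.200.22.53: [udp sum ok] 50153 SOA? ast.local. (27)
17:10:53.234634 IP (tos 0x0, ttl 54, id 16878, offset 0, flags [none], proto ESP (50), length 120)
    80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x2), length 100: IP (tos 0x0, ttl 127, id 18995, offset 0, flags [none], proto UDP (17), length 70)
    192.168.0.10.61081 > 192.168.200.22.53: [udp sum ok] 60655 SOA? 200.168.192.in-addr.arpa. (42)
17:10:53.237417 IP (tos 0x0, ttl 54, id 16877, offset 0, flags [none], proto ESP (50), length 120)
    80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x4), length 100: IP (tos 0x0, ttl 127, id 18996, offset 0, flags [none], proto UDP (17), length 70)
    192.168.0.10.61081 > 192.168.200.15.53: [udp sum ok] 60655 SOA? 200.168.192.in-addr.arpa. (42)
17:36:58.659102 IP (tos 0x0, ttl 54, id 16889, offset 0, flags [none], proto ESP (50), length 96)
    80.153.225.77 > 195.226.160.162: ESP(spi=0xae356a22,seq=0x5), length 76: IP (tos 0x0, ttl 31, id 739, offset 0, flags [none], proto UDP (17), length 44)
    192.168.0.10.1064 > 192.168.200.25.38293: [udp sum ok] UDP, length 16
"""

# Outer ESP header line: peer addresses, SPI and sequence number.
ESP_RE = re.compile(
    r"^\s*(?P<osrc>[\d.]+) > (?P<odst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)")
# Inner (decrypted) line: host.port > host.port:
INNER_RE = re.compile(
    r"^\s*(?P<isrc>[\d.]+)\.(?P<sport>\d+) > (?P<idst>[\d.]+)\.(?P<dport>\d+):")


def parse_espdump(text):
    """Pair each ESP line with the inner IP/UDP line that follows it."""
    packets, outer = [], None
    for line in text.splitlines():
        m = ESP_RE.match(line)          # must be tried first: INNER_RE would
        if m:                           # also match an outer address pair
            outer = {"osrc": m["osrc"], "odst": m["odst"],
                     "spi": m["spi"], "seq": int(m["seq"], 16)}
            continue
        m = INNER_RE.match(line)
        if m and outer is not None:
            packets.append({**outer, "isrc": m["isrc"], "idst": m["idst"],
                            "sport": int(m["sport"]), "dport": int(m["dport"])})
            outer = None
    return packets


def analyze(packets):
    """Summarise directions, inner flows and per-SPI sequence gaps."""
    directions = Counter((p["osrc"], p["odst"]) for p in packets)
    flows = Counter((p["isrc"], p["idst"], p["dport"]) for p in packets)
    seqs = defaultdict(list)
    for p in packets:
        seqs[(p["spi"], p["osrc"])].append(p["seq"])
    gaps = {}
    for key, s in seqs.items():
        s = sorted(s)
        missing = sorted(set(range(s[0], s[-1] + 1)) - set(s))
        if missing:
            gaps[key] = missing          # ESP packets lost before capture
    return {"directions": directions, "flows": flows,
            "one_way": len(directions) == 1,   # no return ESP traffic at all
            "seq_gaps": gaps}


if __name__ == "__main__":
    report = analyze(parse_espdump(SAMPLE))
    for (src, dst), n in report["directions"].items():
        print(f"ESP {src} -> {dst}: {n} packets")
    for (src, dst, port), n in report["flows"].most_common():
        print(f"  inner {src} -> {dst}:{port}  x{n}")
    print("one-way tunnel traffic:", report["one_way"])
    print("sequence gaps:", report["seq_gaps"])
```

A one_way result with only Fritzbox-to-UTM ESP packets, as in the capture above, points at the replies being dropped on the UTM side rather than at the tunnel itself, which is where the firewall and intrusion prevention logs come in.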
  • That all looks good. Please show us the next 20 lines after 2016:07:13-17:05:32 195 pluto[22319]: "S_AST-HSK" #3: IPsec SA established {ESP=>0x4cc4c6d8 <0x3831253a DPD}.

    EDITED a few hours later: I just now saw that you noted in the above that there was no more information in the IPsec log.  This indicates to me that the tunnel works, but there's something disrupting the traffic flow.  Does following #1 in Rulz give any insight?

    Regards - Bob (Please continue in German.)
  • Hello Bob,

    here is another excerpt from the live log:

    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ignoring Vendor ID payload [RFC 3947]
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ignoring Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: Peer ID is ID_IPV4_ADDR: '80.153.225.77'
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #1: ISAKMP SA established
    2016:07:18-07:44:51 195 pluto[6720]: "S_AST-HSK" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
    2016:07:18-07:44:52 195 pluto[6720]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AST-HSK" address="195.226.160.162" local_net="192.168.200.0/24" remote_net="192.168.0.0/24"
    2016:07:18-07:44:52 195 pluto[6720]: "S_AST-HSK" #2: sent QI2, IPsec SA established {ESP=>0x493cc3ff <0xc21f8d27 DPD}
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: initiating Main Mode to replace #1
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: received Vendor ID payload [XAUTH]
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: received Vendor ID payload [Dead Peer Detection]
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: ignoring Vendor ID payload [RFC 3947]
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:07:18-08:28:18 195 pluto[6720]: "S_AST-HSK" #3: ignoring Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
    2016:07:18-08:28:19 195 pluto[6720]: "S_AST-HSK" #3: Peer ID is ID_IPV4_ADDR: '80.153.225.77'
    2016:07:18-08:28:19 195 pluto[6720]: "S_AST-HSK" #3: ISAKMP SA established
    2016:07:18-08:32:20 195 pluto[6720]: "S_AST-HSK" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#3}
    2016:07:18-08:32:20 195 pluto[6720]: "S_AST-HSK" #4: sent QI2, IPsec SA established {ESP=>0xef87f6a6 <0xa31f0de4 DPD}
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: initiating Main Mode to replace #3
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: received Vendor ID payload [XAUTH]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: received Vendor ID payload [Dead Peer Detection]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: ignoring Vendor ID payload [RFC 3947]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: ignoring Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: Peer ID is ID_IPV4_ADDR: '80.153.225.77'
    2016:07:18-09:12:17 195 pluto[6720]: "S_AST-HSK" #5: ISAKMP SA established
    2016:07:18-09:16:09 195 pluto[6720]: "S_AST-HSK" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4 {using isakmp#5}
    2016:07:18-09:16:10 195 pluto[6720]: "S_AST-HSK" #6: sent QI2, IPsec SA established {ESP=>0x80d820cb <0xee73df40 DPD}
  • Arndt, I was thinking more about the Firewall and Intrusion Prevention logs.  My guess from the espdump is that we will see a block of DNS queries in the Firewall log or Anti-UDP Flooding activity in the Intrusion Prevention log.

    Regards - Bob (Please continue in German.)