IPsec VPN Tunnel down cannot route route already in use

Hi,

 

I have an SG105 with several VPN connections to several targets. Most target sites have a RED; only one (Oristalstrasse) has a "normal" Draytek Vigor router.

To this site I have an IPsec VPN connection.

The connection was fine until 6 weeks ago, when we made changes to the network internally which (should) not affect that VPN.

 

Currently the connection is lost and the VPN Log says the following:

2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: responding to Main Mode
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Oakley Transform [DES_CBC (64), HMAC_MD5, MODP_768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Oakley Transform [DES_CBC (64), HMAC_SHA1, MODP_768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2017:07:05-16:58:17 62 pluto[25761]: | NAT-T: new mapping 62.202.51.213:4500/500)
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: NAT-Traversal: Result using RFC 3947: i am NATed
2017:07:05-16:58:17 62 pluto[25761]: | NAT-T: new mapping 62.202.51.213:500/4500)
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Peer ID is ID_IPV4_ADDR: '62.202.51.213'
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Dead Peer Detection (RFC 3706) enabled
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: sent MR3, ISAKMP SA established
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: responding to Quick Mode
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
2017:07:05-16:58:27 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
2017:07:05-16:58:48 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
 

Where can I find the S_ and X_ route settings?

62.202.51.213 is the WAN gateway here:

Any ideas what the problem is?



  • Hi, Guido, and welcome to the UTM Community!

    Please show pictures of the Edits of the IPsec Gateway, Remote Gateway and IPsec Policy.

    Making sure that 'Debug' is not selected, disable the IPsec Connection, start the IPsec Live Log, wait until it populates a few lines, enable the IPsec Connection and show us the lines until "the route already in use" error.

    Also, confirm that you only have one IPsec connection with the Draytek.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thx for your answer. I found the problem yesterday.

    We have the LAN to LAN VPN with the Sophos AND a RED sitting there for testing....

    And someone (ok ok it was me) activated the RED profile under Interfaces & Routing.

    So of course the same network was routed twice, one IPsec LAN to LAN and a RED VPN tunnel set up for the same network segment.

    Turned the RED off and now it works.

     

    Guido
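Added example, not part of the thread and not Sophos code: a small triage script for the pluto log format quoted in the question. It pairs each connection that logs "cannot route" with the connection pluto names as already holding the route, and collects the IKE proposals that were refused as insecure. The sample lines are constructed from the log shown above; the function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the log quoted in the thread.
SAMPLE_LOG = '''\
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Oakley Transform [DES_CBC (64), HMAC_MD5, MODP_768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #3: Oakley Transform [DES_CBC (64), HMAC_SHA1, MODP_768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: responding to Quick Mode
2017:07:05-16:58:17 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
2017:07:05-16:58:27 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
2017:07:05-16:58:48 62 pluto[25761]: "S_Oristalstrasse-IPSEC" #4: cannot route -- route already in use for "X_Oristalstrasse-IPSEC"
'''

# timestamp, host field, pluto[pid], quoted connection name, #SA number, message
LINE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
CONFLICT = re.compile(r'cannot route -- route already in use for "(?P<holder>[^"]+)"')
REFUSED = re.compile(r'Oakley Transform \[(?P<proposal>[^\]]+)\] refused')


def triage(log_text):
    """Return (route_conflicts, refused_proposals) found in a pluto log."""
    conflicts = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    refused = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines such as "| NAT-T: ..." carry no connection name
        conn, msg, ts = m["conn"], m["msg"], m["ts"]
        hit = CONFLICT.search(msg)
        if hit:
            # key: (connection that failed, connection holding the route)
            entry = conflicts[(conn, hit["holder"])]
            entry["count"] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
        weak = REFUSED.search(msg)
        if weak:
            refused[conn].add(weak["proposal"])
    return dict(conflicts), {c: sorted(p) for c, p in refused.items()}


if __name__ == "__main__":
    route_conflicts, refused_proposals = triage(SAMPLE_LOG)
    for (blocked, holder), info in route_conflicts.items():
        print(f"{blocked}: route held by {holder}, {info['count']}x "
              f"({info['first']} .. {info['last']})")
    for conn, proposals in refused_proposals.items():
        print(f"{conn}: peer offered refused transforms: {proposals}")
```

A conflict pair that keeps repeating, as here, is the cue to look for a second tunnel or interface covering the same remote network, which is what the RED turned out to be in this thread.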