
How to use IPSec User VPN behind NAT

We're having issues being able to connect to our new location's UTM behind our ISP's NAT'd public IP. I was able to get a site-to-site VPN connection working between our New Location and our other location's UTM by setting our other location's UTM to "Respond Only", as it has a static, non-NAT'd public IP. This works great! Also, users are able to use IPsec VPN to connect to our other location without issue.

 

Here are some details regarding our new and other location:

New:
static public IP that is NAT'd via a private IP

Other:
static public IP lives right on the UTM.

 

Here's the error I'm seeing when a VPN L2TP/IPsec user tries to connect to our new location's UTM:

 

2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: received Vendor ID payload [RFC 3947]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2018:03:20-09:32:57 utm pluto[35222]: packet from USER-IP:500: received Vendor ID payload [Dead Peer Detection]
2018:03:20-09:32:57 utm pluto[35222]: "L_for admin"[3] USER-IP #13: responding to Main Mode from unknown peer USER-IP
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: received Vendor ID payload [RFC 3947]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2018:03:20-09:33:00 utm pluto[35222]: packet from USER-IP:500: received Vendor ID payload [Dead Peer Detection]
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[3] USER-IP #14: responding to Main Mode from unknown peer USER-IP
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[3] USER-IP #14: NAT-Traversal: Result using RFC 3947: both are NATed
2018:03:20-09:33:00 utm pluto[35222]: | NAT-T: new mapping USER-IP:500/4500)
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[3] USER-IP:4500 #14: Peer ID is ID_IPV4_ADDR: '172.16.1.32'
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Dead Peer Detection (RFC 3706) enabled
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sent MR3, ISAKMP SA established
2018:03:20-09:33:01 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: cannot respond to IPsec SA request because no connection is known for NEWUTMPUBLICNATIP/32===NEWUTMPRIVATENATIP:4500[NEWUTMPUBLICNATIP]:17/1701...USER-IP:4500[172.16.1.32]:17/%any==={172.16.1.32/32}
2018:03:20-09:33:01 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_ID_INFORMATION to USER-IP:4500
2018:03:20-09:33:05 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:05 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:08 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:08 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:11 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:11 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:14 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:14 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:17 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:17 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:20 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:20 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:23 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x500f8525 (perhaps this is a duplicated packet)
2018:03:20-09:33:23 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
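
As an added example (not from the post or from Sophos), a small Python triage script that walks pluto lines like the ones above, groups them by ISAKMP SA number, and pulls out the three facts that matter here: the NAT-T result, the local host versus the local ID in the refused phase-2 request, and how many Quick Mode retries were bounced with INVALID_MESSAGE_ID. The sample lines are a constructed, trimmed copy of the log above with its placeholders kept.

```python
import re
# Constructed sample: a trimmed copy of the pluto lines from the post, placeholders kept.
SAMPLE_LOG = """\
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[3] USER-IP #14: NAT-Traversal: Result using RFC 3947: both are NATed
2018:03:20-09:33:00 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sent MR3, ISAKMP SA established
2018:03:20-09:33:01 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: cannot respond to IPsec SA request because no connection is known for NEWUTMPUBLICNATIP/32===NEWUTMPRIVATENATIP:4500[NEWUTMPUBLICNATIP]:17/1701...USER-IP:4500[172.16.1.32]:17/%any==={172.16.1.32/32}
2018:03:20-09:33:01 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_ID_INFORMATION to USER-IP:4500
2018:03:20-09:33:05 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
2018:03:20-09:33:08 utm pluto[35222]: "L_for admin"[4] USER-IP:4500 #14: sending encrypted notification INVALID_MESSAGE_ID to USER-IP:4500
"""
# Common pluto line prefix; the quoted connection name, peer and "#N" ISAKMP SA number are optional.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')
# Endpoints in "no connection is known for LSUBNET===LHOST:port[LID]:proto/port...RHOST:port[RID]...".
NOCONN_RE = re.compile(
    r'no connection is known for \S+?===(?P<lhost>[^:\[]+):\d+\[(?P<lid>[^\]]+)\]'
    r':\d+/\d+\.\.\.(?P<rhost>[^:\[]+):\d+\[(?P<rid>[^\]]+)\]')

def triage_pluto(log_text):
    """Group pluto messages by ISAKMP SA number and record the facts needed for a diagnosis."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("sa") is None:
            continue  # unparsed or debug ("| ...") lines carry no SA number
        rec = sas.setdefault(m.group("sa"), dict(conn=m.group("conn"), nat=None, phase1=False, no_conn=None, invalid_msg_id=0))
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal: Result"):
            rec["nat"] = msg.split(": ")[-1]          # e.g. "both are NATed"
        elif "ISAKMP SA established" in msg:
            rec["phase1"] = True                      # Main Mode finished, so PSK/proposals were fine
        elif "INVALID_MESSAGE_ID" in msg:
            rec["invalid_msg_id"] += 1                # client retransmitting Quick Mode I1 after the refusal
        nc = NOCONN_RE.search(msg)
        if nc:
            rec["no_conn"] = nc.groupdict()
    return sas

def diagnose(rec):
    """Turn one SA record into findings; the host/ID mismatch is the NAT symptom from the post."""
    findings = []
    nc = rec["no_conn"]
    if rec["phase1"] and nc and nc["lhost"] != nc["lid"]:
        findings.append(f"phase 1 done but phase 2 refused: UTM address {nc['lhost']} differs from "
                        f"the ID it presents {nc['lid']} (NAT in front of the UTM); peer ID {nc['rid']}")
    if rec["invalid_msg_id"]:
        findings.append(f"{rec['invalid_msg_id']} Quick Mode retries rejected with INVALID_MESSAGE_ID")
    return findings
```

Running `diagnose()` over each record from `triage_pluto()` separates a phase-1 failure (wrong PSK, proposals) from this phase-2 refusal, which only shows up after the ISAKMP SA is established.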


  • First I've seen you post here, Brandon - welcome to the UTM Community!

    Depending on the IPsec Client, you might be able to make this work.  If not, you'll want to change to the SSL VPN or to add the fixed-IP site's "VPN Pool (IPsec)" to the site-to-site tunnel and have people call the fixed IP.  If this latter solution is your choice, check out my Sophos KnowledgeBase article: How to allow remote access users to reach another site via a Site-to-Site Tunnel.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA