Client can't access the server via ipsec vpn even though ipsec is connected.

Hello,
I have an issue related to ipsec.
IPsec was definitely not disconnected, but a client located in the BO can't access the server located in the HO via the IPsec tunnel.

PING reached the destination server correctly when the client was not able to access the server.
Based on this ping test, I think that the IPsec VPN was not disconnected when the client was not able to access the server.

The HO device has 5 BO devices connected via IPsec VPN.
3 of them are Sophos and 2 of them are Fortigate.


The BOs connected via IPsec using Fortigate had no issue,
but this issue occurred only on the IPsec connections with Sophos devices.

I have a doubt about the "key life time", but I can't be sure that the "key life time" is the root cause of this issue.

Below are the IPsec logs of the HO device.

==== IPSEC Log of HO Device ====
2017:09:06-10:02:16 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #272: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:02:16 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #272: starting keying attempt 131 of an unlimited number
2017:09:06-10:02:16 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #273: initiating Main Mode to replace #272
2017:09:06-10:15:26 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #273: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:15:26 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #273: starting keying attempt 132 of an unlimited number
2017:09:06-10:15:26 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #274: initiating Main Mode to replace #273
2017:09:06-10:28:36 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #274: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:28:36 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #274: starting keying attempt 133 of an unlimited number
2017:09:06-10:28:36 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #275: initiating Main Mode to replace #274
2017:09:06-10:41:46 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #275: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:41:46 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #275: starting keying attempt 134 of an unlimited number
2017:09:06-10:41:46 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #276: initiating Main Mode to replace #275
2017:09:06-10:46:12 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: DPD: Received old or duplicate R_U_THERE
2017:09:06-10:54:56 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #276: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:54:56 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #276: starting keying attempt 135 of an unlimited number
2017:09:06-10:54:56 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #277: initiating Main Mode to replace #276
2017:09:06-11:04:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:08:06 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #277: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-11:08:06 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #277: starting keying attempt 136 of an unlimited number
2017:09:06-11:08:06 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #278: initiating Main Mode to replace #277
2017:09:06-11:08:49 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:08:54 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: received Delete SA payload: replace IPSEC State #241 in 10 seconds
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: received Delete SA payload: deleting ISAKMP State #240
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: responding to Main Mode
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: You should NOT use insecure IKE algorithms (DES_CBC)!
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: Dead Peer Detection (RFC 3706) enabled
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: sent MR3, ISAKMP SA established
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #280: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #280: responding to Quick Mode
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #280: IPsec SA established {ESP=>0xc535883d <0x2bba139e DPD}
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
2017:09:06-11:16:52 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: responding to Main Mode
2017:09:06-11:16:52 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: You should NOT use insecure IKE algorithms (DES_CBC)!
2017:09:06-11:16:52 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:09:06-11:16:58 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2017:09:06-11:16:58 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
2017:09:06-11:16:58 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: Dead Peer Detection (RFC 3706) enabled
2017:09:06-11:16:58 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: sent MR3, ISAKMP SA established
2017:09:06-11:16:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #282: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
2017:09:06-11:16:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #282: responding to Quick Mode
2017:09:06-11:16:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #282: IPsec SA established {ESP=>0xc535883e <0x40d4856a DPD}
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
2017:09:06-11:17:54 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: responding to Main Mode
2017:09:06-11:17:54 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: You should NOT use insecure IKE algorithms (DES_CBC)!
2017:09:06-11:18:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:09:06-11:18:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2017:09:06-11:18:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
2017:09:06-11:18:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: Dead Peer Detection (RFC 3706) enabled
2017:09:06-11:18:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: sent MR3, ISAKMP SA established
2017:09:06-11:18:10 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #284: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
2017:09:06-11:18:10 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #284: responding to Quick Mode
2017:09:06-11:18:14 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: DPD: Phase1 state #279 has been superseded by #283 - timeout ignored
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
2017:09:06-11:18:34 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: responding to Main Mode
2017:09:06-11:18:34 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: You should NOT use insecure IKE algorithms (DES_CBC)!
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: NAT-Traversal: Result using RFC 3947: no NAT detected
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: Dead Peer Detection (RFC 3706) enabled
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: sent MR3, ISAKMP SA established
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #286: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
2017:09:06-11:19:04 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #286: responding to Quick Mode
2017:09:06-11:19:05 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #286: IPsec SA established {ESP=>0xc5358840 <0x3e1488ce DPD}
2017:09:06-11:19:20 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #284: max number of retransmissions (2) reached STATE_QUICK_R1
2017:09:06-11:20:05 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #281: DPD: Phase1 state #281 has been superseded by #285 - timeout ignored
2017:09:06-11:20:52 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:20:53 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #283: DPD: Phase1 state #283 has been superseded by #285 - timeout ignored
2017:09:06-11:20:57 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:21:02 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: received Delete SA payload: replace IPSEC State #286 in 10 seconds
2017:09:06-11:21:02 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #285: received Delete SA payload: deleting ISAKMP State #285
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
2017:09:06-11:21:02 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #287: responding to Main Mode

 

=== Kernel Log of HO device===
2017:09:06-10:00:32 daedong_incheon kernel: [102729.025641] IPv4: host 192.168.9.9/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:01:43 daedong_incheon kernel: [102799.311237] IPv4: host 192.168.9.57/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:02:32 daedong_incheon kernel: [102849.140622] IPv4: host 192.168.9.9/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:04:50 daedong_incheon kernel: [102986.906117] IPv4: host 192.168.12.1/if10 ignores redirects for 192.168.1.218 to 192.168.1.218
2017:09:06-10:04:50 daedong_incheon kernel: [102986.907506] IPv4: host 192.168.1.218/if10 ignores redirects for 192.168.12.1 to 192.168.12.1
2017:09:06-10:05:12 daedong_incheon kernel: [103009.281442] IPv4: host 192.168.9.9/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:06:13 daedong_incheon kernel: [103069.786177] IPv4: host 192.168.9.57/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:06:59 daedong_incheon kernel: [103116.240866] IPv4: host 192.168.1.233/if10 ignores redirects for 192.168.9.20 to 192.168.9.20
2017:09:06-10:07:55 daedong_incheon kernel: [103172.218503] IPv4: host 192.168.9.8/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:08:20 daedong_incheon kernel: [103196.955129] IPv4: host 192.168.1.233/if10 ignores redirects for 192.168.12.35 to 192.168.12.35
2017:09:06-10:09:45 daedong_incheon kernel: [103281.548952] IPv4: host 192.168.12.1/if10 ignores redirects for 192.168.1.218 to 192.168.1.218
2017:09:06-10:09:45 daedong_incheon kernel: [103281.549717] IPv4: host 192.168.1.218/if10 ignores redirects for 192.168.12.1 to 192.168.12.1
2017:09:06-10:10:32 daedong_incheon kernel: [103329.518864] IPv4: host 192.168.9.9/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:13:14 daedong_incheon kernel: [103491.484779] IPv4: host 192.168.12.1/if10 ignores redirects for 192.168.1.218 to 192.168.1.218
2017:09:06-10:13:14 daedong_incheon kernel: [103491.485992] IPv4: host 192.168.1.218/if10 ignores redirects for 192.168.12.1 to 192.168.12.1
2017:09:06-10:16:04 daedong_incheon kernel: [103660.808236] IPv4: host 192.168.9.57/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:16:22 daedong_incheon kernel: [103679.677603] IPv4: host 192.168.1.233/if10 ignores redirects for 192.168.9.30 to 192.168.9.30
2017:09:06-10:17:21 daedong_incheon kernel: [103738.320984] IPv4: host 192.168.1.233/if10 ignores redirects for 192.168.9.23 to 192.168.9.23
2017:09:06-10:18:02 daedong_incheon kernel: [103779.117430] IPv4: host 192.168.9.17/if10 ignores redirects for 192.168.1.220 to 192.168.1.220
2017:09:06-10:18:08 daedong_incheon kernel: [103785.657113] IPv4: host 192.168.12.1/if10 ignores redirects for 192.168.1.218 to 192.168.1.218
2017:09:06-10:18:08 daedong_incheon kernel: [103785.658276] IPv4: host 192.168.1.218/if10 ignores redirects for 192.168.12.1 to 192.168.12.1
2017:09:06-10:18:32 daedong_incheon kernel: [103808.926316] IPv4: host 192.168.1.81/if10 ignores redirects for 10.10.86.85 to 192.168.1.251
2017:09:06-10:20:26 daedong_incheon kernel: [103923.833158] IPv4: host 192.168.9.50/if10 ignores redirects for 192.168.1.81 to 192.168.1.81
2017:09:06-10:20:28 daedong_incheon kernel: [103925.841796] IPv4: host 192.168.9.56/if10 ignores redirects for 192.168.1.81 to 192.168.1.81
2017:09:06-10:20:33 daedong_incheon kernel: [103930.051249] IPv4: host 192.168.9.55/if10 ignores redirects for 192.168.1.81 to 192.168.1.81


For note, the IPsec log of the BO device is very similar to the log of the HQ device, but the BO device has very few log entries.

It would be much appreciated if anyone could advise me.

Thanks,

  • Please show us pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy in both the BO and HO devices.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob, 

    Thanks for the reply.

    This is the current configuration for the IPsec Connection, Remote Gateway and IPsec Policy on both the HO and BO devices.

    HO: [screenshots: IPsec Connection, Remote Gateway, IPsec Policy]

    BO: [screenshots: IPsec Connection, Remote Gateway, IPsec Policy]

    The log below is generated repeatedly,
    and it was generated from the HO device when the client couldn't access the server via sslvpn.

    For note, S_REF_IpsSitChinavpn_0 from the log is a Fortigate device.

    === IPsec log, HO Device ==

    2017:09:11-18:37:31 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:37:36 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:37:38 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:38:53 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:38:58 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:39:03 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: received Delete SA payload: replace IPSEC State #61 in 10 seconds
    2017:09:11-18:39:03 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #60: received Delete SA payload: deleting ISAKMP State #60
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
    2017:09:11-18:39:03 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: responding to Main Mode
    2017:09:11-18:39:03 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: You should NOT use insecure IKE algorithms (DES_CBC)!
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: Dead Peer Detection (RFC 3706) enabled
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: sent MR3, ISAKMP SA established
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #63: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #63: responding to Quick Mode
    2017:09:11-18:39:04 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #63: IPsec SA established {ESP=>0xc5358c56 <0xb364c2ac DPD}
    2017:09:11-18:53:15 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:53:20 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:53:25 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: received Delete SA payload: replace IPSEC State #63 in 10 seconds
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #62: received Delete SA payload: deleting ISAKMP State #62
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: responding to Main Mode
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: You should NOT use insecure IKE algorithms (DES_CBC)!
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: Dead Peer Detection (RFC 3706) enabled
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: sent MR3, ISAKMP SA established
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #65: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #65: responding to Quick Mode
    2017:09:11-18:53:26 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #65: IPsec SA established {ESP=>0xc5358c57 <0xa092f8fb DPD}
    2017:09:11-18:55:13 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:55:18 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: DPD: Received old or duplicate R_U_THERE
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: received Delete SA payload: replace IPSEC State #65 in 10 seconds
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #64: received Delete SA payload: deleting ISAKMP State #64
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: received Vendor ID payload [Dead Peer Detection]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [FRAGMENTATION]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: packet from 218.92.194.218:500: ignoring Vendor ID payload [8299031757a36082c6a621de000500b3]
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: responding to Main Mode
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: You should NOT use insecure IKE algorithms (DES_CBC)!
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: Peer ID is ID_IPV4_ADDR: '218.92.194.218'
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: Dead Peer Detection (RFC 3706) enabled
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: sent MR3, ISAKMP SA established
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #67: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #67: responding to Quick Mode
    2017:09:11-18:55:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #67: IPsec SA established {ESP=>0xc5358c58 <0xa4314351 DPD}
    2017:09:11-19:03:18 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: DPD: Received old or duplicate R_U_THERE
    2017:09:11-19:03:23 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: DPD: Received old or duplicate R_U_THERE
    2017:09:11-19:03:28 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: received Delete SA payload: replace IPSEC State #67 in 10 seconds
    2017:09:11-19:03:28 daedong_incheon pluto[304]: "S_REF_IpsSitChinavpn_0" #66: received Delete SA payload: deleting ISAKMP State #66

  • In reply to YujinWon:

    Make sure that you have DPD selected on both sides and then make the change recommended in How to allow remote access users to reach another site via a Site-to-Site Tunnel.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob
    Thanks for the reply.

    I found that the log is related to DPD.


    But the weird thing is that the log regarding DPD was generated from the Fortigate device located in China.
    However, this network issue occurred on the Sophos devices located in Korea.
    (For note, the IPsec VPN has 5 BOs: 3 of them are Sophos, 2 of them are Fortigate.)
    This issue only occurred on the Sophos devices.

    Is it possible for a DPD issue on one of the BO devices to lead to a network issue for the other BO devices?
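
The pluto logs posted in this thread mix events from several tunnels, so it helps to group them by connection name before reading them. The following is an added example, not code from any poster or from Sophos: a Python summarizer run over lines copied from the HO log above. The function names, the finding labels and the `flap_seconds` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied verbatim from the HO pluto log posted in this thread.
SAMPLE_LOG = """\
2017:09:06-10:02:16 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #272: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:02:16 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #272: starting keying attempt 131 of an unlimited number
2017:09:06-10:15:26 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #273: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2017:09:06-10:15:26 daedong_incheon pluto[6059]: "S_REF_IpsSitPunteckvpn_0" #273: starting keying attempt 132 of an unlimited number
2017:09:06-10:46:12 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: DPD: Received old or duplicate R_U_THERE
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #240: received Delete SA payload: deleting ISAKMP State #240
2017:09:06-11:08:59 daedong_incheon pluto[6059]: packet from 218.92.194.218:500: received Vendor ID payload [RFC 3947]
2017:09:06-11:08:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #279: You should NOT use insecure IKE algorithms (DES_CBC)!
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #280: You should NOT use insecure ESP algorithms [DES_CBC (64)]!
2017:09:06-11:09:00 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #280: IPsec SA established {ESP=>0xc535883d <0x2bba139e DPD}
2017:09:06-11:16:59 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #282: IPsec SA established {ESP=>0xc535883e <0x40d4856a DPD}
2017:09:06-11:19:05 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #286: IPsec SA established {ESP=>0xc5358840 <0x3e1488ce DPD}
2017:09:06-11:19:20 daedong_incheon pluto[6059]: "S_REF_IpsSitChinavpn_0" #284: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# timestamp, host, pluto[pid], "connection" #state: message
LINE_RE = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$'
)
PATTERNS = {
    "phase1_no_response": re.compile(r"max number of retransmissions \(\d+\) reached STATE_MAIN_I1"),
    "phase2_no_response": re.compile(r"max number of retransmissions \(\d+\) reached STATE_QUICK_R1"),
    "dpd_duplicate": re.compile(r"DPD: Received old or duplicate R_U_THERE"),
    "peer_deleted_isakmp": re.compile(r"received Delete SA payload: deleting ISAKMP State"),
    "ipsec_sa_established": re.compile(r"IPsec SA established"),
}
WEAK_RE = re.compile(r"You should NOT use insecure (IKE|ESP) algorithms [\(\[]([A-Z0-9_]+)")
ATTEMPT_RE = re.compile(r"starting keying attempt (\d+) of")


def summarize(log_text):
    """Group pluto events by connection name; lines without one are skipped."""
    conns = defaultdict(lambda: {"counts": defaultdict(int), "weak": set(),
                                 "last_attempt": 0, "sa_times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "packet from <ip>:500: ..." lines carry no connection name
        ts, conn, _state, text = m.groups()
        entry = conns[conn]
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                entry["counts"][name] += 1
        if PATTERNS["ipsec_sa_established"].search(text):
            entry["sa_times"].append(datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"))
        weak = WEAK_RE.search(text)
        if weak:
            entry["weak"].add((weak.group(1), weak.group(2)))
        attempt = ATTEMPT_RE.search(text)
        if attempt:
            entry["last_attempt"] = max(entry["last_attempt"], int(attempt.group(1)))
    return conns


def findings(conns, flap_seconds=3600):
    """Label each connection. flap_seconds is an assumed threshold; compare it
    with the key lifetime configured in the IPsec policy."""
    result = {}
    for conn, entry in conns.items():
        labels = []
        counts = entry["counts"]
        if counts["phase1_no_response"] and not counts["ipsec_sa_established"]:
            labels.append("phase1_unanswered")  # peer never replied to Main Mode
        times = entry["sa_times"]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < flap_seconds:
            labels.append("rekey_churn")  # new IPsec SAs far sooner than the threshold
        if entry["weak"]:
            labels.append("weak_crypto")  # pluto itself warned about the proposal
        result[conn] = labels
    return result


if __name__ == "__main__":
    for conn, labels in findings(summarize(SAMPLE_LOG)).items():
        print(conn, labels)
```

On the excerpt, the retransmission failures belong to `S_REF_IpsSitPunteckvpn_0`, while the DPD messages, the repeated SA establishment and the DES_CBC warnings all belong to `S_REF_IpsSitChinavpn_0`.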