
Two IPsec VPN tunnels between two Sophos UTM 9

Hello community,

I have a problem creating two separate VPN tunnels between two Sophos UTM 9 appliances. Tunnel A already exists and works without problems.

When connecting Tunnel B there are no problems at first and the tunnel works. But after a certain time one of the two tunnels collapses.

Here are the two tunnels:

Tunnel A (already exists)

Site A:
GW: XXX.XXX.XXX.74
Internal network: 192.168.10.0/24

Site B:
GW: XXX.XXX.XXX.85
Internal network: 192.168.20.0/24

Tunnel B (to be added)

Site A:
GW: XXX.XXX.XXX.74
Internal network: 10.10.1.0/24

Site B:
GW: XXX.XXX.XXX.85
Internal network: 192.168.20.0/24

While going through the log files I noticed the following messages:

"Tunnel A" #96465: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf62d710c (perhaps this is a duplicated packet)

"Tunnel A" #96465: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.85:500

Can you help me understand why this problem occurs?

What exactly does the error message mean (unfortunately I haven't found anything useful about it)?

Are there perhaps limitations (only one IPsec connection between two gateways)?

Regards and thanks

Moritz



  • Hello Moritz,

    First of all, welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    Ster's prescription seems correct to me.

    If you want to figure out what was causing the problem, we'll need more information.

    • Pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy on both sides.
    • Disable the IPsec Connection on one side, disable Debug if it is enabled, start the IPsec Live Log, enable the IPsec Connection after the Live Log shows a few lines and then show us about 60 lines ending with the one about INVALID_MESSAGE_ID.

    INVALID_MESSAGE_ID can mean that site A is behind a NAT, but that's not the topology you described above.

    Kind regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    here are the log excerpts from when I activate the new tunnel (Tunnel B):

    2017:05:29-10:20:49 office pluto[9626]: added connection description "Tunnel B"
    2017:05:29-10:20:49 office pluto[9626]: "Tunnel B" #63: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#62}
    2017:05:29-10:20:49 office pluto[9626]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Tunnel B" address="XXX.XXX.XXX.74" local_net="10.10.1.0/24" remote_net="192.168.20.0/24"
    2017:05:29-10:20:50 office pluto[9626]: "Tunnel B" #63: sent QI2, IPsec SA established {ESP=>0x247c78e1 <0xf2b7912b DPD}
    2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x82c0a404 (perhaps this is a duplicated packet)
    2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.85:500

    2017:05:29-10:21:38 office pluto[9626]: "Tunnel B" #64: responding to Quick Mode
    2017:05:29-10:21:38 office pluto[9626]: "Tunnel B" #64: IPsec SA established {ESP=>0x9967759b <0x92bccb3b DPD}

     

    After an indeterminate time I then get various messages, until the connection finally collapses:

    2017:05:29-11:06:53 office pluto[9626]: "Tunnel A" #87: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #56 {using isakmp#62}
    2017:05:29-11:06:53 office pluto[9626]: "Tunnel A" #87: sent QI2, IPsec SA established {ESP=>0xcb900fa9 <0x859220cf DPD}

    2017:05:29-11:08:02 office pluto[9626]: "Tunnel B" #88: responding to Quick Mode
    2017:05:29-11:08:02 office pluto[9626]: "Tunnel B" #88: IPsec SA established {ESP=>0x33894f65 <0xfd07f048 DPD}

    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: responding to Main Mode
    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: next payload type of ISAKMP Identification Payload has an unknown value: 251
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: sending encrypted notification PAYLOAD_MALFORMED to XXX.XXX.XXX.85:500

    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #123: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #123: starting keying attempt 5 of an unlimited number
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: initiating Main Mode to replace #123
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [strongSwan]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: ignoring Vendor ID payload [Cisco-Unity]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [XAUTH]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [Dead Peer Detection]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: received Vendor ID payload [RFC 3947]
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: enabling possible NAT-traversal with method 3
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: next payload type of ISAKMP Hash Payload has an unknown value: 40
    2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: malformed payload in packet

    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: next payload type of ISAKMP Identification Payload has an unknown value: 251
    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
    2017:05:29-12:17:55 office pluto[9626]: "Tunnel B" #124: sending encrypted notification PAYLOAD_MALFORMED to XXX.XXX.XXX.85:500

    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: next payload type of ISAKMP Hash Payload has an unknown value: 102
    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: malformed payload in packet
    2017:05:29-12:18:01 office pluto[9626]: "Tunnel A" #125: discarding duplicate packet; already STATE_MAIN_I3

    2017:05:29-12:18:55 office pluto[9626]: "Tunnel B" #124: max number of retransmissions (2) reached STATE_MAIN_R2

    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #153: deleting state (STATE_MAIN_R2)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #151: deleting state (STATE_MAIN_R2)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel B" #112: deleting state (STATE_QUICK_R2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel B" address="XXX.XXX.XXX.74" local_net="10.10.1.0/24" remote_net="192.168.20.0/24"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel B"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #152: deleting state (STATE_MAIN_I3)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #110: deleting state (STATE_QUICK_I2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel A" address="XXX.XXX.XXX.74" local_net="192.168.10.0/24" remote_net="192.168.20.0/24"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel A"
    2017:05:29-12:28:08 office pluto[9626]: updown: /sbin/ip -4 route del 192.168.20.0/24 dev eth1 src 192.168.10.1 proto ipsec metric 0 failed with status 2:
    2017:05:29-12:28:08 office pluto[9626]: updown: RTNETLINK answers: No such process
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #150: deleting state (STATE_MAIN_I3)
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #109: deleting state (STATE_QUICK_I2)
    2017:05:29-12:28:08 office pluto[9626]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="Tunnel A" address="XXX.XXX.XXX.74" local_net="192.168.10.0/24" remote_net="192.168.20.31/32"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel A"
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Terminating all SAs using this connection
    2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: deleting state (STATE_QUICK_I2)

    What puzzles me is that the tunnel works for a while without problems and then drops after an indeterminate time.

    Here are 5 more pictures of the IPsec Connection, the Remote Gateways and the IPsec Policy.

    Do you need any further info?

    @Ster: If there is no solution, I will probably have to do it that way.

    Thanks and regards

    Moritz
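
The log excerpt above carries several indicators that can be correlated mechanically: Tunnel B's Quick Mode rides on the same ISAKMP SA as Tunnel A ("{using isakmp#62}" appears for both), pluto warns that several ipsec.secrets entries with distinct secrets match the same endpoint pair, Main Mode for Tunnel B later fails with a suspected pre-shared-key mismatch, and DPD on Tunnel A tears Tunnel B down with it. The following script is an added example (not Sophos UTM or strongSwan code) that parses pluto lines of this shape and reports those indicators. SAMPLE_LOG is constructed from lines quoted in the post; the function and field names (parse, analyze, report, shared_isakmp, secrets_ambiguous and so on) are this example's own.

```python
"""Correlate pluto (the IKEv1 daemon behind Sophos UTM 9's IPsec) log lines to
flag two connections to the same peer that collide on identity and PSK.
Added example, not UTM or strongSwan code; SAMPLE_LOG is constructed from
lines quoted in the thread, and all names below are this example's own."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2017:05:29-10:20:49 office pluto[9626]: "Tunnel B" #63: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#62}
2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x82c0a404 (perhaps this is a duplicated packet)
2017:05:29-10:20:58 office pluto[9626]: "Tunnel A" #62: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.85:500
2017:05:29-11:06:53 office pluto[9626]: "Tunnel A" #87: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #56 {using isakmp#62}
2017:05:29-12:17:44 office pluto[9626]: "Tunnel B" #124: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
2017:05:29-12:17:45 office pluto[9626]: "Tunnel B" #124: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2017:05:29-12:17:51 office pluto[9626]: "Tunnel A" #125: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
2017:05:29-12:28:08 office pluto[9626]: "Tunnel A" #106: DPD: Restarting connection "Tunnel B"
"""

# Shape of a state-tagged pluto line: <ts> <host> pluto[<pid>]: "<conn>" #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ISAKMP_RE = re.compile(r'\{using isakmp#(?P<sa>\d+)\}')
DPD_RESTART_RE = re.compile(r'DPD: Restarting connection "(?P<other>[^"]+)"')


def parse(log_text):
    """One dict per state-tagged line; untagged lines (e.g. the id="2203" events) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def analyze(log_text):
    """Collect the indicators, keyed by connection name."""
    isakmp_users = defaultdict(set)  # ISAKMP SA number -> connections whose Quick Mode rides on it
    flags = {"secrets_ambiguous": set(), "invalid_message_id": set(),
             "psk_mismatch": set(), "dpd_cross_restart": set()}
    for e in parse(log_text):
        conn, msg = e["conn"], e["msg"]
        m = ISAKMP_RE.search(msg)
        if m:
            isakmp_users[m.group("sa")].add(conn)
        if "multiple ipsec.secrets entries with distinct secrets" in msg:
            flags["secrets_ambiguous"].add(conn)
        if "INVALID_MESSAGE_ID" in msg:
            flags["invalid_message_id"].add(conn)
        if "mismatch of preshared secrets" in msg:
            flags["psk_mismatch"].add(conn)
        m = DPD_RESTART_RE.search(msg)
        if m and m.group("other") != conn:  # DPD on one connection restarting another one
            flags["dpd_cross_restart"].add((conn, m.group("other")))
    shared = {sa: sorted(c) for sa, c in isakmp_users.items() if len(c) > 1}
    return {"shared_isakmp": shared, **{k: sorted(v) for k, v in flags.items()}}


def report(log_text):
    """Findings as plain strings, one per indicator that fired."""
    r = analyze(log_text)
    out = [f"ISAKMP SA #{sa} is shared by {conns}: both connections are negotiated under the same peer identities"
           for sa, conns in r["shared_isakmp"].items()]
    if r["secrets_ambiguous"]:
        out.append(f"PSK selection ambiguous on {r['secrets_ambiguous']}: several secrets match the same endpoint pair, first used")
    if r["psk_mismatch"]:
        out.append(f"Authentication failed with suspected PSK mismatch on {r['psk_mismatch']}")
    if r["invalid_message_id"]:
        out.append(f"INVALID_MESSAGE_ID sent on {r['invalid_message_id']}: Quick Mode reused a Message ID on that ISAKMP SA")
    out += [f"DPD on {conn!r} restarted {other!r}: the connections are torn down together"
            for conn, other in r["dpd_cross_restart"]]
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it over a saved IPsec Live Log; a shared_isakmp entry together with the secrets warning is the pattern to look for before comparing the pre-shared keys and IDs of both connections on both sides.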

  • The one thing I see, Moritz, is the other reason (besides being behind a NAT as mentioned above) that establishing an IPsec SA fails at that point - "(mismatch of preshared secrets?)." I'm not sure why it works initially.

    Do you have 'Enable probing of preshared keys' selected on the 'Advanced' tab of 'IPsec'?

    Kind regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    I had the same problem, though with a UTM in combination with a Fritz!Box 7390. As soon as I switched on the second tunnel, the other one collapsed. I was able to solve it by specifying different VPN IDs per tunnel in the Fritz!Box VPN configuration.

    I suspect that, since these are two tunnels with otherwise identical settings, it needs an identifier to be able to tell which networks and negotiated settings belong to which tunnel.

    In the UTM, as far as I can tell, I can only specify one VPN ID. So I suspect that you can only set up one tunnel between two UTMs.

    Regards

    Jas
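
Jas's observation (distinct VPN IDs per tunnel) and the pluto warning quoted in the log above ("multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used") fit together: an IKEv1 gateway selects the pre-shared key by the pair of identities, and when two connections between the same two gateway addresses are both identified by those addresses, every entry matches and the first one is used. The following added example (not UTM or strongSwan code) models that selection and a Main Mode PSK authentication between Site A and Site B, first with both tunnels keyed on the gateway addresses and then with a distinct ID per tunnel. Everything in it is constructed: the Gateway and SecretEntry classes, select_psk, main_mode and auth_hash, the "@siteA-tunnelA"-style IDs and the PSK values. The "first matching entry wins" rule mirrors the log line; the order of entries on each side is an assumption, and the hash is a stand-in for the real SKEYID/HASH_I derivation.

```python
"""Simplified model of IKEv1 Main Mode PSK authentication between two gateways
that share two tunnels, showing why keying both tunnels on the gateway IP
addresses alone is ambiguous and why a distinct identity per tunnel (the
"VPN ID" in the thread) removes the ambiguity. Added example; neither Sophos
UTM nor strongSwan code. The "first matching entry wins" rule mirrors the
pluto log line in the thread; the entry ordering per side and the hash
construction are assumptions standing in for the real implementation."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecretEntry:
    selectors: frozenset  # identities the entry is indexed by: IP addresses or "@name" IDs
    psk: bytes


@dataclass
class Gateway:
    addr: str
    secrets: tuple  # ordered, like the lines of a secrets file

    def select_psk(self, local_id, peer_id):
        """Return (psk, ambiguous). Every entry indexed by both identities matches;
        if the matches carry different secrets the first one is used, as pluto logs."""
        matches = [e for e in self.secrets if local_id in e.selectors and peer_id in e.selectors]
        if not matches:
            return None, False
        ambiguous = len({e.psk for e in matches}) > 1
        return matches[0].psk, ambiguous


def auth_hash(psk, initiator_id, responder_id, nonce_i, nonce_r):
    """Stand-in for SKEYID = prf(PSK, Ni | Nr) and the HASH over the identities (assumption)."""
    skeyid = hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()
    return hmac.new(skeyid, initiator_id.encode() + responder_id.encode(), hashlib.sha256).digest()


def main_mode(initiator, responder, initiator_id, responder_id, nonce_i=b"Ni", nonce_r=b"Nr"):
    """Each side picks a PSK for the identity pair and the initiator proves it with a hash.
    Returns (authenticated, initiator_ambiguous, responder_ambiguous)."""
    psk_i, amb_i = initiator.select_psk(initiator_id, responder_id)
    psk_r, amb_r = responder.select_psk(responder_id, initiator_id)
    if psk_i is None or psk_r is None:
        return False, amb_i, amb_r
    hash_i = auth_hash(psk_i, initiator_id, responder_id, nonce_i, nonce_r)
    expected = auth_hash(psk_r, initiator_id, responder_id, nonce_i, nonce_r)
    return hmac.compare_digest(hash_i, expected), amb_i, amb_r


A, B = "XXX.XXX.XXX.74", "XXX.XXX.XXX.85"  # gateway addresses as given in the thread
PSK_A, PSK_B = b"tunnel-a-secret", b"tunnel-b-secret"  # constructed values


def scenario_ip_keyed():
    """Both tunnels indexed only by the gateway addresses; Site B happens to list Tunnel B first."""
    site_a = Gateway(A, (SecretEntry(frozenset({A, B}), PSK_A), SecretEntry(frozenset({A, B}), PSK_B)))
    site_b = Gateway(B, (SecretEntry(frozenset({A, B}), PSK_B), SecretEntry(frozenset({A, B}), PSK_A)))
    return main_mode(site_a, site_b, A, B)


def scenario_id_keyed():
    """Each tunnel indexed by its own pair of IDs, which is what distinct VPN IDs give you."""
    ids_a = ("@siteA-tunnelA", "@siteB-tunnelA")
    ids_b = ("@siteA-tunnelB", "@siteB-tunnelB")
    entries = (SecretEntry(frozenset(ids_a), PSK_A), SecretEntry(frozenset(ids_b), PSK_B))
    site_a, site_b = Gateway(A, entries), Gateway(B, entries[::-1])  # order differs, no effect now
    return main_mode(site_a, site_b, *ids_b), main_mode(site_a, site_b, *ids_a)


if __name__ == "__main__":
    print("IP-keyed tunnels:", scenario_ip_keyed())
    print("ID-keyed tunnels:", scenario_id_keyed())
```

In the IP-keyed scenario both sides report the ambiguity and, because each side lists a different tunnel first, the authentication hashes do not verify; with one ID pair per tunnel the lookup is exact on both sides whatever the order of the entries, so each tunnel authenticates with its own key.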

  • Hi Bob,

    It is not enabled on either side.

    Thanks for your reply, I'll test that right away. The VPN ID can be assigned manually. It would of course be nice if that is the solution to the problem.

    Regards and thanks

    Moritz