
VPN connection with IPsec is disrupted.

Hello,


There is the following problem. The customer had a well-running IPsec VPN connection via Sophos UTM 9 into our network.

Now a Telekom technician was on site at the customer's and carried out a changeover. Since then the VPN connection has been disrupted.

Can anyone tell me what needs to be changed in the settings so that the VPN connection can be re-established?


Best regards

Alex



  • Additional info: the new router is the Lancom 883

  • Hello Alex,

    First of all, a warm welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    First, let's look at your IPsec log:

    1. Disable debug logging if enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live log and wait for it to populate a few lines.
    4. Enable the IPsec Connection.
    5. Show us sixty lines from after you did step 4.

    When obfuscating IPs, do it like 82.x.y.91.

    Kind regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Does the logging have to be done on the customer's side?



  • Live log: IPsec VPN



    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface eth0/eth0 192.x.y.254

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface eth0/eth0 192.x.y.254

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface eth1/eth1 192.x.y.254

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface eth1/eth1 192.x.y.254

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface wlan0/wlan0 172.x.y.1

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface wlan0/wlan0 172.x.y.1

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface tun0/tun0 10.x.y.1

    2017:07:14-13:20:06 Kunde xxxxx[15310]: shutting down interface tun0/tun0 10.x.y.1

    2017:07:14-13:20:06 Kunde ipsec_starter[15304]: xxxxx stopped after 20 ms

    2017:07:14-13:20:06 Kunde ipsec_starter[15304]: ipsec starter stopped

    2017:07:14-13:20:56 Kunde ipsec_starter[19478]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...

    2017:07:14-13:20:56 Kunde xxxxx[19492]: Starting IKEv1 xxxxx daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve

    2017:07:14-13:20:56 Kunde xxxxx[19492]: including NAT-Traversal patch (Version 0.6c)

    2017:07:14-13:20:56 Kunde xxxxx[19492]: Using Linux 2.6 IPsec interface code

    2017:07:14-13:20:56 Kunde ipsec_starter[19485]: xxxxx (19492) started after 20 ms

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loading ca certificates from '/etc/ipsec.d/cacerts'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loading aa certificates from '/etc/ipsec.d/aacerts'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: Changing to directory '/etc/ipsec.d/crls'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loading attribute certificates from '/etc/ipsec.d/acerts'

    2017:07:14-13:20:56 Kunde xxxxx[19492]: listening for IKE messages

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface tun0/tun0 10.x.y.1:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface tun0/tun0 10.x.y.1:4500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface wlan0/wlan0 172.x.y.1:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface wlan0/wlan0 172.x.y.1:4500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface eth1/eth1 192.x.y.254:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface eth1/eth1 192.x.y.254:4500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface eth0/eth0 192.x.y.254:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface eth0/eth0 192.x.y.254:4500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface lo/lo 127.x.y.1:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface lo/lo 127.x.y.1:4500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: adding interface lo/lo ::y:500

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loading secrets from "/etc/ipsec.secrets"

    2017:07:14-13:20:56 Kunde xxxxx[19492]: loaded PSK secret for 192.x.y.254 212.x.y.242

    2017:07:14-13:20:56 Kunde xxxxx[19492]: added connection description "y"

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: initiating Main Mode

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: received Vendor ID payload [strongSwan]

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: ignoring Vendor ID payload [Cisco-Unity]

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: received Vendor ID payload [XAUTH]

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: received Vendor ID payload [Dead Peer Detection]

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: received Vendor ID payload [RFC 3947]

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: enabling possible NAT-traversal with method 3

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: NAT-Traversal: Result using RFC 3947: i am NATed

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: next payload type of ISAKMP Hash Payload has an unknown value: 63

    2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: malformed payload in packet

    2017:07:14-13:21:06 Kunde xxxxx[19492]: "y" #1: discarding duplicate packet; already STATE_MAIN_I3

    2017:07:14-13:21:06 Kunde xxxxx[19492]: "y" #1: byte 2 of ISAKMP Hash Payload must be zero, but is not

    2017:07:14-13:21:06 Kunde xxxxx[19492]: "y" #1: malformed payload in packet

    2017:07:14-13:21:26 Kunde xxxxx[19492]: "y" #1: next payload type of ISAKMP Hash Payload has an unknown value: 158

    2017:07:14-13:21:26 Kunde xxxxx[19492]: "y" #1: malformed payload in packet

    2017:07:14-13:21:26 Kunde xxxxx[19492]: "y" #1: discarding duplicate packet; already STATE_MAIN_I3

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #1: starting keying attempt 2 of an unlimited number

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: initiating Main Mode to replace #1

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: received Vendor ID payload [strongSwan]

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: ignoring Vendor ID payload [Cisco-Unity]

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: received Vendor ID payload [XAUTH]

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: received Vendor ID payload [Dead Peer Detection]

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: received Vendor ID payload [RFC 3947]

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: enabling possible NAT-traversal with method 3

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: NAT-Traversal: Result using RFC 3947: i am NATed

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: next payload type of ISAKMP Hash Payload has an unknown value: 203

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #2: malformed payload in packet

    2017:07:14-13:22:16 Kunde xxxxx[19492]: "y" #2: discarding duplicate packet; already STATE_MAIN_I3

    2017:07:14-13:22:16 Kunde xxxxx[19492]: "y" #2: next payload type of ISAKMP Hash Payload has an unknown value: 108

    2017:07:14-13:22:16 Kunde xxxxx[19492]: "y" #2: malformed payload in packet

    2017:07:14-13:22:36 Kunde xxxxx[19492]: "y" #2: next payload type of ISAKMP Hash Payload has an unknown value: 71

    2017:07:14-13:22:36 Kunde xxxxx[19492]: "y" #2: malformed payload in packet

    2017:07:14-13:22:36 Kunde xxxxx[19492]: "y" #2: discarding duplicate packet; already STATE_MAIN_I3

  • Ports 500 and 4500 were forwarded according to the instructions.

    https://www2.lancom.de/kb.nsf/1275/90B361580EDFA0FDC125801200378A66?OpenDocument

    Unfortunately without success.

  • I think the following tells us where the problem is (my bold):

    2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

    Usually, this means a mismatch of PSKs or that the other end is behind a NATting router. As the only thing that has changed is the Lancom, the problem must be there. If your prior ISP was delivering a public IP to your UTM's External interface and the Lancom gives you a private IP, then the Lancom needs to be bridged.

    If that's not the problem, then I wonder if the Lancom isn't forwarding IP Protocol 50 and IP Protocol 51 in addition to UDP 500 and UDP 4500.

    Kind regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
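    The reading Bob gives of the log above (stuck in STATE_MAIN_I3 after the first encrypted message, encrypted replies that do not parse, "i am NATed" now that the Lancom sits in front of the UTM) can be turned into a small checker for UTM IPsec live-log lines. This is an added example, not code from the thread or from Sophos; the sample lines are constructed in the format quoted above (daemon name kept obfuscated as xxxxx, connection name "y"), and the field names and cause texts are my own.

```python
import re

# Constructed sample in the UTM live-log format quoted in the thread
# (daemon name left obfuscated as "xxxxx", connection name "y").
SAMPLE_LOG = """\
2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: initiating Main Mode
2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: next payload type of ISAKMP Hash Payload has an unknown value: 63
2017:07:14-13:20:56 Kunde xxxxx[19492]: "y" #1: malformed payload in packet
2017:07:14-13:22:06 Kunde xxxxx[19492]: "y" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# <date>-<time> <host> <daemon>[<pid>]: "<conn>" #<isakmp-sa>: <message>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: '
                     r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")

def parse_line(line):
    """Split one per-connection log line into fields; None for daemon-level lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(log_text):
    """Collect per ISAKMP SA: NAT detection, malformed replies and where the SA got stuck."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings.setdefault((rec["conn"], int(rec["sa"])), {
            "nated": False, "malformed": 0, "stuck_state": None, "auth_failure": False})
        msg = rec["msg"]
        if msg.startswith("NAT-Traversal: Result") and msg.endswith("i am NATed"):
            f["nated"] = True            # our side sits behind a NAT device
        elif msg == "malformed payload in packet":
            f["malformed"] += 1          # peer's reply did not parse after decryption
        elif (m := RETRANS_RE.search(msg)):
            f["stuck_state"] = m.group(1)
            f["auth_failure"] = "Possible authentication failure" in msg
    return findings

def likely_causes(f):
    """Map the findings to the checks named in the thread: PSK, NAT, port forwarding."""
    causes = []
    if f["stuck_state"] == "STATE_MAIN_I3" and f["auth_failure"]:
        causes.append("no acceptable reply to the first encrypted Main Mode message: verify both peers use the same PSK")
    if f["stuck_state"] == "STATE_MAIN_I3" and f["malformed"]:
        causes.append("the peer's encrypted replies do not parse: the two sides are not deriving the same IKE keys, which is how a PSK mismatch looks from the initiator")
    if f["nated"]:
        causes.append("this UTM is behind NAT (the new router): bridge the router or forward UDP 500/4500 as the KB article describes, and check the remote peer still identifies this side correctly")
    return causes

if __name__ == "__main__":
    for (conn, sa), f in analyse(SAMPLE_LOG).items():
        print(f'"{conn}" #{sa}:', *likely_causes(f), sep="\n  ")
```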
  • Hello Alex,

    It would be nice if you had posted your solution here.
    Perhaps you'll get a notification email and still do so, even though we have already arrived in the second half of 2018.

    [:)]