
Remote Access with IPsec VPN won't work without split tunnel or with two networks in split tunnel

Hey there,

I have the following problem. We have most of our servers in the network 172.17.0.0/16, but one server which has to be reachable over the VPN tunnel is in the 172.18.0.0/16 network. So I looked at the configuration of the VPN client and I can see that 172.17.0.0/16 is configured as the split tunnel network. As far as I understand it, only the traffic for this network will be routed over the VPN tunnel.

So I first tried to add the 172.18.0.0 network. The tunnel is established, but when I try to connect to the 172.18.XX.XX server I get these errors:

18.08.2017 14:04:36 - IpsDial: creating_more_networks: srcadr=5.145.145.112,srcmsk=255.255.255.255,dstnet=172.18.0.0,dstmsk=255.255.0.0
18.08.2017 14:04:37 - IkeQuick: XMIT_MSG1_QUICK - REF_XXXX
18.08.2017 14:04:37 - Ike: NOTIFY : REF_XXXXe : RECEIVED : INVALID_ID_INFORMATION : 18
18.08.2017 14:04:39 - IpsDial: creating_more_networks already in progress
18.08.2017 14:04:42 - Ike: NOTIFY : REF_XXXXWe : RECEIVED : INVALID_MESSAGE_ID : 9
18.08.2017 14:04:45 - IpsDial: creating_more_networks already in progress
18.08.2017 14:04:48 - Ike: NOTIFY : REF_XXXXWe : RECEIVED : INVALID_MESSAGE_ID : 9
18.08.2017 14:04:54 - Ike: NOTIFY : REF_XXXXe : RECEIVED : INVALID_MESSAGE_ID : 9
18.08.2017 14:05:00 - IkeQuick: phase2:name(REF_XXXXWe) - error - retry timeout - max retries
18.08.2017 14:05:00 - IpsDial: From Ikemgr - Remote is denied request for an IPSec SA, AdapterIndex=204
18.08.2017 14:05:00 - IpsDial: resetting connect pending for idx=29


In the UTM log file I see:

2017:08:18-14:04:36 XXX[11656]: "D_REF_XXX_TvlpYAZDet-2"[12] 172.17.60.88:10952 #10301: cannot respond to IPsec SA request because no connection is known for 172.18.0.0/16===XXX.XXX.XXX.XXX[XXX]...172.17.60.88:10952[XXX@XXX.XX]==={5.145.145.112/32}


When I try not configuring a split tunnel network at all, it won't connect:

18.08.2017 14:12:55 - IkeQuick: phase2:name(REF_XXXXe) - error - cleared by phase1
18.08.2017 14:12:55 - ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - REF_XXXXe.
18.08.2017 14:12:55 - IpsDial: From Ikemgr - Remote is denied request for an IPSec SA, AdapterIndex=204
18.08.2017 14:12:55 - IPSec: Disconnected from REF_XXXXe on channel 1.
18.08.2017 14:12:55 - FW: Deleting pathfinder rules
18.08.2017 14:12:55 - FW: Deleting pathfinder rules
18.08.2017 14:12:55 - FW: Deleting pathfinder rules
18.08.2017 14:12:55 - FW: Deleting pathfinder rules


In the UTM log it says:

2017:08:18-14:12:35 XXX-1 XXX[11656]: "D_REF_fjDXXXXet-2"[13] 172.17.60.88:10952 #10366: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===XXX.XXX.XXX.XXX[XXX]...172.17.60.88:10952[XXX@XXX.de]==={5.145.145.112/32}


Any idea what could be wrong?

Greetings

Bernd



  • Seems you did not change both sides for the two networks. Change the UTM config first, then the config of the IPsec client.

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Indeed, the remote network was defined as 172.18.0.0/22 and not 172.18.0.0/16 in the UTM, so when I use the same network in the client as the split tunnel network, the server can be reached over the tunnel.

    THX !
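The thread's root cause is a traffic-selector mismatch: the client proposed 172.18.0.0/16 (and later 0.0.0.0/0) in phase 2, while the UTM only had a connection for 172.18.0.0/22, so the gateway answered "no connection is known for ...". The script below is an added example written for this page, not code from the thread, from Sophos, or from the VPN client vendor. It parses UTM rejection lines of the form quoted above, extracts the network the client asked for, and checks it against the list of remote networks you believe are configured on the gateway. The two log lines, the daemon name `daemon[11656]`, the gateway address 203.0.113.1 and the user ID `user@example.com` are constructed placeholders; `CONFIGURED_REMOTE_NETWORKS` is an assumed input you would fill from the UTM's remote-access profile.

```python
#!/usr/bin/env python3
"""Diagnose 'no connection is known for' IPsec rejections against the gateway's configured networks.

Added example for this thread; the log lines below are constructed, not real captures.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed lines modelled on the UTM messages quoted in the thread.
# Daemon name, gateway address and user ID are placeholders.
SAMPLE_UTM_LOG = """\
2017:08:18-14:04:36 utm daemon[11656]: "D_REF_xxx-2"[12] 172.17.60.88:10952 #10301: cannot respond to IPsec SA request because no connection is known for 172.18.0.0/16===203.0.113.1[203.0.113.1]...172.17.60.88:10952[user@example.com]==={5.145.145.112/32}
2017:08:18-14:12:35 utm daemon[11656]: "D_REF_xxx-2"[13] 172.17.60.88:10952 #10366: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===203.0.113.1[203.0.113.1]...172.17.60.88:10952[user@example.com]==={5.145.145.112/32}
"""

# Assumed gateway-side configuration: the remote networks the UTM actually offers.
# In the thread the second entry was a /22, not the /16 the client proposed.
CONFIGURED_REMOTE_NETWORKS = ["172.17.0.0/16", "172.18.0.0/22"]

# Layout of the rejection: ... known for <LEFT_NET>===<gw>[id]...<client>[id]==={<RIGHT_NET>}
REJECT_RE = re.compile(
    r"cannot respond to IPsec SA request because no connection is known for "
    r"(?P<left>[0-9a-fA-F:.]+/\d+)===.*?===\{(?P<right>[0-9a-fA-F:.]+/\d+)\}"
)


def parse_rejections(log_text: str) -> List[Tuple[str, str]]:
    """Return (gateway_side_net, client_side_net) for every rejection line in the log."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            found.append((m.group("left"), m.group("right")))
    return found


def covering_network(requested: str, configured: List[str]) -> Optional[str]:
    """Return the first configured network that equals or contains `requested`, else None."""
    req = ipaddress.ip_network(requested, strict=False)
    for cfg in configured:
        net = ipaddress.ip_network(cfg, strict=False)
        if req.version == net.version and req.subnet_of(net):
            return str(net)
    return None


def diagnose(log_text: str, configured: List[str]) -> List[Dict[str, object]]:
    """Pair each rejected proposal with the configured network that would cover it.

    `covered_by` is None when the client asked for something the gateway does not
    offer at all (the /16 and 0.0.0.0/0 cases in the thread). `exact` is True only
    when the proposal matches a configured network prefix-for-prefix, which is what
    a responder expects to see from a split-tunnel client after the fix.
    """
    report = []
    for left, right in parse_rejections(log_text):
        cover = covering_network(left, configured)
        report.append({
            "requested": left,
            "client": right,
            "covered_by": cover,
            "exact": cover == str(ipaddress.ip_network(left, strict=False)),
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_UTM_LOG, CONFIGURED_REMOTE_NETWORKS):
        status = "OK" if entry["exact"] else ("narrower than" if entry["covered_by"] else "NOT offered")
        print(f"client {entry['client']} asked for {entry['requested']}: {status} {entry['covered_by'] or ''}".rstrip())
```

Run it against your own UTM log and the remote-network list from the profile; any `covered_by: None` row is a selector the gateway never had, and a row that is covered but not `exact` tells you the client is using a different prefix length than the gateway, which is exactly the /16 versus /22 discrepancy zaphod pointed at. Fix the gateway side first, then copy the identical prefix into the client's split-tunnel list.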