
IPSec Site to Site VPN w/ Cisco RV325 - Tunnel Up, Can't Ping

Hello all,

I've successfully set up and connected a site to site VPN with a UTM 9 living in AWS and an RV325 in a remote office. This connection was working completely fine and randomly stopped working without any configuration changes, and I'm a bit stumped. Before this stoppage, I was able to ping both LANs from their opposing site without any issue and also remotely access servers on both ends. Configuration is as follows, with PSK:

 

AES-256 PFS

Compression off, not using strict policy.

IKE Settings: AES 256 / MD5 / Group 5: MODP 1536   Lifetime: 7800 seconds

IPsec Settings: AES 256 / MD5 / Group 5: MODP 1536   Lifetime: 3600 seconds

NAT-T: Enabled 

DPD: Enabled

Dump of the IPsec VPN Live Log upon enabling the connection:

2018:09:06-12:45:39 sophosutm pluto[17456]: "S_Tunnel" #1: deleting state (STATE_MAIN_I4)
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface lo/lo ::1
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface lo/lo 127.0.0.1
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface lo/lo 127.0.0.1
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface eth0/eth0 10.0.0.10
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface eth0/eth0 10.0.0.10
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface tun0/tun0 10.242.2.1
2018:09:06-12:45:39 sophosutm pluto[17456]: shutting down interface tun0/tun0 10.242.2.1
2018:09:06-12:45:39 sophosutm ipsec_starter[17446]: pluto stopped after 60 ms
2018:09:06-12:45:39 sophosutm ipsec_starter[17446]: ipsec starter stopped
2018:09:06-12:47:07 sophosutm ipsec_starter[18068]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2018:09:06-12:47:07 sophosutm pluto[18084]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2018:09:06-12:47:07 sophosutm ipsec_starter[18074]: pluto (18084) started after 20 ms
2018:09:06-12:47:07 sophosutm pluto[18084]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2018:09:06-12:47:07 sophosutm pluto[18084]: including NAT-Traversal patch (Version 0.6c)
2018:09:06-12:47:07 sophosutm pluto[18084]: Using Linux 2.6 IPsec interface code
2018:09:06-12:47:07 sophosutm pluto[18084]: loading ca certificates from '/etc/ipsec.d/cacerts'
2018:09:06-12:47:07 sophosutm pluto[18084]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2018:09:06-12:47:07 sophosutm pluto[18084]: loading aa certificates from '/etc/ipsec.d/aacerts'
2018:09:06-12:47:07 sophosutm pluto[18084]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2018:09:06-12:47:07 sophosutm pluto[18084]: Changing to directory '/etc/ipsec.d/crls'
2018:09:06-12:47:07 sophosutm pluto[18084]: loading attribute certificates from '/etc/ipsec.d/acerts'
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface tun0/tun0 10.242.2.1:500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface tun0/tun0 10.242.2.1:4500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface eth0/eth0 10.0.0.10:500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface eth0/eth0 10.0.0.10:4500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface lo/lo 127.0.0.1:500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface lo/lo 127.0.0.1:4500
2018:09:06-12:47:07 sophosutm pluto[18084]: adding interface lo/lo ::1:500
2018:09:06-12:47:07 sophosutm pluto[18084]: loading secrets from "/etc/ipsec.secrets"
2018:09:06-12:47:07 sophosutm pluto[18084]: loaded PSK secret for 10.0.0.10 XX.XX.XX.XX
2018:09:06-12:47:07 sophosutm pluto[18084]: listening for IKE messages
2018:09:06-12:47:07 sophosutm pluto[18084]: added connection description "S_Tunnel"
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: initiating Main Mode
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: received Vendor ID payload [Dead Peer Detection]
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: received Vendor ID payload [RFC 3947]
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: enabling possible NAT-traversal with method 3
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: Peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: Dead Peer Detection (RFC 3706) enabled
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #1: ISAKMP SA established
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2018:09:06-12:47:08 sophosutm pluto[18084]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Tunnel" address="10.0.0.10" local_net="10.0.0.0/23" remote_net="172.16.0.0/24"
2018:09:06-12:47:08 sophosutm pluto[18084]: "S_Tunnel" #2: sent QI2, IPsec SA established {ESP=>0xc3627950 <0x10a2c277 NATOA=0.0.0.0 DPD}
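
The log above shows both phases completing, so the usual next step is to confirm that the traffic you are testing actually falls inside the negotiated selectors before suspecting the tunnel. The following is an added example, not part of this thread or of Sophos UTM: a small Python parser for the UTM 9 / strongSwan 4.x pluto live-log format that pulls out phase 1 and phase 2 state, the ESP SPIs, the NAT-T hint and the local_net/remote_net selectors, then checks whether a given source/destination pair is covered. The log lines embedded in it are constructed with placeholder names and addresses.

```python
"""Summarise a strongSwan 4.x (UTM 9) pluto live log for an IKEv1 site-to-site tunnel.

Added example, not from the thread. For the "tunnel up, can't ping" case it answers:
did phase 1 and phase 2 really complete, what are the ESP SPIs, is this end NATed, and
does the src/dst pair being tested sit inside the negotiated traffic selectors at all.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the UTM 9 live-log format; names and IPs are placeholders.
SAMPLE_LOG = """\
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Example" #1: initiating Main Mode
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Example" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Example" #1: ISAKMP SA established
2018:09:06-12:47:07 sophosutm pluto[18084]: "S_Example" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2018:09:06-12:47:08 sophosutm pluto[18084]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Example" address="10.0.0.10" local_net="10.0.0.0/23" remote_net="172.16.0.0/24"
2018:09:06-12:47:08 sophosutm pluto[18084]: "S_Example" #2: sent QI2, IPsec SA established {ESP=>0xdeadbeef <0x0badf00d NATOA=0.0.0.0 DPD}
"""

# '"conn" #N: message' lines carry the per-SA state transitions.
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# The "Site-to-site VPN up" event line is a flat key="value" record.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Outbound/inbound ESP SPIs and the optional NAT-OA reported with the IPsec SA.
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<inn>0x[0-9a-f]+)(?: NATOA=(?P<natoa>[\d.]+))?')


@dataclass
class TunnelSummary:
    connection: Optional[str] = None
    isakmp_up: bool = False      # phase 1 (Main Mode) completed
    ipsec_up: bool = False       # phase 2 (Quick Mode) completed
    nated: bool = False          # pluto reported "i am NATed"
    spi_out: Optional[str] = None
    spi_in: Optional[str] = None
    natoa: Optional[str] = None
    local_net: Optional[str] = None
    remote_net: Optional[str] = None
    deleted: List[str] = field(default_factory=list)  # "deleting state" messages seen


def summarize(log_text: str) -> TunnelSummary:
    s = TunnelSummary()
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            s.connection = m.group("conn")
            msg = m.group("msg")
            if "ISAKMP SA established" in msg:
                s.isakmp_up = True
            elif "IPsec SA established" in msg:
                s.ipsec_up = True
                spi = SPI_RE.search(msg)
                if spi:
                    s.spi_out, s.spi_in, s.natoa = spi.group("out", "inn", "natoa")
            elif "i am NATed" in msg:
                s.nated = True
            elif msg.startswith("deleting state"):
                s.deleted.append(msg)
            continue
        if 'event="Site-to-site VPN up"' in line:
            kv = dict(KV_RE.findall(line))
            s.local_net = kv.get("local_net")
            s.remote_net = kv.get("remote_net")
    return s


def covered_by_selectors(s: TunnelSummary, src: str, dst: str) -> bool:
    """True if src/dst match local->remote or remote->local. Packets outside the
    selectors never enter the tunnel even though both SAs are up."""
    if not (s.local_net and s.remote_net):
        return False
    local = ipaddress.ip_network(s.local_net, strict=False)
    remote = ipaddress.ip_network(s.remote_net, strict=False)
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (a in local and b in remote) or (a in remote and b in local)


def diagnose(s: TunnelSummary) -> List[str]:
    """Next checks for the operator, ordered by which phase actually failed."""
    hints = []
    if not s.isakmp_up:
        hints.append("phase 1 never completed: compare IKE proposals (cipher/hash/DH group) and the PSK on both peers")
    elif not s.ipsec_up:
        hints.append("phase 2 never completed: compare IPsec proposals and the local/remote networks on both peers")
    else:
        hints.append("both SAs are up; verify the hosts you ping fall inside %s <-> %s and that firewall rules permit the traffic"
                     % (s.local_net, s.remote_net))
        hints.append("capture ESP for this connection (e.g. espdump) to see whether packets leave and whether replies return")
    if s.nated:
        hints.append("this end is behind NAT; confirm UDP/4500 is allowed so NAT-T encapsulated ESP gets through")
    return hints


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    for h in diagnose(summary):
        print("-", h)
```

Feed it the live log of your own connection in place of the constructed sample; if covered_by_selectors() is False for the pair you are pinging, the tunnel is not the problem, the selectors (or the interfaces the hosts sit behind) are.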

 



  • Hi Jim,

    have you checked that the policy is correct on both devices?

    I had the same problem and one side had another AES algorithm, e.g. AES 128 and AES 192 does not work, but the tunnel gets up in the second phase.

    The other thing you can do is an espdump.

    espdump -n --conn REF_abcxyz123

    To get the REF_abcxyz123 for you connection you have to do the following via ssh:

    cc
    ipsec
    connections@

    Best Regards
    DKKDG

  • Hey Jim - welcome to the UTM Community!

    Is ping the only test you tried?  Check out #2.3 in Rulz.

    A purely command line way to get that info, DKKDG, for a connection named VPN_MASINA is:

    cc get_object_by_name ipsec_connection site_to_site 'VPN_MASINA'|grep \'ref\'

    That should give you a result like  'ref' => 'REF_IpsSitVpn_Masina'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA