
IPSec VPN Log

Hi,


I have multiple site-to-site IPsec VPNs between an ASG220 and Bintec routers.

All connections work fine but the log is filled with messages like these:

2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558946: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558946: starting keying attempt 973 of an unlimited number
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: initiating Main Mode to replace #3558946
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [some id]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [more id]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [jet another id]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: received Vendor ID payload [XAUTH]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: received Vendor ID payload [Dead Peer Detection]
2018:10:21-15:16:48 firewall_name pluto[6401]: "S_VPN_Name"[1] 126.74.24.27:48964 #3558965: enabling possible NAT-traversal with method RFC 3947

If I reset the connection, the log is silent for several hours.


Settings on the Sophos:

Answer only.

Remote network: 10.10.2.0/24

Local network: 10.10.0.0/16

PMTU on, automatic firewall-rules on


Settings on Bintec:

IKEv1

VPN-ID 10.10.2.1

Phase2:


Also:

Nat-t on

Availability-check: auto

PMTU on


Hope you can give me some insight into what the logs are trying to tell me.


Greetings
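
As an added example (not from the thread or from Sophos), a small Python parser for pluto lines of the shape quoted above: it counts how often each connection exhausts its retransmissions, in which IKE state that happens, and the highest keying-attempt counter seen, which separates a tunnel that is stuck in phase 1 from occasional packet loss. The sample lines are constructed in the thread's format with a documentation-range peer address.

```python
import re
from collections import defaultdict

# Shape of a pluto line as quoted in the thread:
# <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <ip>:<port> #<sa>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+):(?P<port>\d+) '
    r'#(?P<sa>\d+): (?P<msg>.*)$'
)
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of')

# Constructed sample: same message texts as the thread, documentation-range peer IP.
SAMPLE = [
    '2018:10:21-15:16:48 fw pluto[6401]: "S_VPN_Name"[1] 198.51.100.27:48964 #3558946: '
    'max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication '
    'failure: no acceptable response to our first encrypted message',
    '2018:10:21-15:16:48 fw pluto[6401]: "S_VPN_Name"[1] 198.51.100.27:48964 #3558946: '
    'starting keying attempt 973 of an unlimited number',
    '2018:10:21-15:16:48 fw pluto[6401]: "S_VPN_Name"[1] 198.51.100.27:48964 #3558965: '
    'initiating Main Mode to replace #3558946',
    '2018:10:21-15:16:48 fw pluto[6401]: "S_VPN_Name"[1] 198.51.100.27:48964 #3558965: '
    'received Vendor ID payload [Dead Peer Detection]',
    'some other daemon: line that is not from pluto',
]

def parse_line(line):
    """Return the fields of one pluto line, or None if it does not match the shape above."""
    m = PLUTO_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Per connection: retransmission failures, the IKE state they occurred in, the
    highest keying-attempt counter and the last peer address:port seen.
    Many failures in STATE_MAIN_I3 with a large attempt counter means phase 1 never
    completes (identity/PSK not accepted by the peer), not a transient drop."""
    summary = defaultdict(lambda: {"peer": None, "failures": 0,
                                   "states": defaultdict(int), "max_attempt": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line
        entry = summary[rec["conn"]]
        entry["peer"] = f'{rec["peer"]}:{rec["port"]}'
        if (m := RETRANS_RE.search(rec["msg"])):
            entry["failures"] += 1
            entry["states"][m.group(2)] += 1
        elif (m := ATTEMPT_RE.search(rec["msg"])):
            entry["max_attempt"] = max(entry["max_attempt"], int(m.group(1)))
    return {conn: {**v, "states": dict(v["states"])} for conn, v in summary.items()}
```

Feed it the full IPsec live log export instead of `SAMPLE` to see which tunnels flap and whether they stall before or after phase 1 authentication.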



  • Hallo René,

    Does "Availability-check: auto" mean that DPD is selected in the Bintec?  Do you have it enabled in your UTM?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hallo Balfson,

    Thanks for your reply.

    DPD is enabled in the UTM.

    In the Bintec it's not necessarily DPD which is selected:

    I have tried it with DPD selected though. No difference.

    I haven't mentioned yet: the Bintec is behind a NAT router.

  • I would definitely select DPD on the Bintec, René.

    Behind a NAT?  On the Site-to-Site Tunnel Status page, what's the VPN ID?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok, I changed the availability check accordingly.

    The VPN-ID for the Bintec VPNs is the public IP of the Bintec WAN (which is not static).

    I haven't paid much attention to the local ID type and value in the Bintec, since Sophos as a VPN responder has the remote VPN-ID set to "any".

    But since you asked, is this setting in the bintec still of importance?


  • "no acceptable response to our first encrypted message" often means that the other side has not "signed" the message with the IP we expect.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, got it. I will configure DynDNS for our home offices and check the live log over the weekend.

    Thanks for your help! I will report back the results.