
Problems with VPN tunnel after upgrade to 9.605-1

Hello everyone,

We had a problem today.

We have two SSL VPN tunnels that have been running for some months. Everything was okay.

Yesterday I installed the 9.605-1 update and we had problems with one tunnel.

After some testing, I have a solution now, but I wanted to ask which of the following two scenarios is the right/better one, and whether this new behaviour since the update is correct or not.

 

First, the old configuration of the VPN tunnel. If you look at the Site-to-Site VPN tab, it shows the following configuration:

SA: Our internal network = our external IP address of the firewall which we want to use <-> their external IP address <- their internal network

Then the configuration of the VPN ID, the IKE settings and ESP.

We still have one tunnel running with this configuration. But our second one doesn't want to connect. It shows the following message in the log:

ERROR: asynchronous network error report on eth1 for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

(the x.x.x.x is their external IP address)

 

Now I needed to change the local network for this VPN tunnel to the internal network address of our firewall.

So it looks this way now:

our internal network -> internal IP address of our firewall <-> their external IP address <- their internal network

Can you tell me what the right way is, and why the configuration worked with the old firmware but not anymore?

If I change the second tunnel to the configuration of the first one, so the internal IP address of our firewall and not the external IP address, it won't connect anymore.

Thank you!

Pat

  • Hallo Pat and welcome to the UTM Community!

    Please show us pictures of the Edits of the IPsec Connection and Remote Gateway for the tunnel that's not working.

    Also, configure that tunnel with the External IP, and do the following so that we can better see the cause of the problem:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy and paste here about 60 lines from enabling through the error.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA