Site2Site VPN with IPSEC, both Sites are NATed

Hi guys,

In our HQ there's an SG behind a FritzBox router. In the FritzBox there's an Exposed Host configured. At the customer site there's an SG behind a FritzBox. There's also an Exposed Host configured.

HQ SG (Respond only):
LAN: 172.17.10.0
WAN: 10.10.0.2

HQ FritzBox:
LAN: 10.10.0.1
WAN: 217.70.195.127

INTERNET

Customer FritzBox:
LAN: 192.168.2.1
WAN: 87.140.61.79

Customer SG (Initiate):
LAN: 192.168.10.0
WAN: 192.168.2.2

At another customer without a FritzBox it's possible to get a tunnel. But with two FritzBoxes it won't work.

Do you have any ideas how I can get this to work?

Greets
Christoph



Mention which SG initiates and which responds
[edited by: Christoph Klahn at 4:42 PM (GMT -7) on 8 Apr 2021]
  • Hi,

    Thank you for reaching out to Sophos Community.

    You just need forwarding rules for UDP ports 500 and 4500 on the FritzBox router at each end, and then set up IPsec on the UTM.

    Refer to the article below to configure a Site to Site IPsec tunnel.

    support.sophos.com/.../KB-000036832

    Thanks,
    Yash Kothari
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Hi Yash,
    thanks for your reply. Above I mentioned that I've forwarded all ports (Exposed Host) in the FritzBox, but this won't work.

    I will try NAT-T and give feedback.

    Greets
    Christoph

  • So, NAT-T wasn't it. Any further ideas?

  • Hello Christoph,

    Let's take a look at the logs:

       1. Confirm that Debug is not enabled.
       2. Disable the IPsec Connection.
       3. Start the IPsec Live Log and wait for it to begin to populate.
       4. Enable the IPsec Connection.
       5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Try configuring one location as "Listen" rather than "Connect".
    On some installations I've seen this:
    With both locations on "Initiate", the connection looks for port 500 as SRC and DST. However, the NAT router changes the source port.
    This is also found in the IPsec protocol.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.

  • Hi Bob,
    here's the log from the site which initiates the connection:

    2021:04:08-18:26:57 utm pluto[13117]: added connection description "S_Site2Site klahn.net"
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: initiating Main Mode
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [strongSwan]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring Vendor ID payload [Cisco-Unity]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [XAUTH]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [Dead Peer Detection]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [RFC 3947]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: enabling possible NAT-traversal with method 3
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: NAT-Traversal: Result using RFC 3947: both are NATed
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: Peer ID is ID_IPV4_ADDR: '10.10.0.2'
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: Dead Peer Detection (RFC 3706) enabled
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ISAKMP SA established
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#7}
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring informational payload, type INVALID_ID_INFORMATION
    2021:04:08-18:27:07 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring informational payload, type INVALID_MESSAGE_ID
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #8: starting keying attempt 2 of an unlimited number
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #8 {using isakmp#7}
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #9: starting keying attempt 3 of an unlimited number
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #9 {using isakmp#7}
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: No response from peer - declaring peer dead
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: Restarting all connections of peer
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: Terminating all SAs using this connection
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #10: deleting state (STATE_QUICK_I1)
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: deleting state (STATE_MAIN_I4)
    2021:04:08-18:29:35 utm pluto[13117]: DPD: Restarting connection "S_Site2Site klahn.net"
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: initiating Main Mode
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [strongSwan]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring Vendor ID payload [Cisco-Unity]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [XAUTH]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [Dead Peer Detection]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [RFC 3947]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: enabling possible NAT-traversal with method 3
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: NAT-Traversal: Result using RFC 3947: both are NATed
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: Peer ID is ID_IPV4_ADDR: '10.10.0.2'
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: Dead Peer Detection (RFC 3706) enabled
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ISAKMP SA established
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#11}
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_ID_INFORMATION
    2021:04:08-18:29:45 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_MESSAGE_ID
    2021:04:08-18:30:05 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_MESSAGE_ID
    And here's the log from the responder site:

    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
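The two excerpts above can be checked mechanically: on the initiator the ISAKMP (phase 1) SA comes up, NAT-T detects both sides as NATed, and every Quick Mode (phase 2) attempt is answered with INVALID_ID_INFORMATION and then times out; on the responder the only packets logged come from addresses other than the customer WAN 87.140.61.79. The following script is an added example, not part of the thread and not a Sophos tool; it assumes the log lines are fed in as plain text (the samples embedded here are abbreviated from the thread).

```python
import re
from collections import Counter

# Sample taken from the initiator log in the thread, cut down to the events the analysis keys on.
INITIATOR_LOG = """\
2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: NAT-Traversal: Result using RFC 3947: both are NATed
2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ISAKMP SA established
2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#7}
2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring informational payload, type INVALID_ID_INFORMATION
2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: No response from peer - declaring peer dead
"""

# Sample taken from the responder log in the thread (first few lines).
RESPONDER_LOG = """\
2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
"""

def analyse_initiator(log):
    """Classify a pluto initiator log: phase 1 result, phase 2 result, NAT detection."""
    events = {
        "nat_both": "both are NATed" in log,
        "phase1_ok": "ISAKMP SA established" in log,
        "invalid_id": "INVALID_ID_INFORMATION" in log,
        "qm_timeout": bool(re.search(r"max number of retransmissions .* STATE_QUICK_I1", log)),
        "dpd_dead": "declaring peer dead" in log,
    }
    if events["phase1_ok"] and (events["invalid_id"] or events["qm_timeout"]):
        # IKE SA is up, but the peer rejects the Quick Mode message (ID or proposal mismatch).
        events["diagnosis"] = "phase2_failed"
    elif not events["phase1_ok"]:
        events["diagnosis"] = "phase1_failed"
    else:
        events["diagnosis"] = "ok"
    return events

PKT = re.compile(r"packet from (\d+\.\d+\.\d+\.\d+):(\d+): (.*)")

def analyse_responder(log, expected_peer):
    """Check whether the expected peer's packets reach the responder at all; list other senders."""
    seen = Counter()
    malformed_from_peer = 0
    for m in PKT.finditer(log):
        src, _port, msg = m.groups()
        seen[src] += 1
        if src == expected_peer and "PAYLOAD_MALFORMED" in msg:
            malformed_from_peer += 1
    return {"peer_seen": expected_peer in seen,
            "malformed_from_peer": malformed_from_peer,
            "stray_sources": sorted(s for s in seen if s != expected_peer)}
```

Run against the excerpts, the initiator classifies as phase2_failed and the responder never sees 87.140.61.79, which separates "responder rejects phase 2" from "responder never receives phase 2" when reading the two sides together.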
  • What MTU do you have on each Interface involved in the VPN, Christoph?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA