Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 2330 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site2Site VPN with IPSEC, both Sites are NATed

Christoph Klahn

Hi guys,

in our HQ there's a SG behind a FritzBox Router. In the FritzBox theres an Expose Host configured. At customer Site there's an SG behind a FritzBox. There's also an Expose Host configured.

HQ SG (Respond only):
LAN: 172.17.10.0
WAN: 10.10.0.2

HQ FritzBox:
LAN: 10.10.0.1
WAN: 217.70.195.127

INTERNET

Customer FritzBox:
LAN: 192.168.2.1
WAN: 87.140.61.79

Customer SG (Initiate):
LAN: 192.168.10.0
WAN: 192.168.2.2

At another customer without FritzBox it's possible to get a tunnel. But with two FritzBoxes it won't work.

Do you have any ideas, how I will get this work?

Greets
Christoph



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    You just need forwarding rules for UDP port 500 and 4500 on FritzBox router at each end. And then set up IPsec on UTM.

    Refer to the article below to configure a Site to Site IPsec tunnel.

    support.sophos.com/.../KB-000036832

  • 0 in reply to FormerMember

    Hi Yash,
    thanks for your reply. Above I mentioned, that I've forwarded all ports (Exposed Host) in the FritzBox. But this won't work.

    I will try NAT-T and give a feedback.

    Greets
    Christoph

  • 0 in reply to Christoph Klahn

    So, NAT-T was't it. Any further ideas's?

  • 0 in reply to Christoph Klahn

    Hallo Christoph,

    Let's take a look at the logs:

       1. Confirm that Debug is not enabled.
       2. Disable the IPsec Connection.
       3. Start the IPsec Live Log and wait for it to begin to populate.
       4. Enable the IPsec Connection.
       5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to Christoph Klahn

    Try to configure one location as "Listen" rather than "Connect".
    On some installations I've seen :
    With both locations on "Initiate" the connection looks for port 500 as SRC and DST. However, the Nat router changes the source port.
    Also found in the IPSec protocol.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to BAlfson

    Hi Bob,
    here's the Log from the Site which Initiate the connection:

    2021:04:08-18:26:57 utm pluto[13117]: added connection description "S_Site2Site klahn.net"
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: initiating Main Mode
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [strongSwan]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring Vendor ID payload [Cisco-Unity]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [XAUTH]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [Dead Peer Detection]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: received Vendor ID payload [RFC 3947]
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: enabling possible NAT-traversal with method 3
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: NAT-Traversal: Result using RFC 3947: both are NATed
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: Peer ID is ID_IPV4_ADDR: '10.10.0.2'
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: Dead Peer Detection (RFC 3706) enabled
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ISAKMP SA established
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#7}
    2021:04:08-18:26:57 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring informational payload, type INVALID_ID_INFORMATION
    2021:04:08-18:27:07 utm pluto[13117]: "S_Site2Site klahn.net" #7: ignoring informational payload, type INVALID_MESSAGE_ID
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #8: starting keying attempt 2 of an unlimited number
    2021:04:08-18:28:07 utm pluto[13117]: "S_Site2Site klahn.net" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #8 {using isakmp#7}
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #9: starting keying attempt 3 of an unlimited number
    2021:04:08-18:29:17 utm pluto[13117]: "S_Site2Site klahn.net" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #9 {using isakmp#7}
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: No response from peer - declaring peer dead
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: Restarting all connections of peer
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: DPD: Terminating all SAs using this connection
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #10: deleting state (STATE_QUICK_I1)
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #7: deleting state (STATE_MAIN_I4)
    2021:04:08-18:29:35 utm pluto[13117]: DPD: Restarting connection "S_Site2Site klahn.net"
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: initiating Main Mode
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [strongSwan]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring Vendor ID payload [Cisco-Unity]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [XAUTH]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [Dead Peer Detection]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: received Vendor ID payload [RFC 3947]
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: enabling possible NAT-traversal with method 3
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: NAT-Traversal: Result using RFC 3947: both are NATed
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: Peer ID is ID_IPV4_ADDR: '10.10.0.2'
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: Dead Peer Detection (RFC 3706) enabled
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ISAKMP SA established
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#11}
    2021:04:08-18:29:35 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_ID_INFORMATION
    2021:04:08-18:29:45 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_MESSAGE_ID
    2021:04:08-18:30:05 utm pluto[13117]: "S_Site2Site klahn.net" #11: ignoring informational payload, type INVALID_MESSAGE_ID
    and here's from the responder-site:

    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:46 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:48 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:49 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:51 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:53 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:54 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 185.93.28.129:4343: sending notification PAYLOAD_MALFORMED to 185.93.28.129:4343
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.184.69:3043: sending notification PAYLOAD_MALFORMED to 94.199.184.69:3043
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:55 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:56 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:57 utm pluto[6190]: packet from 76.97.241.42:3074: sending notification PAYLOAD_MALFORMED to 76.97.241.42:3074
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: not enough room in input packet for ISAKMP Message
    2021:04:08-18:35:59 utm pluto[6190]: packet from 94.199.187.77:3432: sending notification PAYLOAD_MALFORMED to 94.199.187.77:3432
  • 0 in reply to Christoph Klahn

    What MTU do you have on each Interface involved in the VPN, Christoph?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,
    on both External-Interfaces (Ethernet) of the SGs I have a MTU of 1500.

    Cheers
    Christoph

  • 0 in reply to Christoph Klahn

    What happens if you set the Interfaces' MTUs to 1450, Christoph? (This is just a guess on my part.)

    I just noticed that the initiator failed just after initiating Quick Mode, so I think the issue is with the VPN ID.  Please show us pictures of the Edit of the IPsec Connection and the 'Preshared Key Settings' on the 'Advanced' tab for both UTMs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    here're the screenshots from the HQ-Site:

    and here from the Branch-Site:

    Greets
    Christoph

  • 0 in reply to Christoph Klahn

    I'm not personally familiar with "exposed host" in the FritzBox, Christoph, so my guess here may be off.

    In the branch site, erase the VPN ID in the Remote Gateway put that IP in VPN ID for  'Preshared Key Settings'.  Glück gehabt?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Christoph Klahn

    I'm not personally familiar with "exposed host" in the FritzBox, Christoph, so my guess here may be off.

    In the branch site, erase the VPN ID in the Remote Gateway put that IP in VPN ID for  'Preshared Key Settings'.  Glück gehabt?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML