
Site-to-site VPN tunnel between Sophos UTM9 and Lancom 1781EW does not work

Hello,

I am trying in vain to set up a VPN tunnel between a Sophos UTM9 and a Lancom 1781EW. I tried it with this guide http://www.utmfaq.de/sophos-utm-astaro/site-to-site-vpn/site-to-site-vpn.html but without success.

Here is an excerpt of the log:

2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | *received 40 bytes from x.x.x.x:500 on eth7.101
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | **parse ISAKMP Message:
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | initiator cookie:
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | responder cookie:
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | ff 9e 20 af b4 3e 2f fe
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_N
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | ISAKMP version: ISAKMP Version 1.0
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | exchange type: ISAKMP_XCHG_INFO
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | flags: none
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | message ID: 00 00 00 00
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | length: 40
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | ICOOKIE: a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | RCOOKIE: ff 9e 20 af b4 3e 2f fe
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | peer: 50 93 49 44
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | state hash entry 19
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | state object not found
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | ***parse ISAKMP Notification Payload:
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_NONE
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | length: 12
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | DOI: ISAKMP_DOI_IPSEC
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | protocol ID: 1
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | SPI size: 0
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | info:
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 6 seconds
2017:10:06-08:14:18 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:14:18 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:14:18 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 34 seconds
2017:10:06-08:14:18 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:14:18 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 15 seconds
2017:10:06-08:14:33 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:14:33 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:14:33 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 19 seconds
2017:10:06-08:14:33 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:14:33 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 15 seconds
2017:10:06-08:14:48 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:14:48 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:14:48 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 4 seconds
2017:10:06-08:14:48 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:14:48 sanomed_bs-2 pluto[20894]: | next event EVENT_RETRANSMIT in 4 seconds for #2
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | event after this is EVENT_SA_SYNC_UPDATE in 11 seconds
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | handling event EVENT_RETRANSMIT for x.x.x.x "xxxxx" #2
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 11 seconds
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | *received 40 bytes from x.x.x.x:500 on eth7.101
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | **parse ISAKMP Message:
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | initiator cookie:
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | responder cookie:
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | d2 2c 0a 6f 55 31 9d c3
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_N
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | ISAKMP version: ISAKMP Version 1.0
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | exchange type: ISAKMP_XCHG_INFO
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | flags: none
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | message ID: 00 00 00 00
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | length: 40
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | ICOOKIE: a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | RCOOKIE: d2 2c 0a 6f 55 31 9d c3
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | peer: 50 93 49 44
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | state hash entry 29
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | state object not found
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | ***parse ISAKMP Notification Payload:
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_NONE
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | length: 12
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | DOI: ISAKMP_DOI_IPSEC
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | protocol ID: 1
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | SPI size: 0
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | info:
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 11 seconds
2017:10:06-08:15:03 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:15:03 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:15:03 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 29 seconds
2017:10:06-08:15:03 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:15:03 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 15 seconds
2017:10:06-08:15:18 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:15:18 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:15:18 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 14 seconds
2017:10:06-08:15:18 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:15:18 sanomed_bs-2 pluto[20894]: | next event EVENT_RETRANSMIT in 14 seconds for #2
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | event after this is EVENT_SA_SYNC_UPDATE in 1 seconds
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | handling event EVENT_RETRANSMIT for x.x.x.x "xxxxxx" #2
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 1 seconds
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | *received 40 bytes from x.x.x.x:500 on eth7.101
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | **parse ISAKMP Message:
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | initiator cookie:
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | responder cookie:
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | 2f ff 11 1e b9 dc ff db
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_N
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | ISAKMP version: ISAKMP Version 1.0
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | exchange type: ISAKMP_XCHG_INFO
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | flags: none
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | message ID: 00 00 00 00
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | length: 40
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | ICOOKIE: a2 d5 6c 61 7b 1e dc 99
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | RCOOKIE: 2f ff 11 1e b9 dc ff db
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | peer: 50 93 49 44
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | state hash entry 8
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | state object not found
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | ***parse ISAKMP Notification Payload:
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | next payload type: ISAKMP_NEXT_NONE
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | length: 12
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | DOI: ISAKMP_DOI_IPSEC
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | protocol ID: 1
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | SPI size: 0
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | Notify Message Type: NO_PROPOSAL_CHOSEN
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | info:
2017:10:06-08:15:32 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 1 seconds
2017:10:06-08:15:33 sanomed_bs-2 pluto[20894]: |
2017:10:06-08:15:33 sanomed_bs-2 pluto[20894]: | *time to handle event
2017:10:06-08:15:33 sanomed_bs-2 pluto[20894]: | event after this is EVENT_RETRANSMIT in 39 seconds
2017:10:06-08:15:33 sanomed_bs-2 pluto[20894]: | inserting event EVENT_SA_SYNC_UPDATE, timeout in 15 seconds
2017:10:06-08:15:33 sanomed_bs-2 pluto[20894]: | next event EVENT_SA_SYNC_UPDATE in 15 seconds
 
Thanks in advance.
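The debug log above is long, but only a few line types carry the diagnosis: the peer's NO_PROPOSAL_CHOSEN notifications (each with a fresh responder cookie and "state object not found"), the retransmits, and any ICMP error report. As an added example, not code from the original post, here is a small Python triage that reduces such pluto debug output to those facts; the sample lines are constructed in the same shape as the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the shape of the UTM's pluto debug lines quoted above
# (a handful of representative lines, not the whole log).
SAMPLE_LOG = """\
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | *received 40 bytes from x.x.x.x:500 on eth7.101
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | RCOOKIE: ff 9e 20 af b4 3e 2f fe
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: | state object not found
2017:10:06-08:14:12 sanomed_bs-2 pluto[20894]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | handling event EVENT_RETRANSMIT for x.x.x.x "xxxxx" #2
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: | RCOOKIE: d2 2c 0a 6f 55 31 9d c3
2017:10:06-08:14:52 sanomed_bs-2 pluto[20894]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2017:10:09-16:16:34 sanomed_bs-2 pluto[5734]: ERROR: asynchronous network error report on eth7.101 for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"packet from (?P<peer>[^:\s]+):\d+: ignoring informational payload, type (?P<ntype>\w+)")
RETRANS_RE = re.compile(r'handling event EVENT_RETRANSMIT for (?P<peer>\S+) "[^"]*" #(?P<sa>\d+)')
RCOOKIE_RE = re.compile(r"RCOOKIE: (?P<cookie>(?:[0-9a-f]{2} ?){8})")
NETERR_RE = re.compile(r"asynchronous network error report on (?P<iface>\S+) for message to "
                       r"(?P<peer>\S+) port (?P<port>\d+).*?ICMP type (?P<t>\d+) code (?P<c>\d+)")

def summarize(log_text):
    """Reduce a pluto debug log to the few facts that matter for tunnel triage."""
    notifies = Counter()     # (peer, notify type) -> count
    retransmits = Counter()  # ISAKMP SA number -> retransmit count
    rcookies = set()         # distinct responder cookies seen in rejections
    net_errors = []          # (iface, peer, port, icmp type, icmp code)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").lstrip("| ")  # drop the "| " debug-trace prefix
        if n := NOTIFY_RE.search(msg):
            notifies[(n.group("peer"), n.group("ntype"))] += 1
        elif r := RETRANS_RE.search(msg):
            retransmits[int(r.group("sa"))] += 1
        elif c := RCOOKIE_RE.search(msg):
            rcookies.add(c.group("cookie").strip())
        elif e := NETERR_RE.search(msg):
            net_errors.append((e.group("iface"), e.group("peer"), int(e.group("port")),
                               int(e.group("t")), int(e.group("c"))))
    return {"notifies": notifies, "retransmits": retransmits,
            "rcookies": rcookies, "net_errors": net_errors}

def diagnose(summary):
    """Turn the summary into the checks the thread ends up recommending."""
    findings = []
    npc = sum(n for (_, t), n in summary["notifies"].items() if t == "NO_PROPOSAL_CHOSEN")
    if npc:
        findings.append(f"{npc}x NO_PROPOSAL_CHOSEN from the peer: the phase 1 proposal was rejected; "
                        "compare encryption, key length, hash and DH group on both gateways")
    if npc and len(summary["rcookies"]) > 1:
        findings.append("a fresh responder cookie on every rejection: the peer answers each Main Mode "
                        "attempt, so reachability is fine and the mismatch is in the IKE policies")
    for iface, peer, port, t, c in summary["net_errors"]:
        if (t, c) == (3, 3):
            findings.append(f"ICMP port unreachable from {peer} for UDP/{port} on {iface}: the peer "
                            "was not accepting IKE on that port at that moment (VPN service or firewall)")
    return findings
```

Run `diagnose(summarize(open("ipsec.log").read()))` against a real UTM IPsec log with debug enabled to get the same three-line verdict instead of reading hundreds of trace lines.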


  • Hello Michael,

    First of all, a warm welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    I think Lukas gave you the answer to the issue, but there might be another problem.  If you still need help,

    1. Disable Debug.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply. I have gone through the guide several times.

    Here is an excerpt of the log file:

     
     
    2017:10:09-16:16:24 sanomed_bs-2 ipsec_starter[5721]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2017:10:09-16:16:24 sanomed_bs-2 ipsec_starter[5728]: pluto (5734) started after 20 ms
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: including NAT-Traversal patch (Version 0.6c)
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: Using Linux 2.6 IPsec interface code
    2017:10:09-16:16:24 sanomed_bs-1 ipsec_starter[24935]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: HA system enabled and listening on interface eth6
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: Initial HA switch to master mode
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: Changing to directory '/etc/ipsec.d/crls'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth7.101/eth7.101 192.168.201.176:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth7.101/eth7.101 192.168.201.176:4500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth6/eth6 198.19.250.2:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth6/eth6 198.19.250.2:4500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth3/eth3 192.168.254.25:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth3/eth3 192.168.254.25:4500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth0/eth0 192.168.0.1:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface eth0/eth0 192.168.0.1:4500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface lo/lo 127.0.0.1:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface lo/lo 127.0.0.1:4500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: adding interface lo/lo ::1:500
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loading secrets from "/etc/ipsec.secrets"
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: loaded PSK secret for 192.168.201.176 x.x.x.x
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: listening for IKE messages
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: added connection description "S_Neugasse"
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: "S_Neugasse" #1: initiating Main Mode
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: HA System: pluto already is in master mode
    2017:10:09-16:16:24 sanomed_bs-1 ipsec_starter[24941]: pluto (24948) started after 20 ms
    2017:10:09-16:16:24 sanomed_bs-2 pluto[5734]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: including NAT-Traversal patch (Version 0.6c)
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: Using Linux 2.6 IPsec interface code
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: HA system enabled and listening on interface eth6
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: Changing to directory '/etc/ipsec.d/crls'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth7/eth7 192.168.201.176:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth7/eth7 192.168.201.176:4500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth6/eth6 198.19.250.1:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth6/eth6 198.19.250.1:4500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth3/eth3 192.168.254.25:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth3/eth3 192.168.254.25:4500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth0/eth0 192.168.0.1:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface eth0/eth0 192.168.0.1:4500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface lo/lo 127.0.0.1:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface lo/lo 127.0.0.1:4500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: adding interface lo/lo ::1:500
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loading secrets from "/etc/ipsec.secrets"
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: loaded PSK secret for 192.168.201.176 x.x.x.x
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: HA System: not master, won't listen for IKE messages
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: added connection description "S_Neugasse"
    2017:10:09-16:16:24 sanomed_bs-1 pluto[24948]: Pluto is now in slave mode
    2017:10:09-16:16:34 sanomed_bs-2 pluto[5734]: ERROR: asynchronous network error report on eth7.101 for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
    2017:10:09-16:16:55 sanomed_bs-2 pluto[5734]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2017:10:09-16:17:34 sanomed_bs-2 pluto[5734]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
  • Hello,

    We have several connections between LANCOM and Sophos gateways... it actually works really well. ... What matters is only that the policies are correct, since Sophos and Lancom differ widely here.

    Can you please post screenshots of the config?

    Preferably the config script from the Lancom and, for Sophos, the images of Connections, Remote Gateways, Policies.

    Please pixelate or blur the images at the important places.

    But please make sure the basic information remains visible.

     

    Cheers,

     

    Chris

  • Hello,

    thanks for the replies.

    First the screenshots of the Lancom router:

    Sophos:

  • Michael, with Debug selected, the logs are too long to read.  Normally, debug only helps developers of IPsec software.  We may not need to look at them though as the following changes might fix you up. [:)]

    As Chris and Lukas suspected, these policies can't work together to negotiate IKE: AES 128-bit in the Lancom does not match AES-256 in the UTM.

    You should also select 'Dead Peer Detection' in the UTM - this setting must be the same on both sides.

    In the IPsec connection, I would not select 'Strict routing' unless not selecting it causes a problem - it shouldn't.

    Renegotiating IKE every 8 hours isn't much of an exposure, but having 'IPsec SA lifetime' greater than two hours seems unusual to me.  I normally select one hour (3600).

    Regards - Bob (Please continue in German.)

  • Hello,

    I have now set both sides to AES 128-bit, see images:

    Lancom:

    Sophos:

    Unfortunately it still does not work.

    The log shows the same text:

    asynchronous network error report on eth7.101 for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

    packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

     

    I have enabled 'Dead Peer Detection'.

  • What happens if instead of an "Initiate Connection" Remote Gateway for Neugasse, you use one in "Respond only" mode?

    Please show us log lines with Debug not selected.

    Regards - Bob (Please continue in German.)

  • Hi,

    in addition to what has already been said, I would also switch from MD5 to SHA.

    Also, the identifiers are wrong:

    I can try to get you a screenshot from a customer, but it will take a while...

    Cheers,
    Chris
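Bob's and Chris's points (AES-256 vs AES-128, MD5 vs SHA, the identifiers) all come down to the two gateways agreeing on one IKE phase 1 transform and on each other's IDs. The following is an added example, not code from the thread or from either vendor: a model of the responder's proposal selection run with the thread's values. DH group 2, the IKE lifetimes and the sample IP identities are assumptions, not read from the screenshots.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One IKEv1 phase 1 (ISAKMP SA) transform as a gateway offers or accepts it."""
    enc: str         # "aes" or "3des"
    key_bits: int    # 128 / 192 / 256 for AES
    hash_alg: str    # "md5" or "sha1"
    dh_group: int    # IKE group number, e.g. 2 (1024-bit MODP) or 14 (2048-bit MODP)
    lifetime_s: int  # IKE SA lifetime in seconds; 28800 = the 8 hours mentioned in the thread

    def transform(self):
        return (self.enc, self.key_bits, self.hash_alg, self.dh_group)


def select_proposal(offered, accepted):
    """Responder side of Main Mode message 2: take the first offered transform (initiator order)
    that the responder also accepts. Lifetime is not part of the match; the responder caps a
    longer peer lifetime to its own limit, which min() reproduces. None means NO_PROPOSAL_CHOSEN."""
    acceptable = {p.transform(): p for p in accepted}
    for p in offered:
        if p.transform() in acceptable:
            return Proposal(*p.transform(), min(p.lifetime_s, acceptable[p.transform()].lifetime_s))
    return None


def explain_mismatch(offered, accepted):
    """For the closest offered/accepted pair, name the attributes that differ."""
    labels = ("encryption", "key length", "hash", "DH group")
    best = None
    for o in offered:
        for a in accepted:
            diffs = [f"{lbl}: initiator {x} vs responder {y}"
                     for lbl, x, y in zip(labels, o.transform(), a.transform()) if x != y]
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or []


def identities_consistent(a_local, a_remote, b_local, b_remote):
    """Each side's local ID must be exactly what the other side expects as its remote ID;
    with a PSK in Main Mode that is normally each gateway's public IP address."""
    return a_local == b_remote and b_local == a_remote


# Values from the thread: the UTM offered AES-256, the Lancom accepted only AES-128, both used
# MD5. DH group 2 and the IKE lifetimes are assumptions for illustration, not from the screenshots.
UTM_ORIGINAL = [Proposal("aes", 256, "md5", 2, 28800)]
LANCOM_ORIGINAL = [Proposal("aes", 128, "md5", 2, 28800)]
# After the advice in the thread: AES-128 on both sides and SHA1 instead of MD5.
UTM_FIXED = [Proposal("aes", 128, "sha1", 2, 28800)]
LANCOM_FIXED = [Proposal("aes", 128, "sha1", 2, 14400)]

if __name__ == "__main__":
    print(select_proposal(UTM_ORIGINAL, LANCOM_ORIGINAL))   # None -> NO_PROPOSAL_CHOSEN
    print(explain_mismatch(UTM_ORIGINAL, LANCOM_ORIGINAL))  # key length 256 vs 128
    print(select_proposal(UTM_FIXED, LANCOM_FIXED))         # AES-128/SHA1/group 2, lifetime 14400
```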

  • Hi, first part: Sophos

     
