
Dropped outbound IPSec packets; :500 failed in main_outI1. Errno 1 Operation not permitted

Hello,


I'm having a hard time trying to establish a new VPN tunnel from my UTM 220 (Firmware version: 9.508-10) to an ASA 5525.

We have many IPSec tunnels, which are working on this device... but not the latter.

I get the following ERROR: "S_UT**" #41: sendto on eth2 to 196.****:500 failed in main_outI1. Errno 1: Operation not permitted

I triple-checked all IKE parameters, PSK, etc., and they're OK.

All the interfaces in question (remote network, remote gateway) are not bound to a specific interface (left with "any").

On the UTM side we NAT to a public IP.

The thing is that we receive the remote peer's packets (as seen on debugging_log), but the outbound packets get dropped by the firewall.

ulogd[5464]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a::):f0:f3:41" srcip="9.XXXXX" dstip="196.XXXXXX" proto="17" length="288" tos="0x00" prec="0x00" ttl="64" srcport="500" dstport="500"

I attached firewall and IPsec logs.

I don't understand where the problem is... what is blocking the packets.


Thank you!
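As an added example (not from the post, and not Sophos code): a small parser for the ulogd packetfilter line quoted above, flagging dropped IKE (UDP/500) and NAT-T (UDP/4500) traffic so the blocking rule, interface and peer can be pulled out of a log dump. The sample lines and IP addresses below are constructed.

```python
import re

# Constructed sample lines modelled on the UTM packetfilter log in the post
# (addresses are documentation placeholders, not real hosts).
SAMPLE_LOG = """\
ulogd[5464]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcip="192.0.2.10" dstip="198.51.100.35" proto="17" length="288" tos="0x00" prec="0x00" ttl="64" srcport="500" dstport="500"
ulogd[5464]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth2" srcip="192.0.2.20" dstip="198.51.100.35" proto="6" length="60" srcport="51000" dstport="443"
ulogd[5464]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcip="192.0.2.10" dstip="198.51.100.35" proto="17" length="200" srcport="4500" dstport="4500"
"""

# Every field in a ulogd line has the form key="value".
KV_RE = re.compile(r'(\w+)="([^"]*)"')
IKE_PORTS = {"500", "4500"}  # IKE, and NAT-T (UDP-encapsulated ESP)


def parse_ulogd(line):
    """Return the key="value" fields of one ulogd packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def is_ike_drop(fields):
    """True when a UDP packet on an IKE/NAT-T port was dropped by the packetfilter."""
    return (fields.get("action") == "drop"
            and fields.get("proto") == "17"
            and (fields.get("srcport") in IKE_PORTS or fields.get("dstport") in IKE_PORTS))


def find_ike_drops(log_text):
    """Scan log text and list dropped IKE traffic with the rule, interface and peer."""
    hits = []
    for line in log_text.splitlines():
        f = parse_ulogd(line)
        if f and is_ike_drop(f):
            outbound = "outitf" in f  # outbound drops carry outitf, inbound ones initf
            hits.append({
                "fwrule": f.get("fwrule"),
                "itf": f.get("outitf") if outbound else f.get("initf"),
                "peer": f["dstip"] if outbound else f["srcip"],
                "port": f.get("dstport"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ike_drops(SAMPLE_LOG):
        print(hit)
```

Running it over the constructed sample lists both UDP/500 and UDP/4500 drops on eth1 under rule 60003, which is exactly the triple (rule, interface, peer) to check against the UTM's automatic IPsec firewall rules.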



  • Is your NAT rule 'SNAT : {our site's LAN} -> Any -> {other site's LAN} : from IP PUB'?

    Yes, it's correct.

    You aren't changing the IP that the IPsec messages leave your UTM with are you?

    I don't quite understand the question.


    The thing is I managed to bring this tunnel UP two weeks ago... but now it won't work whatever I try (same settings).

    This is from the log when it worked:

    193.x.y.3/32===91.x.y.13[91.x.y.13]:6/445...196.x.y.35[196.x.y.35]:6/0===10.x.Y.0/2x

    In the logs I don't see enough clues... that would point to the problem being on the UTM side or on the ASA side.


    Thanks.

    Gery

  • "You aren't changing the IP that the IPsec messages leave your UTM with are you?"

    "I don't quite understand the question"

    One of the reasons an IPsec conversation dies where this one does is a NAT between the two endpoints. IPsec "signs" that first Main Mode message with the IP of the primary address of the interface. If the other end sees that the packet arrives from an IP other than the one it was "signed" by, it assumes that the security was broken. The NAT could be on your end or the other.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA