
L2TP over IPSec VPN Fails to Connect

Running latest version of UTM and iOS.

2022:07:11-19:18:22 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #4: responding to Quick Mode
2022:07:11-19:18:22 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #4: IPsec SA established {ESP=>0x089d6f95 <0xc4961b9f DPD}
2022:07:11-19:18:42 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #3: received Delete SA(0x089d6f95) payload: deleting IPSEC State #4
2022:07:11-19:18:42 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #3: deleting connection "L_for scott"[2] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:18:42 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2022:07:11-19:18:42 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #3: received Delete SA payload: deleting ISAKMP State #3
2022:07:11-19:18:42 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122: deleting connection "L_for scott"[2] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:18:42 Hillary-2 pluto[58934]: "L_for scott"[2] 192.168.0.122: deleting connection "L_for scott"[2] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:18:42 Hillary-2 pluto[58934]: "L_for scott"[2] 192.168.0.122: deleting connection "L_for scott"[2] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:18:42 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: received Vendor ID payload [RFC 3947]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: packet from 192.168.0.122:500: received Vendor ID payload [Dead Peer Detection]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: responding to Main Mode from unknown peer 192.168.0.122
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: NAT-Traversal: Result using RFC 3947: no NAT detected
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: Peer ID is ID_IPV4_ADDR: '192.168.0.122'
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: Dead Peer Detection (RFC 3706) enabled
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: sent MR3, ISAKMP SA established
2022:07:11-19:18:55 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #6: responding to Quick Mode
2022:07:11-19:18:55 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #6: IPsec SA established {ESP=>0x0b3d3d7c <0xefbbc301 DPD}
2022:07:11-19:19:15 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: received Delete SA(0x0b3d3d7c) payload: deleting IPSEC State #6
2022:07:11-19:19:15 Hillary-2 pluto[58934]: "L_for scott"[3] 192.168.0.122: deleting connection "L_for scott"[3] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:19:15 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: deleting connection "L_for scott"[3] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:19:15 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2022:07:11-19:19:15 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: received Delete SA payload: deleting ISAKMP State #5
2022:07:11-19:19:15 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122: deleting connection "L_for scott"[3] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:19:15 Hillary-2 pluto[58934]: "L_for scott"[3] 192.168.0.122: deleting connection "L_for scott"[3] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}
2022:07:11-19:19:15 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)] 

  • Hello,

    Thank you for reaching out to the community. Is your External (Cable Internet) interface configured with a private IP, and do you have an upstream router on that interface?
    Because it looks like it is not able to establish a connection because of the private IP. Hence there can be no IKE negotiation to establish IPsec.

    Based on the logs: "Connection refused [**errno 111, origin ICMP type 3 code 3 (not authenticated)]"
    You received an ICMP message: "ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122"

    **This error occurs when there is an intermediate ADSL router between the UTM and the client and IPsec Passthrough is not configured on the router. To ensure an error-free IPsec connection, make sure that IPsec Passthrough is enabled on the intermediate ADSL router and that port forwarding rules for UDP ports 500 and 4500 are configured.

    Since it is not encrypted/authenticated, libreswan has no choice but to ignore it and keep trying.
    "received Delete SA(0x0b3d3d7c) payload: deleting IPSEC State #6"
    "deleting connection "L_for scott"[3] instance with peer 192.168.0.122 {isakmp=#0/ipsec=#0}"

    Please refer to the L2TP over IPsec guide here: https://docs.sophos.com/nsg/sophos-utm/remote-access-guides/Remote_Access_Via_L2TP.pdf

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
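The pattern the reply above points at (an IPsec SA that comes up, a Delete SA from the peer, then an ICMP type 3 code 3 that pluto logs as "not authenticated") can be picked out of a pluto log mechanically. The script below is an added example, not code from this thread or from Sophos. It parses a constructed excerpt in the shape of the log posted above (timestamps and SPIs copied from that log, not a live capture), measures how long each IPsec SA lived before the peer deleted it, and decodes the ICMP errors, distinguishing an error sent by the peer itself (the `complainant` address equals the destination) from one sent by an intermediate hop, which is the case the reply describes. The function names, the 60-second "short-lived" threshold and the wording of the findings are my own choices.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the pluto log posted above (timestamps
# and SPIs taken from that log; not a live capture).
SAMPLE_LOG = """\
2022:07:11-19:18:22 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #4: IPsec SA established {ESP=>0x089d6f95 <0xc4961b9f DPD}
2022:07:11-19:18:42 Hillary-1 pluto[38611]: "L_for scott"[2] 192.168.0.122 #3: received Delete SA(0x089d6f95) payload: deleting IPSEC State #4
2022:07:11-19:18:42 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2022:07:11-19:18:54 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: responding to Main Mode from unknown peer 192.168.0.122
2022:07:11-19:18:55 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #6: IPsec SA established {ESP=>0x0b3d3d7c <0xefbbc301 DPD}
2022:07:11-19:19:15 Hillary-1 pluto[38611]: "L_for scott"[3] 192.168.0.122 #5: received Delete SA(0x0b3d3d7c) payload: deleting IPSEC State #6
2022:07:11-19:19:15 Hillary-1 pluto[38611]: ERROR: asynchronous network error report on eth3 for message to 192.168.0.122 port 500, complainant 192.168.0.122: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# One regex per line shape we care about; everything else is skipped.
LINE_RE = re.compile(r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$")
ESTAB_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): IPsec SA established \{ESP=>(?P<spi_out>0x[0-9a-f]+)')
DELETE_RE = re.compile(r"received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<state>\d+)")
ICMP_RE = re.compile(r"asynchronous network error report on (?P<iface>\S+) for message to (?P<dst>\S+) port (?P<port>\d+), "
                     r"complainant (?P<src>\S+): (?P<err>[^\[]+) \[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)")

# ICMP type 3 (destination unreachable) codes that show up in VPN path problems.
ICMP_UNREACHABLE = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                    3: "port unreachable", 13: "administratively prohibited"}


def parse_pluto_log(text):
    """Return (sa_events, icmp_errors).

    sa_events: one record per IPsec SA that was established and later deleted,
    keyed off the outbound ESP SPI so the Delete is matched to the right SA.
    icmp_errors: one record per ICMP error pluto reported on its IKE socket.
    """
    pending = {}            # outbound SPI -> (established_at, peer, state number)
    sa_events, icmp_errors = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
        msg = m["msg"]
        if (e := ESTAB_RE.search(msg)):
            pending[e["spi_out"]] = (ts, e["peer"], int(e["state"]))
        elif (d := DELETE_RE.search(msg)) and d["spi"] in pending:
            t0, peer, state = pending.pop(d["spi"])
            sa_events.append({"peer": peer, "state": state, "spi": d["spi"],
                              "established_at": t0, "lifetime_s": (ts - t0).total_seconds()})
        elif (i := ICMP_RE.search(msg)):
            icmp_errors.append({"at": ts, "iface": i["iface"], "dst": i["dst"], "port": int(i["port"]),
                                "src": i["src"], "type": int(i["type"]), "code": int(i["code"])})
    return sa_events, icmp_errors


def diagnose(sa_events, icmp_errors, short_lived_s=60):
    """Classify the parsed events into the two things worth checking first.

    short_lived_s is an assumed threshold: an SA torn down by the peer within
    a minute of coming up is treated as a failure above the IPsec layer.
    """
    short_lived = [e for e in sa_events if e["lifetime_s"] <= short_lived_s]
    unreachable = [i for i in icmp_errors if i["type"] == 3]
    findings = []
    for e in short_lived:
        findings.append(f"IPsec SA (state #{e['state']}, SPI {e['spi']}) with {e['peer']} was established and "
                        f"deleted by the peer {e['lifetime_s']:.0f}s later: IKE phase 1 and 2 completed, "
                        f"so check what runs inside the tunnel and the UDP 500/4500 path, not the proposals")
    for i in unreachable:
        what = ICMP_UNREACHABLE.get(i["code"], f"code {i['code']}")
        # 'complainant' is the address that originated the ICMP error; if it is
        # the peer itself, no intermediate router generated this message.
        who = "the peer itself" if i["src"] == i["dst"] else f"intermediate hop {i['src']}"
        findings.append(f"ICMP {what} for UDP/{i['port']} to {i['dst']} on {i['iface']}, sent by {who}; "
                        f"pluto discards it because ICMP errors are unauthenticated")
    return {"short_lived_sa": short_lived, "icmp_unreachable": unreachable, "findings": findings}


if __name__ == "__main__":
    events, errors = parse_pluto_log(SAMPLE_LOG)
    for finding in diagnose(events, errors)["findings"]:
        print("-", finding)
```

ICMP type 3 code 3 is destination port unreachable: the complainant is saying nothing was listening on UDP/500 when pluto's message arrived. Because an ICMP error carries no authentication, pluto logs it and carries on rather than letting an unauthenticated packet tear down IKE state, which is why the log shows it after the Delete rather than as the cause of it. When running this against a real UTM IPsec live log, feed it the whole log rather than a filtered excerpt, since the "IPsec SA established" line and its matching Delete can be minutes apart and the script matches them by SPI.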

