This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site IPsec connection claims to work but doesn't

I've had a working site-to-site IPsec VPN working for years but a few days ago a blackout took out one of the Sophos UTMs and so I find myself configuring it from scratch and I have been at it for a day with no progress.

Two Sophos UTMs -- connecting a 192.168.2.0 network with a 10.1.1.0 network

The connection has a green dot and when I look at the details it has 

192.168.2.0/24=the ip addess for the internet connection at the location of the 192.168.2.0 network <an icon> ip for the 10.1.1.0 network = 10.1.1.0/24

I have disabled everything else in an effort to debug and the only rule in the firewall is local network -- any - any on both machines.

The machine that did not need recreating had a masquerading rule of the remote network to the local network I've tried adding the opposite to the reconstructed UTM and I have tried without any masquerading rules since none of the online guides mention a need and the same results for both ways.

The connection seems to be good but I can't access shares or sites on the other network.

Any suggestions?



This thread was automatically locked due to age.
Parents
  • Hi Carlos,

    Try the following:

         1. Confirm that Debug is not enabled.
         2. Disable the IPsec Connection.
         3. Start the IPsec Live Log and wait for it to begin to populate.
         4. Enable the IPsec Connection.
         5. Copy here about 60+ lines from enabling through the establishment of the SA.

    Also, please insert a picture of the tunnel status with the details shown, but your public IPs obscured.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  •  Thank you for the assistance

    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface eth0/eth0 192.168.2.100
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface eth0/eth0 192.168.2.100
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface eth2/eth2 192.168.1.100
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface eth2/eth2 192.168.1.100
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface tun0/tun0 10.242.2.1
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface tun0/tun0 10.242.2.1
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface ppp0/ppp0 xxx.xxx.xxx.xxx
    2022:08:16-13:10:47 tabit pluto[31017]: shutting down interface ppp0/ppp0 xxx.xxx.xxx.xxx
    2022:08:16-13:10:47 tabit ipsec_starter[31010]: pluto stopped after 120 ms
    2022:08:16-13:10:47 tabit ipsec_starter[31010]: ipsec starter stopped
    2022:08:16-13:11:00 tabit ipsec_starter[11546]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2022:08:16-13:11:00 tabit pluto[11558]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2022:08:16-13:11:00 tabit ipsec_starter[11552]: pluto (11558) started after 20 ms
    2022:08:16-13:11:00 tabit pluto[11558]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2022:08:16-13:11:00 tabit pluto[11558]: including NAT-Traversal patch (Version 0.6c)
    2022:08:16-13:11:00 tabit pluto[11558]: Using Linux 2.6 IPsec interface code
    2022:08:16-13:11:01 tabit pluto[11558]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2022:08:16-13:11:01 tabit pluto[11558]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2022:08:16-13:11:01 tabit pluto[11558]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2022:08:16-13:11:01 tabit pluto[11558]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2022:08:16-13:11:01 tabit pluto[11558]: Changing to directory '/etc/ipsec.d/crls'
    2022:08:16-13:11:01 tabit pluto[11558]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface ppp0/ppp0 xxx.xxx.xxx.xxx:500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface ppp0/ppp0 xxx.xxx.xxx.xxx:4500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface tun0/tun0 10.242.2.1:500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface tun0/tun0 10.242.2.1:4500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface eth2/eth2 192.168.1.100:500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface eth2/eth2 192.168.1.100:4500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface eth0/eth0 192.168.2.100:500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface eth0/eth0 192.168.2.100:4500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface lo/lo 127.0.0.1:500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface lo/lo 127.0.0.1:4500
    2022:08:16-13:11:01 tabit pluto[11558]: adding interface lo/lo ::1:500
    2022:08:16-13:11:01 tabit pluto[11558]: loading secrets from "/etc/ipsec.secrets"
    2022:08:16-13:11:01 tabit pluto[11558]: loaded PSK secret for xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    2022:08:16-13:11:01 tabit pluto[11558]: listening for IKE messages
    2022:08:16-13:11:01 tabit pluto[11558]: added connection description "S_Home Connection"
    2022:08:16-13:11:01 tabit pluto[11558]: "S_Home Connection" #1: initiating Main Mode
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: received Vendor ID payload [strongSwan]
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: ignoring Vendor ID payload [Cisco-Unity]
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: received Vendor ID payload [XAUTH]
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: received Vendor ID payload [Dead Peer Detection]
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: received Vendor ID payload [RFC 3947]
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: enabling possible NAT-traversal with method 3
    2022:08:16-13:11:11 tabit pluto[11558]: packet from 69.165.169.134:500: Main Mode message is part of an unknown exchange
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: Dead Peer Detection (RFC 3706) enabled
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #1: ISAKMP SA established
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
    2022:08:16-13:11:11 tabit pluto[11558]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Home Connection" address="xxx.xxx.xxx.xxx" local_net="192.168.2.0/24" remote_net="10.1.1.0/24"
    2022:08:16-13:11:11 tabit pluto[11558]: "S_Home Connection" #2: sent QI2, IPsec SA established {ESP=>0x4d10ebe7 <0x769b5217 DPD}
    2022:08:16-13:11:21 tabit pluto[11558]: packet from xxx.xxx.xxx.xxx:500: Main Mode message is part of an unknown exchange
    2022:08:16-13:11:41 tabit pluto[11558]: packet from xxx.xxx.xxx.xxx:500: Main Mode message is part of an unknown exchange

  • Do you have 'NAT Traversal (NAT-T)' enabled on both sides?  Likewise, 'Dead Peer Detection (DPD)' should be enabled on both sides.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Both of those are checked under the advanced tab

  • What happens if you reboot the side that didn't get zapped by the blackout, Carlos?  If that doesn't do it, try #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • What happens if you reboot the side that didn't get zapped by the blackout, Carlos?  If that doesn't do it, try #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data