
S2S IPSec VPN between 9.402-7 (after update from 9.355) UTM and second 9.355 broken ipsec_starter no default route - cannot cope with %defaultroute!!!

Hi,


Yesterday we updated our Office UTM from 9.355 to 9.402-7 using the Up2Date GA Update. At first the UTM shut down instead of restarting. After a reboot the UTM worked again, but the IPSec S2S VPN was broken and I cannot get it back to work. I see this one issue:

ipsec_starter[6789]: no default route - cannot cope with %defaultroute!!!


Afterwards it says "initiating main mode" and I can see the main mode on the 9.355 UTM:

Office VPN"[1] 91.64.xxx.xxx #35196524: responding to Main Mode from unknown peer 91.64.xx.xx

After some seconds the following message appears on the 9.355 master:

Office VPN"[1] 91.64.xxx.xxx #35272427: max number of retransmissions (2) reached STATE_MAIN_R1


But nothing happens then. The VPN does not come up. What can I do?



  • I've managed to fix this by myself. I had to rekey both sides with their respective local RSA keys and check for the correct VPNID (hostname and IP Addr). Then the tunnel is back at work.


    Btw, I only have a single S2S IPSec tunnel on the 9.402 machine.

  • Same problem after the update. It did not work for me, or I'm doing something wrong: I changed the keys to 2048 and did a rekey on both UTMs, same problem.

  • I think it's a problem with UTMs with multiple uplinks, so a multipathing problem. I found a German site which sheds some light.

    Basically it says that the IPsec service is not able to detect the default route from the multipathing service.

    http://wiki.securepoint.de/index.php/KB_log_ipsec

    Message:

    no default route - cannot cope with %defaultroute!!!

    Cause:

    The default route cannot be determined by the IPsec service.
    Note: determining the default route is not possible in multipath operation.

    Solution:

    In Phase 1, for all IPsec connections, set
    Local Gateway - to the external interface/external IP
    Route over - enter the IP of your router/select the pppx interface
    Local Gateway ID - set to the external interface/external IP
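    To show what the KB's cause and fix mean at the IPsec daemon level, here is the same situation written in plain strongSwan ipsec.conf syntax. This is an added illustration, not the UTM's generated configuration (which is managed from WebAdmin) and not code posted in this thread; the connection name, hostnames, addresses and subnets are placeholders, and the RSA public keys (leftrsasigkey/rightrsasigkey) are omitted. The weak form relies on %defaultroute, which the starter cannot resolve when two active uplinks share the default route; the corrected form pins the local gateway and its ID to the external address, as the KB advises.

```ini
# Weak: "left=%defaultroute" asks ipsec_starter to derive the local address
# from the kernel's default route at start time. With two active uplinks
# (multipath) there is no single default route, so the starter logs
#   no default route - cannot cope with %defaultroute!!!
# and the connection has no usable local endpoint.
conn office-to-dc-weak
    keyexchange=ikev1
    authby=rsasig
    left=%defaultroute            # local gateway resolved from the routing table
    leftid=@office.example.net    # placeholder hostname used as the local ID
    leftsubnet=192.168.10.0/24    # placeholder office LAN
    right=198.51.100.20           # placeholder datacenter external IP
    rightid=@gw.dc.example.net    # placeholder hostname used as the remote ID
    rightsubnet=10.50.0.0/16      # placeholder datacenter LAN
    auto=start

# Corrected (the KB's "Local Gateway" / "Local Gateway ID" advice): pin the
# local endpoint and its ID to the external IP of the preferred uplink, so no
# default-route lookup is needed to choose the source address.
conn office-to-dc
    keyexchange=ikev1
    authby=rsasig
    left=203.0.113.10             # placeholder: the UTM's external IP on the cable uplink
    leftid=@office.example.net    # must match the VPNID the peer expects
    leftsubnet=192.168.10.0/24
    right=198.51.100.20
    rightid=@gw.dc.example.net    # must match the VPNID configured for the peer
    rightsubnet=10.50.0.0/16
    auto=start
```

    The KB's "Route over" setting has no ipsec.conf equivalent; on a plain strongSwan host it corresponds to making sure the kernel has a route to the peer via the intended uplink, which is an assumption about how the UTM implements that field. Whatever is chosen as the ID (hostname or IP, as the other replies describe) has to be identical on both sides, otherwise RSA authentication in Main Mode fails even though the tunnel initiates.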
  • Sounds plausible, but what should I say. It worked for me, also after the 9.403 update I did yesterday.


    Maybe for some clarification. We have 2 uplinks in the office: KabelDeutschland (coax cable) with DHCP set up (only a normal modem in front of the UTM) and "Default IPv4 Gateway" set. The second is a Vodafone DSL link, so normal PPPoE there. We then use both as active uplinks (both with a default IPv4 route), but the cable line is preferred. We also use multipath rules for VoIP over DSL and everything else over cable. The VPN is established via cable every time until cable is down.


    On the other side we have a 2Gbit/s Internet Static Link from the Datacenter with Static IPs.


    On the office side, for the remote gateway we've set the hostname of the RZ GW as the VPNID, and on the DC side, for the office GW, we also use the hostname. The hostname is always set in Management -> Hostname. Try that together with RSA keys. This worked fine for me. If you need other IPSec details we use, just reply!
