Junior Member
Join Date: Jul 2009
Posts: 10
#1
11-09-2010, 01:14 PM
Site2Site IPSec VPN ASG110 - MS TMG 2010

Hi All,

We have upgraded our Microsoft ISA 2004 to TMG 2010 (on a new machine). The Astaro FW is 7.507.

Now our Site2Site IPsec VPN (ASG110 <--> TMG) has trouble in IPsec Phase 2. We played around with the settings, but with no success. Does anybody have an idea or the same problem?

Here is the log:

############################################################
:
: | NAT-T: new mapping 172.172.172.172:4500/500)
: "S_Unknown Object" #6027: pfkey_msg_build of Add SA esp.8eb8e95@172.20.109.20 failed, code -22
: "S_Unknown Object" #6026: pfkey_msg_build of Add SA esp.8eb8e94@172.20.109.20 failed, code -22
: "S_Unknown Object" #6030: NAT-Traversal: Result using RFC 3947: i am NATed
: "S_Unknown Object" #6030: Peer ID is ID_IPV4_ADDR: '172.172.172.172'
: | NAT-T: new mapping 172.172.172.172:500/4500)
: "S_Unknown Object" #6027: pfkey_msg_build of Add SA esp.8eb8e95@172.20.109.20 failed, code -22
: "S_Unknown Object" #6030: sent MR3, ISAKMP SA established
: "S_Unknown Object" #6030: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
: "S_Unknown Object" #6030: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
: "S_Unknown Object" #6031: responding to Quick Mode
: "S_Unknown Object" #6031: IPsec SA established {ESP=>0x162cef84 <0x08eb8e98 NATOA=0.0.0.0}
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6032: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6026 {using isakmp#6030}
: "S_Unknown Object" #6033: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6027 {using isakmp#6030}
: "S_Unknown Object" #6032: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6032: sent QI2, IPsec SA established {ESP=>0x14176a70 <0x08eb8e99 NATOA=0.0.0.0}
: "S_Unknown Object" #6033: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6033: sent QI2, IPsec SA established {ESP=>0xdeb7f205 <0x08eb8e9a NATOA=0.0.0.0}
: "S_Unknown Object" #6032: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6032: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
: "S_Unknown Object" #6032: sending encrypted notification INVALID_PAYLOAD_TYPE to 172.172.172.172:4500
: "S_Unknown Object" #6033: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6033: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
: "S_Unknown Object" #6033: sending encrypted notification INVALID_PAYLOAD_TYPE to 172.172.172.172:4500
: "S_Unknown Object" #6034: responding to Quick Mode
: "S_Unknown Object" #6034: IPsec SA established {ESP=>0x404a9d59 <0x08eb8e9b NATOA=0.0.0.0}
: "S_Unknown Object" #6030: received Delete SA(0x162cef84) payload: deleting IPSEC State #6031
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6034 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6033 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: replace IPSEC State #6032 in 10 seconds
: "S_Unknown Object" #6030: received Delete SA payload: deleting ISAKMP State #6030
: packet from 172.172.172.172:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
: packet from 172.172.172.172:500: received Vendor ID payload [RFC 3947]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [FRAGMENTATION]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [Vid-Initial-Contact]
: packet from 172.172.172.172:500: ignoring Vendor ID payload [IKE CGA version 1]
: "S_Unknown Object" #6035: responding to Main Mode
: | NAT-T: new mapping 172.172.172.172:4500/500)
: "S_Unknown Object" #6032: pfkey_msg_build of Add SA esp.8eb8e99@172.20.109.20 failed, code -22
: "S_Unknown Object" #6035: NAT-Traversal: Result using RFC 3947: i am NATed
: "S_Unknown Object" #6035: Peer ID is ID_IPV4_ADDR: '172.172.172.172'
: | NAT-T: new mapping 172.172.172.172:500/4500)
: "S_Unknown Object" #6035: sent MR3, ISAKMP SA established
: "S_Unknown Object" #6035: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
: "S_Unknown Object" #6035: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6035: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
: "S_Unknown Object" #6035: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
: "S_Unknown Object" #6036: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6032 {using isakmp#6035}
: "S_Unknown Object" #6037: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6033 {using isakmp#6035}
: "S_Unknown Object" #6038: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #6034 {using isakmp#6035}
: "S_Unknown Object" #6036: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6036: sent QI2, IPsec SA established {ESP=>0xc7387f9a <0x08eb8e9c NATOA=0.0.0.0}
: "S_Unknown Object" #6037: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6037: sent QI2, IPsec SA established {ESP=>0x8a60ad5b <0x08eb8e9d NATOA=0.0.0.0}
: "S_Unknown Object" #6038: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
: "S_Unknown Object" #6038: sent QI2, IPsec SA established {ESP=>0x1d2e88eb <0x08eb8e9e NATOA=0.0.0.0}
############################################################

Any tip is welcome.

Frank
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,116
#2
11-09-2010, 02:12 PM

Hi, Frank, and welcome to the User BB!

Please show pics of the 'IPsec Connection' and the 'Remote Gateway' for this VPN. It looks like the problem occurs before the lines above. Can you show the log (no debugging selected yet) from the time you enable the IPsec connection? Also, be sure to change each IP consistently so that it's easy to tell one from another.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
Junior Member
Join Date: Jul 2009
Posts: 10
#3
11-10-2010, 07:33 AM
ISA is still in place

Hi Bob,

The ISA server is still in place, only for this VPN. We did not change anything on the ASG. The ASG shows all green under Site-to-Site, and further down under IPsec it is also all green when the TMG is connected.

Right now I cannot deliver any log with the TMG; the TMG is not connected.

We have a case open with Microsoft and they agreed that there is a problem. So....
Is there anyone out there who has brought these two up and working together?

Frank
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,116
#4
11-10-2010, 12:29 PM

If this is currently working with ISA, then the issue likely is in the TMG, as it seems you suspect. However, I wasn't looking for the log from the TMG, rather from the Astaro. Also the pictures from the Astaro.

Cheers - Bob
Junior Member
Join Date: Jan 2011
Posts: 9
#5
01-04-2011, 03:09 PM
Problem with ASG110/120 IKE Phase 2

I am trying to establish an IPsec tunnel between two Astaro 110/120s.
I've defined the two remote gateways with their protected LANs.
The two policies are identical. There is no NAT, no route.

No packet filter is even defined yet.

Main Mode runs but Quick Mode does not.
The logs are the same as in the previous post:
INVALID Message_ID
INVALID_ID_INFORMATION
cannot respond to IPSEC SA request because no connection is known for @ASG_WAN1... @ASG_WAN2 === @LAN1

Any idea?
BAlfson
Grandis Professorem Astaro
Join Date: Mar 2007
Location: Oklahoma City
Posts: 21,116
#6
01-04-2011, 09:26 PM

Hi, and welcome to the User BB!

Please show pics from both devices of the 'IPsec Connection' and the 'Remote Gateway' for this VPN.

Cheers - Bob
Junior Member
Join Date: Jan 2011
Posts: 9
#7
01-05-2011, 08:07 AM

I found my mistake.

In the ipsec connection of one of my devices, the local network was the remote network...

ESP runs now.

Sorry for these posts.
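An added triage helper (example code, not Astaro's or Sophos's) for the two symptoms this thread turns on: the pluto "no connection is known for" rejections quoted in post #1, and the local/remote networks entered the wrong way round that post #7 found. It parses the selectors pluto reports, compares them with the networks configured on the 'IPsec Connection', and flags the swapped case; the log lines are constructed from the excerpt above, and the configured networks passed to diagnose() are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the pluto excerpt in post #1 (not the real log).
SAMPLE_LOG = """\
"S_Unknown Object" #6030: sent MR3, ISAKMP SA established
"S_Unknown Object" #6030: cannot respond to IPsec SA request because no connection is known for 192.168.2.0/24===172.20.109.20:4500...172.172.172.172:4500
"S_Unknown Object" #6030: sending encrypted notification INVALID_ID_INFORMATION to 172.172.172.172:4500
"S_Unknown Object" #6030: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
"S_Unknown Object" #6030: sending encrypted notification INVALID_MESSAGE_ID to 172.172.172.172:4500
"S_Unknown Object" #6040: cannot respond to IPsec SA request because no connection is known for 10.1.0.0/16===172.20.109.20:4500...172.172.172.172:4500===192.168.50.0/24
"""
# pluto prints the selectors the peer proposed as
#   <our_net>===<our_host>:<port>...<peer_host>:<port>[===<peer_net>]
# and omits <peer_net> when the peer proposed only its own host address.
NO_CONN_RE = re.compile(
    r"no connection is known for (?P<our_net>[\d./]+)===(?P<our_host>[\d.]+):\d+"
    r"\.\.\.(?P<peer_host>[\d.]+):\d+(?:===(?P<peer_net>[\d./]+))?"
)
# Substrings that mark the Phase 2 failure pattern seen in this thread.
SYMPTOMS = {
    "no connection is known for": "proposed selectors match no configured IPsec connection",
    "INVALID_ID_INFORMATION": "rejection notification sent to the peer",
    "INVALID_MESSAGE_ID": "peer retried Quick Mode with an already used Message ID",
}

def parse_requested_selectors(log_lines):
    """Return the (our_net, peer_net) pairs pluto rejected, as ip_network objects."""
    found = []
    for line in log_lines:
        m = NO_CONN_RE.search(line)
        if m:
            peer_net = m.group("peer_net") or m.group("peer_host") + "/32"
            found.append((ip_network(m.group("our_net"), strict=False),
                          ip_network(peer_net, strict=False)))
    return found

def diagnose(requested, configured_local, configured_remote):
    """Compare one rejected pair with the 'IPsec Connection' networks; 'swapped' is the
    post #7 mistake of entering the local and remote networks the wrong way round."""
    local = ip_network(configured_local, strict=False)
    remote = ip_network(configured_remote, strict=False)
    if requested == (local, remote):
        return "match"
    if requested == (remote, local):
        return "swapped"
    return "mismatch"

def summarize(log_lines):
    """Count each known symptom so a long log can be triaged at a glance."""
    return {key: sum(key in line for line in log_lines) for key in SYMPTOMS}
```

Run summarize() over the whole IPsec log first; if "no connection is known for" is non-zero, feed each pair from parse_requested_selectors() to diagnose() with the networks from the 'IPsec Connection' screen.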
Junior Member
Join Date: Aug 2009
Posts: 6
#8
01-25-2011, 02:21 PM

Hi Frank,
did you get a solution to this problem from Microsoft?
We are having the same problem here in Munich... TMG2010 <-> ASG => I opened a thread in the German forum: http://www.astaro.org/local-language...rreichbar.html

Christian

Last edited by cptkirc; 01-25-2011 at 02:25 PM.