IPsec Site-to-Site Tunnel Broken with Advanced Outbound NAT



  • Hi,

    We have a site-to-site IPsec tunnel which has been running for the last 2 years without any issues; however, we now need to turn off Automatic NAT, and as a result the VPN tunnel is now extremely unstable (last night it ran for 7 hours, this morning it lasted about 5 mins).

    Jan 25 09:21:30 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jan 25 09:21:30 racoon: WARNING: port 500 expected, but 0
    Jan 25 09:21:30 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jan 25 09:21:30 racoon: INFO: received Vendor ID: DPD
    Jan 25 09:21:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 25 09:21:30 racoon: INFO: begin Aggressive mode.

    However, only the AON has been changed, and as soon as we switch back over to Automatic it is stable again. Anyone any ideas? At present we are running 1.2.2 due to driver issues on 1.2.3.

    J



  • Hi,

    This is becoming very frustrating. It works perfectly without Manual NAT, so I'm not sure why AON breaks this. I also have the following error (connection stayed up 10 mins):

    Jan 25 13:18:52 racoon: ERROR: not acceptable Identity Protection mode

    This points towards the security identifier; however, as this is now hardcoded as our external IP and only goes out through WAN1 (multi-WAN setup), I can't see why this would alter.

    J



  • Update: got this fixed. I had created a specific NONAT rule for one of the interfaces; I removed this and also cleaned up the VPN settings to match the remote system exactly (key lifetime), and all seems stable now. Not really sure which fixed it, but as this was stable beforehand I think it may just be a combination.

    J

