Network Guys

Share your knowledge!

IPsec VPN problems with Bintec and Sophos UTM

Some days ago I migrated a customer from two Bintec firewalls to a Sophos UTM HA cluster. The branch offices kept their Bintec routers, so I configured site-to-site VPN tunnels to the Sophos UTM. I had many problems with these VPN tunnels and always got log entries like these:

2015:11:04-20:01:42 utm-company-2 pluto[3488]: "S_REF_IpsSitHsBranchVpn_0"[22] #389: next payload type of ISAKMP Identification Payload has an unknown value: 182
2015:11:04-20:01:42 utm-company-2 pluto[3488]: "S_REF_IpsSitHsBranchVpn_0"[22] #389: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2015:11:04-20:01:42 utm-company-2 pluto[3488]: "S_REF_IpsSitHsBranchVpn_0"[22] #389: sending encrypted notification PAYLOAD_MALFORMED to

My colleague found a knowledgebase article at Sophos. NAT rules for UDP 500 and 4500 are needed to establish a correctly running IPsec VPN tunnel to firewalls other than Bintec devices.

Check the following settings on the Bintec device:

x4000:> ipnatouttable

inx IfIndex(*rw) Protocol(-rw) RemoteAddr(rw)
RemoteMask(rw) ExtAddr(*rw) RemotePort(rw)
RemotePortRange(rw) IntAddr(*rw) IntMask(rw)

ExtPort(rw) ExtMask(rw)
Timeout(rw)

0 0 udp -1
4500 4500

1 0 udp -1
500 500

2 0 esp -1
-1 -1

If the entries are missing, configure them with these commands:

x4000:ipNatOutTable> IfIndex=0 Protocol=udp ExtAddr= IntAddr= IntPort=500 ExtPort=500
x4000:ipNatOutTable> IfIndex=0 Protocol=udp ExtAddr= IntAddr= IntPort=4500 ExtPort=4500

Then enable “Sync SAs With Local Ifc” in the IPsec advanced settings. After these changes, we had no problems anymore.
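
A triage sketch for the log pattern quoted in this post, added here as an example and not part of the original post or of any Sophos tooling: it parses pluto lines and reports connections where a single IKE state logged both the unknown ID-payload value and the malformed-payload error. The `triage` helper, the placeholder peer address 192.0.2.10 and the healthy-tunnel line are constructed for illustration.

```python
import re
from collections import defaultdict

# Sophos UTM pluto line: <timestamp> <host> pluto[pid]: "<conn>"[n] #<state>: <message>
# Quotes may be straight or typographic (logs pasted through a web page).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: '
    r'["\u201c](?P<conn>[^"\u201d\u2033]+)["\u201d\u2033]\[\d+\] '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)

# Message fragments taken from the log entries quoted in this post.
SYMPTOMS = {
    "garbled_id": "ISAKMP Identification Payload has an unknown value",
    "malformed": "malformed payload in packet",
    "notify_sent": "PAYLOAD_MALFORMED",
}

def triage(lines):
    """Return {connection: [state numbers]} where one IKE state logged both
    a garbled ID payload and a malformed-payload error."""
    seen = defaultdict(set)  # (conn, state) -> symptom keys observed
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto connection line
        for key, fragment in SYMPTOMS.items():
            if fragment in m["msg"]:
                seen[(m["conn"], int(m["state"]))].add(key)
    flagged = defaultdict(list)
    for (conn, state), keys in sorted(seen.items()):
        if {"garbled_id", "malformed"} <= keys:
            flagged[conn].append(state)
    return dict(flagged)

# Constructed sample: the first three lines follow the entries in this post
# (192.0.2.10 is a placeholder peer); the last is a constructed healthy tunnel.
P = '2015:11:04-20:01:42 utm-company-2 pluto[3488]: "S_REF_IpsSitHsBranchVpn_0"[22] #389: '
SAMPLE = [
    P + "next payload type of ISAKMP Identification Payload has an unknown value: 182",
    P + "malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)",
    P + "sending encrypted notification PAYLOAD_MALFORMED to 192.0.2.10:500",
    '2015:11:04-20:02:10 utm-company-2 pluto[3488]: "S_REF_IpsSitOther_0"[3] #390: ISAKMP SA established',
]

if __name__ == "__main__":
    for conn, states in triage(SAMPLE).items():
        print(f"{conn}: states {states} -> check PSK, then NAT rules for UDP 500/4500 on the peer")
```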
