
Issues with UTM 9 to cisco 887 VPN

Hi All,

 

I am setting up a VPN to a new site with a Cisco 887 and UTM 9.

I don't have full control over the other end but can get things changed if needed.

UTM SETUP IS

Cisco Setup

Encryption: aes 256
Hash: sha256
DH Group: group 14
isakmp pre share key:

 

From the log:

2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: initiating Main Mode to replace #31
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [RFC 3947]
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: enabling possible NAT-traversal with method 3
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [Cisco-Unity]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [Dead Peer Detection]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [f610e1f7a1d15d340dec41bd18a5550b]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [XAUTH]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:20-14:56:31 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:40 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:50 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:00 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: starting keying attempt 33 of an unlimited number
 
 
 
 
Hope someone can help
 
Peter
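Reading a stalled pluto negotiation mechanically, as an added example that is not part of the original thread and not Sophos or strongSwan code: the parser below ingests lines in the pluto format shown above and reports, per connection, which Main Mode state the initiator was stuck in when it gave up. SAMPLE_LOG is constructed to mirror the thread's format (the "S_Other" connection is invented to show what a completed Phase 1 looks like). The state-to-hint table encodes what each Main Mode message carries: STATE_MAIN_I3 means MM5, the first encrypted message, was sent and never answered; with pre-shared-key authentication both sides derive the Phase 1 encryption key from the PSK, so a peer that silently ignores MM5 is the classic symptom of a key mismatch.

```python
"""Triage strongSwan/pluto IKEv1 Main Mode logs for a negotiation that stalls.

Added example for this thread; not code from Sophos or strongSwan. SAMPLE_LOG is
constructed to mirror the pluto format shown in the thread; the "S_Other"
connection is invented to show what a completed Phase 1 looks like.
"""
import re
from collections import defaultdict

# <timestamp> <host> pluto[<pid>]: "<connection>" #<sa>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
STATE_RE = re.compile(r"STATE_MAIN_[IR]\d")

# Which Main Mode message an initiator stuck in each state sent last, and what no reply means.
STALL_HINTS = {
    "STATE_MAIN_I1": "MM1 unanswered: peer unreachable, UDP/500 filtered, or no matching IKE policy",
    "STATE_MAIN_I2": "MM3 (KE/nonce) unanswered: proposal accepted but the DH exchange stalled",
    "STATE_MAIN_I3": "MM5 unanswered: MM5 is the first encrypted message, so the peer could not decrypt "
                     "or verify it; with PSK authentication that points at a pre-shared key mismatch "
                     "(or a Phase 1 identity the peer rejects)",
}

# Constructed sample, same layout as the thread's log.
SAMPLE_LOG = """\
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: initiating Main Mode to replace #31
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [RFC 3947]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:20-14:56:31 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:40 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: starting keying attempt 33 of an unlimited number
2019:08:20-14:58:01 sophos pluto[25652]: "S_Other" #7: initiating Main Mode
2019:08:20-14:58:01 sophos pluto[25652]: "S_Other" #7: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:20-14:58:02 sophos pluto[25652]: "S_Other" #7: ISAKMP SA established
2019:08:20-14:58:02 sophos ipsec_starter[9613]: this line is not from pluto and is skipped
"""


def parse_pluto(text):
    """Parse pluto lines; anything else (e.g. ipsec_starter) is skipped."""
    entries = []
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"] = int(d["sa"])
            entries.append(d)
    return entries


def _fresh():
    return {"sa": None, "stalled_state": None, "duplicates": 0, "max_retransmissions": False,
            "nat_detected": None, "established": False, "hint": None}


def analyze(entries):
    """Summarize the most recent SA attempt of every connection name."""
    per_conn = defaultdict(_fresh)
    for e in entries:
        s = per_conn[e["conn"]]
        if s["sa"] != e["sa"]:                 # a new SA number is a new attempt
            s.update(_fresh(), sa=e["sa"])
        msg = e["msg"]
        if "NAT-Traversal: Result" in msg:
            s["nat_detected"] = "no NAT detected" not in msg
        if msg.startswith("discarding duplicate packet"):
            s["duplicates"] += 1               # peer is retransmitting its last message: it never accepted ours
        if "ISAKMP SA established" in msg:
            s["established"] = True
        if msg.startswith("max number of retransmissions"):
            s["max_retransmissions"] = True
        st = STATE_RE.search(msg)
        if st and not s["established"]:
            s["stalled_state"] = st.group(0)
            s["hint"] = STALL_HINTS.get(st.group(0), "no hint for this state")
    return dict(per_conn)


def verdict(summary):
    """One operator-facing line per connection."""
    out = []
    for conn, s in sorted(summary.items()):
        if s["established"]:
            out.append(f"{conn} #{s['sa']}: Phase 1 established")
        elif s["max_retransmissions"]:
            out.append(f"{conn} #{s['sa']}: gave up at {s['stalled_state']} after {s['duplicates']} duplicate "
                       f"peer packets (NAT detected: {s['nat_detected']}); {s['hint']}")
        else:
            out.append(f"{conn} #{s['sa']}: still negotiating at {s['stalled_state'] or 'unknown state'}")
    return out


if __name__ == "__main__":
    for line in verdict(analyze(parse_pluto(SAMPLE_LOG))):
        print(line)
```

Feed it the UTM's IPsec live log and it collapses the repeated duplicate/retransmission noise into one line per connection with the state the initiator was stuck in. Because the summary is keyed on the SA number, each "initiating Main Mode to replace #N" starts a fresh record, so a tunnel that flaps between attempts is not mistaken for one long negotiation.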
 


  • Hi  

    Would you please change the IPSec encryption algorithm to AES 256 GCM (128 bit)? The rest of the configuration looks fine to me. 

    Regards

    Jaydeep

  • Thanks Jaydeep,

     

    Tried that, but no luck.

    New config:

    S_Seymour" #2: initiating Main Mode to replace #1
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [RFC 3947]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: enabling possible NAT-traversal with method 3
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [Dead Peer Detection]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: ignoring Vendor ID payload [f610e1f74042440add63af1b35b80bcf]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [XAUTH]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:21-08:32:28 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:37 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:47 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:57 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:33:37 sophos pluto[23129]: "S_Seymour" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:21-08:33:37 sophos pluto[23129]: "S_Seymour" #2: starting keying attempt 3 of an unlimited number
  • Hi  

    I should've asked you about this at first. Do you have configuration details on the Cisco device? The important log line is

    Possible authentication failure: no acceptable response to our first encrypted message


    Would you be able to verify that the configuration and PSK match on both sides? Further, would you ask your colleagues managing the Cisco device to stop the current IPsec connection and start it again after a timeout?

    Regards

    Jaydeep

  • Hi Jaydeep,

     

    I will get them to do that.

    I got them to send me the error logs while I was waiting:

    Aug 21 13:03:01.254: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 120.151.151.64 failed its sanity check or is malformed

     

    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    R - IKE Auto Reconnect, U - IKE Dynamic Route Update
    S - SIP VPN

    Interface: Ethernet0
    Session status: DOWN-NEGOTIATING
    Peer: 120.151.151.64 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      Session ID: 0
      IKEv1 SA: local 203.45.157.215/500 remote 120.151.151.64/500 Inactive
              Capabilities:(none) connid:2400 lifetime:0
      Session ID: 0
      IKEv1 SA: local 203.45.157.215/500 remote 120.151.151.64/500 Inactive
              Capabilities:(none) connid:2399 lifetime:0
      IPSEC FLOW: permit ip 10.10.14.0/255.255.255.0 10.57.21.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 2 life (KB/Sec) 0/0

    Exit Path Table - status: enable, current entry 1, deleted 0, max allow 50
    Error(2): A supplied parameter is incorrect
    -Traceback= 71ACF3Cz 6708C94z 66AE46Cz 670AA04z 670AB60z 670BD50z 70F46F4z 70F59F4z 7106EB0z A6C7A38z A6B9FD8z 60B5DC0z 609CCE0z
    Exit Path Table - status: enable, current entry 15, deleted 0, max allow 50
    Error(2992): Retransmitted packet detected.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A927BF0z 60B5DC0z 609CCE0z
    Error(2222): Failed to retransmit phase1 message.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A922020z A924644z A927A18z 60B5DC0z 609CCE0z
    Error(1500): Unexpected value.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A904FD4z A927D64z 60B5DC0z 609CCE0z
    Error(1506): Failed to send delete, peer isn't authenticated.
    [conn id 2404, local 203.45.157.215:500 remote 120.151.151.64:500]
    state mask 0
    -Traceback= A92F20Cz A92F690z A91E870z A910E24z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(1502): Failed to access account record.
    -Traceback= A92F20Cz A92F690z A8C44F8z A8E06B8z A8E0B2Cz A910DC4z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(3): Wrong length.
    running len 28 id len 16148 total_len 76
    -Traceback= A92F20Cz A92F690z A90462Cz A9054F0z A927D64z 60B5DC0z 609CCE0z
    Error(4): Failed to access account record.
    -Traceback= A92F20Cz A92F690z A8C44F8z A8E06B8z A8E0B2Cz A8E0D64z A910E00z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Unexpect state.
    [conn id 0, local 203.45.157.215:500 remote 216.218.206.114:4811]
    state_mask 0x
    -Traceback= A92F20Cz A92F690z A8B8B4Cz ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Policy not acceptable.
    [conn id 0, local 203.45.157.215:500 remote 216.218.206.114:4811]
    -Traceback= A92F20Cz A92F690z A9094F0z A8FBB94z A90381Cz A8B8B10z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Invalid parameter.
    -Traceback= A92F20Cz A92F690z A929514z A8DC54Cz A8DC5D0z A90814Cz A8FBB94z A90381Cz A8B8B10z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(12): Notify message requeue retry exceeded.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    remote 120.1
    -Traceback= A92F20Cz A92F690z A927940z 60B5DC0z 609CCE0z
    Error(48): Notify message requeued.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    remote 120.1
    -Traceback= A92F20Cz A92F690z A927998z 60B5DC0z 609CCE0z
    Error(2): SA is still negotiating.  Attached new ipsec request to it.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A9182A8z A920CD8z A969F00z A925390z 60B5DC0z 609CCE0z
    Error(2): Failed to retransmit phase1 message.
    [conn id 2333, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A922020z A924644z A927BC8z 60B5DC0z 609CCE0z
    Error(1): No SA found, ignore request to send delete.
    local 203.45.157.215/4500 remote 66.240.236.119/4500 fvrf 0x0 ivrf 0xFFFF for
    -Traceback= A92F20Cz A92F690z A9212F0z A969FE0z A925390z 60B5DC0z 609CCE0z

     

    Regards

     

    Peter

  • Hi Jaydeep,

     

    Here is the Cisco config:

    crypto isakmp policy 10
     encr aes 256
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key 3TB34ut45uper$TCvpnWtoS address 120.151.151.64
    !
    !
    crypto ipsec transform-set TS esp-aes esp-sha256-hmac
     mode tunnel
    !
    !
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 120.151.151.64
     set transform-set TS
     match address VPN_to_Wang
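To make the "does the configuration match on both sides?" question mechanical, here is an added example (not Cisco's, Sophos' or the poster's code) that parses the IOS lines quoted above into normalized Phase 1 and Phase 2 proposals and diffs them against a peer's. The UTM-side values in ASSUMED_UTM are an assumption, since the UTM screenshot is not in the thread text; the IOS defaults the parser fills in are the classic ones and should be confirmed with `show crypto isakmp policy`. One IOS detail it makes visible: `encr aes 256` in the ISAKMP policy is AES-256, but `esp-aes` in the transform set with no key size is AES-128, so the two phases can use different key lengths even though both read "aes".

```python
"""Normalize Cisco IOS IKEv1 (ISAKMP) and IPsec proposal lines and diff them
against a peer's proposal.

Added example for this thread; not Cisco's, Sophos' or the poster's code.
CISCO_CONFIG holds the policy and transform-set lines quoted in the thread
(the pre-shared key line is left out). ASSUMED_UTM is a constructed peer
proposal: the UTM screenshot is not in the thread text.
"""
import re

CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set TS esp-aes esp-sha256-hmac
 mode tunnel
!
"""

# Hypothetical peer (UTM) side, written in the same normalized form.
ASSUMED_UTM = {
    "ike": {"encr": ("aes", 256), "hash": "sha256", "dh": 14, "auth": "pre-share"},
    "esp": {"encr": ("aes", 256), "integ": "sha256", "mode": "tunnel"},
}

HASH_NAMES = {"md5": "md5", "sha": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}


def _cipher(token, size=None):
    """Normalize an IOS cipher keyword to (name, key_bits); a bare 'aes'/'esp-aes' is AES-128 on IOS."""
    name = token[4:] if token.startswith("esp-") else token
    if name in ("aes", "gcm"):
        return ("aes-gcm" if name == "gcm" else "aes", int(size) if size else 128)
    return (name, {"3des": 168, "des": 56}.get(name))


def parse_isakmp_policies(config):
    """Return {priority: normalized Phase 1 proposal} for each 'crypto isakmp policy' block."""
    policies, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            # Classic IOS defaults for an explicit policy; confirm with 'show crypto isakmp policy'.
            cur = {"encr": ("des", 56), "hash": "sha1", "dh": 1, "auth": "rsa-sig"}
            policies[int(m.group(1))] = cur
            continue
        if cur is None:
            continue
        if not line.startswith(" "):
            cur = None                         # left the policy block
            continue
        tok = line.split()
        if tok[0] == "encr":
            cur["encr"] = _cipher(tok[1], tok[2] if len(tok) > 2 else None)
        elif tok[0] == "hash":
            cur["hash"] = HASH_NAMES.get(tok[1], tok[1])
        elif tok[0] == "group":
            cur["dh"] = int(tok[1])
        elif tok[0] == "authentication":
            cur["auth"] = tok[1]
    return policies


def parse_transform_sets(config):
    """Return {name: normalized Phase 2 proposal} for each 'crypto ipsec transform-set'."""
    sets, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            cur = {"encr": None, "integ": None, "mode": "tunnel"}   # IOS default mode is tunnel
            sets[m.group(1)] = cur
            tok, i = m.group(2).split(), 0
            while i < len(tok):
                size = tok[i + 1] if i + 1 < len(tok) and tok[i + 1].isdigit() else None
                if tok[i].endswith("-hmac"):                         # esp-sha256-hmac -> sha256
                    cur["integ"] = HASH_NAMES.get(tok[i][4:-5], tok[i])
                elif tok[i].startswith("esp-"):
                    cur["encr"] = _cipher(tok[i], size)
                i += 2 if size else 1
        elif cur is not None and line.startswith(" mode "):
            cur["mode"] = line.split()[1]
        elif not line.startswith(" "):
            cur = None
    return sets


def compare(label, ours, theirs):
    """List every field where the two normalized proposals differ."""
    return [f"{label}: {k} is {ours.get(k)} here but {theirs.get(k)} on the peer"
            for k in sorted(set(ours) | set(theirs)) if ours.get(k) != theirs.get(k)]


def check_against_peer(config, peer, policy=10, transform_set="TS"):
    """Diff one ISAKMP policy and one transform set against the peer's proposal."""
    ike = parse_isakmp_policies(config)[policy]
    esp = parse_transform_sets(config)[transform_set]
    return compare("IKE (Phase 1)", ike, peer["ike"]) + compare("ESP (Phase 2)", esp, peer["esp"])


if __name__ == "__main__":
    for issue in check_against_peer(CISCO_CONFIG, ASSUMED_UTM) or ["proposals match"]:
        print(issue)
```

With the assumed peer values the Phase 1 proposal matches and the only difference reported is the ESP key length. Keep in mind which phase a symptom belongs to: a Phase 2 mismatch only surfaces after Phase 1 has completed, in Quick Mode, whereas a negotiation that dies at STATE_MAIN_I3 never got past Phase 1, so the IKE policy and the pre-shared key are the first things to compare.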

  • Try Group 5; if that does not work, SHA1.

    In my experience, some Cisco firmwares do not support more than that in IKEv1.

  • Hi Peter and welcome to the UTM Community!

    Is your UTM behind a NAT?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the welcome

    We have a Netgear DM200 in bridge mode connected to VDSL and then plugged into eth1

     

    Hope this helps

     

     

    Peter

  • Let's take a look at the UTM's IPsec log, Peter.

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through any error.

    Cheers - Bob

     
  • Thanks Bob,

     

    Here they are


    Live Log: IPsec VPN
    2019:08:26-09:23:43 sophos ipsec_starter[9613]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2019:08:26-09:23:43 sophos pluto[9626]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2019:08:26-09:23:43 sophos ipsec_starter[9619]: pluto (9626) started after 20 ms
    2019:08:26-09:23:43 sophos pluto[9626]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2019:08:26-09:23:43 sophos pluto[9626]: including NAT-Traversal patch (Version 0.6c)
    2019:08:26-09:23:43 sophos pluto[9626]: Using Linux 2.6 IPsec interface code
    2019:08:26-09:23:43 sophos pluto[9626]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2019:08:26-09:23:43 sophos pluto[9626]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2019:08:26-09:23:43 sophos pluto[9626]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2019:08:26-09:23:43 sophos pluto[9626]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2019:08:26-09:23:43 sophos pluto[9626]: Changing to directory '/etc/ipsec.d/crls'
    2019:08:26-09:23:43 sophos pluto[9626]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.10/eth4.10 10.10.10.254:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.10/eth4.10 10.10.10.254:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.12/eth4.12 10.10.12.254:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.12/eth4.12 10.10.12.254:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.116:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.116:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.115:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.115:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.114:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.114:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.113:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.113:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.64:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.64:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth0/eth0 10.57.21.253:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth0/eth0 10.57.21.253:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo 127.0.0.1:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo 127.0.0.1:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo ::1:500
    2019:08:26-09:23:43 sophos pluto[9626]: loading secrets from "/etc/ipsec.secrets"
    2019:08:26-09:23:43 sophos pluto[9626]: loaded PSK secret for xxx.xx.xx.64 xxx.xx.xxx.215
    2019:08:26-09:23:43 sophos pluto[9626]: listening for IKE messages
    2019:08:26-09:23:43 sophos pluto[9626]: added connection description "S_Seymour"
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: initiating Main Mode
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [RFC 3947]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: enabling possible NAT-traversal with method 3
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: ignoring Vendor ID payload [f610e1f75d95df3f1a95e3bfc0d7448c]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [XAUTH]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:23:44 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:23:54 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:04 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:13 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #1: starting keying attempt 2 of an unlimited number
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: initiating Main Mode to replace #1
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [RFC 3947]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: enabling possible NAT-traversal with method 3
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: ignoring Vendor ID payload [f610e1f75c98c882e13806da0f37e9db]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [XAUTH]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:24:54 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:04 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:14 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:23 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #2: starting keying attempt 3 of an unlimited number
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: initiating Main Mode to replace #2
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [RFC 3947]
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: enabling possible NAT-traversal with method 3
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: ignoring Vendor ID payload [f610e1f7d52302e91e65d3d2bb0b5ed9]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [XAUTH]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:26:05 sophos pluto[9626]: "S_Seymour" #3: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:26:14 sophos pluto[9626]: "S_Seymour" #3: discarding duplicate packet; already STATE_MAIN_I3