CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

Our connection seems to be completing phase 1, but is failing on a matched/mismatched Peer ID. The thing is that the peer ID actually matches, but the log says that it doesn't, while showing the same two words there.

I don't have access to the actual Cisco box; it is with an external vendor. Here are the respective logs.

CISCO LOG

Mar 31 2017 08:21:08: %ASA-5-713201: Group = 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 31 2017 08:21:08: %ASA-6-713905: Group =1.1.1.1, IP =1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Mar 31 2017 08:21:08: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Mar 31 2017 08:20:58: %ASA-5-713068: Group =1.1.1.1, IP =1.1.1.1, Received non-routine Notify message: Invalid ID info (18)

SOPHOS LOG

2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: enabling possible NAT-traversal with method RFC 3947
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco-Unity]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [XAUTH]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [26af64ae1ce2e355e599171584afb948]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [Dead Peer Detection]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
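As an added illustration for this thread (example code, not pluto's or Sophos's own), the following models how pluto compares IKEv1 Phase 1 identities and runs that check over the log lines quoted above. pluto's same_id() compares the identification type (ID_IPV4_ADDR, ID_FQDN, ID_KEY_ID, ...) before the value, while the rejection line prints only the value, so identical text being rejected is what a type-only difference looks like; the ID_FQDN type used for the UTM side below is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeId:
    kind: str    # IKEv1 identification type, e.g. "ID_KEY_ID" or "ID_FQDN"
    value: str   # identification data as text


def same_id(a: IkeId, b: IkeId) -> bool:
    """Mirror pluto's same_id(): the type must match before the value is compared."""
    return a.kind == b.kind and a.value == b.value


# pluto prints the peer's type only in the "Peer ID is ..." line; the rejection
# line that follows prints both IDs as bare text.
PEER_RE = re.compile(r"Peer ID is (?P<kind>ID_\w+): '(?P<value>[^']*)'")
REQ_RE = re.compile(r"we require peer to have ID '(?P<req>[^']*)', "
                    r"but peer declares '(?P<decl>[^']*)'")


def diagnose(lines):
    """Classify one SA's pluto lines: 'ok', 'value mismatch', 'type mismatch'
    or 'undetermined'. A rejection whose required and declared text are equal
    can only be a type mismatch, because same_id() compares the type first."""
    declared = None
    for line in lines:
        if m := PEER_RE.search(line):
            declared = IkeId(m["kind"], m["value"])
        if m := REQ_RE.search(line):
            if m["req"] != m["decl"]:
                return "value mismatch"
            return "type mismatch" if declared else "undetermined"
    return "ok"


# Lines quoted in the thread (timestamp prefixes dropped): identical text rejected,
# then, after the UTM was switched to an IP-address ID, a plain value mismatch.
FIRST_ATTEMPT = [
    "\"S_KWIK-2\" #1: Peer ID is ID_KEY_ID: 'abc'",
    "\"S_KWIK-2\" #1: we require peer to have ID 'abc', but peer declares 'abc'",
]
IP_ID_ATTEMPT = [
    "\"S_KWIK-2\" #1383: Peer ID is ID_KEY_ID: 'abc'",
    "\"S_KWIK-2\" #1383: we require peer to have ID '2.2.2.2', but peer declares 'abc'",
]

if __name__ == "__main__":
    print(diagnose(FIRST_ATTEMPT), diagnose(IP_ID_ATTEMPT))  # type mismatch value mismatch
    # Same text, different type (ID_FQDN on the UTM side is an assumption): rejected.
    print(same_id(IkeId("ID_FQDN", "abc"), IkeId("ID_KEY_ID", "abc")))  # False
```

The practical check this suggests is to compare the VPN ID type configured for the remote gateway on the UTM against the type the peer actually sends (the "Peer ID is ..." line), not just the text.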
  • I've got Ciscos connected to my UTM using the IP address as the peer ID and they are rock solid. As I wasn't in control of the other side of the link, we basically agreed a PSK and that was it.

  • Thanks for the info. Unfortunately, our vendor doesn't seem to want to make any changes to their config to help us. Is the Sophos box really denying a matching peer ID? We have a PSK with the Cisco that works; as far as I can tell we are passing phase 1. The following is a log from activating the VPN until the 'mismatch'.


    2017:03:31-17:46:47 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:47 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:47 50 pluto[28329]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:03:31-17:46:47 50 pluto[28329]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:03:31-17:46:47 50 pluto[28329]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:03:31-17:46:47 50 pluto[28329]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:03:31-17:46:47 50 pluto[28329]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:03:31-17:46:47 50 pluto[28329]: Changing to directory '/etc/ipsec.d/crls'
    2017:03:31-17:46:47 50 pluto[28329]: "S_KWIK-2": deleting connection
    2017:03:31-17:46:47 50 pluto[28329]: "S_KWIK-2" #63: deleting state (STATE_MAIN_I3)
    2017:03:31-17:46:52 50 pluto[28329]: forgetting secrets
    2017:03:31-17:46:52 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 kwik
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:52 50 pluto[28329]: listening for IKE messages
    2017:03:31-17:46:52 50 pluto[28329]: forgetting secrets
    2017:03:31-17:46:52 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 kwik
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:52 50 pluto[28329]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:03:31-17:46:52 50 pluto[28329]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:03:31-17:46:52 50 pluto[28329]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:03:31-17:46:52 50 pluto[28329]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:03:31-17:46:52 50 pluto[28329]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:03:31-17:46:52 50 pluto[28329]: Changing to directory '/etc/ipsec.d/crls'
    2017:03:31-17:46:52 50 pluto[28329]: added connection description "S_KWIK-2"
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: initiating Main Mode
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: enabling possible NAT-traversal with method RFC 3947
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [Cisco-Unity]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [XAUTH]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [f61928e27416a0664640815a03427909]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [Dead Peer Detection]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: Peer ID is ID_KEY_ID: 'abc'
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: we require peer to have ID 'abc', but peer declares 'abc'
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Delete SA payload: ISAKMP SA not established

  • This is the Cisco setup that I have been sent

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
    default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
    ikev1 pre-shared-key *****

    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
    vpn-tunnel-protocol ikev1


    crypto map outside_map 13 match address outside_cryptomap_12
    crypto map outside_map 13 set peer 1.1.1.1
    crypto map outside_map 13 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 13 set security-association lifetime seconds 3600

    access-list outside_cryptomap_12 line 1 extended permit ip host 192.9.200.169 host 192.168.140.1 (hitcnt=1538) 0x909951f8

  • Just to add a little more information: 192.168.140.1 is actually the LAN Address of my Sophos SG230

    We have an Amazon AWS instance that needs to query the remote MySQL DB that lives at 2.2.2.2 in the clips above.

    I have a full NAT that converts the port traffic to our 1.1.1.1 -> 192.9.200.169 (lan of 2.2.2.2)

    ----

    This set up was working for a small amount of time if the remote network pinged us, but we could never initiate the tunnel. In fact, we would still get the same mismatched peer id (though matched in the log) if the tunnel was up.


  • Hi, JF, and welcome to the UTM Community!

    Could you draw us a simple diagram showing the IPs involved?  You lost me when you mentioned a Full NAT.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob. Here is the diagram, but the main issue is that the site to site VPN will not authenticate. Though the peer IDs match, the log says that they mismatch. The Peer ID is only 3 letters; not sure if that might be the problem.

  • Could you screenshot the remote gateway setup on the UTM?

  • Just edited the log so that abc would be shown there as the VPN/Peer ID too.

  • Shot in the dark here, but have you tried just leaving the VPN ID type as IP address and leaving the VPN ID blank? I have some set up like that and they work.


    Not sure if these posts are relevant?

    They suggest that if a PSK is used, you can only use the IP address as the VPN ID type.

    community.sophos.com/.../ipsec-vpn-id-question

    https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/54898/site-to-site---can-i-change-vpn-id

  • Hey Louis. Tried that, tried it again to paste the log...

    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: enabling possible NAT-traversal with method RFC 3947
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: ignoring Vendor ID payload [Cisco-Unity]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: received Vendor ID payload [XAUTH]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: ignoring Vendor ID payload [e57075983ea39b7e32ecac3b7a482c5f]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: received Vendor ID payload [Dead Peer Detection]
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: Peer ID is ID_KEY_ID: 'abc'
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: we require peer to have ID '2.2.2.2', but peer declares 'abc'
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: ignoring Delete SA payload: ISAKMP SA not established

    I am going to restart the UTM in the morning and see if we continue to get the mismatch error. This has also been escalated with Sophos support. In the meantime (as they look into it), I am going to ask the vendor to set up a second site to site VPN for me and try to establish a connection at a remote site that has a Sonicwall to see if I run into the same issues.