
CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

Our connection seems to be completing phase 1, but is failing on a matched/mismatched Peer ID. The thing is that the peer ID actually matches, but the log says that it doesn't, yet shows the same two words there.

I don't have access to the actual Cisco box; it is with an external vendor. Here are the respective logs.

CISCO LOG

Mar 31 2017 08:21:08: %ASA-5-713201: Group = 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 31 2017 08:21:08: %ASA-6-713905: Group =1.1.1.1, IP =1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Mar 31 2017 08:21:08: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Mar 31 2017 08:20:58: %ASA-5-713068: Group =1.1.1.1, IP =1.1.1.1, Received non-routine Notify message: Invalid ID info (18)

SOPHOS LOG

2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: enabling possible NAT-traversal with method RFC 3947
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco-Unity]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [XAUTH]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [26af64ae1ce2e355e599171584afb948]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [Dead Peer Detection]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500

  • In your original post, you had the log line:

    2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'

    Please insert a picture of the Edit of the Remote Gateway definition that resulted in that line.  If you haven't already opened a ticket with Sophos Support, you should get started on that now.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,


    I'm a colleague of J F1's. I'm attaching a screenshot of that definition. We do have a case open with support, and actually had a conference yesterday with them as well as the vendor who has the Cisco. Here's an interesting note: we currently have a Sonicwall deployed at one of our branch offices, and as a workaround, were able to route the traffic through there. However, we're retiring that Sonicwall within the next few weeks, so this is only a temporary fix. Strangely enough, the configuration provided to us by the vendor worked just fine, with no additional config needed on our end when going through the Sonicwall.


  • Please insert pictures of the Edits of both KWI Server definitions with 'Advanced' open.  Feel free to obfuscate the IPs.

    Cheers - Bob

  • That looks good, so I vote for Louis' idea - use a Remote Gateway definition set to "Respond only" instead.

    Cheers - Bob

  • We actually tried Respond Only with no success (with Sophos support as well). I also attempted to add the peer ID as a DNS name in the network definition and tried setting the ID type to IP address, but the same errors persisted. Sophos support was able to create a working test environment with an XG, see here:


    017:04:05-15:09:13 halnad pluto[28439]: added connection description "S_XG-To-UTM"
    2017:04:05-15:09:13 halnad pluto[28439]: "S_XG-To-UTM" #8: initiating Main Mode
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: received Vendor ID payload [Dead Peer Detection]
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: received Vendor ID payload [RFC 3947]
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: ignoring Vendor ID payload [Cisco-Unity]
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: enabling possible NAT-traversal with method 3
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: Peer ID is ID_FQDN: 'abc'
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: Dead Peer Detection (RFC 3706) enabled
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: ISAKMP SA established
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#8}
    2017:04:05-15:09:23 halnad pluto[28439]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="XG-To-UTM" address="24.53.246.134" local_net="192.168.1.0/24" remote_net="172.16.16.0/24"
    2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #9: sent QI2, IPsec SA established {ESP=>0x9ae7f256 <0x21353479 DPD}


    The most noticeable difference here is the Peer ID is a FQDN. This is what led me to try adding a DNS name in the network definition, but again, it didn't work. I haven't found any FQDN in the settings.
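An added illustration, not from the thread or from Sophos, of why pluto can log "we require peer to have ID 'abc', but peer declares 'abc'": pluto compares the IKE identity type as well as its value, and the message prints only the value. The script parses the "Peer ID is ..." lines quoted above and reports which field actually differed; the expected local definition (ID_FQDN 'abc') is an assumption for illustration, not the poster's configuration.

```python
import re
from typing import NamedTuple, Optional, Sequence


# IKEv1 identification type names as pluto logs them (RFC 2407, section 4.6.2.1).
class IkeId(NamedTuple):
    kind: str    # e.g. "ID_FQDN", "ID_KEY_ID", "ID_IPV4_ADDR"
    value: str   # the identity data as pluto prints it


PEER_ID_RE = re.compile(r"Peer ID is (ID_[A-Z0-9_]+): '([^']*)'")


def parse_peer_id(log_lines: Sequence[str]) -> Optional[IkeId]:
    """Pull the (type, value) pair from pluto's 'Peer ID is ...' line, if present."""
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            return IkeId(m.group(1), m.group(2))
    return None


def same_id(a: IkeId, b: IkeId) -> bool:
    """Mirror pluto's identity check: types must be equal before values are compared.
    FQDN-style IDs compare case-insensitively; everything else is an exact match."""
    if a.kind != b.kind:
        return False
    if a.kind in ("ID_FQDN", "ID_USER_FQDN"):
        return a.value.lower() == b.value.lower()
    return a.value == b.value


def explain(expected: IkeId, declared: IkeId) -> str:
    """Produce the diagnosis the bare pluto message hides: which field differed."""
    if same_id(expected, declared):
        return "match"
    if expected.kind != declared.kind:
        return (f"type mismatch: we require {expected.kind} '{expected.value}', "
                f"but peer declares {declared.kind} '{declared.value}'")
    return f"value mismatch: '{expected.value}' vs '{declared.value}'"


# Constructed samples: the ASA-facing line from the thread and the XG test line.
UTM_LOG = ['2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: \'abc\'']
XG_LOG = ['2017:04:05-15:09:23 halnad pluto[28439]: "S_XG-To-UTM" #8: Peer ID is ID_FQDN: \'abc\'']

# Assumption for illustration only: the local UTM expects the peer as FQDN 'abc'.
EXPECTED = IkeId("ID_FQDN", "abc")

if __name__ == "__main__":
    for name, log in (("UTM/ASA", UTM_LOG), ("XG test", XG_LOG)):
        print(name, "->", explain(EXPECTED, parse_peer_id(log)))
```

When the two printed values look identical, check the type shown in the "Peer ID is ..." line on the UTM against the ID type configured in the remote gateway definition before touching the pre-shared key or the value itself.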

  • Louis-M said:

    Did the above work in both initiate connection and respond only and both ways?

    Yes

    Louis-M said:

    To the OP, there are some settings under advanced, e.g. use VPN ID for preshared keys. Have you tried that?

    That's what you must configure if the remote site needs VPN type "DNS name" for PSK.

    Louis-M said:

    E.g. on the VPN host setup leave VPN ID blank, go to advanced settings and then set it there, e.g. try hostname and abc? Shot in the dark really.


    At the remote host setup on your site you must choose the VPN type and ID that the other site has configured. At advanced settings you must configure the VPN type and ID that the remote site has also configured for your site.
    regards
    mod
  • There are two areas where the VPN TYPE ID can be placed.

    1. Under "Edit remote gateway"

    2. Under advanced which applies globally.

    I'm just wondering if it makes any difference if hostname is applied under either or both at the same time?

  • Louis-M said:

    There are two areas where the VPN TYPE ID can be placed.

    1. Under "Edit remote gateway"

    2. Under advanced which applies globally.

    I'm just wondering if it makes any difference if hostname is applied under either or both at the same time?


    Under Remote Gateway is placed the VPN ID for the Remote Gateway, and under advanced is placed the VPN ID for the local UTM for all VPN tunnels.
    regards
    mod
  • Editing it under advanced wouldn't work for us as we have another (working) tunnel that uses a different ID. Unless editing it in the specific remote gateway supersedes the global setting. Does anyone know if that's the case?

  • Please, open a support case.

    regards

    mod

  • We've got one open already, but were hoping that the hivemind on here could also be helpful to us. Thanks for the responses though!
