VPN to other vendors

I saw a bug on here that VPNs between XGv17 and XGv16 were failing. I can say that since the upgrade, in my case, that is not the case. What I will say is that VPNs that were rock solid to other vendor firewalls, such as SonicWALL, are constantly either being denied, or negotiated and quickly terminated. The error in the logs is


"received IKE message with invalid SPI"


Both ends of the VPNs have not changed. Both the XG and the other vendor firewall have been rebooted multiple times, but the issue is persistent. I have verified that all parameters for Phase 1 and Phase 2 are correct and equal on both sides.


Also, post upgrade from XG v16.5-6 to XG v17-Beta1, the VPN profiles were disabled and I had to manually enable them. I am running the software version of XGv17.

  • Sure... There we go:


    I've tried with RSA, PSK, and several combinations of encryption parameters...


    This is what I get on the SG side:


    2017:11:17-13:03:17 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5428: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===10.10.23.0/24
    2017:11:17-13:03:17 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5428: sending encrypted notification INVALID_ID_INFORMATION to 195.77.144.20:500
    2017:11:17-13:03:20 asgmfhq pluto[23383]: packet from 195.77.144.20:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2017:11:17-13:04:00 asgmfhq pluto[23383]: packet from 195.77.144.20:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2017:11:17-13:04:40 asgmfhq pluto[23383]: packet from 195.77.144.20:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
  • Changing the encryption policy and the mode on the XG side, it seems to get a bit further, but it doesn't work either:


    2017:11:17-13:07:29 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: responding to Main Mode
    2017:11:17-13:07:29 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: Peer ID is ID_IPV4_ADDR: '195.77.144.20'
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: Dead Peer Detection (RFC 3706) enabled
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: sent MR3, ISAKMP SA established
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===192.168.2.0/24
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: sending encrypted notification INVALID_ID_INFORMATION to 195.77.144.20:500
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===192.168.2.0/24
    2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: sending encrypted notification INVALID_ID_INFORMATION to 195.77.144.20:500
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: received Vendor ID payload [XAUTH]
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: received Vendor ID payload [Dead Peer Detection]
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: received Vendor ID payload [RFC 3947]
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: enabling possible NAT-traversal with method 3
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: NAT-Traversal: Result using RFC 3947: no NAT detected
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: Peer ID is ID_IPV4_ADDR: '195.77.144.20'
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: Dead Peer Detection (RFC 3706) enabled
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: ISAKMP SA established
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5431: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5427}
    2017:11:17-13:08:00 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: ignoring informational payload, type INVALID_ID_INFORMATION
    2017:11:17-13:08:02 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===10.10.23.0/24
    2017:11:17-13:08:02 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: sending encrypted notification INVALID_ID_INFORMATION to 195.77.144.20:500
    2017:11:17-13:08:06 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x11f5e3cd (perhaps this is a duplicated packet)
    2017:11:17-13:08:06 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: sending encrypted notification INVALID_MESSAGE_ID to 195.77.144.20:500
    2017:11:17-13:08:10 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: received Delete SA payload: deleting ISAKMP State #5430
    2017:11:17-13:08:10 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: ignoring informational payload, type INVALID_HASH_INFORMATION
    2017:11:17-13:08:14 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x11f5e3cd (perhaps this is a duplicated packet)
    2017:11:17-13:08:14 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: sending encrypted notification INVALID_MESSAGE_ID to 195.77.144.20:500
  • There seems to be a misconfiguration with regards to VPN IDs and local/remote networks. Could you please review your configuration? The two gateways need to agree on both settings.
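As an added illustration (not code from this thread, from Sophos, or from the pluto project), a small Python parser that pulls the traffic selectors and gateway IDs out of pluto's "no connection is known for" lines, such as the ones quoted above, and compares them with the local/remote networks the responder is configured for, so the kind of mismatch the last reply points at can be spotted from the log alone. The SAMPLE_LOG lines and the CONFIGURED tunnel definition are constructed assumptions modelled on the excerpts in the thread, not the poster's actual configuration.

```python
import re

# Constructed sample: three pluto lines in the same form as the excerpts quoted in the thread.
SAMPLE_LOG = """\
2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===192.168.2.0/24
2017:11:17-13:07:30 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5430: sending encrypted notification INVALID_ID_INFORMATION to 195.77.144.20:500
2017:11:17-13:08:02 asgmfhq pluto[23383]: "S_Tunel CarraOvejas" #5427: cannot respond to IPsec SA request because no connection is known for 172.24.0.0/24===88.23.49.28[asgmfhq.metafrase.net]...195.77.144.20[195.77.144.20]===10.10.23.0/24
"""

# Hypothetical tunnel definition on the responder (what this gateway thinks the tunnel should be).
CONFIGURED = {"local_net": "172.24.0.0/24", "remote_net": "10.10.23.0/24", "peer": "195.77.144.20"}

# Shape: <local_net>===<local_gw>[<local_id>]...<peer_gw>[<peer_id>]===<remote_net>
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<local_net>\S+?)===(?P<local_gw>[^\[]+)\[(?P<local_id>[^\]]+)\]\.\.\.'
    r'(?P<peer_gw>[^\[]+)\[(?P<peer_id>[^\]]+)\]===(?P<remote_net>\S+)'
)

def parse_rejections(log_text):
    """Return one dict per rejected Quick Mode request with the selectors the peer proposed."""
    found = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found

def diagnose(rejections, configured):
    """Compare each proposed selector pair against the configured tunnel and list what differs."""
    findings = []
    for r in rejections:
        problems = []
        if r["local_net"] != configured["local_net"]:
            problems.append(f"local network {r['local_net']} != configured {configured['local_net']}")
        if r["remote_net"] != configured["remote_net"]:
            problems.append(f"remote network {r['remote_net']} != configured {configured['remote_net']}")
        if r["peer_gw"] != configured["peer"]:
            problems.append(f"peer gateway {r['peer_gw']} != configured {configured['peer']}")
        findings.append({"state": r["state"], "proposed": (r["local_net"], r["remote_net"]),
                         "peer_id": r["peer_id"], "problems": problems})
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_rejections(SAMPLE_LOG), CONFIGURED):
        status = "; ".join(f["problems"]) or "selectors match configured pair (rejection is not a subnet mismatch)"
        print(f"state #{f['state']} proposed {f['proposed']} peer ID {f['peer_id']}: {status}")
```

An empty `problems` list for a rejected request means the subnets are not the issue, so the next thing to compare is the connection's peer ID and whether that connection is enabled on the responder.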