
Issues with UTM 9 to cisco 887 VPN

Hi All,

 

I am setting up a VPN to a new site with a Cisco 887 and UTM 9.

I don't have full control over the other end but can get things changed if needed.

UTM SETUP IS

Cisco Setup

Encryption:  aes 256

Hash : sha256

DH Group : group 14

isakmp pre share key :

 

From the log:

2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: initiating Main Mode to replace #31
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [RFC 3947]
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: enabling possible NAT-traversal with method 3
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [Cisco-Unity]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [Dead Peer Detection]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [f610e1f7a1d15d340dec41bd18a5550b]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [XAUTH]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:20-14:56:31 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:40 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:50 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:00 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: starting keying attempt 33 of an unlimited number
 
 
 
 
Hope someone can help.

Peter
 


  • Hi  

    Would you please change the IPSec encryption algorithm to AES 256 GCM (128 bit)? The rest of the configuration looks fine to me. 

    Regards

    Jaydeep

  • Thanks Jaydeep,

    Tried that but no luck.

    New config:

    S_Seymour" #2: initiating Main Mode to replace #1
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [RFC 3947]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: enabling possible NAT-traversal with method 3
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [Dead Peer Detection]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: ignoring Vendor ID payload [f610e1f74042440add63af1b35b80bcf]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: received Vendor ID payload [XAUTH]
    2019:08:21-08:32:27 sophos pluto[23129]: "S_Seymour" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:21-08:32:28 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:37 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:47 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:32:57 sophos pluto[23129]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:21-08:33:37 sophos pluto[23129]: "S_Seymour" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:21-08:33:37 sophos pluto[23129]: "S_Seymour" #2: starting keying attempt 3 of an unlimited number
  • Hi  

    I should've asked you about this at first. Do you have configuration details on the Cisco device? The important log line is

    Possible authentication failure: no acceptable response to our first encrypted message


    Would you be able to verify that the configuration and PSK match on both sides? Further, would you ask your colleagues managing the Cisco device to stop the current IPsec connection and start it again after a timeout?

    Regards

    Jaydeep

  • Hi Jaydeep,

    I will get them to do that.

    I got them to send me the error logs while I was waiting:

    Aug 21 13:03:01.254: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 120.151.151.64 failed its sanity check or is malformed

     

    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    R - IKE Auto Reconnect, U - IKE Dynamic Route Update
    S - SIP VPN

    Interface: Ethernet0
    Session status: DOWN-NEGOTIATING
    Peer: 120.151.151.64 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      Session ID: 0
      IKEv1 SA: local 203.45.157.215/500 remote 120.151.151.64/500 Inactive
              Capabilities:(none) connid:2400 lifetime:0
      Session ID: 0
      IKEv1 SA: local 203.45.157.215/500 remote 120.151.151.64/500 Inactive
              Capabilities:(none) connid:2399 lifetime:0
      IPSEC FLOW: permit ip 10.10.14.0/255.255.255.0 10.57.21.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 2 life (KB/Sec) 0/0

    Exit Path Table - status: enable, current entry 1, deleted 0, max allow 50
    Error(2): A supplied parameter is incorrect
    -Traceback= 71ACF3Cz 6708C94z 66AE46Cz 670AA04z 670AB60z 670BD50z 70F46F4z 70F59F4z 7106EB0z A6C7A38z A6B9FD8z 60B5DC0z 609CCE0z

    Exit Path Table - status: enable, current entry 15, deleted 0, max allow 50
    Error(2992): Retransmitted packet detected.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A927BF0z 60B5DC0z 609CCE0z
    Error(2222): Failed to retransmit phase1 message.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A922020z A924644z A927A18z 60B5DC0z 609CCE0z
    Error(1500): Unexpected value.
    [conn id 2405, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A904FD4z A927D64z 60B5DC0z 609CCE0z
    Error(1506): Failed to send delete, peer isn't authenticated.
    [conn id 2404, local 203.45.157.215:500 remote 120.151.151.64:500]
    state mask 0
    -Traceback= A92F20Cz A92F690z A91E870z A910E24z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(1502): Failed to access account record.
    -Traceback= A92F20Cz A92F690z A8C44F8z A8E06B8z A8E0B2Cz A910DC4z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(3): Wrong length.
    running len 28 id len 16148 total_len 76
    -Traceback= A92F20Cz A92F690z A90462Cz A9054F0z A927D64z 60B5DC0z 609CCE0z
    Error(4): Failed to access account record.
    -Traceback= A92F20Cz A92F690z A8C44F8z A8E06B8z A8E0B2Cz A8E0D64z A910E00z A8B43E4z A8B4430z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Unexpect state.
    [conn id 0, local 203.45.157.215:500 remote 216.218.206.114:4811]
    state_mask 0x
    -Traceback= A92F20Cz A92F690z A8B8B4Cz ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Policy not acceptable.
    [conn id 0, local 203.45.157.215:500 remote 216.218.206.114:4811]
    -Traceback= A92F20Cz A92F690z A9094F0z A8FBB94z A90381Cz A8B8B10z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(2): Invalid parameter.
    -Traceback= A92F20Cz A92F690z A929514z A8DC54Cz A8DC5D0z A90814Cz A8FBB94z A90381Cz A8B8B10z ADC2754z A8B9F90z A8BA160z A91AF04z A925274z 60B5DC0z 609CCE0z
    Error(12): Notify message requeue retry exceeded.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    remote 120.1
    -Traceback= A92F20Cz A92F690z A927940z 60B5DC0z 609CCE0z
    Error(48): Notify message requeued.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    remote 120.1
    -Traceback= A92F20Cz A92F690z A927998z 60B5DC0z 609CCE0z
    Error(2): SA is still negotiating.  Attached new ipsec request to it.
    [conn id 2344, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A9182A8z A920CD8z A969F00z A925390z 60B5DC0z 609CCE0z
    Error(2): Failed to retransmit phase1 message.
    [conn id 2333, local 203.45.157.215:500 remote 120.151.151.64:500]
    -Traceback= A92F20Cz A92F690z A922020z A924644z A927BC8z 60B5DC0z 609CCE0z
    Error(1): No SA found, ignore request to send delete.
    local 203.45.157.215/4500 remote 66.240.236.119/4500 fvrf 0x0 ivrf 0xFFFF for
    -Traceback= A92F20Cz A92F690z A9212F0z A969FE0z A925390z 60B5DC0z 609CCE0z

    Regards

    Peter

  • Hi Jaydeep,

     

    Here is the Cisco config:

    crypto isakmp policy 10
     encr aes 256
     hash sha256
     authentication pre-share
     group 14
    crypto isakmp key 3TB34ut45uper$TCvpnWtoS address 120.151.151.64
    !
    !
    crypto ipsec transform-set TS esp-aes esp-sha256-hmac
     mode tunnel
    !
    !
    !
    crypto map CMAP 10 ipsec-isakmp
     set peer 120.151.151.64
     set transform-set TS
     match address VPN_to_Wang

  • Try Group 5, and if there is no success, SHA1.

    In my experience, some Cisco firmwares do not support more in IKEv1.
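The two symptoms in this thread, pluto giving up at STATE_MAIN_I3 and the Cisco logging `%CRYPTO-4-IKMP_BAD_MESSAGE`, are the two halves of the same failed exchange: I3 is the first encrypted Main Mode message (identity plus hash), and a responder whose PSK or policy does not match cannot decrypt it and sees garbage. The following Python is an added example, not code from the thread, Sophos or Cisco: it pulls the stalled state out of pluto log lines, maps it to what the responder failed to answer, and parses the posted `crypto isakmp policy` block so the two phase 1 proposals can be compared field by field. The sample log and the hint table are constructed; the state names are pluto's.

```python
import re

# Constructed sample: pluto lines in the shape quoted in the thread (connection S_Seymour).
PLUTO_LOG = """\
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: initiating Main Mode to replace #31
2019:08:20-14:56:31 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Cisco phase 1 policy as posted in the thread (PSK line omitted).
IOS_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
"""

# What a stalled IKEv1 Main Mode initiator state means (pluto state names).
STALL_HINTS = {
    "STATE_MAIN_I1": "SA proposal unanswered: peer unreachable, UDP/500 filtered, or no matching ISAKMP policy",
    "STATE_MAIN_I2": "KE/nonce exchange unanswered: DH group mismatch or packet loss",
    "STATE_MAIN_I3": "first encrypted (ID/HASH) message unanswered: PSK or peer-ID mismatch, "
                     "or a policy the responder only rejects after decrypting",
}
STALL_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')

def diagnose_pluto(log):
    """Map each connection that exhausted retransmissions to its stalled state and a hint."""
    out = {}
    for line in log.splitlines():
        m = STALL_RE.search(line)
        if m:
            out[m["conn"]] = {"sa": int(m["sa"]), "stalled_at": m["state"],
                              "hint": STALL_HINTS.get(m["state"], "unknown state")}
    return out

def parse_isakmp_policy(cfg):
    """Extract encr/hash/group/authentication from an IOS 'crypto isakmp policy' block."""
    pol = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 2 and t[0] in ("encr", "hash", "group", "authentication"):
            pol[t[0]] = " ".join(t[1:])
    return pol

def compare_phase1(utm, cisco):
    """Return the phase 1 parameters that differ between the two sides (empty list means they match)."""
    return sorted(k for k in set(utm) | set(cisco) if utm.get(k) != cisco.get(k))
```

Feed `compare_phase1` a dict of the UTM's phase 1 settings (for the thread: `{"encr": "aes 256", "hash": "sha256", "group": "14", "authentication": "pre-share"}`); an empty result with a stall at I3 points at the PSK or the peer identity rather than the proposal. Separately, note that on IOS the posted transform-set's `esp-aes` is 128-bit AES (`esp-aes 256` selects 256-bit), which matters for the UTM's IPsec settings once phase 1 completes but cannot cause a stall at I3.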