
Issues with UTM 9 to cisco 887 VPN

Hi All,

 

I am setting up a VPN to a new site with a Cisco 887 and UTM 9.

I don't have full control over the other end but can get things changed if needed.

UTM setup is:

Cisco setup:

Encryption: aes 256
Hash: sha256
DH Group: group 14
isakmp pre share key:

From the log:

2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: initiating Main Mode to replace #31
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [RFC 3947]
2019:08:20-14:56:29 sophos pluto[25652]: "S_Seymour" #32: enabling possible NAT-traversal with method 3
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [Cisco-Unity]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [Dead Peer Detection]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: ignoring Vendor ID payload [f610e1f7a1d15d340dec41bd18a5550b]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: received Vendor ID payload [XAUTH]
2019:08:20-14:56:30 sophos pluto[25652]: "S_Seymour" #32: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:20-14:56:31 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:40 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:56:50 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:00 sophos pluto[25652]: "S_Seymour" #32: discarding duplicate packet; already STATE_MAIN_I3
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2019:08:20-14:57:40 sophos pluto[25652]: "S_Seymour" #32: starting keying attempt 33 of an unlimited number

Hope someone can help.

Peter


  • Hi Peter and welcome to the UTM Community!

    Is your UTM behind a NAT?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for the welcome

    We have a Netgear DM200 in bridge mode connected to VDSL and then plugged into eth1.

    Hope this helps

    Peter

  • Let's take a look at the UTM's IPsec log, Peter.

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through any error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob,

    Here they are:


    2019:08:26-09:23:43 sophos ipsec_starter[9613]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
    2019:08:26-09:23:43 sophos pluto[9626]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
    2019:08:26-09:23:43 sophos ipsec_starter[9619]: pluto (9626) started after 20 ms
    2019:08:26-09:23:43 sophos pluto[9626]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
    2019:08:26-09:23:43 sophos pluto[9626]: including NAT-Traversal patch (Version 0.6c)
    2019:08:26-09:23:43 sophos pluto[9626]: Using Linux 2.6 IPsec interface code
    2019:08:26-09:23:43 sophos pluto[9626]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2019:08:26-09:23:43 sophos pluto[9626]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2019:08:26-09:23:43 sophos pluto[9626]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2019:08:26-09:23:43 sophos pluto[9626]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2019:08:26-09:23:43 sophos pluto[9626]: Changing to directory '/etc/ipsec.d/crls'
    2019:08:26-09:23:43 sophos pluto[9626]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.10/eth4.10 10.10.10.254:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.10/eth4.10 10.10.10.254:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.12/eth4.12 10.10.12.254:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth4.12/eth4.12 10.10.12.254:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.116:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.116:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.115:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.115:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.114:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.114:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.113:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.113:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.64:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth1/eth1 xxx.xx.xx.64:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth0/eth0 10.57.21.253:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface eth0/eth0 10.57.21.253:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo 127.0.0.1:500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo 127.0.0.1:4500
    2019:08:26-09:23:43 sophos pluto[9626]: adding interface lo/lo ::1:500
    2019:08:26-09:23:43 sophos pluto[9626]: loading secrets from "/etc/ipsec.secrets"
    2019:08:26-09:23:43 sophos pluto[9626]: loaded PSK secret for xxx.xx.xx.64 xxx.xx.xxx.215
    2019:08:26-09:23:43 sophos pluto[9626]: listening for IKE messages
    2019:08:26-09:23:43 sophos pluto[9626]: added connection description "S_Seymour"
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: initiating Main Mode
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [RFC 3947]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: enabling possible NAT-traversal with method 3
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: ignoring Vendor ID payload [f610e1f75d95df3f1a95e3bfc0d7448c]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: received Vendor ID payload [XAUTH]
    2019:08:26-09:23:43 sophos pluto[9626]: "S_Seymour" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:23:44 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:23:54 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:04 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:13 sophos pluto[9626]: "S_Seymour" #1: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #1: starting keying attempt 2 of an unlimited number
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: initiating Main Mode to replace #1
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [RFC 3947]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: enabling possible NAT-traversal with method 3
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: ignoring Vendor ID payload [f610e1f75c98c882e13806da0f37e9db]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: received Vendor ID payload [XAUTH]
    2019:08:26-09:24:53 sophos pluto[9626]: "S_Seymour" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:24:54 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:04 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:14 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:25:23 sophos pluto[9626]: "S_Seymour" #2: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #2: starting keying attempt 3 of an unlimited number
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: initiating Main Mode to replace #2
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [RFC 3947]
    2019:08:26-09:26:03 sophos pluto[9626]: "S_Seymour" #3: enabling possible NAT-traversal with method 3
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: ignoring Vendor ID payload [Cisco-Unity]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [Dead Peer Detection]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: ignoring Vendor ID payload [f610e1f7d52302e91e65d3d2bb0b5ed9]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: received Vendor ID payload [XAUTH]
    2019:08:26-09:26:04 sophos pluto[9626]: "S_Seymour" #3: NAT-Traversal: Result using RFC 3947: no NAT detected
    2019:08:26-09:26:05 sophos pluto[9626]: "S_Seymour" #3: discarding duplicate packet; already STATE_MAIN_I3
    2019:08:26-09:26:14 sophos pluto[9626]: "S_Seymour" #3: discarding duplicate packet; already STATE_MAIN_I3
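
    What the live log above is saying, as an added example (this is not code from the thread, from Sophos or from strongSwan): a small Python parser that folds pluto's per-SA lines into one record per ISAKMP SA and prints a verdict. In IKEv1 Main Mode the initiator reaches STATE_MAIN_I3 after sending message 5, its first encrypted message, which carries its IKE identity and the PSK-keyed hash; a peer that keeps repeating its previous packet instead of answering is what pluto reports as "Possible authentication failure: no acceptable response to our first encrypted message". The parser also picks up the NAT-Traversal result line, since that is what the question about NAT turns on. The sample log, the hostname `utm`, the connection name `S_Example` and the SA numbers are constructed; the regular expressions match the line format shown in the thread.

```python
"""Summarise an IKEv1 Main Mode negotiation from Sophos UTM (strongSwan pluto) log lines.

Added example for this thread, not code from Sophos, strongSwan or the poster.
SAMPLE_LOG is constructed to match the format pluto writes to the UTM IPsec
live log; the hostname, connection name, SA numbers and timestamps are invented.
"""
import re
from collections import defaultdict

# One pluto line: 'YYYY:MM:DD-HH:MM:SS host pluto[pid]: "conn" #N: message'
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)

# Constructed sample: SA #1 stalls the way the thread's log does, SA #2 completes.
SAMPLE_LOG = """\
2019:08:26-09:23:43 utm pluto[9626]: "S_Example" #1: initiating Main Mode
2019:08:26-09:23:43 utm pluto[9626]: "S_Example" #1: received Vendor ID payload [RFC 3947]
2019:08:26-09:23:43 utm pluto[9626]: "S_Example" #1: received Vendor ID payload [Dead Peer Detection]
2019:08:26-09:23:43 utm pluto[9626]: "S_Example" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:26-09:23:44 utm pluto[9626]: "S_Example" #1: discarding duplicate packet; already STATE_MAIN_I3
2019:08:26-09:23:54 utm pluto[9626]: "S_Example" #1: discarding duplicate packet; already STATE_MAIN_I3
2019:08:26-09:24:53 utm pluto[9626]: "S_Example" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2019:08:26-09:24:53 utm pluto[9626]: "S_Example" #1: starting keying attempt 2 of an unlimited number
2019:08:26-09:24:53 utm pluto[9626]: "S_Example" #2: initiating Main Mode to replace #1
2019:08:26-09:24:53 utm pluto[9626]: "S_Example" #2: NAT-Traversal: Result using RFC 3947: no NAT detected
2019:08:26-09:24:54 utm pluto[9626]: "S_Example" #2: ISAKMP SA established
"""


def analyse(log_text):
    """Fold the log into one record per ISAKMP SA number."""
    sas = defaultdict(lambda: {
        "conn": None, "nat": None, "vendor_ids": [], "duplicates": 0,
        "stalled_state": None, "auth_failure": False, "established": False,
    })
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # starter/interface/secret lines carry no SA number
        rec = sas[int(m.group("sa"))]
        rec["conn"] = m.group("conn")
        msg = m.group("msg")
        nat = re.search(r"NAT-Traversal: Result using RFC 3947: (.+)", msg)
        vid = re.search(r"Vendor ID payload \[([^\]]+)\]", msg)
        dup = re.search(r"discarding duplicate packet; already (STATE_\w+)", msg)
        rtx = re.search(r"max number of retransmissions \(\d+\) reached (STATE_\w+)", msg)
        if nat:
            rec["nat"] = nat.group(1)
        elif vid:
            rec["vendor_ids"].append(vid.group(1))
        elif dup:
            rec["duplicates"] += 1
            rec["stalled_state"] = dup.group(1)
        elif rtx:
            rec["stalled_state"] = rtx.group(1)
            rec["auth_failure"] = "Possible authentication failure" in msg
        elif "ISAKMP SA established" in msg:
            rec["established"] = True
    return dict(sas)


def diagnose(rec):
    """Turn one SA record into a plain-language verdict."""
    if rec["established"]:
        return "phase 1 completed"
    if rec["stalled_state"] == "STATE_MAIN_I3":
        # In MAIN_I3 the initiator has sent MM5, its first encrypted message,
        # carrying its IKE ID and HASH_I (keyed from the PSK). The "duplicate"
        # packets are the peer retransmitting its previous message (MM4)
        # instead of answering, so the peer never accepted MM5. Proposal
        # mismatches (cipher, hash, DH group) fail earlier, at MM1/MM2, so
        # the things to compare are the PSK and the IKE identities.
        verdict = ("stalled after MM5: peer did not accept our encrypted "
                   "ID/HASH; check the PSK and IKE identities on both ends")
        if rec["nat"] and "no NAT" in rec["nat"]:
            verdict += " (NAT is not a factor: no NAT detected)"
        elif rec["nat"]:
            verdict += " (NAT detected, %s: confirm UDP/4500 passes)" % rec["nat"]
        return verdict
    if rec["stalled_state"]:
        return "stalled in %s after %d duplicate packets" % (
            rec["stalled_state"], rec["duplicates"])
    return "incomplete: no terminal event logged"


if __name__ == "__main__":
    for sa_no, rec in sorted(analyse(SAMPLE_LOG).items()):
        print('"%s" #%d: %s' % (rec["conn"], sa_no, diagnose(rec)))
```

    To run it against a real capture, paste the live-log text in place of SAMPLE_LOG; lines without an SA number (daemon start, interface and secret loading) are skipped, and each keying attempt gets its own verdict.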

  • Does the Cisco have NAT-T enabled?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Yes, it does.

    Thanks, Peter