
CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

 Our connection seems to be completing phase 1, but is failing on a matched/mismatched Peer ID. The thing is that the peer ID actually matches, but the log says that it doesn't, yet shows the same two words there.

I don't have access to the actual cisco box, it is with an external vendor. Here are the respective logs.

CISCO LOG

Mar 31 2017 08:21:08: %ASA-5-713201: Group = 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 31 2017 08:21:08: %ASA-6-713905: Group =1.1.1.1, IP =1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Mar 31 2017 08:21:08: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Mar 31 2017 08:20:58: %ASA-5-713068: Group =1.1.1.1, IP =1.1.1.1, Received non-routine Notify message: Invalid ID info (18)

SOPHOS LOG
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: enabling possible NAT-traversal with method RFC 3947
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco-Unity]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [XAUTH]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [26af64ae1ce2e355e599171584afb948]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [Dead Peer Detection]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500



  • I've got Ciscos connected to my UTM using the IP address as the peer ID and they are rock solid. As I wasn't in control of the other side of the link, we basically agreed on a PSK and that was it.

  • Thanks for the info. Unfortunately, our vendor doesn't seem to want to make any changes to their config to help us. Is the Sophos box really denying a matching peer id? We have a PSK with the Cisco that works, as far as I can tell we are passing phase 1. The following is a log from activating the vpn until the 'mismatch'.


    2017:03:31-17:46:47 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:47 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:47 50 pluto[28329]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:03:31-17:46:47 50 pluto[28329]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:03:31-17:46:47 50 pluto[28329]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:03:31-17:46:47 50 pluto[28329]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:03:31-17:46:47 50 pluto[28329]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:03:31-17:46:47 50 pluto[28329]: Changing to directory '/etc/ipsec.d/crls'
    2017:03:31-17:46:47 50 pluto[28329]: "S_KWIK-2": deleting connection
    2017:03:31-17:46:47 50 pluto[28329]: "S_KWIK-2" #63: deleting state (STATE_MAIN_I3)
    2017:03:31-17:46:52 50 pluto[28329]: forgetting secrets
    2017:03:31-17:46:52 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 kwik
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:52 50 pluto[28329]: listening for IKE messages
    2017:03:31-17:46:52 50 pluto[28329]: forgetting secrets
    2017:03:31-17:46:52 50 pluto[28329]: loading secrets from "/etc/ipsec.secrets"
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 kwik
    2017:03:31-17:46:52 50 pluto[28329]: loaded PSK secret for 1.1.1.1 %any
    2017:03:31-17:46:52 50 pluto[28329]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:03:31-17:46:52 50 pluto[28329]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:03:31-17:46:52 50 pluto[28329]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:03:31-17:46:52 50 pluto[28329]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:03:31-17:46:52 50 pluto[28329]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:03:31-17:46:52 50 pluto[28329]: Changing to directory '/etc/ipsec.d/crls'
    2017:03:31-17:46:52 50 pluto[28329]: added connection description "S_KWIK-2"
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: initiating Main Mode
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: enabling possible NAT-traversal with method RFC 3947
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [Cisco-Unity]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [XAUTH]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [f61928e27416a0664640815a03427909]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: received Vendor ID payload [Dead Peer Detection]
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: Peer ID is ID_KEY_ID: 'abc'
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: we require peer to have ID 'abc', but peer declares 'abc'
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
    2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: ignoring Delete SA payload: ISAKMP SA not established
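The "we require peer to have ID 'abc', but peer declares 'abc'" line above is worth reading in the light of how pluto (the IKEv1 daemon on UTM 9) actually compares identities: its same_id() rejects when the ID *type* differs before it ever looks at the bytes, then compares FQDN-style IDs case-insensitively, KEY_ID values byte-for-byte and address IDs as parsed addresses. The log prints only the printable value, so two IDs can look identical and still fail. The following is an added example, not code from the thread or from Sophos: it parses pluto log lines of the shape posted above, emulates that comparison, and states which of the remaining explanations applies. The sample log lines are constructed for the demo, and because the UTM-side remote-gateway ID type is not shown anywhere in the thread, what diagnose() returns for the identical-value case is a hypothesis to verify in the UTM configuration, not a confirmed root cause.

```python
"""Added example (not from the original thread): parse Sophos UTM pluto
IKEv1 log lines and emulate pluto's peer-ID comparison.

Assumption (labelled here and in the lead-in): the comparison order mirrors
pluto's same_id() in id.c, where a type mismatch fails first, ID_FQDN /
ID_USER_FQDN compare case-insensitively, address IDs compare as addresses,
and ID_KEY_ID compares exact bytes. Sample log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DECLARED_RE = re.compile(r"Peer ID is (?P<kind>ID_[A-Z0-9_]+): '(?P<value>[^']*)'")
MISMATCH_RE = re.compile(
    r"we require peer to have ID '(?P<required>[^']*)', but peer declares '(?P<declared>[^']*)'"
)
NOTIFY_RE = re.compile(r"sending encrypted notification INVALID_ID_INFORMATION")


@dataclass(frozen=True)
class PeerId:
    kind: str   # e.g. "ID_KEY_ID", "ID_FQDN", "ID_IPV4_ADDR"
    value: str  # printable form as it appears in the log


def same_id(a: PeerId, b: PeerId) -> bool:
    """Mirror pluto's same_id(): a type mismatch fails before the value is
    looked at, so two IDs that print identically can still be rejected."""
    if a.kind != b.kind:
        return False
    if a.kind in ("ID_FQDN", "ID_USER_FQDN"):
        return a.value.lower() == b.value.lower()   # pluto uses strncasecmp here
    if a.kind in ("ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        return ipaddress.ip_address(a.value) == ipaddress.ip_address(b.value)
    return a.value == b.value                       # ID_KEY_ID and the rest: exact bytes


def parse_pluto_log(lines: Iterable[str]) -> Tuple[Optional[PeerId], Optional[str], bool]:
    """Return (peer's declared ID, locally required value, INVALID_ID_INFORMATION sent)."""
    declared: Optional[PeerId] = None
    required: Optional[str] = None
    notified = False
    for line in lines:
        if m := DECLARED_RE.search(line):
            declared = PeerId(m["kind"], m["value"])
        if m := MISMATCH_RE.search(line):
            required = m["required"]
            if declared is not None and declared.value != m["declared"]:
                # The two log lines should agree on the peer's value; trust the later one.
                declared = PeerId(declared.kind, m["declared"])
        if NOTIFY_RE.search(line):
            notified = True
    return declared, required, notified


def diagnose(lines: Iterable[str]) -> str:
    """Explain a pluto peer-ID rejection using the same_id() rules above."""
    declared, required, notified = parse_pluto_log(list(lines))
    if declared is None or required is None or not notified:
        return "no peer-ID mismatch found in log"
    if required == declared.value:
        # Byte-identical values, yet rejected: the only check left in same_id()
        # is the ID type, so the local side expects a different type than the
        # peer sent. Hypothesis to verify in the UTM remote-gateway settings.
        return (f"values identical ({required!r}); peer sent {declared.kind}, "
                f"so the locally configured ID type is probably not {declared.kind}")
    if required.strip().lower() == declared.value.strip().lower():
        return (f"values differ only in case or whitespace: "
                f"required {required!r} vs declared {declared.value!r}")
    return f"values differ: required {required!r} vs declared {declared.value!r}"


# Constructed sample in the shape of the thread's UTM log (identical values).
SAMPLE_LOG_TYPE_MISMATCH: List[str] = [
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: initiating Main Mode',
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: Peer ID is ID_KEY_ID: \'abc\'',
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: we require peer to have ID \'abc\', but peer declares \'abc\'',
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500',
]

# Constructed sample: a trailing space pasted into the local ID field.
SAMPLE_LOG_WHITESPACE: List[str] = [
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: Peer ID is ID_KEY_ID: \'abc\'',
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: we require peer to have ID \'abc \', but peer declares \'abc\'',
    '2017:03:31-17:46:52 50 pluto[28329]: "S_KWIK-2" #64: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500',
]

if __name__ == "__main__":
    for name, log in (("type mismatch", SAMPLE_LOG_TYPE_MISMATCH),
                      ("whitespace", SAMPLE_LOG_WHITESPACE)):
        print(f"{name}: {diagnose(log)}")
```

Run it against a real UTM log by feeding the pluto lines for the connection name (here "S_KWIK-2") into diagnose(). When the values are byte-identical, the thing to compare on the UTM side is the remote gateway's VPN ID *type* against the type pluto reports in the "Peer ID is ..." line, not the text of the ID itself.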
