I have a total of 11 XG 135s that I have set up with a site-to-site IPsec VPN using the 'DefaultHeadOffice' and 'DefaultBranchOffice' profiles. All are functioning as expected except the brand new one I took out of the box this morning (the others have been in place for months).
The new device will not connect back to the 'Head Office' XG. During a connection attempt, it posts the following in the VPN log.
__START_______________________
2019-07-23 18:38:04 13[IKE] <RemoteSite_MainSite-1|9> initiating Main Mode IKE_SA RemoteSite_MainSite-1[9] to 123.45.67.89
2019-07-23 18:38:04 13[ENC] <RemoteSite_MainSite-1|9> generating ID_PROT request 0 [ SA V V V V V V ]
2019-07-23 18:38:04 13[NET] <RemoteSite_MainSite-1|9> sending packet: from 192.168.0.3[500] to 123.45.67.89[500] (548 bytes)
2019-07-23 18:38:04 08[NET] <RemoteSite_MainSite-1|9> received packet: from 1123.45.67.89[500] to 192.168.0.3[500] (40 bytes)
2019-07-23 18:38:04 08[ENC] <RemoteSite_MainSite-1|9> parsed INFORMATIONAL_V1 request 3418570794 [ N(NO_PROP) ]
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> received NO_PROPOSAL_CHOSEN error notify
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> IKE_SA has_condition COND_START_OVER retry initiate in 60 sec
___END________________________
While attempting to troubleshoot it, I decided to use a different pre-shared key. I saw this in the VPN logs when I attempted to update the info.
__START_______________________
2019-07-23 18:37:58 10[CFG] rereading secrets
2019-07-23 18:37:58 10[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:37:58 10[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2019-07-23 18:37:59 19[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:37:59 25[CFG] rereading secrets
2019-07-23 18:37:59 25[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:37:59 25[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2019-07-23 18:37:59 31[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:38:01 12[CFG] rereading secrets
2019-07-23 18:38:01 12[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-07-23 18:38:01 12[CFG] loading secrets from '/_conf/ipsec/connections/RemoteSite.secrets'
2019-07-23 18:38:01 12[CFG] loaded IKE secret for 192.168.0.3 mainsite.myfirewall.co
2019-07-23 18:38:01 12[CFG] loaded IKE secret for remotesite.myfirewall.co mainsite.myfirewall.co
2019-07-23 18:38:01 32[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-07-23 18:38:01 09[CFG] received stroke: add connection 'RemoteSite_MainSite-1'
___END________________________
It appears to me the XG is unable to read the contents of the ipsec.secrets file. Does this make sense at all?
The XG is a brand new production device shipped with 17.5.3-MR3, updated to 17.5.7-MR7.
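Reading the two log excerpts together, as an added Python example (not code from the post or from Sophos): a small parser for the charon log format shown above that flags the NO_PROPOSAL_CHOSEN reply to the first Main Mode message (the peer rejected the IKE SA proposal before any pre-shared key was used, so the IKE policy rather than the key is the mismatch) and reports whether a per-connection .secrets file was eventually loaded after the failed glob expansion. The sample lines are copied from the post; the finding labels are my own.

```python
import re

# Sample lines copied from the post above (addresses and hostnames as anonymised there).
SAMPLE_LOG = """\
2019-07-23 18:38:04 13[IKE] <RemoteSite_MainSite-1|9> initiating Main Mode IKE_SA RemoteSite_MainSite-1[9] to 123.45.67.89
2019-07-23 18:38:04 13[ENC] <RemoteSite_MainSite-1|9> generating ID_PROT request 0 [ SA V V V V V V ]
2019-07-23 18:38:04 08[ENC] <RemoteSite_MainSite-1|9> parsed INFORMATIONAL_V1 request 3418570794 [ N(NO_PROP) ]
2019-07-23 18:38:04 08[IKE] <RemoteSite_MainSite-1|9> received NO_PROPOSAL_CHOSEN error notify
2019-07-23 18:37:58 10[CFG] expanding file expression '/_conf/ipsec/connections/*.secrets' failed
2019-07-23 18:38:01 12[CFG] loading secrets from '/_conf/ipsec/connections/RemoteSite.secrets'
2019-07-23 18:38:01 12[CFG] loaded IKE secret for remotesite.myfirewall.co mainsite.myfirewall.co
"""

# charon log line: "<date> <time> <thread>[<subsystem>] [<conn|sa-id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>\w+)\]"
    r"(?: <(?P<conn>[^|>]+)\|(?P<sa>\d+)>)? (?P<msg>.*)$"
)

def parse(text):
    """Return one dict per recognised line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose(text):
    """Classify the failure modes visible in a charon log excerpt."""
    events = parse(text)
    findings = []
    for conn in sorted({e["conn"] for e in events if e["conn"]}):
        mine = [e for e in events if e["conn"] == conn]
        # Message 1 of Main Mode carries only the SA payload. A NO_PROPOSAL_CHOSEN
        # reply to it means the peer found no matching IKE policy (cipher, hash,
        # DH group, lifetime); no PSK has been used yet, so a key change cannot fix it.
        sent_sa = any(e["msg"].startswith("generating ID_PROT request 0") for e in mine)
        rejected = any("NO_PROPOSAL_CHOSEN" in e["msg"] for e in mine)
        if sent_sa and rejected:
            findings.append((conn, "phase1_ike_proposal_rejected"))
    # Secrets handling: a failed glob expansion means no per-connection .secrets file
    # existed at that reread; a later "loaded IKE secret for <local> <remote>" line
    # shows which identity pair the key is now bound to.
    glob_failed = any(e["sub"] == "CFG" and e["msg"].startswith("expanding file expression")
                      and e["msg"].endswith("failed") for e in events)
    loaded_ids = [tuple(e["msg"].split()[-2:]) for e in events
                  if e["msg"].startswith("loaded IKE secret for")]
    if glob_failed and loaded_ids:
        findings.append(("secrets", "glob_failed_then_loaded", loaded_ids))
    elif loaded_ids:
        findings.append(("secrets", "loaded", loaded_ids))
    elif glob_failed:
        findings.append(("secrets", "no_connection_secrets_file"))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```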