
IPsec VPN between two XG Home units does not connect.

Hi guys.
I'm having a problem connecting an IPsec VPN between two XG Home firewalls; the settings on both ends follow.

Configuration of the pair that initiates the connection:

Configuration of the pair receiving the connection:

Error: 

I'm using the firewall rule that the vpn configuration itself creates.



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Thank you for sharing the error message; it appears that at the peer side, required ports for IPsec are blocked.

    Could you please check if you see traffic on the peer firewall on ports 500 and 4500 when you try to activate the tunnel? If not, check with your ISP and ensure that the ports required for IPsec are open.

    Thanks,

  • Another approach would be to try RED Site-to-Site.

    https://community.sophos.com/kb/en-us/125101

    Maybe this works? 


  • I checked the logs, and this is what they show.

    [IKE] ### queue_child invoking quick_mode_create
    [IKE] ### quick_mode_create: 0x7fb2f4001ef0 config 0x7fb334002b70
    [IKE] initiating Main Mode IKE_SA vpn_nova-1[1] to 186.2*****
    [ENC] generating ID_PROT request 0 [ SA V V V V V V ]
    [NET] sending packet: from 201.*****[500] to 186.2*****[500] (440 bytes)
    [NET] received packet: from 186.215*****[500] to 2*****[500] (180 bytes)
    [ENC] parsed ID_PROT response 0 [ SA V V V V V ]
    [IKE] received XAuth vendor ID
    [IKE] received DPD vendor ID
    [IKE] received Cisco Unity vendor ID
    [IKE] received FRAGMENTATION vendor ID
    [IKE] received NAT-T (RFC 3947) vendor ID
    [ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    [NET] sending packet: from 201.*****[500] to 1*****[500] (172 bytes)
    [NET] received packet: from 186.*****[500] to 201.*****[500] (172 bytes)
    [ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    [ENC] generating ID_PROT request 0 [ ID HASH ]
    [NET] sending packet: from 201.*****[500] to 186.*****[500] (92 bytes)
    [NET] received packet: from 186.*****[500] to 201.*****[500] (92 bytes)
    [ENC] invalid HASH_V1 payload length, decryption failed?
    [ENC] could not decrypt payloads
    [IKE] message parsing failed
    [IKE] ignore malformed INFORMATIONAL request
    [IKE] INFORMATIONAL_V1 request with message ID 1808606986 processing failed
    [DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 186.2*****[500] failed
    [IKE] sending retransmit 1 of request message ID 0, seq 3
    [NET] sending packet: from 201.*****[500] to 186.*****[500] (92 bytes)
    [NET] received packet: from 186.2*****[500] to 201.4*****[500] (92 bytes)
    [ENC] invalid HASH_V1 payload length, decryption failed?
    [ENC] could not decrypt payloads
    [IKE] message parsing failed
    [IKE] ignore malformed INFORMATIONAL request
    [IKE] INFORMATIONAL_V1 request with message ID 1370646680 processing failed
    [DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 186.*****[500] failed
    [IKE] sending retransmit 2 of request message ID 0, seq 3
    [NET] sending packet: from 201.*****[500] to 186.215.*****[500] (92 bytes)
    [NET] received packet: from 186.*****[500] to 201.*****[500] (92 bytes)
    [ENC] invalid HASH_V1 payload length, decryption failed?
    [ENC] could not decrypt payloads
    [IKE] message parsing failed
    [IKE] ignore malformed INFORMATIONAL request
    [IKE] INFORMATIONAL_V1 request with message ID 1295825823 processing failed
    [DMN] [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from 186.*****[500] failed
    kill -9 12400 > /dev/null 2>&1
    2010-01-06 11:24:49 - initiate timeout for vpn_nova-1
    2010-01-06 11:24:49 - Operation fails status: 255
    SF01V_SO01_SFOS 18.0.1 MR-1-Build396# terminate IKE SA 'vpn_nova-1 #5 - failed: terminating SA failed
    > 2010-01-06 11:24:34 - swanctl --initiate --timeout 15 --child vpn_nova-1
    > initiate failed: CHILD_SA 'vpn_nova-1' not established after 15000ms
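    Added here as a triage aid, not code from the thread or from Sophos: a small parser for charon's IKEv1 Main Mode lines like the ones above that reports how far the handshake got. In the log above the first four Main Mode messages travel in both directions, so UDP 500 is reachable; the problem is the peer's reply to message 5, the first encrypted one, which in strongSwan typically means the two sides derived different phase-1 keys (pre-shared key or IKE policy mismatch). The sample log text and addresses are constructed.

```python
import re

# Payload that opens each IKEv1 Main Mode exchange, as charon logs it: messages 1-2 carry
# SA (proposals), 3-4 KE (DH, nonces, NAT-D), 5-6 ID/HASH (identities, auth; first encrypted).
EXCHANGES = {"SA": "proposal", "KE": "key exchange", "ID": "identity/auth"}

def analyze_ikev1_log(text):
    """Report how far a Main Mode initiation got and what to compare next."""
    st = {"received": 0, "retransmits": 0, "last_request": None, "decrypt_failed": False}
    for line in text.splitlines():
        if "[NET] received packet" in line:
            st["received"] += 1
        elif "sending retransmit" in line:
            st["retransmits"] += 1
        elif "could not decrypt payloads" in line or "invalid HASH_V1 payload" in line:
            st["decrypt_failed"] = True
        m = re.search(r"\[ENC\] generating ID_PROT request \d+ \[ (SA|KE|ID)\b", line)
        if m:
            st["last_request"] = m.group(1)  # highest Main Mode exchange we sent
    if st["received"] == 0:
        st["hint"] = "no reply at all: check UDP 500/4500 reachability at the peer (firewall, ISP)"
    elif st["decrypt_failed"] and st["last_request"] == "ID":
        st["hint"] = ("peer reachable, but its reply to message 5 does not decrypt: "
                      "compare the pre-shared key and IKE (phase 1) policy on both ends")
    elif st["last_request"] == "ID":
        st["hint"] = "Main Mode completed: check the IPsec (phase 2) policy and subnets"
    else:
        stage = EXCHANGES.get(st["last_request"], "first")
        st["hint"] = "stalled in the %s exchange: compare phase 1 proposals" % stage
    return st

# Constructed sample modelled on the thread's log; documentation addresses, not real peers.
PSK_MISMATCH_LOG = """\
[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
[NET] received packet: from 198.51.100.20[500] to 203.0.113.10[500] (180 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] received packet: from 198.51.100.20[500] to 203.0.113.10[500] (172 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] received packet: from 198.51.100.20[500] to 203.0.113.10[500] (92 bytes)
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
"""
# Constructed: the peer never answers, the case the first reply in the thread describes.
NO_REPLY_LOG = """\
[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
[NET] sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (440 bytes)
[IKE] sending retransmit 1 of request message ID 0, seq 1
[IKE] sending retransmit 2 of request message ID 0, seq 1
"""
```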

  • The RED tunnel comes up, but the machines do not communicate even with static routing.

    13:22:38.170254 Port1, IN: ARP, Request who-has 172.16.16.16 tell 172.16.16.18, length 46
    13:22:38.170274 Port1, OUT: ARP, Reply 172.16.16.16 is-at 70:71:bc:66:7d:df (oui Unknown), length 28
    13:22:51.694737 Port1, IN: IP 172.16.16.18.57738 > 172.16.16.16.domain: 8926+ A? a.root-servers.net. (36)
    13:22:51.694831 Port1, OUT: IP 172.16.16.16.domain > 172.16.16.18.57738: 8926 1/0/0 A 198.41.0.4 (52)
    13:23:03.898812 Port1, IN: ARP, Request who-has 172.16.16.16 tell 172.16.16.18, length 46
    13:23:03.898831 Port1, OUT: ARP, Reply 172.16.16.16 is-at 70:71:bc:66:7d:df (oui Unknown), length 28
    13:23:21.727376 Port1, IN: IP 172.16.16.18.60390 > 172.16.16.16.domain: 8927+ A? a.root-servers.net. (36)
    13:23:21.727473 Port1, OUT: IP 172.16.16.16.domain > 172.16.16.18.60390: 8927 1/0/0 A 198.41.0.4 (52)
    13:23:26.427308 Port1, IN: ARP, Request who-has 172.16.16.16 tell 172.16.16.18, length 46
    13:23:26.427327 Port1, OUT: ARP, Reply 172.16.16.16 is-at 70:71:bc:66:7d:df (oui Unknown), length 28

  • I solved the IPsec problem by creating a new IPsec policy.