
VPN to VPN-1 Edge unstable

Hello,

we have a VPN connection between our Astaro ASG220 Release 6.314 and a VPN-1 Edge Embedded NGX Version 7.0.48.
While the tunnel seems to be stable (always green in the connections tab in Astaro), we have a continuous ping to a machine in the other network which loses its connection from time to time.
Overall we have a ping loss between 5% and 15%.
The parameters for the connection are:
Phase1 IKE:
Encryption AES256
Hash. Alg. SHA
DH/Group 2
Lifetime 86400 seconds

Phase2 IPSec:
Encryption AES-256
Hash.Alg. SHA
PerfectForwardSecrecy Enabled
DH/Group 2

(as written down by the other side).
It seems, when the connection is lost, we have the following in the IPSec VPN live log:
2008:11:14-13:14:19 (none) pluto[5053]: packet from 62.176.137.145:4500: next payload type of ISAKMP Message has an unknown value: 85
2008:11:14-13:14:19 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:21 (none) pluto[5053]: packet from 62.176.137.145:4500: next payload type of ISAKMP Message has an unknown value: 82
2008:11:14-13:14:21 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:23 (none) pluto[5053]: packet from 62.176.137.145:4500: next payload type of ISAKMP Message has an unknown value: 93
2008:11:14-13:14:23 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:25 (none) pluto[5053]: packet from 62.176.137.145:4500: next payload type of ISAKMP Message has an unknown value: 25
2008:11:14-13:14:25 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:27 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:27 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:29 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:29 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:33 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:33 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:37 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:37 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:41 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:41 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:45 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:45 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500
2008:11:14-13:14:50 (none) pluto[5053]: packet from 62.176.137.145:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:50 (none) pluto[5053]: packet from 62.176.137.145:4500: sending notification INVALID_MAJOR_VERSION to 62.176.137.145:4500


Does anybody have any ideas about it?

Thanks & Ciao,
Alfred


This thread was automatically locked due to age.
  • I know I've had a lot of trouble with WatchGuard products not working properly with PFS enabled when talking to an Astaro gateway (the issue appears to be on the WatchGuard side). Another issue I've had with WatchGuard (and it's confirmed by them) is that they do not properly support NAT-T... try disabling NAT-T on the Astaro so it doesn't negotiate that feature.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
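
To line up the ping loss with the live log and to see whether the rejected packets arrive on the NAT-T port (UDP 4500), the pluto lines can be grouped per peer endpoint. This is an added example, not part of the original posts; the sample lines are constructed in the format quoted in the question, using a documentation address, and the function name is hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the pluto live-log format quoted in the question.
# 192.0.2.10 is a documentation address, not the peer from the thread.
SAMPLE_LOG = """\
2008:11:14-13:14:19 (none) pluto[5053]: packet from 192.0.2.10:4500: next payload type of ISAKMP Message has an unknown value: 85
2008:11:14-13:14:19 (none) pluto[5053]: packet from 192.0.2.10:4500: sending notification INVALID_MAJOR_VERSION to 192.0.2.10:4500
2008:11:14-13:14:21 (none) pluto[5053]: packet from 192.0.2.10:4500: next payload type of ISAKMP Message has an unknown value: 82
2008:11:14-13:14:27 (none) pluto[5053]: packet from 192.0.2.10:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
2008:11:14-13:14:27 (none) pluto[5053]: packet from 192.0.2.10:4500: sending notification INVALID_MAJOR_VERSION to 192.0.2.10:4500
2008:11:14-13:14:50 (none) pluto[5053]: packet from 192.0.2.10:4500: ISAKMP version of ISAKMP Message has an unknown value: 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: "
    r"packet from (?P<ip>[\d.]+):(?P<port>\d+): (?P<msg>.*)$"
)
FIELD_RE = re.compile(
    r"^(?P<field>.+?) of ISAKMP Message has an unknown value: (?P<val>\d+)$"
)

def summarize(log_text):
    """Group unparseable-ISAKMP events per (peer IP, source port)."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        f = FIELD_RE.match(m["msg"]) if m else None
        if not f:
            continue  # skips unrelated lines and the 'sending notification' echoes
        ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
        p = peers.setdefault((m["ip"], int(m["port"])),
                             {"fields": Counter(), "first": ts, "last": ts})
        p["fields"][f["field"]] += 1
        p["first"], p["last"] = min(p["first"], ts), max(p["last"], ts)
    return {
        peer: {
            "events": sum(p["fields"].values()),
            "fields": dict(p["fields"]),          # which header field failed to parse
            "burst_seconds": int((p["last"] - p["first"]).total_seconds()),
            "nat_t_port": peer[1] == 4500,        # UDP 4500 = IPsec NAT traversal
        }
        for peer, p in peers.items()
    }

if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE_LOG).items():
        print(peer, stats)
```

Comparing each burst window with the timestamps of the lost pings shows whether the outages coincide with these rejected packets, and rerunning it after disabling NAT-T shows whether the events disappear.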
