Hello,
I've got a problem establishing a site-to-site IPsec VPN connection to another company. I'll try to describe the situation as detailed as possible. Thank you for your help in advance.
We use Astaro Security Gateway v7.
Firmware version: 7.501
The other company sent me the configuration they expect:
Pre-Shared Key: ***
Peer-IP: ***.***.***.***
Local Network: 10.0.100.0 /24
IPSec Phase 1:
Mode: Main
NAT Traversal: 20 Seconds
Dead Peer Detection: 20 Seconds, max 5 tries
Transform Setting:
authentication: SHA1
encryption 3DES
SA Life: 8 hours
Key Group: Diffie-Hellman Group 5
Phase 2:
PFS: Hellman Group 5
IPSec Proposals:
Type: ESP
authentication: AES256
encryption: SHA1
Key Expiration: enabled, 8 hours, 128000 kbytes
So much for the expected configuration. I did the following:
Added a definition for the other vpn-gateway (host, external interface (WAN) & the external IP of the other company).
Added a definition for the remote network (network, address: 10.0.100.0, interface external WAN, netmask /24).
Then under site2site vpn I added a new remote gateway (gateway1):
- gateway type: initiate connection
- gateway: selected the gateway I defined before
- authentication type: preshared key
- key: *** , checked twice
- remote networks: selected the network I defined before
As far as I know, this seems correct so far...
Now comes the part which I am not sure about.
I created a new IPSec policy... let's call it policy1...
IKE encryption algorithm: 3DES
IKE authentication algorithm: SHA
IKE SA lifetime: 28800
IKE DH group: group 5
IPSec encryption algorithm: AES256
IPSec authentication algorithm: SHA
IPSec SA lifetime: 28800
IPSec PFS group: Group 5
strict policy: on
compression: off
Then I created a new IPSec connection (gateway1, external (wan), policy1, local network (internal network), auto packet filter off, strict routing off)
switched it on and here comes the log...
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loading secrets from "/etc/ipsec.secrets"
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded private key file '/etc/ipsec.d/private/Local X509 Cert.pem' (887 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded shared key for ***.***.***.*** ***.***.***.***
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: Changing to directory '/etc/ipsec.d/cacerts'
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded CA cert file 'VPN Signing CA.pem' (3214 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: loaded CA cert file 'VPN Signing CA (Tue Sep 1 14:01:20 2009).pem' (3212 bytes)
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: Changing to directory '/etc/ipsec.d/aacerts'
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: Changing to directory '/etc/ipsec.d/ocspcerts'
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: Changing to directory '/etc/ipsec.d/crls'
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: received Vendor ID payload [XAUTH]
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: received Vendor ID payload [Dead Peer Detection]
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: enabling possible NAT-traversal with method RFC 3947
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: Peer ID is ID_IPV4_ADDR: '***.***.***.***'
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: ISAKMP SA established
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #38: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#37}
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:12:31 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:12:51 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:13:31 lzk-fw01 pluto[4993]: "***" #38: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2009:11:10-10:13:31 lzk-fw01 pluto[4993]: "***" #38: starting keying attempt 2 of an unlimited number
2009:11:10-10:13:31 lzk-fw01 pluto[4993]: "***" #39: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #38 {using isakmp#37}
2009:11:10-10:13:32 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:13:41 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:14:01 lzk-fw01 pluto[4993]: "***" #37: ignoring informational payload, type INVALID_ID_INFORMATION
The log on the other firewall says:
iked WARNING: Rejected phase 2 negotiation from 80.152.248.246 due to no matching IPSec Selectors msg_id="0205-5205"
Where is my mistake? I've got no idea...
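As an added triage helper (not part of the original thread or of Astaro's own tooling), the script below parses pluto log lines in the format quoted above and classifies where the tunnel negotiation stops. The sample lines are constructed to mirror the quoted log, and the connection name "conn1" is an assumption; the point it demonstrates is that Phase 1 succeeding while every Quick Mode attempt draws INVALID_ID_INFORMATION points at the Phase 2 selectors (local/remote network definitions), which matches the "no matching IPSec Selectors" message on the peer.

```python
import re
from collections import Counter

# Constructed sample lines patterned on the pluto log quoted in the post.
SAMPLE_LOG = """\
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "conn1" #37: ISAKMP SA established
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "conn1" #38: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#37}
2009:11:10-10:12:21 lzk-fw01 pluto[4993]: "conn1" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:12:31 lzk-fw01 pluto[4993]: "conn1" #37: ignoring informational payload, type INVALID_ID_INFORMATION
2009:11:10-10:13:31 lzk-fw01 pluto[4993]: "conn1" #38: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# One pluto line: <timestamp> <host> pluto[<pid>]: "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]*)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_pluto(text):
    """Return (conn, sa_number, message) for every line tied to a connection."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("conn"), int(m.group("sa")), m.group("msg")))
    return events

def diagnose(events):
    """Per connection: Phase 1 state, Phase 2 state, notify counts and a triage hint."""
    report = {}
    for conn, sa, msg in events:
        r = report.setdefault(conn, {"phase1": "unknown", "phase2": "unknown", "notify": Counter()})
        if "ISAKMP SA established" in msg:
            r["phase1"] = "established"
        elif "initiating Quick Mode" in msg and r["phase2"] == "unknown":
            r["phase2"] = "negotiating"
        elif "informational payload, type " in msg:
            r["notify"][msg.rsplit("type ", 1)[1].strip()] += 1
        elif "STATE_QUICK_I1" in msg and "retransmissions" in msg:
            r["phase2"] = "failed"
    for r in report.values():
        if r["phase1"] == "established" and r["phase2"] == "failed" and r["notify"].get("INVALID_ID_INFORMATION"):
            r["hint"] = "Phase 2 selector mismatch: compare local/remote network definitions on both gateways"
        elif r["phase1"] == "established" and r["phase2"] == "failed":
            r["hint"] = "Phase 2 proposal rejected: compare ESP cipher/auth, PFS group and lifetimes"
        elif r["phase1"] != "established":
            r["hint"] = "Phase 1 not established: compare IKE proposal, DH group and PSK"
        else:
            r["hint"] = "no failure seen"
    return report
```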