Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 3003 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco ASA 5505 to ASG

Wolfman
Hi,

I've succefully connected an ASG to a Cisco ASA (https://kb-beta.astaro.com/support/index.php/ASG_V7_to_Cisco_ASA_5505_IPSec_VPN_Example) but now I'm trying to connect an ASA to an ASG.

The ASA doesn't have a fixed IP address but the ASG does.

I tried to use the example above and changed the Gateway Type: Initiate connection to respond only... 
On the ASA site I send some packets to the ASG LAN to bring the tunnel up.
Live Log shows me that something is happening but the tunnel is still down.

Any ideas?

Thanks for your support!
Kind regards,


This thread was automatically locked due to age.
Parents
  • 0
    I couldn't see in your pictures if the networks & gateways looked correct, but, since you already have two other VPNs, I bet they're perfect.  I also couldn't tell if you were showing the IPsec Connection with Auto firewall rules off, and that might be the issue.  A glance in the Firewall (Packet Filter) log would reveal that.

    I see you're using a pre-shared key, and that could be a problem.  Prior to V9, there's only a single pre-shared key for IPsec in "Respond only" mode.  If you already have one defined in IPsec Remote Access or in L2TP over IPsec, you must use the same one here.

    In general, a certificate is much more secure for site-to-site VPNs, as best practice recommends changing a PSK at least everry 3 months, preferably, every month.

    If that doesn't resolve your issue, then please make sure you don't have debugging enabled, and show the IPsec log lines for one connection attempt.

    Cheers - Bob
Reply
  • 0
    I couldn't see in your pictures if the networks & gateways looked correct, but, since you already have two other VPNs, I bet they're perfect.  I also couldn't tell if you were showing the IPsec Connection with Auto firewall rules off, and that might be the issue.  A glance in the Firewall (Packet Filter) log would reveal that.

    I see you're using a pre-shared key, and that could be a problem.  Prior to V9, there's only a single pre-shared key for IPsec in "Respond only" mode.  If you already have one defined in IPsec Remote Access or in L2TP over IPsec, you must use the same one here.

    In general, a certificate is much more secure for site-to-site VPNs, as best practice recommends changing a PSK at least everry 3 months, preferably, every month.

    If that doesn't resolve your issue, then please make sure you don't have debugging enabled, and show the IPsec log lines for one connection attempt.

    Cheers - Bob
Children
  • 0 in reply to BAlfson
    I was showing the one with Auto firewall on

    I'm using a preshared key on one respond only IPsec connection and I'm running 8.202.
    I thought the ASG will give me an error if I set up another respond only connection with a different preshared key (I remember the message from older version), but this time I was able to set the psk.

    (IPs changed)
    2011:11:07-21:56:47 fw02-2 pluto[11252]: packet from 177.26.26.26:500: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: responding to Main Mode from unknown peer 177.26.26.26
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: ignoring Vendor ID payload [Cisco-Unity]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: received Vendor ID payload [XAUTH]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: ignoring Vendor ID payload [469cf98be8ad6992d4952901e03a69a2]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: received Vendor ID payload [Dead Peer Detection]
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[2] 177.26.26.26 #5: Peer ID is ID_IPV4_ADDR: '192.168.0.123'
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #5: deleting connection "S_tunnel5"[2] instance with peer 177.26.26.26 {isakmp=#0/ipsec=#0}
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #5: sent MR3, ISAKMP SA established
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: responding to Quick Mode
    2011:11:07-21:56:47 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: cannot route -- route already in use for "X_tunnel5"
    2011:11:07-21:56:57 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: cannot route -- route already in use for "X_tunnel5"
    2011:11:07-21:57:17 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: cannot route -- route already in use for "X_tunnel5"
    2011:11:07-21:57:57 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: max number of retransmissions (2) reached STATE_QUICK_R1
    2011:11:07-21:57:57 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #6: ERROR: netlink response for Del SA esp.44a3a26e@2.2.2.2 included errno 3: No such process
    2011:11:07-21:57:57 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26 #5: received Delete SA payload: deleting ISAKMP State #5
    2011:11:07-21:57:57 fw02-2 pluto[11252]: "S_tunnel5"[3] 177.26.26.26: deleting connection "S_tunnel5"[3] instance with peer 177.26.26.26 {isakmp=#0/ipsec=#0}
    2011:11:07-21:57:57 fw02-1 pluto[25102]: "S_tunnel5"[3] 177.26.26.26: deleting connection "S_tunnel5"[3] instance with peer 177.26.26.26 {isakmp=#0/ipsec=#0} 

    Thank you!