This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG 120 V8 to Cisco 5505

Simon2003 over 13 years ago

Hi

we set a site to site VPN to a data center but connection cannot be established unless we ping from a machine in remote site to a machine in local network.  once the ping stop, the connection drop

Astaro
Compression off, not using strict policy.
IKE Settings: AES 256 / MD5 / Group 5: MODP 1536   Lifetime: 7800 seconds
IPSec Settings: AES 256 / MD5 / Group 2: MODP 1024   Lifetime: 3600 seconds

local networks are
and 10.242.1.0 and 10.242.2.0

anyone has any idea?  thanks a lot.

This thread was automatically locked due to age.

0 BAlfson over 13 years ago

Hi, Simon, and welcome to your first thread on the User BB!

Please show pictures of the 'IPsec Connection' and 'Remote Gateway' in Astaro. Please show the IPsec log lines for one connection attempt.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon2003 over 13 years ago in reply to BAlfson

Hi screen attached

when vpn start

2011:11:30-12:54:36 Gall ipsec_starter[19608]: Starting strongSwan 4.4.1git20100610 IPsec [starter]...
2011:11:30-12:54:36 Gall pluto[19615]: Starting IKEv1 pluto daemon (strongSwan 4.4.1git20100610) THREADS VENDORID CISCO_QUIRKS
2011:11:30-12:54:36 Gall ipsec_starter[19614]: pluto (19615) started after 20 ms
2011:11:30-12:54:36 Gall pluto[19615]: loaded plugins: curl ldap aes des blowfish serpent twofish sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem sqlite hmac gmp xauth attr attr-sql resolve
2011:11:30-12:54:36 Gall pluto[19615]: including NAT-Traversal patch (Version 0.6c)
2011:11:30-12:54:36 Gall pluto[19615]: Using Linux 2.6 IPsec interface code
2011:11:30-12:54:36 Gall pluto[19615]: loading ca certificates from '/etc/ipsec.d/cacerts'
2011:11:30-12:54:36 Gall pluto[19615]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
2011:11:30-12:54:36 Gall pluto[19615]: loading aa certificates from '/etc/ipsec.d/aacerts'
2011:11:30-12:54:36 Gall pluto[19615]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
2011:11:30-12:54:36 Gall pluto[19615]: Changing to directory '/etc/ipsec.d/crls'
2011:11:30-12:54:36 Gall pluto[19615]: loading attribute certificates from '/etc/ipsec.d/acerts'
2011:11:30-12:54:36 Gall pluto[19615]: listening for IKE messages
2011:11:30-12:54:36 Gall pluto[19615]: adding interface tun0/tun0 10.242.2.1:500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface tun0/tun0 10.242.2.1:4500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface eth0/eth0 192.168.2.100:500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface eth0/eth0 192.168.2.100:4500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface eth1/eth1 125.214.201.18:500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface eth1/eth1 125.214.201.18:4500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface lo/lo 127.0.0.1:500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface lo/lo 127.0.0.1:4500
2011:11:30-12:54:36 Gall pluto[19615]: adding interface lo/lo ::1:500
2011:11:30-12:54:36 Gall pluto[19615]: loading secrets from "/etc/ipsec.secrets"
2011:11:30-12:54:36 Gall pluto[19615]: loaded PSK secret for 125.214.201.18 120.136.46.8
2011:11:30-12:54:36 Gall pluto[19615]: added connection description "S_Rackspace Firewall"
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: initiating Main Mode
2011:11:30-12:54:36 Gall pluto[19615]: added connection description "S_Rackspace Firewall"
2011:11:30-12:54:36 Gall pluto[19615]: added connection description "S_Rackspace Firewall"
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: enabling possible NAT-traversal with method RFC 3947
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: ignoring Vendor ID payload [Cisco-Unity]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: received Vendor ID payload [XAUTH]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: ignoring Vendor ID payload [df312bfa6c15f4696c4aa4c6b4df9ef5]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2011:11:30-12:54:36 Gall pluto[19615]: "S_Rackspace Firewall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #1: received Vendor ID payload [Dead Peer Detection]
2011:11:30-12:54:37 Gall pluto[19615]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #1: Peer ID is ID_IPV4_ADDR: '120.136.46.8'
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #1: ISAKMP SA established
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2011:11:30-12:54:37 Gall pluto[19615]: "S_Rackspace Firewall" #1: received Delete SA payload: deleting ISAKMP State #1
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #4: starting keying attempt 2 of an unlimited number
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: initiating Main Mode
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #3: starting keying attempt 2 of an unlimited number
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #2: starting keying attempt 2 of an unlimited number
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: enabling possible NAT-traversal with method RFC 3947
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ignoring Vendor ID payload [Cisco-Unity]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: received Vendor ID payload [XAUTH]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ignoring Vendor ID payload [3b85eafd84899acd201a74eeb224eca6]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: received Vendor ID payload [Dead Peer Detection]
2011:11:30-12:55:47 Gall pluto[19615]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: Peer ID is ID_IPV4_ADDR: '120.136.46.8'
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ISAKMP SA established
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#5}
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #3 {using isakmp#5}
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#5}
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2011:11:30-12:55:47 Gall pluto[19615]: "S_Rackspace Firewall" #5: received Delete SA payload: deleting ISAKMP State #5

when we ping from remote

2011:11:30-12:57:08 Gall pluto[19615]: "S_Rackspace Firewall" #13: Peer ID is ID_IPV4_ADDR: '120.136.46.8'
2011:11:30-12:57:08 Gall pluto[19615]: "S_Rackspace Firewall" #13: sent MR3, ISAKMP SA established
2011:11:30-12:57:08 Gall pluto[19615]: "S_Rackspace Firewall" #13: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2011:11:30-12:57:08 Gall pluto[19615]: "S_Rackspace Firewall" #14: responding to Quick Mode
2011:11:30-12:57:09 Gall pluto[19615]: "S_Rackspace Firewall" #14: IPsec SA established {ESP=>0x9f451d98
- 02.jpg
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

Thanks - We still need to see the 'IPsec Connection'.

It looks like there's not 100% agreement on the policy or on the PSK. The log from the Cisco might tell you that.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon2003 over 13 years ago in reply to BAlfson

thanks for your help and you're right.

change the settings to

Compression off, not using strict policy.
IKE Settings: AES 256 / MD5 / Group 5: MODP 1536 Lifetime: 7800 seconds
IPSec Settings: AES 256 / MD5 / Group 5: MODP 1536 Lifetime: 3600 seconds

fixed the problem.
Cancel
Vote Up 0 Vote Down

Cancel