Site to site vpn via RSA won't go up: we don't have a cert <--?

Hello there,

I have a site-to-site VPN between 2 ASGs and I'm getting the following messages after enabling the site-to-site VPN:


2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: received Vendor ID payload [strongSwan]
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: ignoring Vendor ID payload [Cisco-Unity]
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: received Vendor ID payload [XAUTH]
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: received Vendor ID payload [Dead Peer Detection]
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: received Vendor ID payload [RFC 3947]
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: enabling possible NAT-traversal with method 3
2012:01:20-10:15:28 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: NAT-Traversal: Result using RFC 3947: i am NATed
2012:01:20-10:15:28 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: we don't have a cert
2012:01:20-10:15:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: discarding duplicate packet; already STATE_MAIN_I3
2012:01:20-10:15:58 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: discarding duplicate packet; already STATE_MAIN_I3
2012:01:20-10:16:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2012:01:20-10:16:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: starting keying attempt 2 of an unlimited number
2012:01:20-10:16:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50711: initiating Main Mode to replace #50710 


The Logfile is from the initiating ASG. 

Here is the Logfile from the responding ASG:

2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [Dead Peer Detection]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [RFC 3947]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: responding to Main Mode from unknown peer 62.145.141.117
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: NAT-Traversal: Result using RFC 3947: peer is NATed
2012:01:20-10:16:37 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: max number of retransmissions (2) reached STATE_MAIN_R2
2012:01:20-10:16:37 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117: deleting connection "S_Initiator"[1] instance with peer 62.145.141.117 {isakmp=#0/ipsec=#0}
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [strongSwan]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [Cisco-Unity]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [XAUTH]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [Dead Peer Detection]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [RFC 3947]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: "S_Initiator"[2] 62.145.141.117 #5: responding to Main Mode from unknown peer 
2012:01:20-10:21:47 WIBA-AST-01 pluto[847]: "S_Initiator"[2] 62.145.141.117 #5: NAT-Traversal: Result using RFC 3947: peer is NATed 



Why is the initiating ASG telling me that we don't have a cert? Is it necessary for the site-to-site VPN?

Hopefully somebody can tell me what's wrong here.

Regards
Seel


  • It is only necessary if you select to use a cert for authentication in the VPN configuration. You can instead use "PSK", which is just a password.
    You would define this in the Remote Gateway section.
  • Please [Go Advanced] below and attach pics:

    - Edit of 'IPsec Connection'
    - Edit of 'Remote Gateway'
    - 'Local RSA key VPN options'
    - 'Advanced' tab
    - From 'Certificate Management', show a pic of the cert used at the top of the 'Advanced' tab.

    Cheers - Bob
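As an added example (my own code, not part of the thread and not Sophos/ASG tooling), the script below parses the two pluto logs posted above and correlates the states both peers stalled in. In IKEv1 Main Mode, STATE_MAIN_I3 on the initiator and STATE_MAIN_R2 on the responder both sit at message 5, the first encrypted message (ID + AUTH), so a stall exactly there is the pattern to look for; the mapping of state names onto messages, the short list of responder messages taken to mean "message 5 was processed", and the 'verdict' wording are my assumptions, not a vendor diagnostic. The embedded log lines are copied (abridged) from the posts above.

```python
"""Triage an IKEv1 Main Mode stall from both peers' pluto logs (added example)."""
import re

# Generic pluto line: "<ts> <host> pluto[<pid>]: <context>: <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$')
# Context forms seen in the thread: "conn" #sa | "conn"[n] peer #sa | "conn"[n] peer | packet from ip:port
CTX_RE = re.compile(
    r'^(?:"(?P<conn>[^"]+)"(?:\[\d+\]\s+(?P<peer>[\d.]+))?(?:\s+#(?P<sa>\d+))?'
    r'|packet from (?P<src>[\d.]+):(?P<port>\d+)):\s+(?P<msg>.*)$'
)
STALL_RE = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')
# Responder messages that appear only after it has decrypted and handled Main Mode
# message 5. Assumption: a short list of pluto strings; extend it for your build.
MM5_HANDLED_RE = re.compile(r'peer ID is|ISAKMP SA established|no RSA public key|malformed')

# Log lines copied (abridged) from the thread.
INITIATOR_LOG = """\
2012:01:20-10:15:27 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: enabling possible NAT-traversal with method 3
2012:01:20-10:15:28 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: NAT-Traversal: Result using RFC 3947: i am NATed
2012:01:20-10:15:28 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: we don't have a cert
2012:01:20-10:15:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: discarding duplicate packet; already STATE_MAIN_I3
2012:01:20-10:16:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50710: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2012:01:20-10:16:38 LIB-AST-01 pluto[7964]: "S_WIBA" #50711: initiating Main Mode to replace #50710
""".splitlines()

RESPONDER_LOG = """\
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: packet from 62.145.141.117:500: received Vendor ID payload [RFC 3947]
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: responding to Main Mode from unknown peer 62.145.141.117
2012:01:20-10:15:27 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: NAT-Traversal: Result using RFC 3947: peer is NATed
2012:01:20-10:16:37 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117 #4: max number of retransmissions (2) reached STATE_MAIN_R2
2012:01:20-10:16:37 WIBA-AST-01 pluto[847]: "S_Initiator"[1] 62.145.141.117: deleting connection "S_Initiator"[1] instance with peer 62.145.141.117 {isakmp=#0/ipsec=#0}
""".splitlines()


def parse(lines):
    """Return one dict per parseable pluto line; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        c = CTX_RE.match(m['rest']) if m else None
        if not c:
            continue
        events.append({'ts': m['ts'], 'host': m['host'], 'conn': c['conn'],
                       'sa': c['sa'], 'msg': c['msg'].rstrip()})
    return events


def triage(initiator_log, responder_log):
    """Correlate the stall state on each side and flag the indicators worth checking."""
    r = {'initiator_stall': None, 'responder_stall': None, 'initiator_no_cert': False,
         'nat_t': False, 'responder_handled_mm5': False}
    for e in parse(initiator_log):
        if "we don't have a cert" in e['msg']:
            r['initiator_no_cert'] = True
        if 'NAT-Traversal: Result' in e['msg'] and 'NATed' in e['msg']:
            r['nat_t'] = True
        s = STALL_RE.search(e['msg'])
        if s:
            r['initiator_stall'] = s.group(1)
    for e in parse(responder_log):
        if MM5_HANDLED_RE.search(e['msg']):
            r['responder_handled_mm5'] = True
        s = STALL_RE.search(e['msg'])
        if s:
            r['responder_stall'] = s.group(1)
    r['verdict'] = verdict(r)
    return r


def verdict(r):
    """I3 on the initiator and R2 on the responder both wait on Main Mode message 5."""
    if (r['initiator_stall'] == 'STATE_MAIN_I3' and r['responder_stall'] == 'STATE_MAIN_R2'
            and not r['responder_handled_mm5']):
        reasons = ['responder never logged handling Main Mode message 5 (ID/AUTH); both sides timed out']
        if r['initiator_no_cert']:
            reasons.append('initiator logged "we don\'t have a cert": check whether RSA/cert '
                           'authentication is selected on the Remote Gateway without a cert (PSK needs none)')
        if r['nat_t']:
            reasons.append('NAT-T is active, so message 5 is the first packet sent on UDP 4500 '
                           '(RFC 3947 port change): confirm UDP 4500 reaches the responder')
        return reasons
    return ['no matching pattern; read the full log']


if __name__ == '__main__':
    for k, v in triage(INITIATOR_LOG, RESPONDER_LOG).items():
        print(f'{k}: {v}')
```

The two checks the verdict prints are complementary: the authentication-method mismatch Bob describes and a blocked UDP 4500 path both leave the responder with nothing to log after message 4, so neither log alone distinguishes them; the Remote Gateway screenshots plus a packet capture on the responder's UDP 4500 do.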