IPSEC ASG220 -> Symantec 320

Astaro ASG220 ver. 8.302
Symantec 320 2.1.0(1336)


Hello, 

I'm trying to create a Site to Site IPSEC VPN between these two pieces of hardware but can't quite get it to work.
I can get the tunnel to come up, both devices will show "connected" but I can only get traffic to flow from the Astaro to the Symantec.  I can ping any device on the Symantec device's LAN from the Astaro LAN but not the reverse.  I can't see anything in the logs of either device showing the traffic as "blocked" so I'm at a loss as to where to even look next.  

My setup (on the Astaro) looks like this:
Policy 
(3DES, SHA1, Group1)

Remote Gateway
(Preshared key, VPN ID Type = IP Address, Remote Network = 10.1.15.0/24)

Connection
(Local Interface = External (WAN), Policy = Symantec 320, Local Networks = 10.1.1.0/24, Auto Firewall Rules = Checked, Strict Routing = Un-Checked)

Any hints or suggestions on where to look next would be greatly appreciated.
Thank you


  • That all looks good.  I think you can turn off the IKE debugging since the IPsec SA gets established.

    Here are the three lines that make me think there's a disagreement about the PSK:
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: Can't authenticate: no preshared key found for '64.x.y.131' and '64.x.y.132'. Attribute OAKLEY_AUTHENTICATION_METHOD
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: no acceptable Oakley Transform
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: sending notification NO_PROPOSAL_CHOSEN to 64.x.y.132:500


    Does this work if you try a simple PSK like 123abc?

    If that doesn't do it, then, I'd suspect something in between that isn't letting protocol 50 &/or 51 get through.

    Cheers - Bob
    PS RSA keys are almost as secure as certificates and just as easy to configure as PSKs if the Symantec can do that.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I can't try abc123 due to the fact that the Symantec requires a minimum 20 char long key.

    After trying every possible combination of policy values (that exist in both the ASG and the Symantec) I did find a different error.  Please see log entries below:

    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #52: starting keying attempt 2 of an unlimited number
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #53: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #52 {using isakmp#47}
    2012:05:07-09:16:41 gate1 pluto[786]: packet from 64.140.115.132:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: responding to Main Mode
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: Peer ID is ID_IPV4_ADDR: '64.140.115.132'
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: sent MR3, ISAKMP SA established
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: responding to Quick Mode
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@64.140.115.131 included errno 17: File exists
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: IPsec SA established {ESP=>0x83c2ee58 
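The pluto messages quoted in both posts above (the "no preshared key found" / NO_PROPOSAL_CHOSEN trio and the later "errno 17: File exists" kernel-policy error) are the kind of lines a triage script can pick out of a busy IPsec log. The following is an added example, not code from the thread or from Astaro/Sophos; the sample log is constructed from the lines quoted in the posts, the signature table and its hints are the author's own reading of those messages, and `parse_line`/`triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample, modelled on the pluto log lines quoted in the thread
# (peer addresses redacted as in the original post).
SAMPLE_LOG = """\
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: Can't authenticate: no preshared key found for '64.x.y.131' and '64.x.y.132'. Attribute OAKLEY_AUTHENTICATION_METHOD
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: no acceptable Oakley Transform
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: sending notification NO_PROPOSAL_CHOSEN to 64.x.y.132:500
2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: sent MR3, ISAKMP SA established
2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@64.140.115.131 included errno 17: File exists
2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: IPsec SA established {ESP=>0x83c2ee58
"""

# timestamp host pluto[pid]: "conn" #state: message   (conn/state are optional)
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')

# Ordered (needle, finding, hint) table; the first matching needle wins.
SIGNATURES = [
    ("no preshared key found", "psk_mismatch", "PSK or peer ID not matched on this side; check key and VPN ID type"),
    ("no acceptable Oakley Transform", "phase1_proposal_mismatch", "IKE policy (enc/hash/DH group) disagrees with peer"),
    ("NO_PROPOSAL_CHOSEN", "proposal_rejected", "peer rejected a proposal; compare Phase 1/Phase 2 policies"),
    ("errno 17: File exists", "duplicate_kernel_policy", "kernel already holds an XFRM policy for this flow; look for a stale SA or overlapping tunnel/route"),
    ("ISAKMP SA established", "phase1_ok", None),
    ("IPsec SA established", "phase2_ok", None),
]

def parse_line(line):
    """Split one pluto line into fields and tag it with a finding, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["finding"], rec["hint"] = None, None
    for needle, finding, hint in SIGNATURES:
        if needle in rec["msg"]:
            rec["finding"], rec["hint"] = finding, hint
            break
    return rec

def triage(log_text):
    """Count findings and collect distinct hints in order of first appearance."""
    findings, hints = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["finding"]:
            findings[rec["finding"]] += 1
            if rec["hint"] and rec["hint"] not in hints:
                hints.append(rec["hint"])
    return findings, hints
```

Feed it the output of the Astaro IPsec log for one connection name; a tunnel that reports `phase2_ok` alongside `duplicate_kernel_policy` is the one-way-traffic pattern from this thread.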