IPSEC ASG220 -> Symantec 320

Astaro ASG220 ver. 8.302
Symantec 320 2.1.0(1336)


Hello, 

I'm trying to create a Site to Site IPSEC VPN between these two pieces of hardware but can't quite get it to work.
I can get the tunnel to come up, both devices will show "connected" but I can only get traffic to flow from the Astaro to the Symantec.  I can ping any device on the Symantec device's LAN from the Astaro LAN but not the reverse.  I can't see anything in the logs of either device showing the traffic as "blocked" so I'm at a loss as to where to even look next.  

My setup (on the Astaro) looks like this:
Policy 
(3DES, SHA1, Group1)

Remote Gateway
(Preshared key, VPN ID Type = IP Address, Remote Network = 10.1.15.0/24)

Connection
(Local Interface = External(WAN), Policy = Symantec 320, Local Networks = 10.1.1.0/24, Auto Firewall Rules = Checked, Strict Routing = Un-Checked)

Any hints or suggestions on where to look next would be greatly appreciated.
Thank you


  • That all looks good.  I think you can turn off the IKE debugging since the IPsec SA gets established.

    Here are the three lines that make me think there's a disagreement about the PSK:
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: Can't authenticate: no preshared key found for '64.x.y.131' and '64.x.y.132'. Attribute OAKLEY_AUTHENTICATION_METHOD
    
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: no acceptable Oakley Transform
    2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: sending notification NO_PROPOSAL_CHOSEN to 64.x.y.132:500


    Does this work if you try a simple PSK like 123abc?

    If that doesn't do it, then I'd suspect something in between that isn't letting protocol 50 &/or 51 get through.

    Cheers - Bob
    PS RSA keys are almost as secure as certificates and just as easy to configure as PSKs if the Symantec can do that.
  • Hi Bob,

    I can't try abc123 due to the fact that the Symantec requires a minimum 20 char long key.

    After trying every possible combination of policy values (that exist in both the ASG and the Symantec) I did find a different error.  Please see log entries below:

    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #52: starting keying attempt 2 of an unlimited number
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #53: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #52 {using isakmp#47}
    2012:05:07-09:16:41 gate1 pluto[786]: packet from 64.140.115.132:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: responding to Main Mode
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: Peer ID is ID_IPV4_ADDR: '64.140.115.132'
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: sent MR3, ISAKMP SA established
    2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: responding to Quick Mode
     
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@64.140.115.131 included errno 17: File exists
     
    2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: IPsec SA established {ESP=>0x83c2ee58 
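Bob's reply and the follow-up both diagnose the tunnel by reading pluto's state-numbered messages as a sequence. The script below is an added example (mine, not from the thread, Sophos or Symantec): it parses lines in the format quoted above, groups them by ISAKMP state number and attaches a next-step hint per category. The rule set and hints are my own mapping, and the sample lines are constructed from the ones quoted in this thread.

```python
import re
# Constructed sample modelled on the pluto lines quoted in this thread (64.x.y.* are the thread's own masked addresses).
SAMPLE_LOG = """\
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: Can't authenticate: no preshared key found for '64.x.y.131' and '64.x.y.132'. Attribute OAKLEY_AUTHENTICATION_METHOD
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: no acceptable Oakley Transform
2012:05:03-15:47:35 gate1 pluto[7166]: "S_Brantford" #272: sending notification NO_PROPOSAL_CHOSEN to 64.x.y.132:500
2012:05:07-09:16:41 gate1 pluto[786]: "S_Brantford" #54: sent MR3, ISAKMP SA established
2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.10000@64.x.y.131 included errno 17: File exists
2012:05:07-09:16:42 gate1 pluto[786]: "S_Brantford" #55: IPsec SA established {ESP=>0x83c2ee58
"""

# The quoted connection name and #state are absent on lines about packets pluto cannot yet tie to a connection.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
                     r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')

RULES = [  # (pattern, category, what to check next); the first matching rule wins
    (r"no preshared key found", "psk_mismatch",
     "no PSK matched this peer pair: re-enter the key on both gateways"),
    (r"no acceptable Oakley Transform", "phase1_proposal_mismatch",
     "IKE Phase 1 encryption/hash/DH group disagree: align both policies"),
    (r"NO_PROPOSAL_CHOSEN", "proposal_rejected",
     "a peer rejected the offered proposal: compare Phase 1 and Phase 2 settings"),
    (r"XFRM_MSG_NEWPOLICY .* errno 17", "duplicate_kernel_policy",
     "the kernel already holds a policy for this flow: stale SA or overlapping networks"),
    (r"ISAKMP SA established", "phase1_ok", "IKE SA is up"),
    (r"IPsec SA established", "phase2_ok", "ESP SA is up"),
]

def parse_line(line):
    """Split one pluto syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["state"] = int(rec["state"]) if rec["state"] else None
    return rec

def triage(log_text):
    """Group categories by ISAKMP state number (None = no state yet) and collect one hint per category seen."""
    by_state, hints = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, category, hint in RULES:
            if re.search(pattern, rec["msg"]):
                by_state.setdefault(rec["state"], []).append(category)
                hints[category] = hint
                break
    return by_state, hints
```

Run on the sample, state #272 reads as PSK failure, then proposal failure, then NO_PROPOSAL_CHOSEN sent, while #55 shows the duplicate kernel policy error followed by the SA still coming up, which is the one-way-traffic picture the thread describes.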