AWS UTM to SRX240

I've been trying to get the VPN set up between my SRX and a VPC EC2 instance in the AWS cloud for the last few days and I can't get anywhere.

Can someone give me a hint of where to go next?  I've read all the articles about enabling preshared key probing but I still get nothing.  If I'm doing something stupid please let me know!

Thanks in advance for your help.

SRX Config
ike {
    traceoptions {
        file ike size 1m;
        flag all;
    }
    proposal SophosPhase1 {
        authentication-method pre-shared-keys;
        dh-group group1;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 7800;
    }
    policy ike_pol_AWS_USEast {
        mode main;
        proposals SophosPhase1;
        pre-shared-key ascii-text "encryptedKeyHere";
    }
    gateway gw_AWS_USEast {
        ike-policy ike_pol_AWS_USEast;
        address AWS.US.East.IP;
        local-identity inet SRX.IP.Addr.ess;
        remote-identity inet AWS.US.East.IP;
        external-interface reth2;
    }
}
ipsec {
    proposal SophosPhase2 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec_pol_AWS_USEast {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals SophosPhase2;
    }
    vpn AWS_USEast {
        bind-interface st0.6;
        ike {
            gateway gw_AWS_USEast;
            proxy-identity {
                remote 10.0.10.0/24;
                service any;
            }
            ipsec-policy ipsec_pol_AWS_USEast;
        }
        establish-tunnels immediately;
    }
}
routing-options {
    static {
        route 10.0.10.0/24 next-hop st0.6;
    }
}


UTM Configs
Policy
Compression off, not using strict policy.
IKE Settings: 3DES / SHA1 / Group 1: MODP 768   Lifetime: 7800 seconds
IPsec Settings: AES 128 / SHA1 / Group 2: MODP 1024   Lifetime: 3600 seconds

Gateway
name : gw-srx
Gateway type : initiate connection
Gateway : AWS.US.East.IP

Authentication type : preshared key
key : my_passwd_here
repeat : my_passwd_here

VPN ID type : IP Address
VPN ID (optional) : AWS.US.East.IP
Remote Networks : 10.0.10.0/24

VPN
Remote Gateway : gateway above
Local Interface : External (WAN)
Policy : policy above
Local Networks : Internal (Network)
Automatic Firewall Rules
Below are the logs from the UTM instance.
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: loading secrets from "/etc/ipsec.secrets"
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: loaded PSK secret for 10.0.0.5 SRX.IP.Addr.ess
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: added connection description "S_Immedion"
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: initiating Main Mode
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: received Vendor ID payload [Dead Peer Detection]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: received Vendor ID payload [RFC 3947]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: ignoring Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: enabling possible NAT-traversal with method 3
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2015:01:09-21:48:02 UTM-USEast01 pluto[622]: "S_Immedion" #1: discarding duplicate packet; already STATE_MAIN_I3
2015:01:09-21:48:12 UTM-USEast01 pluto[622]: "S_Immedion" #1: discarding duplicate packet; already STATE_MAIN_I3
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: received Vendor ID payload [Dead Peer Detection]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: received Vendor ID payload [RFC 3947]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: packet from SRX.IP.Addr.ess:500: ignoring Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: "S_Immedion" #2: responding to Main Mode
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: | NAT-T: new mapping SRX.IP.Addr.ess:4500/500)
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: NAT-Traversal: Result using RFC 3947: i am NATed
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: | NAT-T: new mapping SRX.IP.Addr.ess:500/4500)
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: Peer ID is ID_IPV4_ADDR: 'SRX.IP.Addr.ess'
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: sent MR3, ISAKMP SA established
2015:01:09-21:48:37 UTM-USEast01 pluto[622]: "S_Immedion" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2015:01:09-21:48:47 UTM-USEast01 pluto[622]: "S_Immedion" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2015:01:09-21:49:02 UTM-USEast01 pluto[622]: "S_Immedion" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
2015:01:09-21:49:02 UTM-USEast01 pluto[622]: "S_Immedion" #1: starting keying attempt 2 of an unlimited number
2015:01:09-21:49:02 UTM-USEast01 pluto[622]: "S_Immedion" #3: initiating Main Mode to replace #1


  • Hi, and welcome to the User BB!

    "Possible authentication failure: no acceptable response to our first encrypted message" probably means that there's a problem caused by NAT.  The SRX should be in the equivalent of "Respond Only."  If the SRX is behind a NATting router, then put the actual IP on its interface into 'VPN ID (optional)' in the Remote Gateway in the UTM.  Also, the two endpoints must agree on NAT-T and DPD.  Any luck with any of that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
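A small triage script for pluto log excerpts like the one posted above, added here as an example (it is not from the original thread and not Sophos or Juniper code): it groups the log lines by ISAKMP SA number and flags the symptoms Bob's reply points at, namely NAT being detected, the initiator SA timing out at MAIN_I3, the responder SA's MR3 going unanswered, and the peer ID that should match the configured VPN ID. The sample lines are constructed in the shape of the posted log, with the post's own placeholders kept.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the posted UTM log (placeholders kept as posted).
SAMPLE_LOG = """\
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: initiating Main Mode
2015:01:09-21:47:52 UTM-USEast01 pluto[622]: "S_Immedion" #1: NAT-Traversal: Result using RFC 3947: i am NATed
2015:01:09-21:48:02 UTM-USEast01 pluto[622]: "S_Immedion" #1: discarding duplicate packet; already STATE_MAIN_I3
2015:01:09-21:48:26 UTM-USEast01 pluto[622]: "S_Immedion" #2: responding to Main Mode
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: Peer ID is ID_IPV4_ADDR: 'SRX.IP.Addr.ess'
2015:01:09-21:48:27 UTM-USEast01 pluto[622]: "S_Immedion" #2: sent MR3, ISAKMP SA established
2015:01:09-21:48:37 UTM-USEast01 pluto[622]: "S_Immedion" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2015:01:09-21:49:02 UTM-USEast01 pluto[622]: "S_Immedion" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Only lines carrying a connection name and an SA number ("S_Immedion" #1: ...) are of interest.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_pluto(text):
    """Group messages by ISAKMP SA number: {sa: {"conn", "role", "msgs"}}."""
    sas = defaultdict(lambda: {"conn": None, "role": None, "msgs": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor-ID chatter and NAT-T mapping lines carry no SA number
        sa = sas[int(m["sa"])]
        sa["conn"], msg = m["conn"], m["msg"]
        sa["msgs"].append(msg)
        if msg.startswith("initiating Main Mode"):
            sa["role"] = "initiator"
        elif msg.startswith("responding to Main Mode"):
            sa["role"] = "responder"
    return dict(sas)

def diagnose(sas):
    """Return human-readable findings drawn from the per-SA message groups."""
    findings = []
    for num, sa in sorted(sas.items()):
        msgs = sa["msgs"]
        if any("i am NATed" in m for m in msgs):
            findings.append(f"#{num}: NAT detected on this side; NAT-T (UDP 4500) is in play")
        if sa["role"] == "initiator" and any("Possible authentication failure" in m for m in msgs):
            findings.append(f"#{num}: stalled at MAIN_I3; peer never answered our encrypted ID/HASH exchange")
        if sa["role"] == "responder" and any("already STATE_MAIN_R3" in m for m in msgs):
            findings.append(f"#{num}: peer keeps resending its encrypted ID message after our MR3; it did not accept our reply")
        for m in msgs:
            if m.startswith("Peer ID is "):
                findings.append(f"#{num}: peer presented {m[len('Peer ID is '):]}; compare with the configured VPN ID")
    return findings
```

Both SAs failing at the same step (the encrypted ID exchange, right after NAT-T is negotiated) is the pattern to look for; once the NAT-side identity is fixed on the UTM gateway, the MAIN_I3 timeout and the MAIN_R3 retransmissions should both disappear from the log.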