Curious Case of a Cisco 2900 router and a UTM9 IPSec VPN

Hi

 

I've been trying to set up an IPsec VPN with a customer's Cisco 2900 router. The admin is not very familiar with their network or with VPN tech in general.

These are the policies set in the UTM (and hopefully, on the other side):

 

3DES-OthersideDirect
Compression off, not using strict policy.
IKE Settings: 3DES / SHA1 / Group 2: MODP 1024 Lifetime: 86400 seconds
IPsec Settings: 3DES / SHA1 / Null (None) Lifetime: 3600 seconds

The 2900 is supposedly sitting in front of a firewall, and the host IP I'm trying to connect to is behind said firewall.

I noticed something odd. Any time I try to establish a connection, the VPN appears to be established, but the UTM is still sending EVENT_RETRANSMIT messages, complains about no acceptable response to its first Quick Mode message and in the end receives a Delete SA payload.

and the UI looks like this:

 OthersideDirect [0 of 1 IPsec SAs established]
SA: my.side.ip.50/32=my.side.ip other.side.ip.49=other.side.ip.53/32
VPN ID: my.side.ip.50
Error: No connection

 

What could be causing this, please? Here are some logs of what happens:


2016:11:10-09:23:07 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0": deleting connection
2016:11:10-09:23:07 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422592: deleting state (STATE_QUICK_I1)
2016:11:10-09:23:07 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #412936: deleting state (STATE_MAIN_I4)
2016:11:10-09:23:13 mysidefw pluto[4113]: added connection description "S_REF_IpsSitOtherside_0"
2016:11:10-09:23:13 mysidefw pluto[4113]: | Queuing pending Quick Mode with other.side.ip.49 "S_REF_IpsSitOtherside_0"
2016:11:10-09:23:13 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: initiating Main Mode
2016:11:10-09:23:13 mysidefw pluto[4113]: ERROR: "S_REF_IpsSitOtherside_0" #422602: sendto on eth1 to other.side.ip.49:500 failed in main_outI1. Errno 1: Operation not permitted
2016:11:10-09:23:23 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422602
2016:11:10-09:23:23 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: received Vendor ID payload [RFC 3947]
2016:11:10-09:23:23 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: enabling possible NAT-traversal with method 3
2016:11:10-09:23:33 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422602
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: discarding duplicate packet; already STATE_MAIN_I2
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring Vendor ID payload [Cisco-Unity]
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: received Vendor ID payload [Dead Peer Detection]
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring Vendor ID payload [b961a6f8f67ef21f8066417f4d56cbd4]
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: received Vendor ID payload [XAUTH]
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: NAT-Traversal: Result using RFC 3947: no NAT detected
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: Peer ID is ID_IPV4_ADDR: 'other.side.ip.49'
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: Dead Peer Detection (RFC 3706) enabled
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ISAKMP SA established
2016:11:10-09:23:33 mysidefw pluto[4113]: | unqueuing pending Quick Mode with other.side.ip.49 "S_REF_IpsSitOtherside_0"
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#422602}
2016:11:10-09:23:34 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:11:10-09:23:43 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422606
2016:11:10-09:24:03 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422606
2016:11:10-09:24:43 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422606
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhapl
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: starting keying attempt 2 of an unlimited number
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422614: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #422606 {using isakmp#422602}
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:11:10-09:24:53 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422614
2016:11:10-09:25:13 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422614
2016:11:10-09:37:33 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422731: starting keying attempt 13 of an unlimited number
2016:11:10-09:37:33 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422741: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #422731 {using isakmp#422602}
2016:11:10-09:37:34 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:11:10-09:37:43 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422741
2016:11:10-09:38:03 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422741
2016:11:10-09:38:34 qfw1 pluto[4113]: "S_REF_IpsSitOthersideni_0" #420968: received Delete SA(0x11f48800) payload: deleting IPSEC State #422484
2016:11:10-09:38:43 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422741
2016:11:10-09:38:43 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422741: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhapl
2016:11:10-09:38:43 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422741: starting keying attempt 14 of an unlimited number
2016:11:10-09:38:43 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422749: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #422741 {using isakmp#422602}
2016:11:10-09:38:43 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:11:10-09:38:53 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422749
2016:11:10-09:39:13 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422749
2016:11:10-09:39:35 qfw1 pluto[4113]: "S_REF_IpsSitOthersideni_0" #420968: received Delete SA(0x4f1acffa) payload: deleting IPSEC State #422497
2016:11:10-09:39:53 qfw1 pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422749
2016:11:10-09:39:53 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422749: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhapl
2016:11:10-09:39:53 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422749: starting keying attempt 15 of an unlimited number
2016:11:10-09:39:53 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422757: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #422749 {using isakmp#422602}
2016:11:10-09:39:54 qfw1 pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN



  • This could be several things: a mismatch of preshared keys, the other side being behind a NAT or a mismatch in the IPsec Settings are the first things that come to mind.  If you are using a PSK, have you selected 'Enable probing of preshared keys' on the 'Advanced' tab of 'IPsec'?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
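As an added diagnostic example (my own code, not from the original post, the reply above or Sophos): a short Python script that reads pluto log lines of the shape shown in the post and decides which of the causes in the reply is consistent with them. The sample lines are a constructed subset modelled on the post's log (same placeholder hostnames and "other.side.ip.49"-style addresses); the verdict labels, the `diagnose`/`explain` names and the wording of the notes are my own assumptions, not UTM output.

```python
import re

# Constructed sample, modelled on the pluto lines in the post above (not the
# poster's full log). Hostnames, connection names and addresses are placeholders.
SAMPLE_LOG = """\
2016:11:10-09:23:13 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: initiating Main Mode
2016:11:10-09:23:13 mysidefw pluto[4113]: ERROR: "S_REF_IpsSitOtherside_0" #422602: sendto on eth1 to other.side.ip.49:500 failed in main_outI1. Errno 1: Operation not permitted
2016:11:10-09:23:23 mysidefw pluto[4113]: | handling event EVENT_RETRANSMIT for other.side.ip.49 "S_REF_IpsSitOtherside_0" #422602
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: NAT-Traversal: Result using RFC 3947: no NAT detected
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ISAKMP SA established
2016:11:10-09:23:33 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#422602}
2016:11:10-09:23:34 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422606: starting keying attempt 2 of an unlimited number
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422614: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #422606 {using isakmp#422602}
2016:11:10-09:24:43 mysidefw pluto[4113]: "S_REF_IpsSitOtherside_0" #422602: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# One pluto line: timestamp host pluto[pid]: [ERROR: ]"conn"[ #state]: message
# Debug lines beginning with "| " have a different shape and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: (?:ERROR: )?'
    r'"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: (?P<msg>.*)$'
)


def diagnose(log_text):
    """Classify an IKEv1 negotiation from pluto log lines.

    Verdicts (assumed labels):
      'tunnel-up'                 an IPsec SA was established
      'phase2-proposal-rejected'  Phase 1 done, peer answered Quick Mode with
                                  NO_PROPOSAL_CHOSEN (IPsec proposal or selector mismatch)
      'phase2-no-response'        Phase 1 done, Quick Mode only timed out
      'phase1-failed'             no ISAKMP SA was ever established
    """
    ev = {
        'phase1_established': [],   # ISAKMP SA (Phase 1) state numbers
        'quick_mode_attempts': [],  # IPsec SA (Phase 2) state numbers initiated
        'no_proposal_chosen': 0,    # NO_PROPOSAL_CHOSEN notifications from the peer
        'quick_mode_timeouts': 0,   # Quick Mode attempts that hit the retransmit limit
        'keying_attempts': 0,       # highest "starting keying attempt N" seen
        'send_errors': [],          # local sendto() failures (not a peer problem)
        'nat': None,                # NAT-T detection result, if logged
        'ipsec_established': False,
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state, msg = m['state'], m['msg']
        if 'ISAKMP SA established' in msg:
            ev['phase1_established'].append(state)
        elif 'IPsec SA established' in msg:
            ev['ipsec_established'] = True
        elif msg.startswith('initiating Quick Mode'):
            ev['quick_mode_attempts'].append(state)
        elif 'NO_PROPOSAL_CHOSEN' in msg:
            ev['no_proposal_chosen'] += 1
        elif 'max number of retransmissions' in msg and 'STATE_QUICK_I1' in msg:
            ev['quick_mode_timeouts'] += 1
        elif msg.startswith('starting keying attempt'):
            ev['keying_attempts'] = max(ev['keying_attempts'], int(msg.split()[3]))
        elif msg.startswith('sendto') and 'failed' in msg:
            ev['send_errors'].append(msg)
        elif 'NAT-Traversal: Result' in msg:
            ev['nat'] = msg.rsplit(': ', 1)[-1]

    if ev['ipsec_established']:
        ev['verdict'] = 'tunnel-up'
    elif not ev['phase1_established']:
        ev['verdict'] = 'phase1-failed'
    elif ev['no_proposal_chosen']:
        ev['verdict'] = 'phase2-proposal-rejected'
    else:
        ev['verdict'] = 'phase2-no-response'
    return ev


def explain(ev):
    """Map the evidence onto the usual causes: PSK, NAT, IPsec settings."""
    notes = []
    if ev['phase1_established']:
        # Main Mode with a PSK cannot complete on a wrong key, so a finished
        # Phase 1 rules out a PSK mismatch and an IKE (Phase 1) proposal mismatch.
        notes.append('Phase 1 completed: IKE proposal and pre-shared key agree.')
    if ev['nat']:
        notes.append('NAT-T result: %s.' % ev['nat'])
    if ev['verdict'] == 'phase2-proposal-rejected':
        notes.append('Peer rejected Quick Mode (%d NO_PROPOSAL_CHOSEN over %d attempts): '
                     'compare ESP cipher/hash, PFS group, lifetime and the local/remote '
                     'networks (proxy IDs) on both ends.'
                     % (ev['no_proposal_chosen'], len(ev['quick_mode_attempts'])))
    if ev['send_errors']:
        notes.append('%d local sendto() failure(s): the IKE packet was blocked on this '
                     'box, not by the peer.' % len(ev['send_errors']))
    return notes


if __name__ == '__main__':
    for note in explain(diagnose(SAMPLE_LOG)):
        print(note)
```

Run against the post's full log the same logic lands on the Phase 2 branch: the ISAKMP SA comes up, every Quick Mode initiation is answered by NO_PROPOSAL_CHOSEN on the Phase 1 SA, and the attempts roll over until the peer sends Delete SA. The "Operation not permitted" sendto error on the very first Main Mode packet is a separate, local condition (the retransmit ten seconds later got through), which is why it is reported on its own line.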