CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

Our connection seems to be completing phase 1, but is failing on a matched/mismatched Peer ID. The thing is that the peer ID actually matches, but the log says that it doesn't, but shows the same two words there.

I don't have access to the actual cisco box, it is with an external vendor. Here are the respective logs.

CISCO LOG

Mar 31 2017 08:21:08: %ASA-5-713201: Group = 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 31 2017 08:21:08: %ASA-6-713905: Group =1.1.1.1, IP =1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Mar 31 2017 08:21:08: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Mar 31 2017 08:20:58: %ASA-5-713068: Group =1.1.1.1, IP =1.1.1.1, Received non-routine Notify message: Invalid ID info (18)

SOPHOS LOG
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: enabling possible NAT-traversal with method RFC 3947
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco-Unity]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [XAUTH]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [26af64ae1ce2e355e599171584afb948]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [Dead Peer Detection]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
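An added diagnostic, not part of the original thread, that parses pluto lines like the ones above and flags the case where the required and declared IDs print identically: in IKEv1 the ID payload carries a type as well as a value, so identical text plus INVALID_ID_INFORMATION points at the two sides comparing different ID types (here the ASA sends ID_KEY_ID). The "S_OTHER" lines and the verdict labels are constructed for the example.

```python
import re

# Constructed sample: the relevant pluto lines from the post, plus one constructed
# connection ("S_OTHER") whose ID value really differs, to show the other branch.
SAMPLE_LOG = """\
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500
2017:03:31-10:07:10 50 pluto[3800]: "S_OTHER" #2: Peer ID is ID_FQDN: '@xyz'
2017:03:31-10:07:10 50 pluto[3800]: "S_OTHER" #2: we require peer to have ID '@abc', but peer declares '@xyz'
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>ID_[A-Z0-9_]+): '(?P<value>[^']*)'")
REQUIRE_RE = re.compile(r"we require peer to have ID '(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'")


def analyse_pluto_log(text):
    """Return one finding per (connection, SA) whose Phase 1 failed on the peer ID."""
    state = {}  # (conn, sa) -> what we have seen so far for that ISAKMP SA
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto per-connection line
        s = state.setdefault((m["conn"], m["sa"]), {})
        msg = m["msg"]
        pm = PEER_ID_RE.search(msg)
        if pm:  # the ID type the peer actually sent, e.g. ID_KEY_ID
            s["kind"], s["value"] = pm["kind"], pm["value"]
        rm = REQUIRE_RE.search(msg)
        if rm:  # the comparison pluto rejected
            s["want"], s["got"] = rm["want"], rm["got"]
        if "INVALID_ID_INFORMATION" in msg:
            s["rejected"] = True

    findings = []
    for (conn, sa), s in state.items():
        if "want" not in s:
            continue  # this SA never hit the peer-ID check
        # Identical text can only be rejected if the ID *type* (kind) differs between
        # the peer's ID payload and the type configured for the remote gateway.
        verdict = "id-value-mismatch" if s["want"] != s["got"] else "probable-id-type-mismatch"
        findings.append({"conn": conn, "sa": sa, "peer_kind": s.get("kind"),
                         "want": s["want"], "got": s["got"], "verdict": verdict,
                         "rejected": s.get("rejected", False)})
    return findings


if __name__ == "__main__":
    for f in analyse_pluto_log(SAMPLE_LOG):
        print(f)
```

A "probable-id-type-mismatch" finding means the next thing to compare is the VPN ID type configured on each side, not the ID string itself.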

  • This is the Cisco setup that I have been sent

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
    default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
    ikev1 pre-shared-key *****

    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
    vpn-tunnel-protocol ikev1


    crypto map outside_map 13 match address outside_cryptomap_12
    crypto map outside_map 13 set peer 1.1.1.1
    crypto map outside_map 13 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 13 set security-association lifetime seconds 3600

    access-list outside_cryptomap_12 line 1 extended permit ip host 192.9.200.169 host 192.168.140.1 (hitcnt=1538) 0x909951f8

  • Just to add a little more information: 192.168.140.1 is actually the LAN Address of my Sophos SG230

    We have an Amazon AWS instance that needs to query the remote MySQL DB that lives at 2.2.2.2 in the clips above

    I have a full NAT that converts the port traffic to our 1.1.1.1 -> 192.9.200.169 (lan of 2.2.2.2)

    ----

    This setup was working for a small amount of time if the remote network pinged us, but we could never initiate the tunnel. In fact, we would still get the same mismatched peer ID (though matched in the log) if the tunnel was up.
