
CISCO ASA 5515 to UTM 9.4 (SG230) VPN Peer ID

Our connection seems to be completing phase 1, but is failing on a matched/mismatched Peer ID. The thing is that the peer ID actually matches, but the log says that it doesn't, yet shows the same two words there.

I don't have access to the actual cisco box, it is with an external vendor. Here are the respective logs.

CISCO LOG

Mar 31 2017 08:21:08: %ASA-5-713201: Group = 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Mar 31 2017 08:21:08: %ASA-6-713905: Group =1.1.1.1, IP =1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Mar 31 2017 08:21:08: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Mar 31 2017 08:20:58: %ASA-5-713068: Group =1.1.1.1, IP =1.1.1.1, Received non-routine Notify message: Invalid ID info (18)

SOPHOS LOG
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: enabling possible NAT-traversal with method RFC 3947
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco-Unity]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [XAUTH]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [26af64ae1ce2e355e599171584afb948]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: received Vendor ID payload [Dead Peer Detection]
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: Peer ID is ID_KEY_ID: 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'
2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500



  • Looking at the links I sent, they appear to suggest that you need to get the peer to change its ID type to IP address.

    They suggest that because you are using a PSK, the VPN ID type has to be IP address on the peer, i.e. not hostname or email address, as the UTM forces it to be the IP address only.

  • So, the Full NAT is in the UTM and is just used to get traffic from external clients to the server and back.  Clearer now, but still not crystal...

    Is this simply an IPsec SA 'Internet = 1.1.1.1 <> 2.2.2.2 = 192.9.200.169'?  If so, then the simplest answer is to use Louis' suggestion.  If 1.1.1.1 and 2.2.2.2 are not the endpoints, then it's a little trickier.

    I don't understand the reason to try to use a non-existent hostname for the VPN ID.  Are you certain the following line from your log above is correctly reflecting what you see in the log that's had private details obfuscated?

    2017:04:02-15:40:48 50 pluto[22287]: "S_KWIK-2" #1383: we require peer to have ID '2.2.2.2', but peer declares 'abc'

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    To me it looks that simple too. But according to the links I sent, the UTM by design only allows the VPN ID type to be IP address due to using a PSK.
    According to them, if using a PSK it does not matter what you set; the UTM will overwrite it and default to the IP address.

    It suggests that you may need to use certs to use a VPN ID of host or email.

  • Hi Bob,


    Yes, the log line is correct. If I leave it blank, the Sophos requires the peer to have the 2.2.2.2 (WAN address of the Cisco). If I enter 192.9.200.169, I get the following:

    we require peer to have ID '192.9.200.169', but peer declares 'abc'

    The abc is required by the Cisco (whose policies I have little/no control over). They have 40-some other clients that can connect without error with the abc identifier.

    The NATs will work; it is the initial connection that remains the issue. I'll keep at it.

    Thanks,

    Jon

  • I'll look into the certs idea.

    Thanks,

    Jon

  • Hi JF1,

    Did you define, under s2svpn / ipsec / advanced, Preshared Key Settings, the VPN ID type "hostname" and the VPN ID "abc"?

    regards

    mod

  • Hello,

    Adding the ID in advanced has no effect, the same errors persist in the log.

  • Hi JF1,

    "we require peer to have ID 'abc', but peer declares 'abc'" sounds like one side has VPN ID "abc" configured with the wrong VPN ID type (ID "abc" and type "IP address"). I don't know if this is possible on the Cisco side.

    regards

    mod
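The point mod makes above is that an IKEv1 identity is the pair (ID type, ID value), not the value alone, so pluto can print two identical strings and still reject the peer. The following Python snippet is an added example written for this thread; it is not code from Sophos, from pluto, or from any poster. It parses the "Peer ID is ..." and "we require peer to have ID ..." lines quoted in the original post (re-typed here as constructed sample input) and reports whether the failure is a value mismatch or a type mismatch. The `expected_id_type` mapping (dotted quad → ID_IPV4_ADDR, address with "@" → ID_USER_FQDN, anything else → ID_FQDN, i.e. the UTM's "hostname" type) is an assumption made for the example, not something the thread or the UTM documentation states.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the pluto lines quoted in the original post.
SAMPLE_PLUTO_LOG = [
    "2017:03:31-10:06:52 50 pluto[3800]: \"S_KWIK-2\" #1: Peer ID is ID_KEY_ID: 'abc'",
    "2017:03:31-10:06:52 50 pluto[3800]: \"S_KWIK-2\" #1: we require peer to have ID 'abc', but peer declares 'abc'",
    "2017:03:31-10:06:52 50 pluto[3800]: \"S_KWIK-2\" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:4500",
]


@dataclass(frozen=True)
class IkeId:
    """An IKEv1 identification payload: type and value together form the identity."""
    id_type: str   # e.g. ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID
    value: str


# The peer's declared identity, including its type, as pluto logs it.
PEER_ID_RE = re.compile(r"Peer ID is (?P<idtype>ID_[A-Z0-9_]+): '(?P<value>[^']*)'")
# pluto's rejection line only prints the two values, which is why they can look identical.
REQUIRE_RE = re.compile(r"we require peer to have ID '(?P<want>[^']*)', but peer declares '(?P<got>[^']*)'")


def expected_id_type(value: str) -> str:
    """ASSUMPTION for this example: the IKE ID type a UTM 'VPN ID' string is compared as."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        return "ID_IPV4_ADDR"
    if "@" in value:
        return "ID_USER_FQDN"
    return "ID_FQDN"  # UTM "hostname" VPN ID type


def diagnose(lines, local_expected_type=None) -> dict:
    """Pair the declared peer identity with the local expectation and explain a rejection."""
    peer = None
    required_value = declared_value = None
    for line in lines:
        m = PEER_ID_RE.search(line)
        if m:
            peer = IkeId(m.group("idtype"), m.group("value"))
        m = REQUIRE_RE.search(line)
        if m:
            required_value, declared_value = m.group("want"), m.group("got")

    if peer is None or required_value is None:
        return {"verdict": "no identity negotiation found in log"}

    local = IkeId(local_expected_type or expected_id_type(required_value), required_value)
    if local == peer:
        verdict = "identities match"
    elif local.value == peer.value:
        # The case in this thread: same text, different ID type, so the comparison fails.
        verdict = (f"value matches but type differs: local expects {local.id_type}, "
                   f"peer sent {peer.id_type}")
    else:
        verdict = f"value differs: local expects '{local.value}', peer sent '{peer.value}'"
    return {"local": local, "peer": peer, "declared": declared_value, "verdict": verdict}


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_PLUTO_LOG).items():
        print(f"{key}: {val}")
```

Run against the quoted lines, the verdict is that the peer sent its identity as ID_KEY_ID while the local side expected a different type for the same string "abc"; run against the later line where the UTM required '2.2.2.2', it reports a plain value mismatch instead. Which type the UTM actually compared against is not visible in the quoted log, which is why `local_expected_type` can be overridden.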

  • Using a cert doesn't get us past the PSK in phase 1.

  • In your original post, you had the log line:

    2017:03:31-10:06:52 50 pluto[3800]: "S_KWIK-2" #1: we require peer to have ID 'abc', but peer declares 'abc'

    Please insert a picture of the Edit of the Remote Gateway definition that resulted in that line.  If you haven't already opened a ticket with Sophos Support, you should get started on that now.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA