CANNOT ESTABLISH VPN TUNNEL BETWEEN CONTIVITY 1750 AND BSR222

Status
Not open for further replies.

smahajan

IS-IT--Management
Jul 17, 2007
36
CA
We cannot set up a branch office VPN tunnel between the BSR222 and the Contivity 1750.
-> We have selected IPSEC with 3DES and MD5 encryption.
-> ISAKMP is enabled on both sides.
-> Perfect Forward Secrecy is disabled on both sides.
-> The connection type is Peer to Peer and we have set up the same preshared key on both sides.
-> Phase 1 and Phase 2 options in the BSR222 are set to use 3DES and MD5 with Diffie-Hellman.

As seen from the log below, the Contivity says "No IPsec encryption type selected for BSR222" and then closes the connection request.

We are getting the following log on the Contivity 1750:

---------------Branch Office Test Initiated: [192.168.7.254:192.168.6.254]---------------

4 12/12/2007 16:23:39 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 78
o Initiating the first connection within the branch-office tunnel....

5 12/12/2007 16:23:39 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 65
IPSEC branch office connection initiated to rem[192.168.15.0-255.255.255.0]@[192.168.6.254] loc[192.168.16.2-255.255.255.255]

6 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 40
Session: IPSEC[192.168.6.254] attempting login

7 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 49
Session: IPSEC[192.168.6.254] has no active sessions

8 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 157
Session: IPSEC[192.168.6.254] VPN has no active accounts

9 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 80
Session: IPSEC[192.168.6.254]:33 SHARED-SECRET authenticate attempt...
10 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 83
Session: IPSEC[192.168.6.254]:33 attempting authentication using LOCAL

11 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 84
Session: IPSEC[192.168.6.254]:33 authenticated using LOCAL

12 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 73
Session: IPSEC[192.168.6.254]:33 bound to group /Base/VPN

13 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 133
Session: IPSEC[192.168.6.254]:33 Building group filter Management Only

14 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 127
Session: IPSEC[192.168.6.254]:33 RESTRICTED FILTER 1 deny TCP any GT 1023 any EQ 113

15 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 139
Session: IPSEC[192.168.6.254]:33 Applying group filter Management Only

16 12/12/2007 16:23:39 (Security ) INFO SECURITY SESSIONCLS Code 94
Session: IPSEC[192.168.6.254]:33 authorized

17 12/12/2007 16:23:39 (tIsakmp ) ERR SECURITY ISAKMP Code 147
No IPsec encryption type selected for 192.168.6.254 - terminating connection attempt

18 12/12/2007 16:23:39 (tIsakmp ) ERR SECURITY ISAKMP Code 89
Authentication failure in message from 192.168.6.254

19 12/12/2007 16:23:39 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6bf9b58: IPSEC[192.168.6.254]:33 logged out
20 12/12/2007 16:23:39 (tIsakmp ) NOTICE SECURITY ISAKMP Code 175
Deleting ISAKMP SA with 192.168.6.254

21 12/12/2007 16:25:39 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 84
***** Test Aborted (timeout) [192.168.7.254:192.168.6.254]

22 12/12/2007 16:25:39 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 83


----------------------------------------------Test Failed [192.168.7.254:192.168.6.254]---------------------------------------------------------






WE ARE USING PRIVATE IPS ABOVE SINCE WE ARE TRYING TO TEST THE TUNNEL IN OUR LAB.

-------------------------------------
LAN IP of Contivity = 192.168.16.1
WAN IP of Contivity = 192.168.7.254


LAN IP of BSR222 = 192.168.15.1
WAN IP of BSR222 = 192.168.6.254
--------------------------------------


CAN SOMEONE PLEASE HELP










 
Turn on EVERY IPSec type of encryption in the 1750. This is telling you that the two units could not decide on a policy.
 
Thanks for getting back to me, MagnaRGP.
I enabled all the IPSEC encryption types on the Contivity 1750 and it is giving me a different error in the log now.

Following is the log on the Contivity 1750:

---------------Branch Office Test Initiated: [192.168.7.254:192.168.6.254]---------------

4 12/13/2007 13:25:46 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 78
o Initiating the first connection within the branch-office tunnel....

5 12/13/2007 13:25:46 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 65
IPSEC branch office connection initiated to rem[192.168.15.0-255.255.255.0]@[192.168.6.254] loc[192.168.16.3-255.255.255.255]

6 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 40
Session: IPSEC[192.168.6.254] attempting login

7 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 49
Session: IPSEC[192.168.6.254] has no active sessions

8 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 157
Session: IPSEC[192.168.6.254] VPN has no active accounts

9 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 80
Session: IPSEC[192.168.6.254]:72 SHARED-SECRET authenticate attempt...
10 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 83
Session: IPSEC[192.168.6.254]:72 attempting authentication using LOCAL

11 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 84
Session: IPSEC[192.168.6.254]:72 authenticated using LOCAL

12 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 73
Session: IPSEC[192.168.6.254]:72 bound to group /Base/VPN

13 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 133
Session: IPSEC[192.168.6.254]:72 Building group filter Management Only

14 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 127
Session: IPSEC[192.168.6.254]:72 RESTRICTED FILTER 1 deny TCP any GT 1023 any EQ 113

15 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 139
Session: IPSEC[192.168.6.254]:72 Applying group filter Management Only

16 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 94
Session: IPSEC[192.168.6.254]:72 authorized

17 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 29
Session: network IPSEC[192.168.15.0-255.255.255.0] attempting login

18 12/13/2007 13:25:46 (Security ) INFO SECURITY SESSIONCLS Code 32
Session: network IPSEC[192.168.15.0-255.255.255.0] logged in from gateway [192.168.6.254]

19 12/13/2007 13:25:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 185
ISAKMP SA established with 192.168.6.254
20 12/13/2007 13:25:46 (tIsakmp ) ERR SECURITY ISAKMP Code 94
Error notification (Invalid ID information) received from 192.168.6.254

21 12/13/2007 13:25:46 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6bf9120: IPSEC[-]:73 logged out

22 12/13/2007 13:25:46 (Security ) NOTICE SECURITY SESSIONCLS Code 9
Session 6bf9488: IPSEC[192.168.6.254]:72 logged out

23 12/13/2007 13:25:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 175
Deleting ISAKMP SA with 192.168.6.254

24 12/13/2007 13:27:46 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 84
***** Test Aborted (timeout) [192.168.7.254:192.168.6.254]

25 12/13/2007 13:27:46 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 83
---------------Test Failed [192.168.7.254:192.168.6.254]-----------------------------------




THANKS A LOT FOR YOUR HELP
 
Error notification (Invalid ID information) received from 192.168.6.254

This says to me that there is a mismatch in the ID string you are using to authenticate. Why don't you use a pre-shared key rather than a DNS string?
 
We got it working.
Thanks a lot for your help.
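
An added example, not part of the original thread and not vendor tooling: a small parser for the Contivity event-log layout shown in the two posts above. It lists each ERR entry, records whether the ISAKMP SA was already established when the error was logged, and surfaces the rem/loc selectors so they can be compared with the peer's settings. The log excerpts are copied from the thread; the function names and hint strings are assumptions.

```python
import re

# Excerpts copied from the two Contivity logs in the thread (lab addresses).
DAY1 = """17 12/12/2007 16:23:39 (tIsakmp ) ERR SECURITY ISAKMP Code 147
No IPsec encryption type selected for 192.168.6.254 - terminating connection attempt
"""
DAY2 = """5 12/13/2007 13:25:46 (BoTest ) INFO TUNNEL BRANCHOFFICE Code 65
IPSEC branch office connection initiated to rem[192.168.15.0-255.255.255.0]@[192.168.6.254] loc[192.168.16.3-255.255.255.255]
19 12/13/2007 13:25:46 (tIsakmp ) NOTICE SECURITY ISAKMP Code 185
ISAKMP SA established with 192.168.6.254
20 12/13/2007 13:25:46 (tIsakmp ) ERR SECURITY ISAKMP Code 94
Error notification (Invalid ID information) received from 192.168.6.254
"""

# Header line: seq, date, time, (task), severity, facility, subsystem, "Code N".
HEADER = re.compile(r"^(?P<seq>\d+) \d\d/\d\d/\d{4} \d\d:\d\d:\d\d \(\w+ *\) "
                    r"(?P<sev>\w+) \w+ \w+ Code (?P<code>\d+)$")
SELECTORS = re.compile(r"rem\[(?P<rem>[^\]]+)\]@\[(?P<peer>[^\]]+)\] loc\[(?P<loc>[^\]]+)\]")
# Hint wording is an assumption based on the replies in the thread, not vendor documentation.
HINTS = {
    "No IPsec encryption type selected": "no encryption proposal in common; compare enabled types",
    "Invalid ID information": "peer rejected the ID; compare ID and rem/loc networks on both ends",
}

def parse_events(text):
    """Attach each message line to the numbered header line that precedes it."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m["seq"]), "sev": m["sev"], "code": int(m["code"]), "msg": ""})
        elif events and line and not line.startswith("---"):
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def diagnose(text):
    """Return selectors seen plus every ERR entry, flagged by ISAKMP SA state."""
    report, sa_up = {"selectors": None, "errors": []}, False
    for ev in parse_events(text):
        sel = SELECTORS.search(ev["msg"])
        if sel:
            report["selectors"] = sel.groupdict()
        if ev["msg"].startswith("ISAKMP SA established"):
            sa_up = True
        elif ev["msg"].startswith("Deleting ISAKMP SA"):
            sa_up = False
        if ev["sev"] == "ERR":
            hint = next((h for k, h in HINTS.items() if k in ev["msg"]), "unclassified")
            report["errors"].append((ev["seq"], ev["code"], hint, sa_up))
    return report
```

Each tuple in `errors` is (sequence number, event code, hint, ISAKMP SA already up); a `True` in the last field means the failure was logged after the ISAKMP SA came up, as in the second log.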

 