
IPSEC tunnel to internal network assistance 1

Status
Not open for further replies.

nkew

Programmer
Dec 18, 2007
23
GB
Dear Experts,

I have set up an IPSEC tunnel between mobile sites and our internal network.

The tunnel works perfectly and I'm able to access all internal hosts in our network.

In addition to these, I'd like to be able to access one or two external addresses.

Could anybody advise how I would add a rule enabling users who have successfully established an IPSEC connection to access these IPs?

Many thanks in advance,

Nick

From Trust To Untrust, total policy: 4
34 Internal Network #1 Vodafone Handset Range #1 ANY
32 Internal Network #1 Vodafone Handset Range #2 ANY

From Untrust To Trust, total policy: 5
35 Vodafone Handset Range #1 --> Internal Network #1 ANY
33 Vodafone Handset Range #2 --> Internal Network #1 ANY
 
John,

This is great - I can't thank you enough for your help.

Here's the output from your commands.

ns25-> get int tun.2
Interface tunnel.2:
description tunnel.2
number 20, if_info 4176, if_index 2, mode route
link ready
vsys Root, zone VPN Zone, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 unnumbered, source interface ethernet3
*manage ip 0.0.0.0
bound vpn:
Vodafone VPN

Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN

pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
DNS Proxy disabled
RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Number of SW session: 24010, hw sess err cnt 0

ns25-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000020< 212.xxx.xxx.35 500 esp: des/md5 00000000 expir unlim I/I -1 0
00000020> 212.xxx.xxx.35 500 esp: des/md5 00000000 expir unlim I/I -1 0

ns25-> get event
Total event entries = 3070
Date Time Module Level Type Description
2007-12-20 22:46:07 system warn 00002 Cannot connect to e-mail server
192.168.1.10.
2007-12-20 22:41:46 system info 00536 IKE<212.xxx.xxx.35> Phase 1:
Retransmission limit has been reached.
2007-12-20 22:40:54 system info 00767 System configuration saved by user via
web from host 84.66.251.91 to
82.xxx.xxx.56:80 by user
2007-12-20 22:40:54 system notif 00018 Policy (46, Untrust->VPN Zone,
Vodafone Handset Range #1->Any,ANY,
Permit) was modified by user via web
from host 84.66.251.91 to
82.xxx.xxx.56:80
2007-12-20 22:40:54 system notif 00018 Policy (46, Untrust->VPN Zone,
Vodafone Handset Range #1->Any,ANY,
Permit) was modified by user via web
from host 84.66.251.91 to
82.xxx.xxx.56:80
2007-12-20 22:40:54 system notif 00018 Policy (46, Untrust->VPN Zone,
Vodafone Handset Range #1->Any,ANY,
Permit) was modified by user via web

ns25-> get ike cookie

Active: 0, Dead: 0, Total 0

ns25-> get db str
## 2007-12-20 22:49:22 : ms -465534289 rt-timer callback
## 2007-12-20 22:49:22 : ms -465534288 rt-timer callback
## 2007-12-20 22:49:23 : ms -465533289 rt-timer callback
## 2007-12-20 22:49:23 : ms -465533245 rt-timer callback
## 2007-12-20 22:49:24 : ms -465532289 rt-timer callback
## 2007-12-20 22:49:24 : ms -465532288 rt-timer callback
## 2007-12-20 22:49:25 : ms -465531289 rt-timer callback
## 2007-12-20 22:49:25 : ms -465531245 rt-timer callback
## 2007-12-20 22:49:26 : ms -465530289 rt-timer callback
## 2007-12-20 22:49:26 : ms -465530287 rt-timer callback
## 2007-12-20 22:49:27 : ms -465529289 rt-timer callback
## 2007-12-20 22:49:27 : ms -465529245 rt-timer callback
## 2007-12-20 22:49:27 : NHTB entry search no found: vpn none tif tunnel.2 nexthop 10.10.1.1
## 2007-12-20 22:49:27 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 22:49:27 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 22:49:27 : IKE<212.183.134.35> sa orig index<0>, peer_id<1>.
## 2007-12-20 22:49:27 : IKE<212.183.134.35> isadb get entry by peer/local ip and port
## 2007-12-20 22:49:27 : IKE<212.183.134.35> create sa: 82.108.195.56->212.183.134.35
## 2007-12-20 22:49:27 : getProfileFromP1Proposal->
## 2007-12-20 22:49:27 : find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 20), xauth(0)
## 2007-12-20 22:49:27 : init p1sa, pidt = 0x0
## 2007-12-20 22:49:27 : change peer identity for p1 sa, pidt = 0x0

 
Hi,

Can you try the debug again with "detail"? Thanks.

undebug all
debug ike detail
clear db

test from laptop to client (let it run for 30 - 60 seconds)

undebug all
get db str (upload entire contents)

Rgds,

John
 
Is this any better?

ns25-> get db str
## 2007-12-20 23:01:12 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 23:01:12 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 23:01:12 : IKE<212.183.134.35> sa orig index<0>, peer_id<1>.
## 2007-12-20 23:01:12 : IKE<212.183.134.35> isadb get entry by peer/local ip and port
## 2007-12-20 23:01:12 : IKE<212.183.134.35> create sa: 82.108.195.56->212.183.134.35
## 2007-12-20 23:01:12 : getProfileFromP1Proposal->
## 2007-12-20 23:01:12 : find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 20), xauth(0)
## 2007-12-20 23:01:12 : init p1sa, pidt = 0x0
## 2007-12-20 23:01:12 : change peer identity for p1 sa, pidt = 0x0
## 2007-12-20 23:01:12 : IKE<0.0.0.0 > create peer identity 0836dc20c
## 2007-12-20 23:01:12 : peer identity 36dc20c created.
## 2007-12-20 23:01:12 : IKE<0.0.0.0 > EDIPI disabled
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Construct ISAKMP header.
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Msg header built (next payload #1)
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Construct [SA] for ISAKMP
## 2007-12-20 23:01:12 : IKE<212.183.134.35> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2007-12-20 23:01:12 : IKE<212.183.134.35> xauth attribute: disabled
## 2007-12-20 23:01:12 : IKE<212.183.134.35> lifetime/lifesize (86400/0)
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Construct NetScreen [VID]
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-20 23:01:12 : IKE<212.183.134.35 > Xmit : [SA] [VID] [VID] [VID]
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:12 : IKE<212.183.134.35> Phase 2 task added
## 2007-12-20 23:01:13 : IKE<212.183.134.35> nhtb_list_update_status: vpn Vodafone VPN
## 2007-12-20 23:01:13 : IKE<212.183.134.35> ** link ready return 8
## 2007-12-20 23:01:13 : IKE<212.183.134.35> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8
## 2007-12-20 23:01:16 : IKE<212.183.134.35> re-trans timer expired, msg retry (0) (0001/0)
## 2007-12-20 23:01:16 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:16 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:20 : IKE<212.183.134.35> re-trans timer expired, msg retry (1) (0001/0)
## 2007-12-20 23:01:20 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:20 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:24 : IKE<212.183.134.35> re-trans timer expired, msg retry (2) (0001/0)
## 2007-12-20 23:01:24 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:24 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:28 : IKE<212.183.134.35> re-trans timer expired, msg retry (3) (0001/0)
## 2007-12-20 23:01:28 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:28 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:32 : IKE<212.183.134.35> re-trans timer expired, msg retry (4) (0001/0)
## 2007-12-20 23:01:32 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:32 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
 
Hi,

This tells me that the remote end point is not responding to the request. Do you have access to that firewall? If not, what changed on the VPN Gateway between now and your previous config?

## 2007-12-20 23:01:24 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:28 : IKE<212.183.134.35> re-trans timer expired, msg retry (3) (0001/0)
## 2007-12-20 23:01:28 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:01:28 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:01:32 : IKE<212.183.134.35> re-trans timer expired, msg retry (4) (0001/0)
 
The only thing I have changed in Autokey IKE is 'Bind to' from 'none' to tunnel.2

Nick
 
Also, I don't have access to the Voda router.

Nick
 
Are you using VPN Monitor? If so, can you disable it and send the results from another debug? Do you have access to the remote Firewall?
 
Hi John,

I disabled VPN monitor and did another debug... there was no output.

Is this expected?

Nick
 
I would try to start it again.

undebug all
debug ike detail
clear db

ping from PC, wait 60 secs

undebug all
get db str
get event
get ike cookie
get sa

Rgds,

John
 
Here's the output...

ns25-> undebug all
ns25-> get db str
## 2007-12-20 23:27:28 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 23:27:28 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-20 23:27:28 : IKE<212.183.134.35> sa orig index<0>, peer_id<1>.
## 2007-12-20 23:27:28 : IKE<212.183.134.35> isadb get entry by peer/local ip and port
## 2007-12-20 23:27:28 : IKE<212.183.134.35> create sa: 82.108.195.56->212.183.134.35
## 2007-12-20 23:27:28 : getProfileFromP1Proposal->
## 2007-12-20 23:27:28 : find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 20), xauth(0)
## 2007-12-20 23:27:28 : init p1sa, pidt = 0x0
## 2007-12-20 23:27:28 : change peer identity for p1 sa, pidt = 0x0
## 2007-12-20 23:27:28 : IKE<0.0.0.0 > create peer identity 0836dc20c
## 2007-12-20 23:27:28 : peer identity 36dc20c created.
## 2007-12-20 23:27:28 : IKE<0.0.0.0 > EDIPI disabled
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Construct ISAKMP header.
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Msg header built (next payload #1)
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Construct [SA] for ISAKMP
## 2007-12-20 23:27:28 : IKE<212.183.134.35> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2007-12-20 23:27:28 : IKE<212.183.134.35> xauth attribute: disabled
## 2007-12-20 23:27:28 : IKE<212.183.134.35> lifetime/lifesize (86400/0)
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Construct NetScreen [VID]
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-20 23:27:28 : IKE<212.183.134.35 > Xmit : [SA] [VID] [VID] [VID]
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:27:28 : IKE<212.183.134.35> Phase 2 task added
## 2007-12-20 23:27:29 : IKE<212.183.134.35> nhtb_list_update_status: vpn Vodafone VPN
## 2007-12-20 23:27:29 : IKE<212.183.134.35> ** link ready return 8
## 2007-12-20 23:27:29 : IKE<212.183.134.35> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8
## 2007-12-20 23:27:33 : IKE<212.183.134.35> re-trans timer expired, msg retry (0) (0001/0)
## 2007-12-20 23:27:33 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:27:33 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-20 23:27:37 : IKE<212.183.134.35> re-trans timer expired, msg retry (1) (0001/0)
## 2007-12-20 23:27:37 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-20 23:27:37 : IKE<212.183.134.35> Send Phase 1 packet (len=160)

ns25-> get event
Total event entries = 3070
Date Time Module Level Type Description
2007-12-20 23:26:09 system info 00536 IKE<212.183.134.35> Phase 1:
Retransmission limit has been reached.
2007-12-20 23:26:07 system warn 00002 Cannot connect to e-mail server
192.168.1.10.
2007-12-20 23:25:18 system info 00767 System configuration saved by user via
web from host 84.66.251.91 to
82.108.195.56:80 by user
2007-12-20 23:25:18 system notif 00009 DNS proxy was disabled on interface
tunnel.2
2007-12-20 23:24:47 system info 00536 IKE<212.183.134.35> Phase 1:
Retransmission limit has been reached.
2007-12-20 23:24:11 system info 00767 System configuration saved by user via
web from host 84.66.251.91 to
82.108.195.56:80 by user
2007-12-20 23:24:11 system notif 00009 DNS proxy was disabled on interface
tunnel.2
2007-12-20 23:23:49 system info 00767 System configuration saved by user via
web from host 84.66.251.91 to
82.108.195.56:80 by user
2007-12-20 23:23:49 system notif 00009 DNS proxy was disabled on interface
tunnel.2
2007-12-20 23:23:00 system info 00767 System configuration saved by user via
web from host 84.66.251.91 to
82.108.195.56:80 by user
2007-12-20 23:23:00 system notif 00017 VPN monitoring for VPN Vodafone VPN
has been disabled.
2007-12-20 23:23:00 system notif 00017 VPN Vodafone VPN with gateway To
Vodafone and P2 proposal
ToVodafoneFirewall has been modified
by user via web from host 84.66.251.91

ns25-> get ike cookie

Active: 0, Dead: 0, Total 0

ns25-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000022< 212.183.134.35 500 esp: des/md5 00000000 expir unlim I/I -1 0
00000022> 212.183.134.35 500 esp: des/md5 00000000 expir unlim I/I -1 0

 
OK, I'm guessing we don't have access to the remote Firewall, yes? Typically, the most helpful Phase 1 messages are logged on the responding Firewall. Since we are initiating the tunnel, we need to get creative.

Can you send me the address objects used in the old config and the new config? Also, did you add a proxy ID to the VPN? Based on the config above, it doesn't look like you did.

For example:

Old Policy Based VPN:
Trust 192.168.1.0/24, Untrust 10.10.1.0/24, service = any
Untrust 10.10.1.0/24, Trust 192.168.1.0/24, service = any

New Firewall (same as above).

Also, upload the output from:

get vpn Vodafone VPN gateway

 
Hi John,

Sadly, I don't have access to the Vodafone firewall. Change requests typically take around 7 days to complete on their end.

Doesn't look as if I've added a proxy-id. Could you advise as I'm not 100% sure what to put here:

Proxy-ID
Local IP / Netmask /
Remote IP / Netmask /
Service

The address list is as follows:

set address "Trust" "Internal Network #1" 192.168.1.0 255.255.255.0
set address "Untrust" "Vodafone Handset Range #1" 10.10.1.0 255.255.255.0
set address "Untrust" "Vodafone Handset Range #2" 10.10.2.0 255.255.255.0
set address "DMZ" "Internal Network #2" 192.168.2.0 255.255.255.0

With the below, I removed the space and it still doesn't return anything.

ns25-> get vpn VodafoneVPN gateway
^---------unknown keyword gateway

Thanks

Nick
 
Hi,

How many policy-based VPNs were configured previously? Is the remote firewall a NetScreen? The reason I ask is that not all firewalls treat the Proxy ID the same.

Try adding the following:

Proxy ID:
Local IP: 192.168.1.0
Netmask: 255.255.255.0
Remote IP: 10.10.1.0
Netmask: 255.255.255.0
Service = any

Then debug and run those commands again (w/ testing).

Rgds,

John
 
Hi John,

I'm pretty sure it's a Cisco PIX on the other end.

2007-12-21 00:17:23 info IKE<212.183.134.35> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.1.0>/<255.255.255.0>, <0>, <0>) remote ID (<10.10.1.0>/<255.255.255.0>, <0>, <0>).

ns25-> get db str
## 2007-12-21 00:22:55 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-21 00:22:55 : IKE<212.183.134.35> ****** Recv kernel msg IDX-0, TYPE-5 ******
## 2007-12-21 00:22:55 : IKE<212.183.134.35> sa orig index<0>, peer_id<1>.
## 2007-12-21 00:22:55 : IKE<212.183.134.35> isadb get entry by peer/local ip and port
## 2007-12-21 00:22:55 : IKE<212.183.134.35> create sa: 82.108.195.56->212.183.134.35
## 2007-12-21 00:22:55 : getProfileFromP1Proposal->
## 2007-12-21 00:22:55 : find profile[0]=<00000001 00000001 00000001 00000001> for p1 proposal (id 20), xauth(0)
## 2007-12-21 00:22:55 : init p1sa, pidt = 0x0
## 2007-12-21 00:22:55 : change peer identity for p1 sa, pidt = 0x0
## 2007-12-21 00:22:55 : IKE<0.0.0.0 > create peer identity 0836dc20c
## 2007-12-21 00:22:55 : peer identity 36dc20c created.
## 2007-12-21 00:22:55 : IKE<0.0.0.0 > EDIPI disabled
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Construct ISAKMP header.
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Msg header built (next payload #1)
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Construct [SA] for ISAKMP
## 2007-12-21 00:22:55 : IKE<212.183.134.35> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2007-12-21 00:22:55 : IKE<212.183.134.35> xauth attribute: disabled
## 2007-12-21 00:22:55 : IKE<212.183.134.35> lifetime/lifesize (86400/0)
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Construct NetScreen [VID]
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Construct custom [VID]
## 2007-12-21 00:22:55 : IKE<212.183.134.35 > Xmit : [SA] [VID] [VID] [VID]
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:22:55 : IKE<212.183.134.35> Phase 2 task added
## 2007-12-21 00:22:56 : IKE<212.183.134.35> nhtb_list_update_status: vpn VodafoneVPN
## 2007-12-21 00:22:56 : IKE<212.183.134.35> ** link ready return 8
## 2007-12-21 00:22:56 : IKE<212.183.134.35> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8
## 2007-12-21 00:23:00 : IKE<212.183.134.35> re-trans timer expired, msg retry (0) (0001/0)
## 2007-12-21 00:23:00 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:00 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:04 : IKE<212.183.134.35> re-trans timer expired, msg retry (1) (0001/0)
## 2007-12-21 00:23:04 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:04 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:08 : IKE<212.183.134.35> re-trans timer expired, msg retry (2) (0001/0)
## 2007-12-21 00:23:08 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:08 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:12 : IKE<212.183.134.35> re-trans timer expired, msg retry (3) (0001/0)
## 2007-12-21 00:23:12 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:12 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:16 : IKE<212.183.134.35> re-trans timer expired, msg retry (4) (0001/0)
## 2007-12-21 00:23:16 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:16 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:20 : IKE<212.183.134.35> re-trans timer expired, msg retry (5) (0001/0)
## 2007-12-21 00:23:20 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:20 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:24 : IKE<212.183.134.35> re-trans timer expired, msg retry (6) (0001/0)
## 2007-12-21 00:23:24 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:24 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:28 : IKE<212.183.134.35> re-trans timer expired, msg retry (7) (0001/0)
## 2007-12-21 00:23:28 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:28 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:32 : IKE<212.183.134.35> re-trans timer expired, msg retry (8) (0001/0)
## 2007-12-21 00:23:32 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:32 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:36 : IKE<212.183.134.35> re-trans timer expired, msg retry (9) (0001/0)
## 2007-12-21 00:23:36 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:36 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:40 : IKE<212.183.134.35> re-trans timer expired, msg retry (10) (0001/0)
## 2007-12-21 00:23:40 : IKE<212.183.134.35> Initiator sending IPv4 IP 212.183.134.35/port 500
## 2007-12-21 00:23:40 : IKE<212.183.134.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:44 : IKE<212.183.134.35> re-trans timer expired, msg retry (11) (0001/0)
## 2007-12-21 00:23:44 : IKE<212.183.134.35> Phase 1: Retransmission limit has been reached.
## 2007-12-21 00:23:49 : reap_db. deleting p1sa 185fb94
## 2007-12-21 00:23:49 : IKE<212.183.134.35> xauth_cleanup()
## 2007-12-21 00:23:49 : IKE<212.183.134.35> Done cleaning up IKE Phase 1 SA
## 2007-12-21 00:23:49 : peer_identity_unregister_p1_sa.
## 2007-12-21 00:23:49 : IKE<0.0.0.0 > delete peer identity 0x36dc20c
## 2007-12-21 00:23:49 : peer_idt.c peer_identity_unregister_p1_sa 506: pidt deleted.
## 2007-12-21 00:23:50 : IKE<212.183.134.35> nhtb_list_update_status: vpn VodafoneVPN
## 2007-12-21 00:23:50 : IKE<212.183.134.35> ** link ready return 8
## 2007-12-21 00:23:50 : IKE<212.183.134.35> sa_link_status_for_tunl_ifp: saidx 0, preliminary status 8
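As an added illustration (not code from the thread, nor from Juniper/NetScreen), a small Python parser for the two ScreenOS line formats pasted in this thread, `debug ike detail` (`## time : IKE<peer> ...`) and `get event`. It tells apart the two failures seen here: Phase 1 retransmissions exhausted (nothing ever came back from the peer, which is what John read from the retry lines) and the Phase 2 "No policy exists for the proxy ID received" event, and it flags the DES/MD5/group 1 proposal as weak. The sample lines are constructed with a documentation peer address; `diagnose`, `weak_algorithms` and the regexes are my own names, not ScreenOS tooling.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input (not copied from any device), modelled on the ScreenOS
# 'debug ike detail' and 'get event' line formats; 203.0.113.35 is a documentation address.
SAMPLE_P1_NO_RESPONSE = """\
## 2007-12-21 00:22:55 : IKE<203.0.113.35> Construct [SA] for ISAKMP
## 2007-12-21 00:22:55 : IKE<203.0.113.35> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(1)
## 2007-12-21 00:22:55 : IKE<203.0.113.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:00 : IKE<203.0.113.35> re-trans timer expired, msg retry (0) (0001/0)
## 2007-12-21 00:23:00 : IKE<203.0.113.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:04 : IKE<203.0.113.35> re-trans timer expired, msg retry (1) (0001/0)
## 2007-12-21 00:23:04 : IKE<203.0.113.35> Send Phase 1 packet (len=160)
## 2007-12-21 00:23:44 : IKE<203.0.113.35> Phase 1: Retransmission limit has been reached.
## 2007-12-21 00:23:49 : IKE<203.0.113.35> Done cleaning up IKE Phase 1 SA
"""

SAMPLE_P2_PROXY_ID = (
    "2007-12-21 00:17:23 info IKE<203.0.113.35> Phase 2: No policy exists for the proxy ID "
    "received: local ID (<192.168.1.0>/<255.255.255.0>, <0>, <0>) "
    "remote ID (<10.10.1.0>/<255.255.255.0>, <0>, <0>).\n"
)

# One IKE line in either format: optional '## ' prefix, timestamp, anything up to IKE<peer>, message.
LINE_RE = re.compile(r"^(?:##\s+)?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?IKE<\s*([\d.]+)\s*>\s*(.*)$")
RETRY_RE = re.compile(r"msg retry \((\d+)\)")
PROPOSAL_RE = re.compile(r"auth\(\d+\)<(\w+)>, encr\(\d+\)<(\w+)>, hash\(\d+\)<(\w+)>, group\((\d+)\)")
PROXY_RE = re.compile(
    r"local ID \(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\) "
    r"remote ID \(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\)"
)


def parse_ike_lines(text: str) -> List[Dict[str, str]]:
    """Return the IKE lines of a debug or event dump as dicts; other lines are skipped."""
    lines = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            lines.append({"time": m.group(1), "peer": m.group(2), "msg": m.group(3)})
    return lines


def diagnose(text: str) -> Dict[str, object]:
    """Say where an IKE negotiation stalled, judged from the initiator's own log lines."""
    lines = parse_ike_lines(text)
    stage, reason = "none", "no IKE failure seen"
    p1_sends, max_retry = 0, None
    proposal: Optional[Dict[str, object]] = None
    proxy_id: Optional[Dict[str, object]] = None
    for ln in lines:
        msg = ln["msg"]
        if msg.startswith("Send Phase 1 packet"):
            p1_sends += 1
        m = RETRY_RE.search(msg)
        if m:
            max_retry = max(int(m.group(1)), -1 if max_retry is None else max_retry)
        m = PROPOSAL_RE.search(msg)
        if m:
            proposal = {"auth": m.group(1), "encr": m.group(2), "hash": m.group(3), "group": int(m.group(4))}
        if "Phase 1: Retransmission limit has been reached" in msg:
            # Every retransmission went unanswered: the peer sent nothing back, so the cause is
            # reachability or the responder's configuration, not anything in Phase 2.
            stage, reason = "phase1", "retransmission limit reached; peer never replied"
        m = PROXY_RE.search(msg)
        if m and "No policy exists for the proxy ID" in msg:
            # Phase 1 completed and the peer offered traffic selectors this box has no policy for.
            stage, reason = "phase2", "proxy ID received matches no local policy"
            proxy_id = {
                "local": f"{m.group(1)}/{m.group(2)}", "local_proto": int(m.group(3)), "local_port": int(m.group(4)),
                "remote": f"{m.group(5)}/{m.group(6)}", "remote_proto": int(m.group(7)), "remote_port": int(m.group(8)),
            }
    return {
        "peer": lines[0]["peer"] if lines else None,
        "stage": stage, "reason": reason, "p1_sends": p1_sends,
        "max_retry": max_retry, "proposal": proposal, "proxy_id": proxy_id,
    }


def weak_algorithms(proposal: Optional[Dict[str, object]]) -> List[str]:
    """Flag Phase 1 parameters no longer considered adequate (DES/3DES, MD5, DH groups 1-2)."""
    if not proposal:
        return []
    weak = []
    if proposal["encr"] in ("DES", "3DES"):
        weak.append(str(proposal["encr"]))
    if proposal["hash"] == "MD5":
        weak.append("MD5")
    if int(proposal["group"]) <= 2:
        weak.append(f"group {proposal['group']}")
    return weak


if __name__ == "__main__":
    for sample in (SAMPLE_P1_NO_RESPONSE, SAMPLE_P2_PROXY_ID):
        r = diagnose(sample)
        print(f"{r['peer']}: {r['stage']} - {r['reason']}", weak_algorithms(r["proposal"]))
```

Feed it the raw `get db str` output; the `Phase 1: Retransmission limit` verdict is only meaningful when the debug was captured on the initiating box, since the responder's side of a Phase 1 failure is logged on the responder.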
 
Do you have your previous config? I would like to take a look at the VPNs and Policies. Let me know.
 
Here it is:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set vrouter name "VR-NEW" id 1025
unset vrouter "VR-NEW" nsrp-config-sync
set vrouter "VR-NEW"
unset auto-route-export
exit
set service "RTP_XLITE" protocol udp src-port 8000-8001 dst-port 1-65535
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "user"
set admin password
set admin mail alert
set admin mail server-name "192.168.1.10"
set admin mail mail-addr1 "nick@growsales.co.uk"
set admin mail mail-addr2 "david@growsales.co.uk"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "VPN Zone"
set zone "VPN Zone" vrouter "untrust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "VPN Zone" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen syn-flood
set zone "Trust" screen ip-spoofing
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen component-block zip
set zone "Trust" screen component-block jar
set zone "Trust" screen component-block exe
set zone "Trust" screen component-block activex
set zone "Trust" screen icmp-id
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "VPN Zone"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet2 ip 192.168.2.1/24
set interface ethernet2 nat
set interface ethernet3 ip 82.xxx.xxx.56/27
set interface ethernet3 nat
set interface tunnel.1 ip unnumbered interface ethernet3
set interface ethernet3 gateway 82.xxx.xxx.33
set interface ethernet3 mtu 1500
set interface tunnel.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet1 manage mtrace
set interface ethernet2 manage ssh
set interface ethernet2 manage telnet
set interface ethernet2 manage snmp
set interface ethernet2 manage web
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage web
set interface vlan1 manage mtrace
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server enable
set interface ethernet1 dhcp server option gateway 192.168.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option dns1 192.168.2.10
set interface ethernet1 dhcp server ip 192.168.1.100 to 192.168.1.150
set interface "ethernet3" mip 82.xxx.xxx.43 host 192.168.2.30 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.42 host 192.168.2.11 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.60 host 192.168.2.31 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.41 host 192.168.2.20 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.44 host 192.168.2.12 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.40 host 192.168.2.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.37 host 192.168.2.99 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.38 host 192.168.2.150 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.39 host 192.168.1.201 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 82.xxx.xxx.45 host 10.10.1.11 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns25
set pki authority default scep mode "auto"
set dns host dns1 212.135.1.36
set dns host dns2 195.40.1.36
set address "Trust" "Internal Network #1" 192.168.1.0 255.255.255.0
set address "Untrust" "Grow Sales" growsales.co.uk
set address "Untrust" "Vodafone Handset Range #1" 10.10.1.0 255.255.255.0
set address "Untrust" "Vodafone Handset Range #2" 10.10.2.0 255.255.255.0
set address "Global" "Fasthosts Server" 88.208.232.211 255.255.255.255
set address "DMZ" "Internal Network #2" 192.168.2.0 255.255.255.0
set user "nick" uid 1
set user "nick" ike-id fqdn "nick" share-limit 1
set user "nick" type ike
set user "nick" "enable"
set ike p1-proposal "ToVodafoneFirewall" preshare group1 esp des md5 second 86400
set ike p2-proposal "ToVodafoneFirewall" group1 esp des md5 second 86400 kbyte 4194302
set ike gateway "To Vodafone" address 212.183.134.35 Main outgoing-interface "ethernet3" preshare "hqFcrzfoN=" proposal "ToVodafoneFirewall"
set ike gateway "To Vodafone" cert peer-ca all
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Vodafone VPN" gateway "To Vodafone" no-replay tunnel idletime 0 proposal "ToVodafoneFirewall"
set vpn "Vodafone VPN" monitor
set vpn-group id 1
set url protocol type sc-cpa
set url type netscreen
set url fail-mode permit
set url protocol sc-cpa
exit
set policy id 37 from "Untrust" to "DMZ" "Vodafone Handset Range #1" "Internal Network #2" "ANY" tunnel vpn "Vodafone VPN" id 24 pair-policy 38
set policy id 37
exit
set policy id 39 from "Untrust" to "DMZ" "Vodafone Handset Range #2" "Internal Network #2" "ANY" tunnel vpn "Vodafone VPN" id 21 pair-policy 40
set policy id 39
exit
set policy id 21 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.40)" "ANY" permit url-filter
set policy id 21
exit
set policy id 34 from "Trust" to "Untrust" "Internal Network #1" "Vodafone Handset Range #1" "ANY" tunnel vpn "Vodafone VPN" id 15 pair-policy 35
set policy id 34
exit
set policy id 32 from "Trust" to "Untrust" "Internal Network #1" "Vodafone Handset Range #2" "ANY" tunnel vpn "Vodafone VPN" id 14 pair-policy 33
set policy id 32
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit url-filter
set policy id 1
exit
set policy id 3 from "DMZ" to "Trust" "Any" "Any" "ANY" permit url-filter
set policy id 3
exit
set policy id 4 from "Trust" to "DMZ" "Any" "Any" "ANY" permit url-filter
set policy id 4
exit
set policy id 38 from "DMZ" to "Untrust" "Internal Network #2" "Vodafone Handset Range #1" "ANY" tunnel vpn "Vodafone VPN" id 24 pair-policy 37
set policy id 38
exit
set policy id 40 from "DMZ" to "Untrust" "Internal Network #2" "Vodafone Handset Range #2" "ANY" tunnel vpn "Vodafone VPN" id 21 pair-policy 39
set policy id 40
exit
set policy id 7 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit url-filter
set policy id 7
exit
set policy id 8 name "External to MHE03" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.43)" "ANY" permit
set policy id 8
exit
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.42)" "ANY" permit
set policy id 10
exit
set policy id 12 name "MHE03 31" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.60)" "ANY" permit
set policy id 12
exit
set policy id 13 name "MHE02 40" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.41)" "ANY" permit
set policy id 13
exit
set policy id 16 name "MHE01 12" from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.44)" "ANY" permit
set policy id 16
exit
set policy id 17 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.37)" "ANY" permit
set policy id 17
exit
set policy id 35 from "Untrust" to "Trust" "Vodafone Handset Range #1" "Internal Network #1" "ANY" tunnel vpn "Vodafone VPN" id 15 pair-policy 34
set policy id 35
exit
set policy id 33 from "Untrust" to "Trust" "Vodafone Handset Range #2" "Internal Network #1" "ANY" tunnel vpn "Vodafone VPN" id 14 pair-policy 32
set policy id 33
exit
set policy id 22 from "Untrust" to "Trust" "Any" "Any" "ANY" permit url-filter
set policy id 22
exit
set policy id 36 from "Untrust" to "DMZ" "Any" "MIP(82.xxx.xxx.38)" "ANY" permit
set policy id 36
exit
set policy id 41 from "Untrust" to "Trust" "Any" "MIP(82.xxx.xxx.39)" "ANY" permit
set policy id 41
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ssl port 4443
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "VR-NEW"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vrouter "VR-NEW"
exit
 
Hello Nick,

Based on what I can see, your old config had eight VPN Rules. I would try to delete the proxy ID and add the rules to match your old config. This should help complete the SA. I would start with the Trust to VPN if you are testing from 192.168.1.0/24. When you are done, run some more tests and debug. Please include the new policies and don't forget to remove and disable the Proxy ID.

Rgds,

John
 
Great stuff, trying to add the rules now...

When I try to add 'Trust to VPN', there's no tunnel interface available in the 'Tunnel' dropdown list.

Nick
 
Hello Nick,

In a route-based VPN, you create standard rules (e.g. permit), not "tunnel". Pretend that you are not creating rules that handle VPN traffic. Keep me posted.

Rgds,

John
 
Thanks John,

One last one ...

Should 'Vodafone Handset Range #1' 10.10.1.0/24 be in VPN Group rather than Untrust?
 