9 Replies Latest reply on Apr 30, 2010 11:04 AM by sliedl

    VPN sidewinder.

      Hello, I'm configuring a VPN using a pre-shared key on the Sidewinder with the following configuration.

      Phase 1 - IKE

      Encryption: AES-128

      Hash: sha1

      PRF Algorithms: sha1

      Key exchange Groups: Group 5

      enable nat-traversal

      enable initial contact

      hard-limits: 3600 (sec) 0(kb)

      soft percentage: 85

      rekey

      hard lifetime: 700(sec) 0(kb)

       

      Phase 2 - ipsec

       

      Encryption: AES-128

      Hash: sha1

       

      Remote authentication

      method: password

      remote identity: dominio.com

       

      Settings for the Shrew VPN client.

       

      Local identity:

           fully qualified domain name

           value: dominio.com

       

      Remote identity:

           fully qualified domain name

           value: dominio.com

       

      Pre-shared key: mcafee123

       

      The other IKE and IPsec settings are the same as on the Sidewinder.

       

      I am using the Shrew VPN client. When I try to close the VPN, the showaudit command shows me the following logs.

       

      Apr 27 10:39:07 2010 AMT  f_isakmp_daemon a_vpn t_error p_major
      pid: 2002 ruid: 0 euid: 0 pgid: 2002 logid: 0 cmd: 'ikmpd'
      domain: ikpd edomain: ikpd hostname: fw.dominio.com vpn_name: !DYNAMIC!
      cky_i: c5c6680340139f67 cky_r: 5216b3c3685c5e5e local_gw: 200.200.200.200
      remote_gw: 100.100.100.100 remote_id: dominio.com
      information: ...(cont)...
          [local identity]
            IPV4_ADDR-200.200.200.200
          [remote identity]
            FQDN-dominio.com
          vendor ids: SIDEWINDER|NATT_RFC|NATT_DRAFT3|NATT_DRAFT2A

      Apr 27 10:39:07 2010 AMT  f_isakmp_daemon a_vpn t_debug p_major
      pid: 2002 ruid: 0 euid: 0 pgid: 2002 logid: 0 cmd: 'ikmpd'
      domain: ikpd edomain: ikpd hostname: fw.dominio.com vpn_name: !DYNAMIC!
      cky_i: c5c6680340139f67 cky_r: 5216b3c3685c5e5e msg_id: ee3c41a3
      local_gw: 200.200.200.200 remote_gw: 100.100.100.100
      information: [outbound packet]
        [NONE]
          CKY_I: |c5c6680340139f67|, CKY_R: |5216b3c3685c5e5e|,
          exch: INFORMATIONAL(5), mess_id: 0xee3c41a3
        [DELETE]
          protocol: IKE
          spi(16): |c5c6680340139f675216b3c3685c5e5e|
        [NOTIFY]
          protocol: IKE, type: INVALID_ID_INFO(18)

      Any idea?

       

      Regards

      Message was edited by: Ricardo Barbosa on 4/27/10 10:26:05 AM CDT
        • 1. Re: VPN sidewinder.
          oreeh

          The Sidewinder is using the IP 200.200.200.200 as the identity and not the FQDN.

          Either change the client or the firewall settings.

          • 2. Re: VPN sidewinder.

            Hi, I changed the value of local authentication to "IP Address" and, for the remote authentication on the remote identities, left the domain name and the IP address as 100.100.100.100. It still did not work. Any idea where it would be wrong?

             

            Regards.

            • 3. Re: VPN sidewinder.
              oreeh

              Increase the audit level (cf ikmpd set audit=verbose) then check the audit stream for errors (if in doubt post it).

              Don't forget to reduce the audit level afterwards (audit=normal).

              • 4. Re: VPN sidewinder.

                Hello, oreeh. I configured the audit as requested and collected the following logs.

                 


                Apr 28 11:44:15 2010 AMT  f_isakmp_daemon a_vpn t_error p_major
                pid: 2002 ruid: 0 euid: 0 pgid: 2002 logid: 0 cmd: 'ikmpd'
                domain: ikpd edomain: ikpd hostname: fw2.dominio.com vpn_name: !DYNAMIC!
                cky_i: d54ba82941dc4163 cky_r: 7ac78787bda35767 local_gw: 200.200.200.200
                remote_gw: 100.100.100.100
                information: [detailed info]
                  [delete]
                    protocol: IKE
                    spi(16): |d54ba82941dc41637ac78787bda35767|
                  [error]
                    AGGRESSIVE_MODE exchange terminated - ACL check failed for SRC: 100.100.100.100, DST: 200.200.200.200, ACL error: Acld threw error during query request(-6)
                [AGGRESSIVE_MODE]
                  VPN: !DYNAMIC!, CKY_I: |d54ba82941dc4163|, CKY_R: |7ac78787bda35767|
                  [state info]
                    init/resp: RESPONDER, condition: DYING
                  [retry info]
                    counter: 0, num_trans: 0, total_time: 0, total_deviation: 0,
                    timestamp_out: 0, timestamp_in: 1272469455
                  [local gateway] IPV4_ADDR-200.200.200.200:500
                  [remote gateway] IPV4_ADDR-100.100.100.100:500
                  [exchange policy]
                    exchange: AGGRESSIVE_MODE, protocol: IKE,
                    options: [DYNAMIC|FORCED_REKEY|LEASED_IP|INITIAL_CONTACT|NAT_T],
                    version: 1, local authentication: RSA_SIG_I_XAUTH|RSA_SIG_R_XAUTH,
                    remote authentication: RSA_SIG_I_XAUTH|RSA_SIG_R_XAUTH,
                    encryption: DES|3DES|AES:128|AES:256, integ: MD5|SHA1, DH group: 1|2|5
                  [IKE info]
                    allocations: 0
                    [local identity]
                      IPV4_ADDR-200.200.200.200

                Where:

                 

                server: 200.200.200.200

                client: 100.100.100.100

                 

                I noticed that there is an error in the access list that matches the traffic to be encrypted. Where can I set this ACL?
                I still do not understand how the local and remote identities work.

                 

                Regards.

                Message was edited by: Ricardo Barbosa on 4/28/10 10:55:21 AM CDT
                • 5. Re: VPN sidewinder.
                  oreeh

                  Your firewall is missing the isakmp allow rule.

                   

                  Source: external burb

                  Source IP: any

                  Destination: external burb

                  Dest IP: any

                  Service: isakmp

                  • 6. Re: VPN sidewinder.

                    Hi oreeh.

                     

                    I created the following, more generic rule.

                     

                    Source: <any>

                    Source IP: any

                    Destination: <any>

                    Dest IP: any

                    Service: isakmp

                     

                    It does not work.

                     


                    Regards.

                    • 7. Re: VPN sidewinder.
                      oreeh

                      Any new errors in the audit?

                      • 8. Re: VPN sidewinder.

                        Hi Oreeh,

                         

                        I reconfigured the VPN definition and it worked, but when I use IKE version 1 with main mode it does not work and generates the following error:

                         

                          [error]
                            MAIN_MODE exchange processing failed
                          [error]
                            Received exchange type (MAIN_MODE) not supported by policy, packet dropped

                         

                        Any idea?

                         

                        Regards

                        • 9. Re: VPN sidewinder.
                          sliedl

                          Ricardo:  do you already have this ticket, 3-866796437, open with Tech Support about this issue?  I am working on that ticket.

                           

                          If you are trying to do a client to gateway VPN, the Sidewinder does not support Main Mode, it only supports Aggressive Mode (for client to gateway VPNs).
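The three failures in this thread (the identity type mismatch that went with the INVALID_ID_INFO notify, the ACL check failure before the isakmp allow rule existed, and the MAIN_MODE exchange that the policy does not permit) all appear in ikmpd audit records of the same shape. As an added example that is not part of the thread or of McAfee's software, here is a Python parser for those records that classifies each one and compares the Shrew client's Phase 1 proposal against the gateway's [exchange policy] lines. The sample audit text is constructed from the excerpts posted above (the last record's header line is invented, since that post quoted only the [error] sections); the finding strings, the `CLIENT_PROPOSAL` spelling and the function names are this example's own assumptions.

```python
"""Classify McAfee Sidewinder ISAKMP (ikmpd) audit records by failure mode.

Added example, not code from the thread or from McAfee. SAMPLE_AUDIT is
constructed from the thread's excerpts (record 4's header is invented);
field names and [section] labels are as the audit prints them, the finding
texts and the CLIENT_PROPOSAL spelling are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

SAMPLE_AUDIT = """\
Apr 27 10:39:07 2010 AMT  f_isakmp_daemon a_vpn t_error p_major
cky_i: c5c6680340139f67 cky_r: 5216b3c3685c5e5e local_gw: 200.200.200.200
remote_gw: 100.100.100.100 remote_id: dominio.com
information: ...(cont)...
    [local identity]
      IPV4_ADDR-200.200.200.200
    [remote identity]
      FQDN-dominio.com

Apr 27 10:39:07 2010 AMT  f_isakmp_daemon a_vpn t_debug p_major
information: [outbound packet]
  [NOTIFY]
    protocol: IKE, type: INVALID_ID_INFO(18)

Apr 28 11:44:15 2010 AMT  f_isakmp_daemon a_vpn t_error p_major
cky_i: d54ba82941dc4163 cky_r: 7ac78787bda35767 local_gw: 200.200.200.200
remote_gw: 100.100.100.100
information: [detailed info]
  [error]
    AGGRESSIVE_MODE exchange terminated - ACL check failed for SRC: 100.100.100.100, DST: 200.200.200.200, ACL error: Acld threw error during query request(-6)
  [exchange policy]
    exchange: AGGRESSIVE_MODE, protocol: IKE,
    encryption: DES|3DES|AES:128|AES:256, integ: MD5|SHA1, DH group: 1|2|5

Apr 30 00:00:00 2010 AMT  f_isakmp_daemon a_vpn t_error p_major
information: [detailed info]
  [error]
    MAIN_MODE exchange processing failed
  [error]
    Received exchange type (MAIN_MODE) not supported by policy, packet dropped
"""

@dataclass
class AuditRecord:
    header: str
    fields: dict = field(default_factory=dict)    # "key: value" pairs before "information:"
    sections: dict = field(default_factory=dict)  # "[label]" -> lines under it (flattened)

def parse_audit(text):
    """Split the audit stream on blank lines and parse each record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = AuditRecord(header=lines[0].strip())
        m = re.search(r"\b(t_\w+)\b", rec.header)          # t_error / t_debug
        if m:
            rec.fields["audit_type"] = m.group(1)
        current = None
        for raw in lines[1:]:
            line = raw.strip()
            if current is None:                             # still in the key/value header
                m = re.match(r"information:\s*(.*)", line)
                if not m:
                    rec.fields.update(re.findall(r"(\w+): ('[^']*'|\S+)", line))
                    continue
                current, line = "information", m.group(1)
            m = re.match(r"\[([^\]]+)\]\s*(.*)", line)      # "[label] optional text"
            if m:
                current, line = m.group(1).lower(), m.group(2)
                rec.sections.setdefault(current, [])
            if line:
                rec.sections.setdefault(current, []).append(line)
        records.append(rec)
    return records

def identity(rec, side):
    """(type, value) from "[local identity]"/"[remote identity]", e.g. ("FQDN", "dominio.com")."""
    lines = rec.sections.get(f"{side} identity")
    if not lines:
        return None
    kind, _, value = lines[0].partition("-")
    return kind, value

def exchange_policy(rec):
    """Parse "[exchange policy]" into {key: [accepted alternatives]} ('|' separates them)."""
    text = " ".join(rec.sections.get("exchange policy", []))
    return {k.strip(): v.strip().strip("[]").split("|")
            for k, v in re.findall(r"([\w ]+?): (\[[^\]]*\]|[^,]+)", text)}

# Phase 1 from the original post, written in the audit's own spelling (assumed mapping).
CLIENT_PROPOSAL = {"exchange": "AGGRESSIVE_MODE", "encryption": "AES:128",
                   "integ": "SHA1", "DH group": "5"}

def policy_gaps(policy, proposal):
    """Proposal items the gateway policy does not list (empty dict = compatible)."""
    return {k: v for k, v in proposal.items() if v not in policy.get(k, [])}

def diagnose(rec):
    """Map one record to the failure patterns seen in this thread."""
    findings = []
    local, remote = identity(rec, "local"), identity(rec, "remote")
    if local and remote and local[0] != remote[0]:
        findings.append(f"identity type mismatch: local {local[0]} vs remote {remote[0]}")
    if any("INVALID_ID_INFO" in n for n in rec.sections.get("notify", [])):
        findings.append("INVALID_ID_INFO notify in exchange")
    for err in rec.sections.get("error", []):
        m = re.search(r"ACL check failed for SRC: ([\d.]+), DST: ([\d.]+)", err)
        if m:
            findings.append(f"ACL check failed {m.group(1)} -> {m.group(2)}: no rule allows isakmp")
        m = re.search(r"Received exchange type \((\w+)\) not supported by policy", err)
        if m:
            findings.append(f"exchange {m.group(1)} not permitted by policy")
    return findings

if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_AUDIT):
        print(rec.header[:19], rec.fields.get("audit_type"), diagnose(rec) or ["no known pattern"])
```

Run against a real `showaudit` capture, the same loop turns a long audit stream into one line per record; `policy_gaps` is the quick check for the last question in the thread, since a MAIN_MODE proposal is reported as a gap against a policy whose only listed exchange is AGGRESSIVE_MODE.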