Trouble creating VPN from Firebox III/500 to Nortel Contivity 222

Hello,

I am experiencing difficulty creating a VPN between a Firebox III/500 and a Nortel Contivity 222.

IPSEC Tunnel

Phase 1 Settings:

MD5/DES
DH1

24H Key Negotiation

Phase 2 Settings

ESP/MD5/DES

24H Key Negotiation

Aggressive Mode OFF

Local Network 192.168.1.1
Remote Network 192.168.5.1

Here's a copy of the error logs from the Firebox.

10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  CRYPTO ACTIVE after delay
10/28/08 10:32  firewalld[293]:  allow out eth1 52 tcp 20 128 192.168.1.7 216.143.70.105 50528 80 syn (HTTP)
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
10/28/08 10:32  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR*  ISA_ID ISA_HASH
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 QM-HDR* -DFB775C1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/28/08 10:32  iked[315]:  Phase 1 completed as responder
10/28/08 10:32  iked[315]:  Deleting old phase 1 SA for 74.210.36.60
10/28/08 10:32  iked[315]:  Deleting SA: peer        74.210.36.60
10/28/08 10:32  iked[315]:               my_cookie   6B5A1AC0009FF6E3
10/28/08 10:32  iked[315]:               peer_cookie 2AEA9CEA84553F96
10/28/08 10:32  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/28/08 10:32  iked[315]:  Error processing (id)
10/28/08 10:32  iked[315]:  ProcessQM: ERR-3
10/28/08 10:32  iked[315]:  Quick Mode processing failed
walltechAsked:
Rick_O_ShayCommented:
In the Contivity VPN Branch Office config section is where the IPSEC settings are configured.
See attachment.
Make sure they all match what is used in the Firebox.  
contivity-200-series.doc
0
walltechAuthor Commented:
I have verified all settings match the Firebox with the Contivity, in the section you included in your screen shot.
0
walltechAuthor Commented:
Attached are my settings.
contivity-vpn.doc
0
Rick_O_ShayCommented:
It looks like you have aggressive mode off above in the original question text and on for the other side or I am misreading that.
0
Rick_O_ShayCommented:
I have only used Nortel Contivity VPNs but this is usually caused by a config or preshared key mismatch. What are the Local/Remote Addresses used on the Contivity side?  Can you get the log from the Contivity?
0
walltechAuthor Commented:
I will post the log from the Contivity later today.
0
walltechAuthor Commented:
4    10/30/2008 18:31:46    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
5    10/30/2008 18:31:46    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
6    10/30/2008 18:31:46    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
7    10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
8    10/30/2008 18:31:46    Send:[HASH][NOTFY:ERR_ID_INFO]    74.210.36.60    69.159.198.221    IKE
9    10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    74.210.36.60    69.159.198.221    IKE
10   10/30/2008 18:31:46    Rule [GEORGDOWNS] Phase 1 ID mismatch    69.159.198.221    74.210.36.60    IKE
11   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
12   10/30/2008 18:31:46    Recv:[SA][KE][NONCE][ID][HASH]    69.159.198.221    74.210.36.60    IKE
13   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
14   10/30/2008 18:31:46    Firewall default policy: UDP (W to W/Business Secure Router)    74.210.110.90:1027    255.255.255.255:5200    ACCESS BLOCK
15   10/30/2008 18:31:46    Send:[SA][KE][NONCE][ID][VID][VID]    74.210.36.60    69.159.198.221    IKE
16   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
17   10/30/2008 18:31:46    Send Aggressive Mode request to [69.159.198.221]    74.210.36.60    69.159.198.221    IKE
18   10/30/2008 18:31:46    Rule [GEORGDOWNS] Sending IKE request    74.210.36.60    69.159.198.221    IKE
19   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
0
walltechAuthor Commented:
I have also included a screenshot of the addresses as well.
contivity-vpn2.doc
0
walltechAuthor Commented:
Also, sorry AGGRESSIVE MODE is turned ON.
0
Rick_O_ShayCommented:
Try the local and remote networks on the Firebox as 192.168.1.0 and 192.168.5.0
0
Rick_O_ShayCommented:
Same thing in the Contivity for the local and remote networks. Local 192.168.5.0 and remote 192.168.1.0
0
walltechAuthor Commented:
Ok, I have configured the local/remote networks on the Firebox and Contivity exactly the same. Also, while watching the logs on the Contivity, I see this:

61   10/31/2008 11:24:16    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
62   10/31/2008 11:24:16    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
63   10/31/2008 11:24:16    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
0
walltechAuthor Commented:
Sorry... disregard that last post, here is the entire section of the log:

10   10/31/2008 11:26:16    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
11   10/31/2008 11:26:16    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
12   10/31/2008 11:26:16    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
13   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
14   10/31/2008 11:26:16    Send:[HASH][NOTFY:ERR_ID_INFO]    74.210.36.60    69.159.198.221    IKE
15   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    74.210.36.60    69.159.198.221    IKE
16   10/31/2008 11:26:16    Rule [GEORGDOWNS] Phase 1 ID mismatch    69.159.198.221    74.210.36.60    IKE
17   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
18   10/31/2008 11:26:16    Recv:[SA][KE][NONCE][ID][HASH][VID]EA20989C    69.159.198.221    74.210.36.60    IKE
19   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
20   10/31/2008 11:26:16    Send:[SA][KE][NONCE][ID][VID][VID][00000000    74.210.36.60    69.159.198.221    IKE
21   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
22   10/31/2008 11:26:16    Send Aggressive Mode request to [69.159.198.221]    74.210.36.60    69.159.198.221    IKE
23   10/31/2008 11:26:16    Rule [GEORGDOWNS] Sending IKE request    74.210.36.60    69.159.198.221    IKE
24   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
0
Rick_O_ShayCommented:
Not exactly the same but reversed right? What is local at one end is remote for the other end correct?
0
walltechAuthor Commented:
Yes, sorry! It was early in the morning when I wrote that.
0
Rick_O_ShayCommented:
The log is still showing a mismatch between the 2 VPNs.
0
walltechAuthor Commented:
Yes... a content mismatch, not IP Address Range.
0
Rick_O_ShayCommented:
I'm not being much help here, am I? Sorry about that.
Can you try setting perfect forward secrecy to none on both VPNs?
0
walltechAuthor Commented:
I have turned off forward perfect secrecy on both ends.
0
walltechAuthor Commented:
I have the content IDs matching now. The logs on the Contivity indicate phase 1 of the negotiation is completing. The failure appears to be occurring in phase 2.
0
walltechAuthor Commented:
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID
10/31/08 15:19  iked[315]:  TO    74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH
10/31/08 15:19  iked[315]:  CRYPTO ACTIVE after delay
10/31/08 15:19  firewalld[293]:  allow out eth1 44 tcp 20 60 192.168.1.248 204.141.57.102 3606 80 syn (HTTP)
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR*  ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/31/08 15:19  iked[315]:  Deleting old phase 1 SA for GEORGDOWNS.DYNDNS.ORG
10/31/08 15:19  iked[315]:  Deleting SA: peer        74.210.36.60
10/31/08 15:19  iked[315]:               my_cookie   216F483EDA49F94E
10/31/08 15:19  iked[315]:               peer_cookie 990A111F6A337598
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  GEORGDOWNS unbound
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Sending INITIAL_CONTACT message
10/31/08 15:19  iked[315]:  TO    74.210.36.60 IF-HDR* -A16CA6B9 ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Ending phase1 as RESPONDER
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 QM-HDR* -D533455C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/31/08 15:19  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/31/08 15:19  iked[315]:  Error processing (id)
10/31/08 15:19  iked[315]:  ProcessQM: ERR-3
10/31/08 15:19  iked[315]:  Quick Mode processing failed
0
Rick_O_ShayCommented:
Is the peer ID type on the Contivity set to IP?
0
walltechAuthor Commented:
I have attached a screenshot showing the ID types.
contivity-vpn3.doc
0
Rick_O_ShayCommented:
Your preshared key needs to be minimum 8 characters and match the other VPN's key.
0
walltechAuthor Commented:
I blanked the pre-shared key out as I didn't want to reveal sensitive data.
0
Rick_O_ShayCommented:
Is the remote ID type on the Firebox set to DNS and using the DNS name that is the local ID in the Contivity?
0
walltechAuthor Commented:
I have attempted using the DNS names on both the Contivity and Firebox with no success. I have set both back to IP addresses for now.
0
Rick_O_ShayCommented:
Can you confirm that the local and remote address type is set to subnet?
0
walltechAuthor Commented:
I have changed the remote to subnet, under the IP policy but the local address type remains greyed out.
0
Rick_O_ShayCommented:
I saw a note in the documentation warning about not using the 192.168.1.0 network for the peer site.
Is it possible the Contivity is not liking that?
0
walltechAuthor Commented:
I had to disable the private IP range, as well as enable aggressive mode on both ends and use the IP/Subnet for the local and remote IP policy.
0
Rick_O_ShayCommented:
Did that get you any further toward getting the tunnel to come up correctly?
0
walltechAuthor Commented:
Yes, the tunnel is now 100% operational :)
0
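A pre-flight check that compares two site-to-site IKEv1 policies for the mismatches this thread ran into (mode and PFS disagreement, host addresses instead of subnets, selectors that are not mirrored). This is an added example, not code from the thread or from WatchGuard or Nortel; the dict field names and the two sample policy pairs are constructed, with the "before" pair modelled on the settings quoted in the question and the "after" pair on the fixes the poster listed.

```python
from ipaddress import ip_network

# Constructed sample policies, not taken from the poster's attachments.
FIREBOX_BEFORE = {
    "name": "Firebox", "aggressive": False, "pfs": True, "id_type": "ip",
    "addr_type": "subnet", "local_net": "192.168.1.1", "remote_net": "192.168.5.1",
    "psk": "constructed-psk",
}
CONTIVITY_BEFORE = {
    "name": "Contivity", "aggressive": True, "pfs": True, "id_type": "ip",
    "addr_type": "range", "local_net": "192.168.5.0/24", "remote_net": "192.168.1.0/24",
    "psk": "constructed-psk",
}

def _net(text):
    """Parse an address; a bare host such as 192.168.1.1 becomes a /32."""
    return ip_network(text, strict=False)

def check_peer_policies(a, b):
    """Return mismatch findings for two peer policy dicts (empty list = consistent)."""
    findings = []
    # Phase 1: mode, PFS, ID type and pre-shared key must agree on both ends.
    for key in ("aggressive", "pfs", "id_type"):
        if a[key] != b[key]:
            findings.append(f"phase1: {key} differs ({a[key]} vs {b[key]})")
    if a["psk"] != b["psk"]:
        findings.append("phase1: pre-shared keys differ")
    elif len(a["psk"]) < 8:  # minimum length quoted in the thread for the Contivity
        findings.append("phase1: pre-shared key shorter than 8 characters")
    # Phase 2: each side needs subnet selectors, not a single host or an address range
    # (the Firebox log rejected ID_IPV4_ADDR_RANGE in Quick Mode).
    for p in (a, b):
        if p["addr_type"] != "subnet":
            findings.append(f"phase2: {p['name']} address type is {p['addr_type']}, not subnet")
        for side in ("local_net", "remote_net"):
            if _net(p[side]).prefixlen == 32:
                findings.append(f"phase2: {p['name']} {side} {p[side]} is a single host")
        if _net(p["local_net"]).overlaps(_net(p["remote_net"])):
            findings.append(f"phase2: {p['name']} local and remote networks overlap")
    # Selectors must be mirrored: A's local network is B's remote network and vice versa.
    for mine, theirs in (("local_net", "remote_net"), ("remote_net", "local_net")):
        if _net(a[mine]) != _net(b[theirs]):
            findings.append(f"phase2: {a['name']} {mine} {a[mine]} != {b['name']} {theirs} {b[theirs]}")
    return findings

def fixed_pair():
    """The pair after the thread's fixes: aggressive on, PFS off, mirrored /24 subnets."""
    fb = dict(FIREBOX_BEFORE, aggressive=True, pfs=False,
              local_net="192.168.1.0/24", remote_net="192.168.5.0/24")
    ct = dict(CONTIVITY_BEFORE, pfs=False, addr_type="subnet")
    return fb, ct

if __name__ == "__main__":
    for label, pair in (("before", (FIREBOX_BEFORE, CONTIVITY_BEFORE)), ("after", fixed_pair())):
        print(label, check_peer_policies(*pair) or ["consistent"])
```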
Rick_O_ShayCommented:
Great.
0