Solved: Trouble creating VPN from Firebox III/500 to Nortel Contivity 222

Posted on 2008-10-28
1,077 Views
Last Modified: 2012-05-05

Hello,

I am experiencing difficulty creating a VPN between a Firebox III/500 and a Nortel Contivity 222.

IPSEC Tunnel

Phase 1 Settings:

MD5/DES
DH1

24H Key Negotiation

Phase 2 Settings

ESP/MD5/DES

24H Key Negotiation

Aggressive Mode OFF

Local Network 192.168.1.1
Remote Network 192.168.5.1

Here's a copy of the error logs from the Firebox.

10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  CRYPTO ACTIVE after delay
10/28/08 10:32  firewalld[293]:  allow out eth1 52 tcp 20 128 192.168.1.7 216.143.70.105 50528 80 syn (HTTP)
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
10/28/08 10:32  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR*  ISA_ID ISA_HASH
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 QM-HDR* -DFB775C1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/28/08 10:32  iked[315]:  Phase 1 completed as responder
10/28/08 10:32  iked[315]:  Deleting old phase 1 SA for 74.210.36.60
10/28/08 10:32  iked[315]:  Deleting SA: peer        74.210.36.60
10/28/08 10:32  iked[315]:               my_cookie   6B5A1AC0009FF6E3
10/28/08 10:32  iked[315]:               peer_cookie 2AEA9CEA84553F96
10/28/08 10:32  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/28/08 10:32  iked[315]:  Error processing (id)
10/28/08 10:32  iked[315]:  ProcessQM: ERR-3
10/28/08 10:32  iked[315]:  Quick Mode processing failed
Question by: walltech

34 Comments

LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22830309
In the Contivity VPN Branch Office config section is where the IPSEC settings are configured.
See attachment.
Make sure they all match what is used in the Firebox.  
contivity-200-series.doc
 

Author Comment

by:walltech
ID: 22830418
I have verified all settings match the Firebox with the Contivity, in the section you included in your screenshot.
 

Author Comment

by:walltech
ID: 22830431
Attached are my settings.
contivity-vpn.doc
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22836073
It looks like you have aggressive mode off above in the original question text and on for the other side, or I am misreading that.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22840040
I have only used Nortel Contivity VPNs but this is usually caused by a config or preshared key mismatch. What are the Local/Remote Addresses used on the Contivity side?  Can you get the log from the Contivity?
 

Author Comment

by:walltech
ID: 22840298
I will post the log from the Contivity later today.
 

Author Comment

by:walltech
ID: 22843929
4    10/30/2008 18:31:46    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
5    10/30/2008 18:31:46    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
6    10/30/2008 18:31:46    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
7    10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
8    10/30/2008 18:31:46    Send:[HASH][NOTFY:ERR_ID_INFO]    74.210.36.60    69.159.198.221    IKE
9    10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    74.210.36.60    69.159.198.221    IKE
10   10/30/2008 18:31:46    Rule [GEORGDOWNS] Phase 1 ID mismatch    69.159.198.221    74.210.36.60    IKE
11   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
12   10/30/2008 18:31:46    Recv:[SA][KE][NONCE][ID][HASH]    69.159.198.221    74.210.36.60    IKE
13   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3    69.159.198.221    74.210.36.60    IKE
14   10/30/2008 18:31:46    Firewall default policy: UDP (W to W/Business Secure Router)    74.210.110.90:1027    255.255.255.255:5200    ACCESS BLOCK
15   10/30/2008 18:31:46    Send:[SA][KE][NONCE][ID][VID][VID]    74.210.36.60    69.159.198.221    IKE
16   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
17   10/30/2008 18:31:46    Send Aggressive Mode request to [69.159.198.221]    74.210.36.60    69.159.198.221    IKE
18   10/30/2008 18:31:46    Rule [GEORGDOWNS] Sending IKE request    74.210.36.60    69.159.198.221    IKE
19   10/30/2008 18:31:46    The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
 

Author Comment

by:walltech
ID: 22845183
I have also included a screenshot of the addresses as well.
contivity-vpn2.doc
 

Author Comment

by:walltech
ID: 22845203
Also, sorry AGGRESSIVE MODE is turned ON.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22846299
Try the local and remote networks on the Firebox as 192.168.1.0 and 192.168.5.0
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22846351
Same thing in the Contivity for the local and remote networks. Local 192.168.5.0 and remote 192.168.1.0
 

Author Comment

by:walltech
ID: 22849042
Ok, I have configured the local/remote networks on the firebox and contivity exactly the same. Also, while watching the logs on the contivity, I see this:

61   10/31/2008 11:24:16    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
62   10/31/2008 11:24:16    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
63   10/31/2008 11:24:16    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
 

Author Comment

by:walltech
ID: 22849050
Sorry... disregard that last post, here is the entire section of the log:

10   10/31/2008 11:26:16    Configured Peer ID Content: [ 74.210.36.60]    69.159.198.221    74.210.36.60    IKE
11   10/31/2008 11:26:16    Incoming ID Content: [ 69.159.198.221 ]    69.159.198.221    74.210.36.60    IKE
12   10/31/2008 11:26:16    Rule [GEORGDOWNS] ID content mismatch    69.159.198.221    74.210.36.60    IKE
13   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
14   10/31/2008 11:26:16    Send:[HASH][NOTFY:ERR_ID_INFO]    74.210.36.60    69.159.198.221    IKE
15   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    74.210.36.60    69.159.198.221    IKE
16   10/31/2008 11:26:16    Rule [GEORGDOWNS] Phase 1 ID mismatch    69.159.198.221    74.210.36.60    IKE
17   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
18   10/31/2008 11:26:16    Recv:[SA][KE][NONCE][ID][HASH][VID]EA20989C    69.159.198.221    74.210.36.60    IKE
19   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C    69.159.198.221    74.210.36.60    IKE
20   10/31/2008 11:26:16    Send:[SA][KE][NONCE][ID][VID][VID][00000000    74.210.36.60    69.159.198.221    IKE
21   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
22   10/31/2008 11:26:16    Send Aggressive Mode request to [69.159.198.221]    74.210.36.60    69.159.198.221    IKE
23   10/31/2008 11:26:16    Rule [GEORGDOWNS] Sending IKE request    74.210.36.60    69.159.198.221    IKE
24   10/31/2008 11:26:16    The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000    74.210.36.60    69.159.198.221    IKE
 
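The two logs posted so far already place the failure. In the Contivity rows, "Configured Peer ID Content" is 74.210.36.60, which is also the source address of the Contivity's own "Send" rows, while "Incoming ID Content" is 69.159.198.221, the Firebox; and in the Firebox iked log from the question, Phase 1 completes and Quick Mode fails on "Unknown ID type: ID_IPV4_ADDR_RANGE". The script below is an added example, not part of the thread, that parses both logs and reports those findings. The sample rows are copied from the posts above; the tab-separated column order for the Contivity viewer (row, time, message, source, destination, category) and all function names are my assumptions.

```python
"""Triage of the IKEv1 logs posted in this thread.

Added example, not part of the original thread. Sample rows are copied
from the Contivity log and the Firebox iked log above; the tab-separated
column order (row, time, message, source, destination, category) is an
assumption about how the Contivity viewer laid them out.
"""
import re

# Contivity Branch Office IKE log as posted: newest row first.
CONTIVITY_LOG = """\
4\t10/30/2008 18:31:46\tConfigured Peer ID Content: [ 74.210.36.60]\t69.159.198.221\t74.210.36.60\tIKE
5\t10/30/2008 18:31:46\tIncoming ID Content: [ 69.159.198.221 ]\t69.159.198.221\t74.210.36.60\tIKE
6\t10/30/2008 18:31:46\tRule [GEORGDOWNS] ID content mismatch\t69.159.198.221\t74.210.36.60\tIKE
8\t10/30/2008 18:31:46\tSend:[HASH][NOTFY:ERR_ID_INFO]\t74.210.36.60\t69.159.198.221\tIKE
10\t10/30/2008 18:31:46\tRule [GEORGDOWNS] Phase 1 ID mismatch\t69.159.198.221\t74.210.36.60\tIKE
12\t10/30/2008 18:31:46\tRecv:[SA][KE][NONCE][ID][HASH]\t69.159.198.221\t74.210.36.60\tIKE
14\t10/30/2008 18:31:46\tFirewall default policy: UDP (W to W/Business Secure Router)\t74.210.110.90:1027\t255.255.255.255:5200\tACCESS BLOCK
15\t10/30/2008 18:31:46\tSend:[SA][KE][NONCE][ID][VID][VID]\t74.210.36.60\t69.159.198.221\tIKE
17\t10/30/2008 18:31:46\tSend Aggressive Mode request to [69.159.198.221]\t74.210.36.60\t69.159.198.221\tIKE
"""

# Firebox iked log from the question; firewalld traffic lines interleave with IKE.
FIREBOX_LOG = """\
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  firewalld[293]:  allow out eth1 52 tcp 20 128 192.168.1.7 216.143.70.105 50528 80 syn (HTTP)
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
10/28/08 10:32  iked[315]:  Phase 1 completed as responder
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 QM-HDR* -DFB775C1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/28/08 10:32  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/28/08 10:32  iked[315]:  Quick Mode processing failed
"""

ID_CONTENT = re.compile(r"(Configured Peer|Incoming) ID Content: \[\s*(\S+?)\s*\]")


def parse_contivity(text):
    """Split the viewer rows into dicts and restore chronological order."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        num, ts, msg, src, dst, cat = parts
        rows.append({"row": int(num), "time": ts, "msg": msg,
                     "src": src, "dst": dst, "cat": cat})
    rows.sort(key=lambda r: r["row"], reverse=True)  # viewer lists newest first
    return rows


def phase1_id_check(rows):
    """Compare the peer ID the Contivity expects with the one the Firebox sent."""
    ike = [r for r in rows if r["cat"] == "IKE"]  # drop firewall ACCESS BLOCK rows
    # Addresses this box sends from are its own; a configured peer ID equal
    # to one of them means the Branch Office rule points at the Contivity itself.
    own = {r["src"] for r in ike if r["msg"].startswith("Send")}
    ids = {m.group(1): m.group(2) for r in ike for m in [ID_CONTENT.search(r["msg"])] if m}
    configured, incoming = ids.get("Configured Peer"), ids.get("Incoming")
    return {
        "configured_peer_id": configured,
        "incoming_peer_id": incoming,
        "phase1_id_mismatch": any("Phase 1 ID mismatch" in r["msg"] for r in ike),
        "peer_id_is_own_address": configured in own,
        "aggressive_mode": any("Aggressive Mode" in r["msg"] for r in ike),
    }


def firebox_quick_mode_check(text):
    """Locate where the Firebox side gives up: Phase 1 or Quick Mode."""
    result = {"phase1_done": False, "unknown_id_type": None, "quick_mode_failed": False}
    for line in text.splitlines():
        if "iked[" not in line:
            continue  # firewalld lines are not part of the negotiation
        if re.search(r"Phase 1 completed|Ending phase1", line):
            result["phase1_done"] = True
        m = re.search(r"Unknown ID type: (\S+)", line)
        if m:
            result["unknown_id_type"] = m.group(1)
        if "Quick Mode processing failed" in line:
            result["quick_mode_failed"] = True
    return result


def triage(contivity_text, firebox_text):
    """Plain-language findings from both peers' logs."""
    p1 = phase1_id_check(parse_contivity(contivity_text))
    p2 = firebox_quick_mode_check(firebox_text)
    findings = []
    if p1["phase1_id_mismatch"]:
        findings.append(f"Phase 1: Contivity expects peer ID {p1['configured_peer_id']} "
                        f"but received {p1['incoming_peer_id']}")
        if p1["peer_id_is_own_address"]:
            findings.append("Phase 1: configured peer ID is the Contivity's own address")
    if p2["phase1_done"] and p2["quick_mode_failed"]:
        findings.append(f"Phase 2: Firebox rejects ID payload type {p2['unknown_id_type']}")
    return findings
```

Running `triage(CONTIVITY_LOG, FIREBOX_LOG)` yields three findings: the Phase 1 ID mismatch, the fact that the configured peer ID is the Contivity's own address, and the Quick Mode rejection of ID_IPV4_ADDR_RANGE. Reading the Contivity rows bottom-up matters: the viewer lists the newest event first, so the Aggressive Mode request is the start of the exchange, not the end.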
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22851084
Not exactly the same but reversed right? What is local at one end is remote for the other end correct?
 

Author Comment

by:walltech
ID: 22851100
Yes, sorry! It was early in the morning when I wrote that.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22851618
The log is still showing a mismatch between the 2 VPNs.
 

Author Comment

by:walltech
ID: 22851643
Yes... a content mismatch, not IP Address Range.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22852630
I'm not being much help here, am I. Sorry about that.
Can you try setting perfect forward secrecy to none on both VPNs?
 

Author Comment

by:walltech
ID: 22852656
I have turned off perfect forward secrecy on both ends.
 

Author Comment

by:walltech
ID: 22852877
I have the content IDs matching now. The logs on the Contivity indicate phase 1 of the negotiation is completing. The failure appears to be occurring in phase 2.
 

Author Comment

by:walltech
ID: 22853201
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID
10/31/08 15:19  iked[315]:  TO    74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH
10/31/08 15:19  iked[315]:  CRYPTO ACTIVE after delay
10/31/08 15:19  firewalld[293]:  allow out eth1 44 tcp 20 60 192.168.1.248 204.141.57.102 3606 80 syn (HTTP)
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR*  ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/31/08 15:19  iked[315]:  Deleting old phase 1 SA for GEORGDOWNS.DYNDNS.ORG
10/31/08 15:19  iked[315]:  Deleting SA: peer        74.210.36.60
10/31/08 15:19  iked[315]:               my_cookie   216F483EDA49F94E
10/31/08 15:19  iked[315]:               peer_cookie 990A111F6A337598
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  GEORGDOWNS unbound
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Sending INITIAL_CONTACT message
10/31/08 15:19  iked[315]:  TO    74.210.36.60 IF-HDR* -A16CA6B9 ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Ending phase1 as RESPONDER
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 QM-HDR* -D533455C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/31/08 15:19  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/31/08 15:19  iked[315]:  Error processing (id)
10/31/08 15:19  iked[315]:  ProcessQM: ERR-3
10/31/08 15:19  iked[315]:  Quick Mode processing failed
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22853348
Is the peer ID type on the Contivity set to IP?
 

Author Comment

by:walltech
ID: 22853378
I have attached a screenshot showing the ID types.
contivity-vpn3.doc
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22853457
Your preshared key needs to be minimum 8 characters and match the other VPN's key.
 

Author Comment

by:walltech
ID: 22853476
I blanked the pre-shared key out as I didn't want to reveal sensitive data.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22854150
Is the remote ID type on the Firebox set to DNS and using that DNS name that is the local ID in the Contivity?
 

Author Comment

by:walltech
ID: 22867574
I have attempted using the DNS names on both the Contivity and Firebox with no success. I have set both back to IP addresses for now.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22867921
Can you confirm that the local and remote address type is set to subnet?
 

Author Comment

by:walltech
ID: 22867972
I have changed the remote to subnet under the IP policy, but the local address type remains greyed out.
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22869940
I saw a note in the documentation warning about not using the 192.168.1.0 network for the peer site.
Is it possible the Contivity is not liking that?
 

Author Comment

by:walltech
ID: 22870897
I had to disable the private IP range, as well as enable aggressive mode on both ends and use the IP/Subnet for the local and remote IP policy.
 
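The Firebox log earlier in the thread fails Quick Mode with "idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE", and the fix above was to set the Contivity IP policy to IP/Subnet. The block below is an added example, not from the thread and not WatchGuard or Nortel code: it encodes and decodes the ISAKMP Identification payload that carries that type byte (layout and type codes from RFC 2407 section 4.6.2; Quick Mode carries two of them, the ISA_ID ISA_ID pair in the Firebox log), shows the same /24 sent as a Range versus a Subnet, and converts a range to a subnet when one CIDR block covers it exactly. `firebox_style_check` is a stand-in for the Firebox's idpayload2idstruct that models only what the log shows, rejection of the range type; anything else it accepts is assumed. All function names are mine.

```python
"""ISAKMP Identification payload as exchanged in IKEv1 Quick Mode.

Added example, not part of the original thread and not WatchGuard or Nortel
code. Payload layout and ID type codes follow RFC 2407 section 4.6.2.
firebox_style_check is a stand-in for the Firebox's idpayload2idstruct: the
posted log shows it rejecting ID_IPV4_ADDR_RANGE; what else it accepts is an
assumption made here.
"""
import ipaddress
import struct

# RFC 2407 section 4.6.2.1 identification type values.
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}
ID_CODES = {name: code for code, name in ID_TYPES.items()}


def build_id_payload(id_type, data, next_payload=0, proto=0, port=0):
    """Generic header (next payload, reserved, length) then ID type, protocol, port, data."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf):
    """Decode one ID payload; an unknown type code is reported, not guessed at."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    code, proto, port = struct.unpack("!BBH", buf[4:8])
    data = buf[8:length]
    name = ID_TYPES.get(code, f"UNKNOWN({code})")
    if name in ("ID_IPV4_ADDR_SUBNET", "ID_IPV4_ADDR_RANGE"):
        if len(data) != 8:
            raise ValueError(f"{name} needs 8 bytes of data, got {len(data)}")
        sep = "/" if name == "ID_IPV4_ADDR_SUBNET" else "-"  # addr/mask vs first-last
        text = f"{ipaddress.IPv4Address(data[:4])}{sep}{ipaddress.IPv4Address(data[4:8])}"
    elif name == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise ValueError(f"{name} needs 4 bytes of data, got {len(data)}")
        text = str(ipaddress.IPv4Address(data))
    elif name in ("ID_FQDN", "ID_USER_FQDN"):
        text = data.decode("ascii")
    else:
        text = data.hex()
    return {"type": name, "proto": proto, "port": port, "text": text, "next": next_payload}


def encode_ipv4_subnet(network):
    """ID_IPV4_ADDR_SUBNET: 4-byte network address followed by 4-byte mask."""
    net = ipaddress.IPv4Network(network)
    return build_id_payload(ID_CODES["ID_IPV4_ADDR_SUBNET"],
                            net.network_address.packed + net.netmask.packed)


def encode_ipv4_range(first, last):
    """ID_IPV4_ADDR_RANGE: 4-byte first address followed by 4-byte last address."""
    return build_id_payload(ID_CODES["ID_IPV4_ADDR_RANGE"],
                            ipaddress.IPv4Address(first).packed
                            + ipaddress.IPv4Address(last).packed)


def range_to_subnet(first, last):
    """The single CIDR block covering exactly first..last, or None if there is none."""
    nets = list(ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                                  ipaddress.IPv4Address(last)))
    return nets[0] if len(nets) == 1 else None


def firebox_style_check(payload):
    """Stand-in for idpayload2idstruct (assumption: only range types are rejected)."""
    p = parse_id_payload(payload)
    if p["type"] == "ID_IPV4_ADDR_RANGE" or p["type"].startswith("UNKNOWN"):
        return f"idpayload2idstruct: Unknown ID type: {p['type']}"
    return f"accepted {p['type']} {p['text']}"
```

Encoding 192.168.5.0-192.168.5.255 gives a 16-byte payload whose type byte is 7 and which `firebox_style_check` rejects with the same text as the posted log; the same network as 192.168.5.0/24 gives a type byte of 4 and is accepted. A /24 expressed as a range is CIDR-aligned, so `range_to_subnet` returns the equivalent block, whereas a range such as .1-.10 summarises to several blocks and returns None. That is why the policy's address type, and not only its addresses, has to agree with what the peer can parse.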
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22879242
Did that get you any further toward getting the tunnel to come up correctly?
 

Accepted Solution

by: walltech (earned 0 total points)
ID: 22880792
Yes, the tunnel is now 100% operational :)
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 22885324
Great.