Solved

Trouble creating VPN from Firebox III/500 to Nortel Contivity 222

Posted on 2008-10-28
Last Modified: 2012-05-05
Hello,

I am experiencing difficulty creating a VPN between a Firebox III/500 and a Nortel Contivity 222.

IPSEC Tunnel

Phase 1 Settings:

MD5/DES
DH1

24H Key Negotiation

Phase 2 Settings

ESP/MD5/DES

24H Key Negotiation

Aggressive Mode OFF

Local Network 192.168.1.1
Remote Network 192.168.5.1

Here's a copy of the error logs from the Firebox.

10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR   ISA_KE ISA_NONCE
10/28/08 10:32  iked[315]:  CRYPTO ACTIVE after delay
10/28/08 10:32  firewalld[293]:  allow out eth1 52 tcp 20 128 192.168.1.7 216.143.70.105 50528 80 syn (HTTP)
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 MM-HDR*  ISA_ID ISA_HASH ISA_NOTIFY
10/28/08 10:32  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/28/08 10:32  iked[315]:  TO    74.210.36.60 MM-HDR*  ISA_ID ISA_HASH
10/28/08 10:32  iked[315]:  FROM  74.210.36.60 QM-HDR* -DFB775C1 ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/28/08 10:32  iked[315]:  Phase 1 completed as responder
10/28/08 10:32  iked[315]:  Deleting old phase 1 SA for 74.210.36.60
10/28/08 10:32  iked[315]:  Deleting SA: peer        74.210.36.60
10/28/08 10:32  iked[315]:               my_cookie   6B5A1AC0009FF6E3
10/28/08 10:32  iked[315]:               peer_cookie 2AEA9CEA84553F96
10/28/08 10:32  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/28/08 10:32  iked[315]:  Error processing (id)
10/28/08 10:32  iked[315]:  ProcessQM: ERR-3
10/28/08 10:32  iked[315]:  Quick Mode processing failed
Question by:walltech
34 Comments

Expert Comment

by:Rick_O_Shay
ID: 22830309
In the Contivity VPN Branch Office config section is where the IPSEC settings are configured.
See attachment.
Make sure they all match what is used in the Firebox.  
contivity-200-series.doc
 

Author Comment

by:walltech
ID: 22830418
I have verified all settings match the Firebox with the Contivity, in the section you included in your screen shot.
 

Author Comment

by:walltech
ID: 22830431
Attached are my settings.
contivity-vpn.doc

Expert Comment

by:Rick_O_Shay
ID: 22836073
It looks like you have aggressive mode off above in the original question text and on for the other side or I am misreading that.

Expert Comment

by:Rick_O_Shay
ID: 22840040
I have only used Nortel Contivity VPNs but this is usually caused by a config or preshared key mismatch. What are the Local/Remote Addresses used on the Contivity side?  Can you get the log from the Contivity?
 

Author Comment

by:walltech
ID: 22840298
I will post the log from the Contivity later today.
 

Author Comment

by:walltech
ID: 22843929
4   10/30/2008 18:31:46   Configured Peer ID Content: [ 74.210.36.60]   69.159.198.221   74.210.36.60   IKE
5   10/30/2008 18:31:46   Incoming ID Content: [ 69.159.198.221 ]   69.159.198.221   74.210.36.60   IKE
6   10/30/2008 18:31:46   Rule [GEORGDOWNS] ID content mismatch   69.159.198.221   74.210.36.60   IKE
7   10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3   69.159.198.221   74.210.36.60   IKE
8   10/30/2008 18:31:46   Send:[HASH][NOTFY:ERR_ID_INFO]   74.210.36.60   69.159.198.221   IKE
9   10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3   74.210.36.60   69.159.198.221   IKE
10  10/30/2008 18:31:46   Rule [GEORGDOWNS] Phase 1 ID mismatch   69.159.198.221   74.210.36.60   IKE
11  10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3   69.159.198.221   74.210.36.60   IKE
12  10/30/2008 18:31:46   Recv:[SA][KE][NONCE][ID][HASH]   69.159.198.221   74.210.36.60   IKE
13  10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x2187BFEA3EF61AF3   69.159.198.221   74.210.36.60   IKE
14  10/30/2008 18:31:46   Firewall default policy: UDP (W to W/Business Secure Router)   74.210.110.90:1027   255.255.255.255:5200   ACCESS BLOCK
15  10/30/2008 18:31:46   Send:[SA][KE][NONCE][ID][VID][VID]   74.210.36.60   69.159.198.221   IKE
16  10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000   74.210.36.60   69.159.198.221   IKE
17  10/30/2008 18:31:46   Send Aggressive Mode request to [69.159.198.221]   74.210.36.60   69.159.198.221   IKE
18  10/30/2008 18:31:46   Rule [GEORGDOWNS] Sending IKE request   74.210.36.60   69.159.198.221   IKE
19  10/30/2008 18:31:46   The cookie pair is : 0xD9DA278FF5C70BEC / 0x0000000000000000   74.210.36.60   69.159.198.221   IKE
 

Author Comment

by:walltech
ID: 22845183
I have also included a screenshot of the addresses as well.
contivity-vpn2.doc
 

Author Comment

by:walltech
ID: 22845203
Also, sorry AGGRESSIVE MODE is turned ON.

Expert Comment

by:Rick_O_Shay
ID: 22846299
Try the local and remote networks on the Firebox as 192.168.1.0 and 192.168.5.0

Expert Comment

by:Rick_O_Shay
ID: 22846351
Same thing in the Contivity for the local and remote networks. Local 192.168.5.0 and remote 192.168.1.0
 

Author Comment

by:walltech
ID: 22849042
OK, I have configured the local/remote networks on the Firebox and Contivity exactly the same. Also, while watching the logs on the Contivity, I see this:

61  10/31/2008 11:24:16   Configured Peer ID Content: [ 74.210.36.60]   69.159.198.221   74.210.36.60   IKE
62  10/31/2008 11:24:16   Incoming ID Content: [ 69.159.198.221 ]   69.159.198.221   74.210.36.60   IKE
63  10/31/2008 11:24:16   Rule [GEORGDOWNS] ID content mismatch   69.159.198.221   74.210.36.60   IKE
 

Author Comment

by:walltech
ID: 22849050
Sorry... disregard that last post, here is the entire section of the log:

10  10/31/2008 11:26:16   Configured Peer ID Content: [ 74.210.36.60]   69.159.198.221   74.210.36.60   IKE
11  10/31/2008 11:26:16   Incoming ID Content: [ 69.159.198.221 ]   69.159.198.221   74.210.36.60   IKE
12  10/31/2008 11:26:16   Rule [GEORGDOWNS] ID content mismatch   69.159.198.221   74.210.36.60   IKE
13  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C   69.159.198.221   74.210.36.60   IKE
14  10/31/2008 11:26:16   Send:[HASH][NOTFY:ERR_ID_INFO]   74.210.36.60   69.159.198.221   IKE
15  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C   74.210.36.60   69.159.198.221   IKE
16  10/31/2008 11:26:16   Rule [GEORGDOWNS] Phase 1 ID mismatch   69.159.198.221   74.210.36.60   IKE
17  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C   69.159.198.221   74.210.36.60   IKE
18  10/31/2008 11:26:16   Recv:[SA][KE][NONCE][ID][HASH][VID]EA20989C   69.159.198.221   74.210.36.60   IKE
19  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x57F136CAEA20989C   69.159.198.221   74.210.36.60   IKE
20  10/31/2008 11:26:16   Send:[SA][KE][NONCE][ID][VID][VID][00000000   74.210.36.60   69.159.198.221   IKE
21  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000   74.210.36.60   69.159.198.221   IKE
22  10/31/2008 11:26:16   Send Aggressive Mode request to [69.159.198.221]   74.210.36.60   69.159.198.221   IKE
23  10/31/2008 11:26:16   Rule [GEORGDOWNS] Sending IKE request   74.210.36.60   69.159.198.221   IKE
24  10/31/2008 11:26:16   The cookie pair is : 0x473BA3EB2453FEB8 / 0x0000000000000000   74.210.36.60   69.159.198.221   IKE

Expert Comment

by:Rick_O_Shay
ID: 22851084
Not exactly the same but reversed right? What is local at one end is remote for the other end correct?
 

Author Comment

by:walltech
ID: 22851100
Yes, sorry! It was early in the morning when I wrote that.

Expert Comment

by:Rick_O_Shay
ID: 22851618
The log is still showing a mismatch between the 2 VPNs.
 

Author Comment

by:walltech
ID: 22851643
Yes... a content mismatch, not IP Address Range.

Expert Comment

by:Rick_O_Shay
ID: 22852630
I'm not being much help here am I. Sorry about that.
Can you try setting perfect forward secrecy to none on both VPNs?
 

Author Comment

by:walltech
ID: 22852656
I have turned off perfect forward secrecy on both ends.
 

Author Comment

by:walltech
ID: 22852877
I have the content IDs matching now. The logs on the Contivity indicate phase 1 of the negotiation is completing. The failure appears to be occurring in phase 2.
 

Author Comment

by:walltech
ID: 22853201
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID ISA_VENDORID
10/31/08 15:19  iked[315]:  TO    74.210.36.60 AG-HDR   ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_HASH
10/31/08 15:19  iked[315]:  CRYPTO ACTIVE after delay
10/31/08 15:19  firewalld[293]:  allow out eth1 44 tcp 20 60 192.168.1.248 204.141.57.102 3606 80 syn (HTTP)
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 AG-HDR*  ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Received INITIAL_CONTACT message, mess_id=0x00000000
10/31/08 15:19  iked[315]:  Deleting old phase 1 SA for GEORGDOWNS.DYNDNS.ORG
10/31/08 15:19  iked[315]:  Deleting SA: peer        74.210.36.60
10/31/08 15:19  iked[315]:               my_cookie   216F483EDA49F94E
10/31/08 15:19  iked[315]:               peer_cookie 990A111F6A337598
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  GEORGDOWNS unbound
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Updated GEORGDOWNS channel for GEORGDOWNS rgw
10/31/08 15:19  iked[315]:  Sending INITIAL_CONTACT message
10/31/08 15:19  iked[315]:  TO    74.210.36.60 IF-HDR* -A16CA6B9 ISA_HASH ISA_NOTIFY
10/31/08 15:19  iked[315]:  Ending phase1 as RESPONDER
10/31/08 15:19  iked[315]:  FROM  74.210.36.60 QM-HDR* -D533455C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID
10/31/08 15:19  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE
10/31/08 15:19  iked[315]:  Error processing (id)
10/31/08 15:19  iked[315]:  ProcessQM: ERR-3
10/31/08 15:19  iked[315]:  Quick Mode processing failed
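As an added example (not from the thread, WatchGuard or Nortel), here is a small Python checker that reads lines like the Contivity and Firebox entries quoted above and flags the two failures the thread works through: the Phase 1 "Configured Peer ID" / "Incoming ID" content mismatch, and the Phase 2 rejection of an ID_IPV4_ADDR_RANGE selector that was resolved by switching the IP policy address type to Subnet. The sample lines are constructed copies of the thread's entries; the regexes and remediation strings are my assumptions.

```python
import re

# Constructed sample lines, modelled on the Contivity and Firebox entries quoted in this thread.
CONTIVITY_LOG = [
    "10/31/2008 11:26:16 Configured Peer ID Content: [ 74.210.36.60] 69.159.198.221 74.210.36.60 IKE",
    "10/31/2008 11:26:16 Incoming ID Content: [ 69.159.198.221 ] 69.159.198.221 74.210.36.60 IKE",
    "10/31/2008 11:26:16 Rule [GEORGDOWNS] Phase 1 ID mismatch 69.159.198.221 74.210.36.60 IKE",
]
FIREBOX_LOG = [
    "10/31/08 15:19  iked[315]:  Ending phase1 as RESPONDER",
    "10/31/08 15:19  iked[315]:  FROM  74.210.36.60 QM-HDR* -D533455C ISA_HASH ISA_SA ISA_NONCE ISA_ID ISA_ID",
    "10/31/08 15:19  iked[315]:  idpayload2idstruct: Unknown ID type: ID_IPV4_ADDR_RANGE",
    "10/31/08 15:19  iked[315]:  Quick Mode processing failed",
]

# Assumed patterns for the vendor log formats shown in the thread.
PEER_ID = re.compile(r"Configured Peer ID Content: \[\s*(\S+?)\s*\]")
INCOMING_ID = re.compile(r"Incoming ID Content: \[\s*(\S+?)\s*\]")
BAD_ID_TYPE = re.compile(r"Unknown ID type: (\S+)")

# Phase 2 ID types the Firebox log rejects, with the remediation that resolved the thread
# (local/remote address type set to IP/Subnet in the Contivity IP policy).
PHASE2_FIXES = {
    "ID_IPV4_ADDR_RANGE": "peer proposed an address-range traffic selector; set the "
                          "local/remote address type to Subnet (e.g. 192.168.5.0/24)",
}


def diagnose(lines):
    """Return (phase, detail) findings from a mix of Contivity and Firebox log lines."""
    findings = []
    expected = received = None
    for line in lines:
        if m := PEER_ID.search(line):
            expected = m.group(1)          # ID the Contivity expects the peer to send
        elif m := INCOMING_ID.search(line):
            received = m.group(1)          # ID the peer actually sent in Phase 1
        elif m := BAD_ID_TYPE.search(line):
            id_type = m.group(1)
            fix = PHASE2_FIXES.get(id_type, "unsupported Quick Mode ID type")
            findings.append(("2", f"{id_type}: {fix}"))
    # Phase 1 only fails on identity if both sides of the comparison were logged and differ.
    if expected and received and expected != received:
        findings.append(("1", f"configured peer ID {expected} != incoming ID {received}; "
                              "make the configured peer ID match what the peer sends"))
    return findings


if __name__ == "__main__":
    for phase, detail in diagnose(CONTIVITY_LOG + FIREBOX_LOG):
        print(f"Phase {phase}: {detail}")
```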

Expert Comment

by:Rick_O_Shay
ID: 22853348
Is the peer ID type on the Contivity set to IP?
 

Author Comment

by:walltech
ID: 22853378
I have attached a screenshot showing the ID types.
contivity-vpn3.doc

Expert Comment

by:Rick_O_Shay
ID: 22853457
Your preshared key needs to be minimum 8 characters and match the other VPN's key.
 

Author Comment

by:walltech
ID: 22853476
I blanked the pre-shared key out as I didn't want to reveal sensitive data.

Expert Comment

by:Rick_O_Shay
ID: 22854150
Is the remote ID type on the Firebox set to DNS and using that DNS name that is the local ID in the Contivity?
 

Author Comment

by:walltech
ID: 22867574
I have attempted using the DNS names on both the Contivity and Firebox with no success. I have set both back to IP addresses for now.

Expert Comment

by:Rick_O_Shay
ID: 22867921
Can you confirm that the local and remote address type is set to subnet?
 

Author Comment

by:walltech
ID: 22867972
I have changed the remote to subnet, under the IP policy but the local address type remains greyed out.

Expert Comment

by:Rick_O_Shay
ID: 22869940
I saw a note in the documentation warning about not using the 192.168.1.0 network for the peer site.
Is it possible the Contivity is not liking that?
 

Author Comment

by:walltech
ID: 22870897
I had to disable the private IP range, as well as enable aggressive mode on both ends and use the IP/Subnet for the local and remote IP policy.

Expert Comment

by:Rick_O_Shay
ID: 22879242
Did that get you any further toward getting the tunnel to come up correctly?
 

Accepted Solution

by: walltech (earned 0 total points)
ID: 22880792
Yes, the tunnel is now 100% operational :)

Expert Comment

by:Rick_O_Shay
ID: 22885324
Great.