Solved

Edgemax OS VPN, to Barracuda Link Balancer

Posted on 2016-09-10
Last Modified: 2016-11-02
Hey!

I really need help on this one. I have an EdgeMax Lite with IPSEC going to a Barracuda 430 LB, again with IPSEC, and for the life of me I cannot get the two to connect. My last attempt is below:

Peer: ISP STATIC IP FOR REMOTE FIREWALL

Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******

LocalSub 192.168.1.0/24

RemoteSub 10.100.0.0/16

ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the Barracuda Link Balancer:

2016-09-10 13:50:56
"EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56
added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56
loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56
forgetting secrets
2016-09-10 13:50:52
"EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41
"EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31
"EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04
"EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54
"EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode

I have tried AES, SHA1, DES, etc., and nothing seems to do the trick. I triple-check each side to make sure they match (which they do), so I am at a loss on this.

Any help would be appreciated!
Question by:Jonathan Jones
Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 500 total points
ID: 41792818
Basically, both sides should have the SAME or similar configuration for the VPN channel to be established. Can you also provide the configuration of the other end?

Author Comment

by:Jonathan Jones
ID: 41792848
Thanks for the quick response!
Here is the data:

       Primary Local Link  50.0.0.0 /255.255.255.0
       Primary Remote Gateway  172.0.0.0/255.255.255.0
       Enable NAT-Traversal      No
       Remote NAT-T IP           NONE

       Masquerade IP Address/Range       NONE       

       Local Network      
        IP/Network Address      Netmask
        10.100.0.0      255.255.0.      

       Remote Network      
        IP/Network Address      Netmask      
        192.168.1.0       255.255.255.0
         Enable VPN      Yes      

Security Policies      
       IPsec Keying Mode            
        The mode used for encrypting data.
       Shared Secret      
        ••••••••••••••
        IPsec Key Exchange Policy Phase 1      
       Encryption      3DES

       Authentication      MD5
       DH Group      Group-2
       Lifetime      14400

IPsec Key Exchange Policy Phase 2      

       Encryption 3DES
       Authentication      MD5
       Enable Perfect Forward Secrecy      YES
       DH Group       Group 2.
       Lifetime      3600

EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1
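
A cross-check of the two listings above, as an added example that is not part of the original post: it parses the posted conn block and compares it with the Barracuda values, transcribed by hand into a hypothetical `PEER` dictionary. DH Group 2 is written `modp1024` in ipsec.conf, and the networks are taken in the CIDR form used elsewhere in the thread.

```python
import ipaddress
import re

# The conn block as posted above (addresses are the poster's redacted values).
IPSEC_CONF = """\
conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
"""

# Barracuda values transcribed by hand from the same thread (hypothetical
# structure; DH Group 2 is the 1024-bit MODP group, i.e. modp1024).
PEER = {
    "gateway": "50.0.0.0",            # "Primary Local Link"
    "ike": "3des-md5-modp1024", "ikelifetime": 14400,
    "esp": "3des-md5-modp1024", "keylife": 3600,
    "local_net": "10.100.0.0/16", "remote_net": "192.168.1.0/24",
}

def parse_conn(text):
    """Return the indented key=value options of one conn block as a dict."""
    return dict(re.findall(r"^[ \t]+(\w+)=(\S+)$", text, re.M))

def check(conn, peer):
    """Compare one ipsec.conf conn with the peer's settings; return findings."""
    findings = []
    try:
        ipaddress.ip_address(conn["right"])
    except ValueError:
        findings.append(f"right={conn['right']} is not a single peer address")
    if conn["right"].split("/")[0] != peer["gateway"]:
        findings.append(f"right={conn['right']} is not the peer gateway {peer['gateway']}")
    for key in ("ike", "esp"):
        if conn[key].rstrip("!") != peer[key]:
            findings.append(f"{key} differs: {conn[key]} vs {peer[key]}")
    for key in ("ikelifetime", "keylife"):
        if int(conn[key].rstrip("s")) != peer[key]:
            findings.append(f"{key} differs: {conn[key]} vs {peer[key]}s")
    # Selectors must mirror: our rightsubnet is the peer's local network.
    if (conn["rightsubnet"], conn["leftsubnet"]) != (peer["local_net"], peer["remote_net"]):
        findings.append("subnets do not mirror the peer's local/remote networks")
    return findings

if __name__ == "__main__":
    for finding in check(parse_conn(IPSEC_CONF), PEER):
        print(finding)
```

On the posted values the proposals, lifetimes and subnets all agree; the only findings concern `right`, which is a /24 and does not name the Barracuda's gateway address.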

Expert Comment

by:Bing CISM / CISSP
ID: 41792875
One thing was noticed in my quick review: NAT Traversal.

Is either of the two VPN gateways behind another NAT firewall?

Another thing is "left=%any" at the EDGEMAX side. Why is it set to "any" instead of a specific address of the remote peer?

Author Comment

by:Jonathan Jones
ID: 41792896
Bing,

Thanks! The only NAT is at the firewalls themselves, so no NAT needed there. I changed the "left=%any" to "left-50.0.0.0/24" (remote firewall IP) and changed the IP on the PEER settings on the EDGEMAX; I had those backwards, I believe:

Site-to-site peers
Peer
50.0.0.0/24

Remote  Peer
Description PRSDNJ
Local IP 50.0.0.0/24
Pre-shared secret
***************
Local subnet 10.100.0.0/16 (BARRACUDA) internal
Remote subnet 192.168.1.0/24 (EDGEMAX) internal


Below is from the Barracuda Side trying to initialize the VPN

2016-09-10 16:21:38
"EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28
"EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02
"EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52
"EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12
"EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02
"EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02
added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02
loading secrets from "/etc/ipsec.secrets"

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 41793598
It looks like the EDGEMAX side always retries due to no response from the peer. Does the Barracuda side work well with sites, if any? Is the IP of the Barracuda side load balanced?
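
A triage script for the log excerpts pasted in this thread, as an added example that is not part of the answer above: it groups entries by connection and separates tunnels whose attempts all expire in STATE_MAIN_I1 from tunnels where messages from the peer are being received. It assumes the layout shown in the thread (timestamp line, then message line); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the thread: timestamp line,
# then message line, newest entry first (lines copied from the first post).
LOG = """\
2016-09-10 13:50:56
"EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:49:41
"EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31
"EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
"""

ENTRY = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def summarize(log):
    """Per connection: attempts started, attempts that expired in
    STATE_MAIN_I1, and whether any message from the peer was logged."""
    stats = defaultdict(lambda: {"started": set(), "stalled": set(), "peer_seen": False})
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # timestamp lines and daemon housekeeping
        s = stats[m["conn"]]
        if m["msg"] == "initiating Main Mode":
            s["started"].add(m["sa"])
        elif "reached STATE_MAIN_I1" in m["msg"]:
            s["stalled"].add(m["sa"])
        elif m["msg"].startswith("received "):
            s["peer_seen"] = True
    return {c: {"started": len(s["started"]), "stalled": len(s["stalled"]),
                "peer_seen": s["peer_seen"]} for c, s in stats.items()}

def never_answered(log):
    """Connections that started Main Mode, stalled, and never logged a reply."""
    return [c for c, s in summarize(log).items()
            if s["started"] and s["stalled"] and not s["peer_seen"]]

if __name__ == "__main__":
    print(never_answered(LOG))
```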

Author Comment

by:Jonathan Jones
ID: 41794093
Bing,

Yes, the Barracuda is working fine with IPSEC against 2 Cisco VPN Small Business Devices, no problems. As for the Barracuda, it's only using 1 link out, so no balancing going on. Our ISP is Comcast Metro Ethernet, 500mb up/down.

Author Closing Comment

by:Jonathan Jones
ID: 41870789
Thanks!