Solved

Edgemax OS VPN, to Barracuda Link Balancer

Posted on 2016-09-10
Last Modified: 2016-11-02
Hey!

I really need help on this one. I have an EdgeMax Lite with IPsec going to a Barracuda 430 LB, again with IPsec, and for the life of me I cannot get the two to connect. My last attempt is below:

Peer: ISP STATIC IP FOR REMOTE FIREWALL

Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******

LocalSub 192.168.1.0/24

RemoteSub 10.100.0.0/16

ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the Barracuda Link Balancer:

2016-09-10 13:50:56  "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56  added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56  loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56  forgetting secrets
2016-09-10 13:50:52  "EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41  "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31  "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04  "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54  "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode

I have tried AES, SHA1, DES, etc., and nothing seems to do the trick. I triple-checked each side to make sure they match (which they do), so I am at a loss on this.

Any help would be appreciated!
Question by:Jonathan Jones
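The Barracuda log above uses the message text of the Openswan/Libreswan pluto daemon, and the line that matters is the STATE_MAIN_I1 one: the initiator's first main-mode message (its ISAKMP SA proposal) got no acceptable reply, so the responder has not yet evaluated the cipher, hash, DH group or pre-shared key at all. That points at addressing and UDP/500 reachability before any of the algorithm settings the poster was varying. The following Python is an added example, not code from the thread or from either vendor: it parses lines in the layout shown (timestamp and message on one line, or the timestamp on its own line as the page originally had it), groups them by connection and state number, classifies how each exchange ended, and measures how long the retransmissions took. The sample log is a constructed copy of five lines from the question; the classification labels and hints are this example's own.

```python
"""Triage of pluto-style IKEv1 log lines such as the Barracuda log in the question."""
import re
from datetime import datetime

# Constructed sample: a few of the Barracuda lines from the question, one event per line.
SAMPLE_LOG = """\
2016-09-10 13:50:56  "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:49:41  "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31  "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")
MSG_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# pluto's main-mode initiator states: I1 = sent the SA proposal, I2 = sent KE+nonce,
# I3 = sent the encrypted ID+HASH. The first matching pattern wins.
PATTERNS = [
    (re.compile(r"max number of retransmissions.*STATE_MAIN_I1"), "phase1-i1-unanswered"),
    (re.compile(r"max number of retransmissions.*STATE_MAIN_I2"), "phase1-i2-unanswered"),
    (re.compile(r"max number of retransmissions.*STATE_MAIN_I3"), "phase1-i3-unanswered"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "phase1-proposal-rejected"),
    (re.compile(r"received Delete SA"), "peer-deleted-sa"),
    (re.compile(r"initiating Main Mode"), "phase1-start"),
]

HINTS = {
    "phase1-i1-unanswered": ("first message (SA proposal) never got an acceptable reply: the peer has "
                             "not evaluated the proposal or the PSK yet. Check the peer address, UDP/500 "
                             "reachability both ways, that the peer has a conn for this source address, "
                             "and whether the peer silently drops proposals it does not accept."),
    "phase1-i2-unanswered": ("peer answered the SA proposal (reachable, proposal accepted) but not the "
                             "key exchange: look at UDP fragmentation or NAT between the gateways."),
    "phase1-i3-unanswered": ("peer answered the key exchange but not the encrypted ID+HASH message: "
                             "the usual cause is a pre-shared key or peer-ID mismatch."),
    "phase1-proposal-rejected": "peer rejected the ISAKMP proposal: compare cipher, hash and DH group.",
    "peer-deleted-sa": "peer tore down an established IPsec SA (normal rekey/teardown traffic).",
    "phase1-start": "exchange started; no outcome logged yet.",
}


def parse_log(text):
    """-> [(datetime, conn, state_no, message)], oldest first. Accepts the timestamp on
    the same line as the message or on the line before it (the page's original layout)."""
    events, pending_ts = [], None
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        t = TS_RE.match(ln)
        if t:
            pending_ts = datetime.strptime(t.group(1), TS_FMT)
            ln = t.group(2)
            if not ln:
                continue
        m = MSG_RE.match(ln)
        if m and pending_ts is not None:
            events.append((pending_ts, m["conn"], int(m["state"]), m["msg"]))
    events.sort(key=lambda e: e[0])  # the page lists newest first; work oldest first
    return events


def classify(msg):
    for rx, label in PATTERNS:
        if rx.search(msg):
            return label
    return "informational"


def summarize(text):
    """Per (conn, state#): when the exchange started, how it ended and how long that took."""
    summary = {}
    for ts, conn, state, msg in parse_log(text):
        entry = summary.setdefault((conn, state), {"started": None, "outcome": "phase1-start", "seconds": None})
        label = classify(msg)
        if label == "phase1-start":
            entry["started"] = ts
        elif label != "informational":
            entry["outcome"] = label
            if entry["started"] is not None:
                entry["seconds"] = int((ts - entry["started"]).total_seconds())
    return summary


def report(text):
    lines = []
    for (conn, state), e in sorted(summarize(text).items()):
        dur = f" after {e['seconds']}s" if e["seconds"] is not None else ""
        lines.append(f"{conn} #{state}: {e['outcome']}{dur}\n    {HINTS[e['outcome']]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample, exchange #273 comes out as phase1-i1-unanswered after 70 s (two retransmissions and then the give-up message), #274 as just started, and the EAGLESWOOD #155 lines as a normal Delete SA on a tunnel that does work, which is the hint that the Barracuda's IPsec stack itself is fine.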
7 Comments

Assisted Solution

by:bbao
bbao earned 500 total points
ID: 41792818
Basically, both sides should have the SAME or similar configuration for the VPN channel to be established. Can you also provide the configuration of the other end?

Author Comment

by:Jonathan Jones
ID: 41792848
Thanks for the quick response!
Here is the data:

BARRACUDA SIDE:

       Primary Local Link             50.0.0.0 / 255.255.255.0
       Primary Remote Gateway         172.0.0.0 / 255.255.255.0
       Enable NAT-Traversal           No
       Remote NAT-T IP                NONE
       Masquerade IP Address/Range    NONE

       Local Network
         IP/Network Address    Netmask
         10.100.0.0            255.255.0.

       Remote Network
         IP/Network Address    Netmask
         192.168.1.0           255.255.255.0

       Enable VPN                     Yes

Security Policies
       IPsec Keying Mode              (the mode used for encrypting data)
       Shared Secret                  ••••••••••••••

       IPsec Key Exchange Policy Phase 1
         Encryption                   3DES
         Authentication               MD5
         DH Group                     Group-2
         Lifetime                     14400

       IPsec Key Exchange Policy Phase 2
         Encryption                   3DES
         Authentication               MD5
         Enable Perfect Forward Secrecy   YES
         DH Group                     Group 2
         Lifetime                     3600

EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

# settings every conn inherits
conn %default
        keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
        # left = this (EdgeMax) gateway; %any lets strongSwan pick the local address
        left=%any
        # right = the peer's address; right= takes a single IP, a prefix length belongs in rightsubnet=
        right=172.0.0.0/24
        # traffic selectors: EdgeMax LAN (Barracuda "Remote Network") / Barracuda LAN (Barracuda "Local Network")
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        # phase 1: 3DES, MD5, DH group 2 (modp1024); '!' makes the proposal strict
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        # phase 2: 3DES, MD5, PFS with DH group 2
        esp=3des-md5-modp1024!
        keylife=3600s
        # start rekeying this long before an SA expires
        rekeymargin=540s
        type=tunnel
        compress=no
        # pre-shared key, looked up in /etc/ipsec.secrets
        authby=secret
        # install a trap policy; the tunnel is negotiated on the first matching packet
        auto=route
        # retry the negotiation indefinitely
        keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1

Expert Comment

by:bbao
ID: 41792875
One thing I noticed in my quick review: NAT Traversal.

Is either of the two VPN gateways behind another NAT firewall?

Another thing is "left=%any" on the EDGEMAX side; why is it set to "any" instead of a specific address of the remote peer?
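The two configurations above can be checked against each other mechanically. The following is an added Python example, not part of the thread and not Ubiquiti or Barracuda code: it parses the posted EdgeMax conn block and the Barracuda form fields, normalises the phase 1 and phase 2 proposals and the traffic selectors into one shape, and reports what does not line up. In strongSwan, left= is the local gateway and right= is the peer, so on the EdgeMax right= should be the Barracuda's link address (the one the Barracuda calls "Primary Local Link"), and the Barracuda's "Primary Remote Gateway" is the address the EdgeMax must present, which is the point behind the left=%any question. The Barracuda dictionary is constructed from the table above, with a /16 mask assumed for its local network from the EdgeMax rightsubnet; the DH group table and all function names are this example's own.

```python
"""Cross-check the posted EdgeMax (strongSwan) conn block against the Barracuda settings."""
import ipaddress
import re

# Constructed copy of the EdgeMax conn block posted in the thread.
EDGEMAX_CONN = """\
conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
"""

# Constructed from the Barracuda form fields posted in the thread. "Local Link" is the
# Barracuda's own WAN address and "Remote Gateway" is the EdgeMax's. The /16 mask on the
# local network is assumed from the EdgeMax rightsubnet.
BARRACUDA = {
    "local_link": "50.0.0.0",
    "remote_gateway": "172.0.0.0",
    "local_net": "10.100.0.0/255.255.0.0",
    "remote_net": "192.168.1.0/255.255.255.0",
    "p1": {"enc": "3DES", "auth": "MD5", "dh": "Group-2", "lifetime": 14400},
    "p2": {"enc": "3DES", "auth": "MD5", "pfs": True, "dh": "Group 2.", "lifetime": 3600},
}

# IKE Diffie-Hellman group numbers -> strongSwan proposal keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_conn(text):
    """ipsec.conf 'conn' block -> {setting: value}; the conn line and comments are skipped."""
    settings = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#") or ln.startswith("conn "):
            continue
        key, _, val = ln.partition("=")
        settings[key.strip()] = val.strip()
    return settings


def parse_strongswan_proposal(spec):
    """'3des-md5-modp1024!' -> ('3des', 'md5', 'modp1024').
    The trailing '!' only makes the proposal strict; it names no algorithm."""
    parts = spec.rstrip("!").split("-")
    group = parts[2] if len(parts) > 2 else None
    return parts[0], parts[1], group


def barracuda_group(label):
    """'Group-2' or 'Group 2.' -> 'modp1024'."""
    return DH_GROUPS[int(re.search(r"\d+", label).group())]


def barracuda_proposal(phase):
    """Barracuda phase settings -> the (enc, auth, group) tuple strongSwan uses.
    Phase 2 carries a DH group only when PFS is enabled."""
    group = barracuda_group(phase["dh"]) if phase.get("pfs", True) else None
    return phase["enc"].lower(), phase["auth"].lower(), group


def cross_check(conn_text, bar):
    """Return a list of mismatches between the EdgeMax conn and the Barracuda side."""
    conn = parse_conn(conn_text)
    findings = []

    # Peer addressing: in strongSwan left= is the local gateway and right= is the peer.
    right = conn["right"]
    if "/" in right:
        findings.append(f"right={right}: right= takes the peer's single address; "
                        "a prefix length belongs in rightsubnet=")
        right = right.split("/")[0]
    if right != bar["local_link"]:
        findings.append(f"right={right} is not the Barracuda link address "
                        f"{bar['local_link']} (peer and local addresses swapped?)")
    if conn["left"] == "%any":
        findings.append(f"left=%any: the Barracuda expects this peer at "
                        f"{bar['remote_gateway']}; pin left= to that address")

    # Traffic selectors must mirror each other (our left is their remote).
    for ours, theirs in [("leftsubnet", "remote_net"), ("rightsubnet", "local_net")]:
        if ipaddress.ip_network(conn[ours], strict=False) != ipaddress.ip_network(bar[theirs], strict=False):
            findings.append(f"{ours}={conn[ours]} does not match Barracuda {theirs} {bar[theirs]}")

    # Proposals and lifetimes, phase 1 (ike=) and phase 2 (esp=).
    for ours, theirs, life in [("ike", "p1", "ikelifetime"), ("esp", "p2", "keylife")]:
        if parse_strongswan_proposal(conn[ours]) != barracuda_proposal(bar[theirs]):
            findings.append(f"{ours}={conn[ours]} differs from Barracuda {theirs} {bar[theirs]}")
        if int(conn[life].rstrip("s")) != bar[theirs]["lifetime"]:
            findings.append(f"{life}={conn[life]} differs from Barracuda {theirs} lifetime {bar[theirs]['lifetime']}")
    return findings


# The same block with the peer address corrected and the local address pinned.
FIXED_CONN = (EDGEMAX_CONN.replace("left=%any", "left=172.0.0.0")
                          .replace("right=172.0.0.0/24", "right=50.0.0.0"))

if __name__ == "__main__":
    for f in cross_check(EDGEMAX_CONN, BARRACUDA) or ["no mismatches"]:
        print("-", f)
    print("after fix:", cross_check(FIXED_CONN, BARRACUDA) or "no mismatches")
```

On the posted block the proposals, lifetimes and subnets all agree, and the only findings are the three addressing ones: the prefix length on right=, right= naming the EdgeMax's own address rather than the Barracuda's, and left=%any. That matches the poster's own later observation that the peer and local addresses were backwards, and it is consistent with the Barracuda's first IKE message never being answered.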

Author Comment

by:Jonathan Jones
ID: 41792896
Bing,

Thanks! The only NAT is at the firewalls themselves, so no NAT needed there. I changed "left=%any" to "left=50.0.0.0/24" (the remote firewall IP) and changed the IP in the peer settings on the EDGEMAX; I had those backwards, I believe:

Site-to-site peers
Peer
50.0.0.0/24

Remote Peer
Description PRSDNJ
Local IP 50.0.0.0/24
Pre-shared secret
***************
Local subnet 10.100.0.0/16 (BARRACUDA internal)
Remote subnet 192.168.1.0/24 (EDGEMAX internal)


Below is from the Barracuda side trying to initialize the VPN:

2016-09-10 16:21:38  "EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28  "EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02  "EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52  "EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12  "EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02  "EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02  added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02  loading secrets from "/etc/ipsec.secrets"

Accepted Solution

by:bbao
bbao earned 500 total points
ID: 41793598
It looks like the EDGEMAX side always retries due to no response from the peer. Does the Barracuda side work well with other sites, if any? Is the IP of the Barracuda side load balanced?

Author Comment

by:Jonathan Jones
ID: 41794093
Bing,

Yes, the Barracuda is working fine with IPsec against 2 Cisco VPN Small Business devices, no problems. As for the Barracuda, it's only using 1 link out, so no balancing going on. Our ISP is Comcast Metro Ethernet, 500 Mb up/down.

Author Closing Comment

by:Jonathan Jones
ID: 41870789
Thanks!