
EdgeMax OS VPN to Barracuda Link Balancer

Hey!

I really need help on this one. I have an EdgeMax Lite with IPsec going to a Barracuda 430 LB, again with IPsec, and for the life of me I cannot get the two to connect. My last attempt is below:

Peer: ISP STATIC IP FOR REMOTE FIREWALL

Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******

LocalSub 192.168.1.0/24

RemoteSub 10.100.0.0/16

ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the Barracuda Link Balancer:

2016-09-10 13:50:56  "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56  added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56  loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56  forgetting secrets
2016-09-10 13:50:52  "EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41  "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31  "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04  "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43  "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54  "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode

I have tried AES, SHA1, DES, etc., and nothing seems to do the trick. I triple-checked each side to make sure they match (which they do), so I am at a loss on this.

Any help would be appreciated!
Asked by: Jonathan Jones
2 Solutions
 
bbao, IT Consultant, commented:
Basically, both sides should have the SAME or similar configuration for the VPN channel to be established. Can you also provide the configuration of the other end?

Jonathan Jones, Network Administrator (Author), commented:
Thanks for the quick response!
Here is the data:

       Primary Local Link        50.0.0.0 / 255.255.255.0
       Primary Remote Gateway    172.0.0.0 / 255.255.255.0
       Enable NAT-Traversal      No
       Remote NAT-T IP           NONE

       Masquerade IP Address/Range    NONE

       Local Network
         IP/Network Address    Netmask
         10.100.0.0            255.255.0.0

       Remote Network
         IP/Network Address    Netmask
         192.168.1.0           255.255.255.0
       Enable VPN                Yes

Security Policies
       IPsec Keying Mode         (the mode used for encrypting data)
       Shared Secret             ••••••••••••••

       IPsec Key Exchange Policy Phase 1
       Encryption                3DES
       Authentication            MD5
       DH Group                  Group-2
       Lifetime                  14400

       IPsec Key Exchange Policy Phase 2
       Encryption                3DES
       Authentication            MD5
       Enable Perfect Forward Secrecy    YES
       DH Group                  Group 2
       Lifetime                  3600

EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
        left=%any                     # local side: no fixed local address
        right=172.0.0.0/24            # remote IKE peer (written here as a /24, not a single gateway address)
        leftsubnet=192.168.1.0/24     # Phase 2 local traffic selector
        rightsubnet=10.100.0.0/16     # Phase 2 remote traffic selector
        ike=3des-md5-modp1024!        # Phase 1: 3DES, MD5, DH group 2; "!" = strict proposal
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!        # Phase 2: 3DES, MD5, PFS with DH group 2
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret                 # authenticate with a pre-shared key
        auto=route                    # install trap policy; tunnel is brought up by matching traffic
        keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1

bbao, IT Consultant, commented:
One thing I noticed in my quick review: NAT Traversal.

Is either of the two VPN gateways behind another NAT firewall?

Another thing is "left=%any" on the EDGEMAX side; why is it set to "any" instead of a specific address of the remote peer?

Jonathan Jones, Network Administrator (Author), commented:
Bing,

Thanks! The only NAT is at the firewalls themselves, so no NAT is needed there. I changed "left=%any" to "left=50.0.0.0/24" (remote firewall IP) and changed the IP in the PEER settings on the EDGEMAX; I had those backwards, I believe:

Site-to-site peers
Peer                50.0.0.0/24

Remote Peer
Description         PRSDNJ
Local IP            50.0.0.0/24
Pre-shared secret   ***************
Local subnet        10.100.0.0/16 (BARRACUDA internal)
Remote subnet       192.168.1.0/24 (EDGEMAX internal)

Below is from the Barracuda side trying to initialize the VPN:

2016-09-10 16:21:38  "EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28  "EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02  "EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52  "EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12  "EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02  "EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02  added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02  loading secrets from "/etc/ipsec.secrets"
 
bbao, IT Consultant, commented:
It looks like the EDGEMAX side always retries due to no response from the peer. Does the Barracuda side work well with sites, if any? Is the IP of the Barracuda side load balanced?
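As an added example (not code from the thread, from Ubiquiti or from Barracuda), the script below triages pluto-style IKE log lines like the ones posted above and normalizes a strongSwan ike=/esp= proposal so it can be compared field by field with the Barracuda GUI values. The sample log lines are constructed to mirror the thread's messages; the STATE_* hints, the NO_PROPOSAL_CHOSEN check and the modp-name-to-DH-group mapping are assumptions based on the usual Pluto/strongSwan naming. The point it makes: a stall in STATE_MAIN_I1 means the very first Main Mode packet got no reply, which is a reachability or peer-address problem to investigate before touching ciphers, and the two posted proposals (3DES/MD5/group 2) do in fact match.

```python
"""Triage for an IKEv1 tunnel stuck in Main Mode.

Added example; not code from the thread, Ubiquiti or Barracuda.
Assumptions: pluto-style log lines ("conn" #sa: message), pluto initiator
state names (STATE_MAIN_I1 etc.) and strongSwan proposal syntax (enc-auth-dh!).
"""
import re

# Assumption: pluto initiator state names and the usual cause of a stall there.
STATE_HINTS = {
    "STATE_MAIN_I1": "our first Main Mode packet got no reply at all: check UDP/500 "
                     "reachability to the peer address and that the peer has a conn "
                     "matching our address (a proposal mismatch usually comes back "
                     "as NO_PROPOSAL_CHOSEN rather than silence)",
    "STATE_MAIN_I2": "peer answered the SA proposal but the DH exchange stalled: "
                     "check NAT-T / UDP/4500 and MTU",
    "STATE_MAIN_I3": "ID/PSK exchange unanswered: check identities and pre-shared key",
    "STATE_QUICK_I1": "Phase 1 is up but Phase 2 stalled: check subnets and ESP proposal",
}

# Assumption: strongSwan/pluto modp names -> IKE DH group numbers.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")

# Constructed sample, mirroring the Barracuda log lines in the thread.
SAMPLE_LOG = """\
2016-09-10 16:13:02 "EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:14:12 "EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52 "EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:17:02 "EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""


def parse_log(text):
    """Yield (conn, sa_number, message) for each line that names an IKE SA."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("conn"), int(m.group("sa")), m.group("msg")


def triage(text):
    """Per connection: number of Main Mode attempts, where the last one stalled,
    a hint for that state, and whether the peer ever sent an explicit rejection."""
    report = {}
    for conn, _sa, msg in parse_log(text):
        entry = report.setdefault(conn, {"attempts": 0, "stalled_at": None,
                                         "hint": None, "proposal_rejected": False})
        if msg.startswith("initiating Main Mode"):
            entry["attempts"] += 1
        m = RETRANS_RE.search(msg)
        if m:
            entry["stalled_at"] = m.group(2)
            entry["hint"] = STATE_HINTS.get(m.group(2), "unknown state")
        if "NO_PROPOSAL_CHOSEN" in msg:  # explicit rejection from the responder
            entry["proposal_rejected"] = True
    return report


def parse_proposal(spec):
    """Split a strongSwan ike=/esp= value such as '3des-md5-modp1024!' into
    {'enc', 'auth', 'dh'}; the trailing '!' only marks the proposal as strict."""
    parts = spec.rstrip("!").split("-")
    return {
        "enc": parts[0].upper(),
        "auth": parts[1].upper() if len(parts) > 1 else None,
        "dh": DH_GROUPS.get(parts[2]) if len(parts) > 2 else None,
    }


def mismatches(side_a, side_b):
    """Fields on which two normalized proposals differ (empty list means they match)."""
    return [k for k in ("enc", "auth", "dh") if side_a.get(k) != side_b.get(k)]


if __name__ == "__main__":
    for conn, e in triage(SAMPLE_LOG).items():
        print(f"{conn}: {e['attempts']} attempts, stalled at {e['stalled_at']}")
        print(f"  -> {e['hint']}")
    # Barracuda GUI Phase 1 values from the thread, normalized by hand.
    barracuda_p1 = {"enc": "3DES", "auth": "MD5", "dh": 2}
    print("Phase 1 mismatches:", mismatches(parse_proposal("3des-md5-modp1024!"), barracuda_p1))
```

Run it against a copy of the Barracuda log (one timestamp and message per line) to see which state each connection stalls in; if the stalled state is STATE_MAIN_I1 and no NO_PROPOSAL_CHOSEN ever appears, verifying that UDP/500 from the Barracuda reaches the EdgeMax's WAN address is the next step, not another cipher change.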
 
Jonathan Jones, Network Administrator (Author), commented:
Bing,

Yes, the Barracuda is working fine with IPsec against 2 Cisco VPN Small Business devices, no problems. As for the Barracuda, it's only using 1 link out, so there is no balancing going on. Our ISP is Comcast Metro Ethernet, 500 Mb up/down.
 
Jonathan Jones, Network Administrator (Author), commented:
Thanks!