Edgemax OS VPN, to Barracuda Link Balancer

Posted on 2016-09-10
Last Modified: 2016-11-02

I really need help on this one, I have an EdgeMax Lite with IPEC going to a Barracuda 430 LB with again IPSEC and for the life if me I can not get the too to connect. My last attempts is below:


Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******



ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the the Barracuda Link Balancer:

2016-09-10 13:50:56
"EDGEMAX-" #274: initiating Main Mode
2016-09-10 13:50:56
added connection description "EDGEMAX-"
2016-09-10 13:50:56
loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56
forgetting secrets
2016-09-10 13:50:52
"EDGEMAX-": deleting connection
2016-09-10 13:49:41
"EDGEMAX-" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31
"EDGEMAX-" #273: initiating Main Mode
2016-09-10 13:45:04
"EDGEMAX-" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-" #155: received and ignored informational message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54
"EDGEMAX-" #272: initiating Main Mode

I have tried AES, SHA1, DES etc etc etc and nothing seems to do the trick, I tripple check each side to make sure they match (which they do) so I am at a loss on this?

Any help would be appreciated!
Question by:Jonathan Jones
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 37

Assisted Solution

bbao earned 500 total points
ID: 41792818
basically, the both sides should have the SAME or similar configuration for the VPN channel to be established. can you also provide the configuration of the other end?

Author Comment

by:Jonathan Jones
ID: 41792848
Thanks for the quick response!
Here is the data:

       Primary Local Link /
       Primary Remote Gateway
       Enable NAT-Traversal ​No ​      
       Remote NAT-T IP           NONE

       Masquerade IP Address/Range       NONE       

       Local Network      
        IP/Network Address      Netmask      255.255.0.      

       Remote Network      
        IP/Network Address      Netmask     
         Enable VPN      Yes      

Security Policies      
       IPsec Keying Mode            
        The mode used for encrypting data.
       Shared Secret      
        IPsec Key Exchange Policy Phase 1      
       Encryption      3DES

       Authentication      MD5 ​
       DH Group      Group-2
       Lifetime      14400

IPsec Key Exchange Policy Phase 2      

       Encryption 3DES
       Authentication      MD5
       Enable Perfect Forward Secrecy      YES
       DH Group       Group 2.
       Lifetime      3600


# generated by /opt/vyatta/sbin/

config setup

conn %default

conn peer-
#conn peer-
LVL 37

Expert Comment

ID: 41792875
one thing was noticed in my quick review: NAT Traversal.

is any of the two VPN gateways behind another NAT firewall?

another thing is "left=%any" at EDGEMAX side, why is it set to "any" instead of a specific address of the remote peer?
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.


Author Comment

by:Jonathan Jones
ID: 41792896

Thanks! The only NAT is at the firewalls themselves, so no NAT needed there, I changed the "left=%any" to "left-" remote firewall IP, changed the IP on the PEER settings on the EDGEMAX, has those backwards I believe:

Site-to-site peers

Remote  Peer
Description PRSDNJ
Local IP
Pre-shared secret
Local subnet (BARRACUDA) internal
Remote subnet (EDEMAX) internal

Below is from the Barracuda Side trying to initialize the VPN

2016-09-10 16:21:38
"EDGEMAX-" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28
"EDGEMAX-" #319: initiating Main Mode
2016-09-10 16:17:02
"EDGEMAX-" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52
"EDGEMAX-" #318: initiating Main Mode
2016-09-10 16:14:12
"EDGEMAX-" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02
"EDGEMAX-" #317: initiating Main Mode
2016-09-10 16:13:02
added connection description "EDGEMAX-"
2016-09-10 16:13:02
loading secrets from "/etc/ipsec.secrets"
LVL 37

Accepted Solution

bbao earned 500 total points
ID: 41793598
it looks like the EDGEMAX side always retries duo to no response from the peer. does the Barracuda side work well with sites , if any? is the IP of Barracuda side load balanced?

Author Comment

by:Jonathan Jones
ID: 41794093

Yes the Barracuda is working fine with IPSEC against 2 Cisco VPN Small Business Devices no problems, as for the barracuda, its only using 1 link out , so no balancing going on, our IPS is comcast metro ethernet  500mb up/down

Author Closing Comment

by:Jonathan Jones
ID: 41870789

Featured Post

Don't Miss ATEN at InfoComm 2017!

Visit booth #2167 to see the  new ATEN VM3200 32 x 32 Modular Matrix Switch. Other highlights include the VE8950 4K HDMI Over IP Extender, VS1912 12-Port DP Video Wall Media Player  and VK2100 ATEN Control System. Register now with Free Pass Code ATEN288!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question