Edgemax OS VPN, to Barracuda Link Balancer

Posted on 2016-09-10
Medium Priority
228 Views
Last Modified: 2016-11-02
Hey!

I really need help on this one. I have an EdgeMax Lite with IPsec going to a Barracuda 430 LB, again with IPsec, and for the life of me I cannot get the two to connect. My last attempt is below:

Peer: ISP STATIC IP FOR REMOTE FIREWALL

Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******

LocalSub 192.168.1.0/24

RemoteSub 10.100.0.0/16

ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the Barracuda Link Balancer:

2016-09-10 13:50:56
"EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56
added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56
loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56
forgetting secrets
2016-09-10 13:50:52
"EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41
"EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31
"EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04
"EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54
"EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode

I have tried AES, SHA1, DES etc. and nothing seems to do the trick. I triple-check each side to make sure they match (which they do), so I am at a loss on this.

Any help would be appreciated!
0
Question by: Jonathan Jones
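The Barracuda log above is pluto-style output: a timestamp on one line, then `"<connection>" #<SA number>: <message>` on the next. The pattern that matters is the same SA hitting "max number of retransmissions ... STATE_MAIN_I1" over and over, which means the responder never answered the very first main-mode packet. The classifier below is an added example, not code from the thread or from either vendor; `SAMPLE_LOG` is a constructed copy of the lines posted, and the diagnosis strings are my own troubleshooting wording.

```python
"""Summarise pluto-style IKE log lines per connection so that repeated
main-mode retransmission failures stand out. Added example; SAMPLE_LOG is
constructed to mirror the Barracuda lines in the question."""
import re
from collections import defaultdict

# Constructed sample: timestamp on one line, message on the next, as the
# Barracuda Link Balancer prints it.
SAMPLE_LOG = """\
2016-09-10 13:50:56
"EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:49:41
"EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31
"EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04
"EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43
"EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54
"EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode
"""

TS_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$')
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')


def parse_events(text):
    """Pair each timestamp line with the connection message that follows it.
    Lines without a quoted connection name (loading secrets, etc.) are skipped."""
    events, ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            ts = line
            continue
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": ts, "conn": m["conn"], "sa": int(m["sa"]), "msg": m["msg"]})
    return events


def summarise(events):
    """Count initiations, retransmission failures (by IKE state) and SA deletes per connection."""
    per_conn = defaultdict(lambda: {"initiated": 0, "retrans_failures": defaultdict(int), "deletes": 0})
    for ev in events:
        s = per_conn[ev["conn"]]
        m = RETRANS_RE.search(ev["msg"])
        if ev["msg"].startswith("initiating Main Mode"):
            s["initiated"] += 1
        elif m:
            s["retrans_failures"][m.group(2)] += 1
        elif "Delete SA" in ev["msg"]:
            s["deletes"] += 1
    return per_conn


def diagnose(summary):
    """One-line reading per connection; the wording is this example's own."""
    out = {}
    for conn, s in summary.items():
        failures = s["retrans_failures"]
        if failures and set(failures) == {"STATE_MAIN_I1"}:
            out[conn] = ("no reply to the first main-mode message: check the peer address, "
                         "UDP/500 reachability and the responder's connection definition "
                         "before touching cipher proposals")
        elif failures:
            out[conn] = "retransmissions exhausted in " + ", ".join(sorted(failures))
        elif s["initiated"]:
            out[conn] = "negotiation initiated, no failure recorded"
        else:
            out[conn] = "no initiation seen"
    return out


if __name__ == "__main__":
    for conn, verdict in diagnose(summarise(parse_events(SAMPLE_LOG))).items():
        print(f"{conn}: {verdict}")
```

Run it over a longer export of the Barracuda VPN log to see, per connection name, whether the failures are all at STATE_MAIN_I1 (silence from the peer) or further along (a proposal or ID disagreement after the peer has answered).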
7 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 2000 total points
ID: 41792818
basically, both sides should have the SAME or similar configuration for the VPN channel to be established. can you also provide the configuration of the other end?
0
 

Author Comment

by:Jonathan Jones
ID: 41792848
Thanks for the quick response!
Here is the data:

       Primary Local Link  50.0.0.0 /255.255.255.0
       Primary Remote Gateway  172.0.0.0/255.255.255.0
       Enable NAT-Traversal  No
       Remote NAT-T IP  NONE

       Masquerade IP Address/Range  NONE

       Local Network
        IP/Network Address  Netmask
        10.100.0.0  255.255.0.

       Remote Network
        IP/Network Address  Netmask
        192.168.1.0  255.255.255.0
       Enable VPN  Yes

Security Policies
       IPsec Keying Mode
        The mode used for encrypting data.
       Shared Secret
        ••••••••••••••
       IPsec Key Exchange Policy Phase 1
       Encryption  3DES
       Authentication  MD5
       DH Group  Group-2
       Lifetime  14400

IPsec Key Exchange Policy Phase 2

       Encryption  3DES
       Authentication  MD5
       Enable Perfect Forward Secrecy  YES
       DH Group  Group 2
       Lifetime  3600

EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1
0
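Lining the two configurations up by hand is error-prone, so the script below does it mechanically: it parses the strongSwan `conn` block from the EdgeMAX side, turns the Barracuda phase 1 / phase 2 GUI values into the same `enc-auth-dh` tuples, and reports anything that does not mirror. This is an added example, not code from the thread or from Ubiquiti or Barracuda; `STRONGSWAN_CONF` and `BARRACUDA` are hand-copied from the values posted above, `DH_GROUP_TO_MODP` holds the standard IKE group numbers, and the deprecated-algorithm list is my own.

```python
"""Compare an EdgeMAX (strongSwan) conn block against Barracuda phase 1/2
settings. Added example; the data constants are copied from the thread."""
import re

# EdgeMAX conn block as posted, trimmed to the lines that are compared.
STRONGSWAN_CONF = """\
conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
        type=tunnel
        authby=secret
"""

# Barracuda side as typed into the GUI (constructed from the posted values).
BARRACUDA = {
    "phase1": {"enc": "3DES", "auth": "MD5", "dh": "Group-2", "lifetime": 14400},
    "phase2": {"enc": "3DES", "auth": "MD5", "dh": "Group 2", "pfs": True, "lifetime": 3600},
    "local_net": "10.100.0.0/16",
    "remote_net": "192.168.1.0/24",
}

# Standard IKE DH group numbers and strongSwan's names for them.
DH_GROUP_TO_MODP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Still negotiable, but deprecated for new tunnels (example's own list).
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}


def parse_conn(text):
    """key=value lines of one conn block -> dict (the 'conn' header is skipped)."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn"):
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    return kv


def split_proposal(p):
    """'3des-md5-modp1024!' -> ('3des', 'md5', 'modp1024'); the '!' only marks strict mode."""
    parts = p.rstrip("!").split("-")
    dh = parts[2] if len(parts) > 2 else None
    return parts[0], parts[1], dh


def phase_to_tuple(phase, use_dh=True):
    """Barracuda GUI values -> strongSwan-style tuple; DH only applies if PFS is on."""
    enc = phase["enc"].lower().replace("-", "")
    auth = phase["auth"].lower().replace("-", "")
    dh = None
    if use_dh:
        dh = DH_GROUP_TO_MODP[int(re.search(r"\d+", phase["dh"]).group())]
    return enc, auth, dh


def compare(conf_text, barracuda):
    kv = parse_conn(conf_text)
    mismatches, warnings = [], []

    ss_p1, b_p1 = split_proposal(kv["ike"]), phase_to_tuple(barracuda["phase1"])
    if ss_p1 != b_p1:
        mismatches.append(f"phase 1 proposal: edgemax {ss_p1} vs barracuda {b_p1}")
    ss_p2 = split_proposal(kv["esp"])
    b_p2 = phase_to_tuple(barracuda["phase2"], use_dh=barracuda["phase2"]["pfs"])
    if ss_p2 != b_p2:
        mismatches.append(f"phase 2 proposal: edgemax {ss_p2} vs barracuda {b_p2}")

    for key, phase in (("ikelifetime", "phase1"), ("keylife", "phase2")):
        secs = int(kv[key].rstrip("s"))
        if secs != barracuda[phase]["lifetime"]:
            mismatches.append(f"{phase} lifetime: edgemax {secs}s vs barracuda {barracuda[phase]['lifetime']}s")

    # Traffic selectors must be mirror images: my leftsubnet is the peer's remote network.
    if kv["leftsubnet"] != barracuda["remote_net"] or kv["rightsubnet"] != barracuda["local_net"]:
        mismatches.append("subnets are not mirror images of each other")

    # In strongSwan, left is this gateway and right is the peer; an initiator
    # needs the peer gateway's single address there, not a prefix.
    if "/" in kv["right"]:
        mismatches.append(f"right={kv['right']} is a prefix, not the peer gateway's single address")

    for alg in set(ss_p1) | set(ss_p2):
        if alg in WEAK:
            warnings.append(f"{alg} is deprecated; prefer aes256-sha256-modp2048 or stronger")
    return {"mismatches": mismatches, "warnings": sorted(warnings)}


if __name__ == "__main__":
    for kind, items in compare(STRONGSWAN_CONF, BARRACUDA).items():
        print(kind, *items, sep="\n  ")
```

With the posted values the proposals, lifetimes and subnets all agree, which is consistent with the log showing silence rather than a rejected proposal; the one structural finding is the `right=` line, plus the deprecation warnings for 3DES, MD5 and modp1024.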
 
LVL 37

Expert Comment

by:bbao
ID: 41792875
one thing was noticed in my quick review: NAT Traversal.

is any of the two VPN gateways behind another NAT firewall?

another thing is "left=%any" at EDGEMAX side, why is it set to "any" instead of a specific address of the remote peer?
0

 

Author Comment

by:Jonathan Jones
ID: 41792896
Bing,

Thanks! The only NAT is at the firewalls themselves, so no NAT is needed there. I changed the "left=%any" to "left=50.0.0.0/24" (the remote firewall IP) and changed the IP in the PEER settings on the EDGEMAX; I had those backwards, I believe:

Site-to-site peers
Peer
50.0.0.0/24

Remote  Peer
Description PRSDNJ
Local IP 50.0.0.0/24
Pre-shared secret
***************
Local subnet 10.100.0.0/16 (BARRACUDA) internal
Remote subnet 192.168.1.0/24 (EDGEMAX) internal


Below is from the Barracuda Side trying to initialize the VPN

2016-09-10 16:21:38
"EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28
"EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02
"EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52
"EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12
"EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02
"EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02
added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02
loading secrets from "/etc/ipsec.secrets"
0
 
LVL 37

Accepted Solution

by:bbao
bbao earned 2000 total points
ID: 41793598
it looks like the EDGEMAX side always retries due to no response from the peer. does the Barracuda side work well with other sites, if any? is the IP of the Barracuda side load balanced?
0
 

Author Comment

by:Jonathan Jones
ID: 41794093
Bing,

Yes, the Barracuda is working fine with IPsec against 2 Cisco VPN Small Business devices, no problems. As for the Barracuda, it's only using 1 link out, so no balancing going on; our ISP is Comcast Metro Ethernet, 500 Mb up/down.
0
 

Author Closing Comment

by:Jonathan Jones
ID: 41870789
Thanks!
0
