
Solved

Edgemax OS VPN, to Barracuda Link Balancer

Posted on 2016-09-10
239 Views
Last Modified: 2016-11-02
Hey!

I really need help on this one. I have an EdgeMax Lite with IPSEC going to a Barracuda 430 LB, again with IPSEC, and for the life of me I cannot get the two to connect. My last attempt is below:

Peer: ISP STATIC IP FOR REMOTE FIREWALL

Local IP ANY

Encrypt 3DES

Hash MD5

DH Group 1

Pre-Share Key  *******

LocalSub 192.168.1.0/24

RemoteSub 10.100.0.0/16

ESP-GROUP Lifetime is 3600 no compression, tunnel, PFS enabled 3des

IKE-GROUP Lifetime is 14400 ikev2-reauth no, key-exchange ikev1, mode none, DH-GROUP 2, 3des, md5

Below is what I am getting from the Barracuda Link Balancer:

2016-09-10 13:50:56 "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56 added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56 loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56 forgetting secrets
2016-09-10 13:50:52 "EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41 "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31 "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04 "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54 "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode

I have tried AES, SHA1, DES etc. etc. etc. and nothing seems to do the trick. I triple check each side to make sure they match (which they do), so I am at a loss on this?

Any help would be appreciated!
Question by:Jonathan Jones
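The Barracuda log above keeps ending in STATE_MAIN_I1, which is the Main Mode state before the peer's first reply has arrived. The script below is an added example (not from the question, and not Ubiquiti or Barracuda code) that parses those pluto-style lines, counts per connection how many Main Mode attempts died in MAIN_I1 versus a later state, and names what a defender would check first for each outcome. The sample log is the question's own lines rebuilt one per line; the verdict names and advice strings are my own construction.

```python
import re
from collections import OrderedDict

# Constructed sample: the Barracuda Link Balancer (pluto-style) IKE log lines
# quoted in the question, each timestamp joined onto its message line.
SAMPLE_LOG = """\
2016-09-10 13:43:54 "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:45:04 "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31 "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:49:41 "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:50:56 "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

# Verdict -> what to check first (my wording, based on the thread's diagnosis).
ADVICE = {
    "NO_PHASE1_RESPONSE": ("peer never answered our first IKE packet: verify the peer "
                           "address is a single reachable host, that UDP/500 (and UDP/4500 "
                           "with NAT-T) reaches it, and that the peer has a matching tunnel "
                           "enabled for this gateway"),
    "STALLED_AFTER_FIRST_EXCHANGE": ("peer replied to message 1 but a later Main Mode step "
                                     "timed out: compare proposals, IDs and pre-shared key"),
    "PHASE1_OK": "ISAKMP SA established; look at Phase 2 (Quick Mode) if traffic fails",
    "NO_PHASE1_ACTIVITY": "no Main Mode initiations seen for this connection",
}

def parse_ike_log(text):
    """Parse 'timestamp "conn" #sa: message' lines into chronological tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("conn"), int(m.group("sa")), m.group("msg")))
    return sorted(events)  # ISO timestamps sort lexically; the page listed newest first

def analyze_phase1(events):
    """Count per-connection Main Mode attempts and where they die, then name a verdict."""
    stats = OrderedDict()
    for ts, conn, sa, msg in events:
        s = stats.setdefault(conn, {"initiations": 0, "phase1_timeouts": 0,
                                    "other_timeouts": 0, "established": 0})
        m = RETRANS_RE.search(msg)
        if msg.startswith("initiating Main Mode"):
            s["initiations"] += 1
        elif m and m.group(1) == "STATE_MAIN_I1":
            s["phase1_timeouts"] += 1   # no usable reply to our first IKE message
        elif m:
            s["other_timeouts"] += 1    # stalled in a later Main Mode state
        elif "ISAKMP SA established" in msg:
            s["established"] += 1
    for s in stats.values():
        # A timeout in any state after MAIN_I1 proves the peer is reachable, so it
        # outranks MAIN_I1 timeouts when both are present.
        if s["established"]:
            s["verdict"] = "PHASE1_OK"
        elif s["other_timeouts"]:
            s["verdict"] = "STALLED_AFTER_FIRST_EXCHANGE"
        elif s["phase1_timeouts"]:
            s["verdict"] = "NO_PHASE1_RESPONSE"
        else:
            s["verdict"] = "NO_PHASE1_ACTIVITY"
        s["advice"] = ADVICE[s["verdict"]]
    return stats

if __name__ == "__main__":
    for conn, s in analyze_phase1(parse_ike_log(SAMPLE_LOG)).items():
        print(f"{conn}: {s['initiations']} attempts, "
              f"{s['phase1_timeouts']} MAIN_I1 timeouts -> {s['verdict']}")
        print("   " + s["advice"])
```

Run against the question's log it reports three Main Mode attempts for the EDGEMAX connection, two of which timed out in MAIN_I1 (the third was still in flight when the log was captured), so the verdict is that the peer never answered at all; a pre-shared key or ID mismatch would instead show up as a timeout in a later state.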
7 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 2000 total points
ID: 41792818
Basically, both sides should have the SAME or similar configuration for the VPN channel to be established. Can you also provide the configuration of the other end?

Author Comment

by:Jonathan Jones
ID: 41792848
Thanks for the quick response!
Here is the data:

Primary Local Link              50.0.0.0 /255.255.255.0
Primary Remote Gateway          172.0.0.0/255.255.255.0
Enable NAT-Traversal            No
Remote NAT-T IP                 NONE

Masquerade IP Address/Range     NONE

Local Network
    IP/Network Address      Netmask
    10.100.0.0              255.255.0.

Remote Network
    IP/Network Address      Netmask
    192.168.1.0             255.255.255.0
Enable VPN                      Yes

Security Policies
    IPsec Keying Mode
        The mode used for encrypting data.
    Shared Secret
        ••••••••••••••
    IPsec Key Exchange Policy Phase 1
        Encryption          3DES
        Authentication      MD5
        DH Group            Group-2
        Lifetime            14400

    IPsec Key Exchange Policy Phase 2
        Encryption          3DES
        Authentication      MD5
        Enable Perfect Forward Secrecy    YES
        DH Group            Group 2.
        Lifetime            3600

EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1
LVL 37

Expert Comment

by:bbao
ID: 41792875
One thing I noticed in my quick review: NAT Traversal.

Is either of the two VPN gateways behind another NAT firewall?

Another thing is "left=%any" on the EDGEMAX side; why is it set to "any" instead of a specific address of the remote peer?
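The review above compares the two ends by eye. The added script below (not code from the thread, Ubiquiti or Barracuda) does the same comparison mechanically for the EdgeMax strongSwan conn block and the Barracuda form values posted earlier: it normalises the ike=/esp= proposal strings to the Barracuda's Encryption/Authentication/DH Group/Lifetime fields, checks that each side's local subnet is the other side's remote, and flags the two addressing points raised in the thread (right= given as a /24 network rather than a host address, and left=%any). The MODP-name-to-DH-group table is the standard IKE mapping; the dictionary layout used for the Barracuda values is my assumption, and all addresses are the thread's placeholder values.

```python
import ipaddress
import re

# Constructed input: the EdgeMax strongSwan conn block as posted in the thread.
EDGEMAX_CONN = """\
conn peer-50.0.0.0-tunnel-1
        left=%any
        right=172.0.0.0/24
        leftsubnet=192.168.1.0/24
        rightsubnet=10.100.0.0/16
        ike=3des-md5-modp1024!
        keyexchange=ikev1
        ikelifetime=14400s
        esp=3des-md5-modp1024!
        keylife=3600s
"""

# Constructed input: the Barracuda form values from the thread, in an assumed layout.
BARRACUDA = {
    "local_network": "10.100.0.0/16",
    "remote_network": "192.168.1.0/24",
    "phase1": {"enc": "3DES", "auth": "MD5", "dh": "Group-2", "lifetime": 14400},
    "phase2": {"enc": "3DES", "auth": "MD5", "dh": "Group 2.", "lifetime": 3600, "pfs": True},
}

# strongSwan MODP names -> IKE DH group numbers (RFC 2409 / RFC 3526)
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

def parse_conn(text):
    """Turn a 'key=value' conn block into a dict (conn header and comments skipped)."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn ") and not line.startswith("#"):
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    return kv

def parse_proposal(spec):
    """'3des-md5-modp1024!' -> {'enc': '3des', 'auth': 'md5', 'dh': 2, 'strict': True}"""
    strict = spec.endswith("!")
    parts = spec.rstrip("!").split("-")
    dh = MODP_TO_GROUP.get(parts[2]) if len(parts) > 2 else None
    return {"enc": parts[0].lower(), "auth": parts[1].lower(), "dh": dh, "strict": strict}

def group_number(label):
    """'Group-2', 'Group 2.', 'DH Group 1' -> the integer group number."""
    m = re.search(r"(\d+)", str(label))
    return int(m.group(1)) if m else None

def compare_sides(edge, bar):
    """Return a list of (category, detail) findings; an empty list means both sides agree."""
    findings = []
    for phase, spec, life_key, b in (("Phase 1", edge["ike"], "ikelifetime", bar["phase1"]),
                                     ("Phase 2", edge["esp"], "keylife", bar["phase2"])):
        p = parse_proposal(spec)
        if p["enc"] != b["enc"].lower():
            findings.append(("proposal", f"{phase} encryption {p['enc']} vs {b['enc']}"))
        if p["auth"] != b["auth"].lower():
            findings.append(("proposal", f"{phase} hash {p['auth']} vs {b['auth']}"))
        # For Phase 2 the modp group in esp= is the PFS group; none expected if PFS is off.
        want_dh = group_number(b["dh"]) if b.get("pfs", True) else None
        if p["dh"] != want_dh:
            findings.append(("proposal", f"{phase} DH group {p['dh']} vs {want_dh}"))
        if int(edge[life_key].rstrip("s")) != int(b["lifetime"]):
            findings.append(("proposal", f"{phase} lifetime {edge[life_key]} vs {b['lifetime']}"))
    # Traffic selectors must mirror each other: my local subnet is the peer's remote.
    if edge["leftsubnet"] != bar["remote_network"]:
        findings.append(("subnet", f"leftsubnet {edge['leftsubnet']} != peer's remote {bar['remote_network']}"))
    if edge["rightsubnet"] != bar["local_network"]:
        findings.append(("subnet", f"rightsubnet {edge['rightsubnet']} != peer's local {bar['local_network']}"))
    # Peer addressing: right= must be one host address, not a network.
    try:
        if ipaddress.ip_network(edge["right"], strict=False).num_addresses > 1:
            findings.append(("peer", f"right={edge['right']} is a network; use the peer's single address"))
    except ValueError:
        findings.append(("peer", f"right={edge['right']} is not an IP literal; confirm it resolves to the peer"))
    if edge.get("left") == "%any":
        findings.append(("peer", "left=%any: local address unspecified (the point raised in this thread)"))
    return findings

if __name__ == "__main__":
    for cat, detail in compare_sides(parse_conn(EDGEMAX_CONN), BARRACUDA) or [("ok", "no differences")]:
        print(f"[{cat}] {detail}")
```

On the thread's configuration every proposal, lifetime and subnet line matches, so the only findings are the two "peer" items; that agrees with the log, where the peer never answers at all rather than rejecting a proposal.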

Author Comment

by:Jonathan Jones
ID: 41792896
Bing,

Thanks! The only NAT is at the firewalls themselves, so no NAT needed there. I changed "left=%any" to "left-50.0.0.0/24" (remote firewall IP) and changed the IP in the PEER settings on the EDGEMAX; I had those backwards, I believe:

Site-to-site peers
Peer
50.0.0.0/24

Remote  Peer
Description PRSDNJ
Local IP 50.0.0.0/24
Pre-shared secret
***************
Local subnet 10.100.0.0/16 (BARRACUDA) internal
Remote subnet 192.168.1.0/24 (EDGEMAX) internal


Below is from the Barracuda side trying to initialize the VPN:

2016-09-10 16:21:38 "EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28 "EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02 "EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52 "EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12 "EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02 "EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02 added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02 loading secrets from "/etc/ipsec.secrets"
LVL 37

Accepted Solution

by:
bbao earned 2000 total points
ID: 41793598
It looks like the EDGEMAX side always retries due to no response from the peer. Does the Barracuda side work well with other sites, if any? Is the IP of the Barracuda side load balanced?

Author Comment

by:Jonathan Jones
ID: 41794093
Bing,

Yes, the Barracuda is working fine with IPSEC against 2 Cisco VPN Small Business devices, no problems. As for the Barracuda, it's only using 1 link out, so no balancing going on. Our ISP is Comcast Metro Ethernet, 500mb up/down.

Author Closing Comment

by:Jonathan Jones
ID: 41870789
Thanks!
