Edgemax OS VPN, to Barracuda Link Balancer
Asked by Jonathan Jones
Hey!
I really need help on this one. I have an EdgeMax Lite with IPsec going to a Barracuda 430 LB, again with IPsec, and for the life of me I cannot get the two to connect. My latest attempt is below:
Peer: ISP STATIC IP FOR REMOTE FIREWALL
Local IP: any
Encrypt: 3DES
Hash: MD5
DH Group: 1
Pre-shared key: *******
Local subnet: 192.168.1.0/24
Remote subnet: 10.100.0.0/16
ESP group: lifetime 3600, no compression, tunnel mode, PFS enabled, 3DES
IKE group: lifetime 14400, ikev2-reauth no, key-exchange ikev1, mode none, DH group 2, 3DES, MD5
Below is what I am getting from the Barracuda Link Balancer:
2016-09-10 13:50:56 "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 13:50:56 added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56 loading secrets from "/etc/ipsec.secrets"
2016-09-10 13:50:56 forgetting secrets
2016-09-10 13:50:52 "EDGEMAX-10.100.0.0-192.168.1.0": deleting connection
2016-09-10 13:49:41 "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31 "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:45:04 "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received and ignored informational message
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:43:54 "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode
I have tried AES, SHA1, DES, etc., and nothing seems to do the trick. I triple-checked each side to make sure they match (which they do), so I am at a loss on this.
Any help would be appreciated!
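The Barracuda log above is standard pluto (openswan/libreswan) output, and the state named in the retransmission message tells you which Main Mode exchange went unanswered. The script below is an added example, not code from the thread or from either vendor: it parses lines in that format, groups them by connection and ISAKMP SA number, and reports where each attempt stalled. The sample lines are the thread's own with the wrapped connection names rejoined, plus two constructed FAKE-I3 lines; the per-state readings in STATE_HINTS are the usual interpretation of the IKEv1 initiator states and are not stated anywhere in the thread.

```python
import re
from collections import Counter

# Sample input, constructed for this example: the EDGEMAX and EAGLESWOOD lines are the
# Barracuda (pluto) messages quoted in the question with the wrapped connection names
# rejoined; the FAKE-I3 lines are invented to show a failure at a later Main Mode stage.
SAMPLE_LOG = """\
2016-09-10 13:43:54 "EDGEMAX-10.100.0.0-192.168.1.0" #272: initiating Main Mode
2016-09-10 13:44:43 "EAGLESWOOD-VPN-10.100.0.0-192.168.47.0" #155: received Delete SA(0x19cb863d) payload: deleting IPSEC State #255
2016-09-10 13:45:04 "EDGEMAX-10.100.0.0-192.168.1.0" #272: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:48:31 "EDGEMAX-10.100.0.0-192.168.1.0" #273: initiating Main Mode
2016-09-10 13:49:41 "EDGEMAX-10.100.0.0-192.168.1.0" #273: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 13:50:56 added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 13:50:56 "EDGEMAX-10.100.0.0-192.168.1.0" #274: initiating Main Mode
2016-09-10 14:00:00 "FAKE-I3-10.100.0.0-192.168.9.0" #300: initiating Main Mode
2016-09-10 14:01:10 "FAKE-I3-10.100.0.0-192.168.9.0" #300: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# One pluto line: timestamp, quoted connection name, optional "#<sa>" state number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')

# What "no response" in each initiator state usually means. These are the conventional
# readings of the IKEv1 Main Mode state machine, not something the thread itself states.
STATE_HINTS = {
    "STATE_MAIN_I1": "MSG1 (SA proposal) got no reply at all: wrong peer address, UDP/500 "
                     "not reaching the peer, or the peer has no conn matching our source address",
    "STATE_MAIN_I2": "MSG3 (KE/nonce) got no reply: DH group rejected or large packets dropped",
    "STATE_MAIN_I3": "MSG5 (ID/auth) got no reply: usually PSK or peer ID mismatch",
}


def triage(log_text):
    """Group pluto lines by (connection, ISAKMP SA number) and record where each attempt stalled."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sa"] is None:
            continue  # "added connection", "loading secrets" etc. carry no SA number
        key = (m["conn"], int(m["sa"]))
        entry = report.setdefault(key, {"initiated": False, "failed_state": None,
                                        "retransmits": None, "hint": None})
        msg = m["msg"]
        if msg.startswith("initiating Main Mode"):
            entry["initiated"] = True
        r = RETRANS_RE.search(msg)
        if r:
            entry["retransmits"] = int(r.group(1))
            entry["failed_state"] = r.group(2)
            entry["hint"] = STATE_HINTS.get(r.group(2), "unmapped state; read the full message")
    return report


def stalled_at(report, state):
    """Count, per connection, how many attempts died in the given initiator state."""
    return Counter(conn for (conn, _), e in report.items() if e["failed_state"] == state)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for (conn, sa), e in sorted(rep.items()):
        print(f"{conn} #{sa}: initiated={e['initiated']} failed_state={e['failed_state']}")
        if e["hint"]:
            print("   ->", e["hint"])
    print(dict(stalled_at(rep, "STATE_MAIN_I1")))
```

Every EDGEMAX attempt in the thread dies in STATE_MAIN_I1, which is the one state where cipher, hash and DH settings have not even been compared yet: the Barracuda's first packet simply got no answer. That is why changing proposals on both sides made no difference, and why the peer address, UDP/500 reachability and whether the EdgeMax has a conn that accepts this initiator are the things to verify first.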
SOLUTION
One thing was noticed in my quick review: NAT Traversal.
Is either of the two VPN gateways behind another NAT firewall?
Another thing is "left=%any" on the EDGEMAX side: why is it set to "any" instead of a specific address of the remote peer?
ASKER
Bing,
Thanks! The only NAT is at the firewalls themselves, so no NAT is needed there. I changed "left=%any" to "left-50.0.0.0/24" (the remote firewall IP) and changed the IP in the peer settings on the EDGEMAX; I believe I had those backwards:
Site-to-site peers
Peer: 50.0.0.0/24
Remote Peer
Description: PRSDNJ
Local IP: 50.0.0.0/24
Pre-shared secret: ***************
Local subnet: 10.100.0.0/16 (BARRACUDA internal)
Remote subnet: 192.168.1.0/24 (EDGEMAX internal)
Below is from the Barracuda side trying to initialize the VPN:
2016-09-10 16:21:38 "EDGEMAX-10.100.0.0-192.168.1.0" #319: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:20:28 "EDGEMAX-10.100.0.0-192.168.1.0" #319: initiating Main Mode
2016-09-10 16:17:02 "EDGEMAX-10.100.0.0-192.168.1.0" #318: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:15:52 "EDGEMAX-10.100.0.0-192.168.1.0" #318: initiating Main Mode
2016-09-10 16:14:12 "EDGEMAX-10.100.0.0-192.168.1.0" #317: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2016-09-10 16:13:02 "EDGEMAX-10.100.0.0-192.168.1.0" #317: initiating Main Mode
2016-09-10 16:13:02 added connection description "EDGEMAX-10.100.0.0-192.168.1.0"
2016-09-10 16:13:02 loading secrets from "/etc/ipsec.secrets"
ASKER CERTIFIED SOLUTION
ASKER
Bing,
Yes, the Barracuda is working fine with IPsec against two Cisco small-business VPN devices, no problems. As for the Barracuda, it's only using one link out, so no balancing is going on. Our ISP is Comcast Metro Ethernet, 500 Mb up/down.
ASKER
Thanks!
ASKER
Here is the data:

BARRACUDA SIDE:

Primary Local Link: 50.0.0.0 / 255.255.255.0
Primary Remote Gateway: 172.0.0.0 / 255.255.255.0
Enable NAT-Traversal: No
Remote NAT-T IP: None
Masquerade IP Address/Range: None
Local Network (IP/Network Address, Netmask): 10.100.0.0, 255.255.0.
Remote Network (IP/Network Address, Netmask): 192.168.1.0, 255.255.255.0
Enable VPN: Yes

Security Policies
IPsec Keying Mode (the mode used for encrypting data): Shared Secret
Shared Secret: ••••••••••••••

IPsec Key Exchange Policy, Phase 1
Encryption: 3DES
Authentication: MD5
DH Group: Group-2
Lifetime: 14400

IPsec Key Exchange Policy, Phase 2
Encryption: 3DES
Authentication: MD5
Enable Perfect Forward Secrecy: Yes
DH Group: Group 2
Lifetime: 3600
EDGEMAX SIDE:

# generated by /opt/vyatta/sbin/vpn-confi
config setup

conn %default
    keyexchange=ikev1

conn peer-50.0.0.0-tunnel-1
    left=%any
    right=172.0.0.0/24
    leftsubnet=192.168.1.0/24
    rightsubnet=10.100.0.0/16
    ike=3des-md5-modp1024!
    keyexchange=ikev1
    ikelifetime=14400s
    esp=3des-md5-modp1024!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    auto=route
    keyingtries=%forever
#conn peer-50.0.0.0-tunnel-1
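With both sides' settings posted, the mismatches can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, Ubiquiti or Barracuda: it parses the EdgeMax conn block, maps the Barracuda's Group-N labels to strongSwan modp names, and compares phase 1, phase 2, traffic selectors and peer addresses. It assumes the Barracuda local netmask is 255.255.0.0 (the page shows it cut off), trims the conn block to the keys it checks, and uses the asker's sanitised 50.0.0.0 / 172.0.0.0 addresses exactly as posted, which is why the peer-address checks fire on them; the edgemax_behind_nat flag and the BARRACUDA dict keys are this example's own names.

```python
import ipaddress
import re

# EdgeMax conn block as posted above, trimmed to the keys this check reads. The peer
# addresses are the asker's sanitised values, which is what the peer checks below flag.
EDGEMAX_CONN = """\
conn peer-50.0.0.0-tunnel-1
  left=%any
  right=172.0.0.0/24
  leftsubnet=192.168.1.0/24
  rightsubnet=10.100.0.0/16
  ike=3des-md5-modp1024!
  keyexchange=ikev1
  ikelifetime=14400s
  esp=3des-md5-modp1024!
  keylife=3600s
  type=tunnel
  authby=secret
  auto=route
"""

# Barracuda settings as posted, transcribed into a dict. The local netmask is assumed to be
# 255.255.0.0 (the page shows it cut off); everything else is the thread's own data.
BARRACUDA = {
    "local_link": "50.0.0.0",
    "remote_gateway": "172.0.0.0",
    "nat_traversal": False,
    "local_network": "10.100.0.0/255.255.0.0",
    "remote_network": "192.168.1.0/255.255.255.0",
    "p1": {"enc": "3DES", "auth": "MD5", "dh": "Group-2", "lifetime": 14400},
    "p2": {"enc": "3DES", "auth": "MD5", "pfs": True, "dh": "Group 2", "lifetime": 3600},
}

# Barracuda "Group-N" labels to strongSwan modp names for the groups IKEv1 commonly offers.
DH_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def parse_conn(text):
    """ipsec.conf 'conn' block -> (name, {key: value})."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        k, _, v = line.partition("=")
        settings[k.strip()] = v.strip()
    return name, settings


def parse_proposal(prop):
    """'3des-md5-modp1024!' -> ('3des', 'md5', 'modp1024'); missing parts become None."""
    parts = prop.rstrip("!").split("-")
    return tuple(parts[i] if i < len(parts) else None for i in range(3))


def barracuda_dh(label):
    num = re.search(r"\d+", label).group(0)
    return DH_NAMES.get(num, "group" + num)


def seconds(v):
    return int(v[:-1]) if v.endswith("s") else int(v)


def host_or_none(v):
    """Single host address as a string, or None for %any/%defaultroute and for networks."""
    if v.startswith("%"):
        return None
    try:
        net = ipaddress.ip_network(v, strict=False)
    except ValueError:
        return None
    return str(net.network_address) if net.num_addresses == 1 else None


def cross_check(edgemax_text, bc, edgemax_behind_nat=False):
    """Return a list of mismatches between the EdgeMax conn and the Barracuda VPN settings."""
    _, s = parse_conn(edgemax_text)
    f = []
    p1, p2 = bc["p1"], bc["p2"]
    if parse_proposal(s["ike"]) != (p1["enc"].lower(), p1["auth"].lower(), barracuda_dh(p1["dh"])):
        f.append(f"phase 1 proposal mismatch: ike={s['ike']} vs {p1}")
    if seconds(s["ikelifetime"]) != p1["lifetime"]:
        f.append("phase 1 lifetime mismatch")
    want_pfs = barracuda_dh(p2["dh"]) if p2["pfs"] else None
    if parse_proposal(s["esp"]) != (p2["enc"].lower(), p2["auth"].lower(), want_pfs):
        f.append(f"phase 2 proposal/PFS mismatch: esp={s['esp']} vs {p2}")
    if seconds(s["keylife"]) != p2["lifetime"]:
        f.append("phase 2 lifetime mismatch")
    # Traffic selectors must mirror each other exactly or quick mode fails.
    if ipaddress.ip_network(s["leftsubnet"]) != ipaddress.ip_network(bc["remote_network"]):
        f.append("leftsubnet != Barracuda remote network")
    if ipaddress.ip_network(s["rightsubnet"]) != ipaddress.ip_network(bc["local_network"]):
        f.append("rightsubnet != Barracuda local network")
    # IKE peers are hosts: right= must be the Barracuda's link address, left= our own.
    right = host_or_none(s["right"])
    if right is None:
        f.append(f"right={s['right']} is not a single host address")
    elif right != bc["local_link"]:
        f.append(f"right={right} != Barracuda local link {bc['local_link']}")
    left = host_or_none(s["left"])
    if left is None:
        f.append(f"left={s['left']} leaves the local IKE address unpinned; Barracuda expects {bc['remote_gateway']}")
    elif left != bc["remote_gateway"]:
        f.append(f"left={left} != Barracuda remote gateway {bc['remote_gateway']}")
    if edgemax_behind_nat and not bc["nat_traversal"]:
        f.append("EdgeMax is behind NAT but the Barracuda has NAT-Traversal disabled")
    return f


if __name__ == "__main__":
    for line in cross_check(EDGEMAX_CONN, BARRACUDA):
        print("-", line)
```

Run as-is it reports two findings, both on the peer addresses: right= is a /24 rather than a host, and left=%any cannot be checked against the Barracuda's remote gateway. Cipher, hash, DH group, PFS and lifetimes agree on both phases and the subnets mirror correctly, so those are the only things the configs themselves can explain. If the real, unsanitised addresses also pass, the remaining suspects are outside the configs: UDP/500 reachability between the two public addresses and, as the reply above asked, any NAT sitting between them.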