#1
September 30th, 2010, 01:21 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8
IPsec VPN issues

I have two issues with two ipsec VPN's.

The first VPN (UTM <--> Billion Biguard S20) connects successfully and I can connect to devices from either end and traffic passes ok, however, in the log file I see the message "Attempt of Establishing IKE-SA: failed: xxx.xxx.xxx.xxx_". xxx being the WAN ip address of the Biguard S20. Is this an error given the fact that the connection is up and running?

The second VPN (UTM10 <--> Checkpoint) is shown as established in the monitoring page of the UTM however, the log file shows "phase 2 negotiation failed due to time up waiting for phase1" - I cannot ping devices at either end. No bytes pass between the sites.

ipsec VPN 1

UTM Local Network 192.168.205.0/24

Biguard BillionS20 Local Network 192.168.1.1.0/24

ipsec VPN 2

UTM Local Network 192.168.205.0/24

Check Point Local Network 192.168.1.2.0/24

I have attached the config screens for VPN 2.

Any suggestions?

Regards

Bria
Attached image: VPN_config.jpg (97.2 KB)
#2
September 30th, 2010, 02:07 PM
adit
Moderator
Join Date: Jan 2009
Location: USA
Posts: 3,020

It is possible to see that first error when the tunnel is being established. It should not continually repeat.

Without copies of logs from both routers, and screenshots from both, it's impossible to guess what the problem is.
#3
September 30th, 2010, 02:49 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8

Log extract:

2010 Sep 30 20:46:38 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.2.0/24
2010 Sep 30 20:46:38 [UTM] [IKE] Configuration found for 79.141.32.164.
2010 Sep 30 20:46:38 [UTM] [IKE] Initiating new phase 1 negotiation: 79.99.65.222[500]<=>79.141.32.164[500]
2010 Sep 30 20:46:38 [UTM] [IKE] Beginning Identity Protection mode.
2010 Sep 30 20:46:38 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
- Last output repeated 6 times -
2010 Sep 30 20:47:09 [UTM] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 79.141.32.164->79.99.65.222
2010 Sep 30 20:47:13 [UTM] [IKE] Phase 2 negotiation failed due to time up. 81d2efba402017a6:8baccdfa812ef2ba:df1856a4
2010 Sep 30 20:47:13 [UTM] [IKE] an undead schedule has been deleted: 'quick_i1prep'.
2010 Sep 30 20:47:13 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
- Last output repeated twice -
2010 Sep 30 20:47:22 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.2.0/24
2010 Sep 30 20:47:22 [UTM] [IKE] Configuration found for 79.141.32.164.
2010 Sep 30 20:47:23 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
- Last output repeated 2 times -
2010 Sep 30 20:47:38 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.1.0/24
2010 Sep 30 20:47:38 [UTM] [IKE] remote configuration for identifier "portal.enact-e.com" found
2010 Sep 30 20:47:38 [UTM] [IKE] Initiating new phase 2 negotiation: 79.99.65.222[0]<=>217.155.95.134[0]
2010 Sep 30 20:47:38 [UTM] [IKE] Phase 1 negotiation failed due to time up for 79.141.32.164[500]. 7ce82690de5d059b:490b1d3d96d8456e
2010 Sep 30 20:47:38 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
- Last output repeated 3 times -
2010 Sep 30 20:47:53 [UTM] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 79.141.32.164->79.99.65.222
2010 Sep 30 20:47:58 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
2010 Sep 30 20:48:00 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.2.0/24
2010 Sep 30 20:48:00 [UTM] [IKE] Configuration found for 79.141.32.164.
2010 Sep 30 20:48:00 [UTM] [IKE] Initiating new phase 1 negotiation: 79.99.65.222[500]<=>79.141.32.164[500]
2010 Sep 30 20:48:00 [UTM] [IKE] Beginning Identity Protection mode.
2010 Sep 30 20:48:03 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
- Last output repeated 5 times -
2010 Sep 30 20:48:31 [UTM] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 79.141.32.164->79.99.65.222
2010 Sep 30 20:48:33 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
2010 Sep 30 20:48:38 [UTM] [IKE] Phase 2 negotiation failed due to time up. 81d2efba402017a6:8baccdfa812ef2ba:f2058053
2010 Sep 30 20:48:38 [UTM] [IKE] an undead schedule has been deleted: 'quick_i1prep'.
2010 Sep 30 20:48:38 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
2010 Sep 30 20:48:41 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.2.0/24
2010 Sep 30 20:48:41 [UTM] [IKE] Configuration found for 79.141.32.164.
2010 Sep 30 20:48:43 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134
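The extract above mixes two different failure signatures: phase 1 towards 79.141.32.164 times out, while "Attempt of Establishing IKE-SA: failed" keeps repeating for 217.155.95.134. The following is an added example, not code from the thread, Netgear or ipsec-tools: it parses these racoon-style UTM log lines (expanding the "- Last output repeated N times -" lines and stripping the "_" the export appends), tallies IKE events per peer and produces a short triage note per peer. The sample log is constructed from lines quoted in the post; the event names and the noise threshold in triage() are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the log extract in the post above,
# including the "_" suffix the UTM log export appends to each line.
SAMPLE_LOG = """\
2010 Sep 30 20:46:38 [UTM] [IKE] Using IPsec SA configuration: 192.168.205.0/24<->192.168.2.0/24_
2010 Sep 30 20:46:38 [UTM] [IKE] Configuration found for 79.141.32.164._
2010 Sep 30 20:46:38 [UTM] [IKE] Initiating new phase 1 negotiation: 79.99.65.222[500]<=>79.141.32.164[500]_
2010 Sep 30 20:46:38 [UTM] [IKE] Beginning Identity Protection mode._
2010 Sep 30 20:46:38 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134_
- Last output repeated 6 times -
2010 Sep 30 20:47:09 [UTM] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 79.141.32.164->79.99.65.222 _
2010 Sep 30 20:47:13 [UTM] [IKE] Phase 2 negotiation failed due to time up. 81d2efba402017a6:8baccdfa812ef2ba:df1856a4_
2010 Sep 30 20:47:13 [UTM] [IKE] Attempt of Establishing IKE-SA: failed: 217.155.95.134_
- Last output repeated twice -
2010 Sep 30 20:47:38 [UTM] [IKE] Initiating new phase 2 negotiation: 79.99.65.222[0]<=>217.155.95.134[0]_
2010 Sep 30 20:47:38 [UTM] [IKE] Phase 1 negotiation failed due to time up for 79.141.32.164[500]. 7ce82690de5d059b:490b1d3d96d8456e_
"""

# Event names are this example's own labels for the racoon messages they match.
PATTERNS = [
    ("phase1_initiated",
     re.compile(r"Initiating new phase 1 negotiation: \S+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")),
    ("phase2_initiated",
     re.compile(r"Initiating new phase 2 negotiation: \S+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")),
    ("ike_sa_failed",
     re.compile(r"Attempt of Establishing IKE-SA: failed: (?P<peer>[\d.]+)")),
    ("phase1_timeout",
     re.compile(r"Phase 1 negotiation failed due to time up for (?P<peer>[\d.]+)\[\d+\]")),
    ("phase2_waiting_phase1",
     re.compile(r"Phase 2 negotiation failed due to time up waiting for phase1\. ESP (?P<peer>[\d.]+)->")),
    ("phase2_timeout",                      # keyed by ISAKMP cookies only, no peer address
     re.compile(r"Phase 2 negotiation failed due to time up\. ")),
]
REPEAT = re.compile(r"^- Last output repeated (?P<n>\d+|once|twice)(?: times?)? -$")


def parse_ike_log(text):
    """Return {peer: {event: count}} for the IKE events found in the log text."""
    counts = defaultdict(Counter)
    last = None                             # (peer, event) of the previous counted line
    for raw in text.splitlines():
        line = raw.strip().rstrip("_").rstrip()
        m = REPEAT.match(line)
        if m:
            n = {"once": 1, "twice": 2}.get(m["n"]) or int(m["n"])
            if last:
                counts[last[0]][last[1]] += n
            continue
        last = None
        for event, pat in PATTERNS:
            m = pat.search(line)
            if m:
                peer = m.groupdict().get("peer") or "(unknown peer)"
                counts[peer][event] += 1
                last = (peer, event)
                break
    return {peer: dict(c) for peer, c in counts.items()}


def triage(counts, noisy_threshold=3):
    """Turn per-peer tallies into findings. The threshold is this example's own."""
    findings = {}
    for peer, c in counts.items():
        notes = []
        if c.get("phase1_timeout"):
            notes.append("phase 1 retransmissions exhausted with no usable reply: check "
                         "UDP/500 reachability and that mode, encryption, hash, DH group, "
                         "PSK and peer IDs match on both ends")
        if c.get("phase2_waiting_phase1"):
            notes.append("phase 2 never started because phase 1 did not complete; "
                         "fix phase 1 first")
        if c.get("ike_sa_failed", 0) > noisy_threshold:
            notes.append(f"'IKE-SA failed' seen {c['ike_sa_failed']} times: tolerable "
                         "once while a tunnel comes up, not continuously")
        if notes:
            findings[peer] = notes
    return findings


if __name__ == "__main__":
    tallies = parse_ike_log(SAMPLE_LOG)
    for peer, notes in triage(tallies).items():
        print(peer, tallies[peer])
        for note in notes:
            print("  -", note)
```

Run against the sample, the 79.141.32.164 peer comes out with one phase 1 initiation, one phase 1 timeout and one "waiting for phase1" phase 2 failure, which is the second VPN's real problem; 217.155.95.134 shows only the repeating IKE-SA message plus a phase 2 initiation. Feed the full log export in place of SAMPLE_LOG to see whether the counts keep climbing over time.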
#4
September 30th, 2010, 03:51 PM
adit
Moderator
Join Date: Jan 2009
Location: USA
Posts: 3,020

Make sure both PFS DH settings are Group 2.

Use Main Mode/Both Directions.
#5
September 30th, 2010, 05:30 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8

For VPN 1 these settings (Main and PFS DH 2) are set on both devices (UTM & Biguard S20)

For VPN 2 the mode is MAIN and PFS is NOT enabled.
#6
September 30th, 2010, 05:41 PM
adit
Moderator
Join Date: Jan 2009
Location: USA
Posts: 3,020

Enable it on VPN2, both ends. You should use AES-256 instead of 3DES.
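The advice in the last two replies (PFS DH group identical on both ends, main mode, AES-256 rather than 3DES) rests on one rule: an IKEv1 responder only accepts a proposal that matches one of its own attribute for attribute, so a single setting present on one side only, such as PFS, sinks the phase that setting belongs to. The following is an added example, not code from the thread, Netgear or Check Point: it models both phases' proposals, runs the responder's first-match selection, reports which attribute blocked agreement and audits the agreed settings. The values describe VPN 2 as the thread reports it; which side had PFS off and the hash/integrity algorithms (sha1) are assumptions. The audit also flags DH group 2, which is 1024-bit MODP: adequate for this 2010 thread, but a reader applying it today should go to group 14 or stronger.

```python
from dataclasses import dataclass, fields
from typing import Optional


@dataclass(frozen=True)
class IkeProposal:             # phase 1 / ISAKMP SA
    mode: str                  # "main" or "aggressive"
    encryption: str
    hash_alg: str
    dh_group: int


@dataclass(frozen=True)
class IpsecProposal:           # phase 2 / IPsec SA (ESP)
    encryption: str
    integrity: str
    pfs_group: Optional[int]   # None means PFS disabled


def negotiate(initiator, responder):
    """IKEv1-style selection: the responder accepts the first initiator proposal
    identical to one of its own. Returns (chosen, mismatches); when nothing is
    chosen, mismatches lists the differing attributes for each pair tried as
    {attribute: (initiator_value, responder_value)}."""
    mismatches = []
    for i in initiator:
        for r in responder:
            diff = {f.name: (getattr(i, f.name), getattr(r, f.name))
                    for f in fields(i) if getattr(i, f.name) != getattr(r, f.name)}
            if not diff:
                return i, []
            mismatches.append(diff)
    return None, mismatches


def audit(proposal):
    """Settings a reviewer would push back on. Thresholds are this example's own."""
    p = {f.name: getattr(proposal, f.name) for f in fields(proposal)}
    notes = []
    if p.get("mode") == "aggressive":
        notes.append("aggressive mode sends the PSK-derived hash unencrypted; use main mode")
    if p["encryption"].lower() in ("des", "3des"):
        notes.append("64-bit block cipher; prefer aes256")
    if p.get("hash_alg", p.get("integrity")).lower() == "md5":
        notes.append("md5; prefer sha256 or stronger")
    if "pfs_group" in p and p["pfs_group"] is None:
        notes.append("PFS disabled: compromise of the IKE SA exposes past ESP keys")
    group = p.get("dh_group", p.get("pfs_group"))
    if group in (1, 2):
        notes.append(f"DH group {group} is 768/1024-bit MODP; prefer group 14 or stronger")
    return notes


# Constructed from the thread's description of VPN 2: main mode, 3DES, DH group 2,
# PFS enabled on the UTM but not on the Check Point side (which side is an
# assumption), then both ends corrected to AES-256 with PFS group 2 as advised.
UTM_P1 = [IkeProposal("main", "3des", "sha1", 2)]
CP_P1 = [IkeProposal("main", "3des", "sha1", 2)]
UTM_P2 = [IpsecProposal("3des", "sha1", 2)]
CP_P2 = [IpsecProposal("3des", "sha1", None)]
UTM_P2_FIXED = [IpsecProposal("aes256", "sha1", 2)]
CP_P2_FIXED = [IpsecProposal("aes256", "sha1", 2)]


def report(label, initiator, responder):
    chosen, diffs = negotiate(initiator, responder)
    if chosen is None:
        return f"{label}: no agreement, mismatched attributes {diffs}"
    return f"{label}: agreed on {chosen}; audit: {audit(chosen) or 'ok'}"


if __name__ == "__main__":
    print(report("phase 1", UTM_P1, CP_P1))
    print(report("phase 2 (as found)", UTM_P2, CP_P2))
    print(report("phase 2 (corrected)", UTM_P2_FIXED, CP_P2_FIXED))
```

The "as found" phase 2 run ends with no agreement and a single mismatched attribute, pfs_group (2 versus None); after the fix both phases agree and the audit is left only with the DH group 2 note. Reading a mismatch report this way is quicker than comparing two vendors' screenshots field by field.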
#7
September 30th, 2010, 05:53 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8

OK will do. I will have to wait for my colleague to get into the office before I can get the changes implemented. I will get screen captures of the Checkpoint config to you. Also, just for my own knowledge, why AES 256 rather than 3DES?

Thanks for your help

Brian
#8
September 30th, 2010, 05:57 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8

Also, do you want AES256 applied to both the IKE and VPN policies?
#9
September 30th, 2010, 06:19 PM
brianm
Junior Member
Join Date: Jul 2010
Posts: 8

I've applied the changes to both policies for VPN1 and all seems ok. Thanks!

I've done the reading and can see that AES256 is more secure than 3DES.

I'll get back to you once the Checkpoint guy is in the office.

Brian
#10
September 30th, 2010, 06:19 PM
adit
Moderator
Join Date: Jan 2009
Location: USA
Posts: 3,020

AES-256 has higher throughput in the tests we've run on other Netgear routers, plus it is more secure. Tunnel setup is quicker as well.

This is old but still applicable. There are DES accelerator chips in good VPN routers (such as the FVX538) today, but AES is still faster/better. http://www.networkworld.com/research...0730feat2.html