1 Reply Latest reply on Apr 13, 2018 3:58 AM by mick

    IPSEC Site to Site with a Ubiquiti XSFP

    jeremy50 New Member

      I am trying to get a VPN to work between a Netvanta 1335 and a Ubiquiti XSFP. I have everything set, but it will not come up. Phase 1 and Phase 2 match, but I get the following in the debug -

       

       

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION peer 24.159.225.222: Received first message of main mode

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION <POLICY: 100> PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     DOI: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     Situation: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Proposal No.: 0

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         Transform Number: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 5 (5)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:   (28800)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 8

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     09 00 26 89 DF D6 B7 12  ..&.....

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     4A 13 1C 81 07 03 58 45  J.....XE

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     5C 57 28 F2 0E 95 45 2F  W(...E/

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION Xauth is not Enabled 

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION IKEInVendorIDProcess :: Received Vendor ID not registered with IKE 

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION IkeInVIDProcess :: IKEInVendorIDProcess failed 

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION 100: Sent out second message of main mode

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION <POLICY: 100> PAYLOADS: SA,PROP,TRANS,VID,VID

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   SA PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     DOI: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     Situation: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     PROPOSAL PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Proposal No.: 0

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       IANA No. for protocol: ISAKMP (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Size of the variable SPI field: 0

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       Number of transforms offered: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       TRANSFORM PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         Transform Number: 1

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         IANA Transform ID: IKE Key (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION         TRANSFORM ATTRIBUTES

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Encryption Algorithm (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  3DES (5)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Algorithm (2)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  MD5 (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Group Description (4)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  DH Group 5 (5)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Authentication Method (3)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  Pre-shared Key (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Type (11)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:  Seconds (1)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION           SA Attrib: Life Time (12)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Length: 2

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION             Value:   (28800)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     90 CB 80 91 3E BB 69 6E  ....>.in

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     08 63 81 B5 EC 42 7B 1F  .c...B{.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VID PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   Vendor ID Length: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   VENDOR ID HASH IN HEX:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     AF CA D7 13 68 A1 F1 C9  ....h...

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     6B 86 96 FC 77 57 01 00  k...wW..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION peer 24.159.225.222: Received third message of main mode

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION <POLICY: 100> PAYLOADS: KE,NONCE,NATD,NATD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   KE PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NONCE PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       B0 5F 55 48 48 3B 6C 0F  ._UHH;l.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       70 F1 1C DD DE 1D 98 A9  p.......

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       11 40 2C A2 00 F6 9A 66  .@,....f

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       1B 95 E0 38 E8 0C AE 7A  ...8...z

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION Intoto_DH_mod_exp :: Entry 

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION Found 1 primary IP addrs w/ crypto map or profile for NAT-T

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION Found 9 other IP addrs for NAT-T

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION <POLICY: 100> PAYLOADS: KE,NONCE,NATD,NATD,NATD,NATD,NATD,NATD,NATD,NATD,NATD,NATD,NATD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   KE PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NONCE PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       11 40 2C A2 00 F6 9A 66  .@,....f

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       1B 95 E0 38 E8 0C AE 7A  ...8...z

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       B0 5F 55 48 48 3B 6C 0F  ._UHH;l.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       70 F1 1C DD DE 1D 98 A9  p.......

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       F2 2D 41 31 73 AC F6 F1  .-A1s...

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       A5 8B AF FA 15 E3 07 28  .......(

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       4B 2F 92 91 60 6D B9 22  K/..`m.'

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       DF 9F 85 AC CF AE 11 1C  ........

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       F7 1C 76 6B E6 62 F7 BF  ..vk.b..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       11 C0 FD C7 6A 6A E4 1B  ....jj..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       EC 29 07 CC B2 13 70 13  .)....p.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       71 4A 36 85 0B B3 C3 8D  qJ6.....

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       F8 1F 72 F2 C7 22 D8 E9  ..r..'..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       01 E5 17 B1 AF 1F 41 84  ......A.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       D4 21 83 13 AC 0F FC 4A  .!.....J

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       B5 E5 83 69 22 87 6E 0A  ...i'.n.

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       42 9A DA 83 9F 7C 07 DB  B....|..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       AB 35 F3 0B BB 46 AD DB  .5...F..

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       88 52 8D FA 96 FA 85 BD  .R......

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       F4 C0 88 E7 00 C2 B5 C7  ........

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION   NATD PAYLOAD

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Len: 16

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION     HASH Data:

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       EC 3E B5 6B 2F 0C 0E D2  .>.k/...

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION       19 75 08 B1 39 5C 1F 47  .u..9.G

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION 100: Sent fourth message of main mode

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION peer 24.159.225.222: Received informational exchange message

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION IkeInNotifyProcess: NOTIFY TYPE: PAYLOAD MALFORMED (16)

      2018.04.10 09:10:03 CRYPTO_IKE.NEGOTIATION IkeDeleteIsakmpSA :: Deleting any DPDRequests queued in isakmpsa 

       

       

      What is it complaining about? Thanks!

        • Re: IPSEC Site to Site with a Ubiquiti XSFP
          mick Visitor

          Hi jeremy50,

           

          The remote peer should respond with the fifth message containing its authentication details. Here it fails to do so, complaining that the data sent to it is not acceptable. I would take a look at the IP subnets you have configured to be used by the tunnel. It may be there is a clash between the local and remote subnets.

           

          Hope this helps,

          --

          Regards,

          Mick
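Added example, not part of the original thread: a small Python parser for the debug format shown in the question. It reports the last main mode message seen, whether the transform echoed in the second message equals the one offered in the first, and which notify ended the exchange. The regular expressions and the `analyze` helper are assumptions based only on the log lines in the post; the sample is abridged from that output.

```python
import re

# Abridged from the debug output in the post; timestamps and hex dumps dropped.
# The patterns use search(), so full timestamped lines parse the same way.
SAMPLE_LOG = """\
peer 24.159.225.222: Received first message of main mode
  SA Attrib: Encryption Algorithm (1)
    Value:  3DES (5)
  SA Attrib: Life Time (12)
    Value:   (28800)
100: Sent out second message of main mode
  SA Attrib: Encryption Algorithm (1)
    Value:  3DES (5)
  SA Attrib: Life Time (12)
    Value:   (28800)
peer 24.159.225.222: Received third message of main mode
100: Sent fourth message of main mode
peer 24.159.225.222: Received informational exchange message
IkeInNotifyProcess: NOTIFY TYPE: PAYLOAD MALFORMED (16)
"""

ORDINAL = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "sixth": 6}
MSG = re.compile(r"(?:Received|Sent)(?: out)? (\w+) message of main mode")
ATTR = re.compile(r"SA Attrib: (.+?) \(\d+\)")
VALUE = re.compile(r"Value:\s*(.*?)\s*\((\d+)\)")
NOTIFY = re.compile(r"NOTIFY TYPE: (.+?) \((\d+)\)")

def analyze(log):
    """Return last main mode message seen, SA agreement, transform and notify."""
    last, transforms, notify, attr = 0, {}, None, None
    for line in log.splitlines():
        if m := MSG.search(line):
            last = ORDINAL.get(m.group(1), last)
        elif m := ATTR.search(line):
            attr = m.group(1)
        elif attr and (m := VALUE.search(line)):
            # Life Time is logged without a name, so fall back to the number.
            transforms.setdefault(last, {})[attr] = m.group(1) or m.group(2)
            attr = None
        elif m := NOTIFY.search(line):
            notify = (m.group(1), int(m.group(2)))
    return {
        "last_main_mode_message": last,
        "sa_agreed": 1 in transforms and transforms.get(1) == transforms.get(2),
        "transform": transforms.get(2),
        "notify": notify,
        # Main mode messages 5 and 6 carry the identity/authentication payloads.
        "stopped_before_auth": notify is not None and last < 5,
    }
```

On the sample, the result shows the SA transform agreed in messages 1 and 2 and the exchange ending after the fourth message with notify 16, before any fifth message is logged.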