Hello,
I am trying to create an IPSEC tunnel between Astaro firewall and a DFL-210 firewall.

........................................
A Side - DFL-210:
Net: 10.0.2.0/24
Authentication: PSK key (ASCII)
Encryption IPSEC: Blowfish 128
Encryption IKE: Blowfish + MD5
IKE (DH GROUP) 5: 1536BIT
........................................
B Side - Astaro:
Net: 192.168.10.0/24
Authentication: PSK key (ASCII)
Encryption IPSEC: Blowfish 128
Encryption IKE: Blowfish + MD5
IKE (DH GROUP) 5: 1536BIT
........................................

- I believe I have made all the changes necessary, but the tunnel will not work/come online on the Astaro.
- It looks great on the DLINK DFL-210 firewall; the tunnel seems to be up there.
- This is the log from the Astaro:

2008:11:14-13:36:23 (none) pluto[30631]: "S_Nacka_C_0" #58: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #57 {using isakmp#4}
2008:11:14-13:36:23 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:23 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:24 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:26 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:30 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:38 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:36:54 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:23 (none) pluto[30631]: "S_Nacka_C_0" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN
2008:11:14-13:37:23 (none) pluto[30631]: "S_Nacka_C_0" #4: received and ignored informational message
2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #58: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #58: starting keying attempt 55 of an unlimited number
2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #59: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #58 {using isakmp#4}
2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:34 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:36 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:40 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
2008:11:14-13:37:48 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client

The strange thing here is that we are not using XAUTH. Why is that showing up here in this log? Could this be what is causing the trouble? But we did not find any setting within the Astaro where we could disable this.

- Thanks for all help!

Best regards,
Johan
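An added example (not part of the thread, and not Astaro or pluto code): a small Python triage script for pluto lines in the format quoted in the post above, counting the repeated events per connection and reporting which IKE phase timed out. The function name and event labels are made up for illustration; the sample lines are copied from the quoted log.

```python
import re
from collections import Counter

# Astaro pluto line: timestamp, host, pluto[pid], "connection" #SA-number: message
LINE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

# Event names are hypothetical labels; the message fragments come from the quoted log.
EVENTS = {
    "quick_mode_start": "initiating Quick Mode",
    "modecfg_in_main_i4": "received MODECFG message when in state STATE_MAIN_I4",
    "no_proposal_chosen": "type NO_PROPOSAL_CHOSEN",
    "quick_mode_timeout": "reached STATE_QUICK_I1",
}

def summarize(lines):
    """Count known events per connection and report which IKE phase timed out."""
    report = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a per-connection pluto line
        entry = report.setdefault(
            m["conn"], {"events": Counter(), "isakmp_sa": set(), "stalled": None})
        for name, needle in EVENTS.items():
            if needle in m["msg"]:
                entry["events"][name] += 1
        used = re.search(r"\{using isakmp#(\d+)\}", m["msg"])
        if used:  # Quick Mode names the phase 1 SA it is negotiated over
            entry["isakmp_sa"].add(int(used.group(1)))
    for entry in report.values():
        # A Quick Mode timeout over an existing ISAKMP SA means phase 2 is what fails.
        if entry["events"]["quick_mode_timeout"] and entry["isakmp_sa"]:
            entry["stalled"] = "phase 2 (Quick Mode)"
    return report

# Sample lines copied from the log in the post (not the full log).
SAMPLE = [
    '2008:11:14-13:36:23 (none) pluto[30631]: "S_Nacka_C_0" #58: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #57 {using isakmp#4}',
    '2008:11:14-13:36:23 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren\'t xauth client',
    '2008:11:14-13:36:24 (none) pluto[30631]: "S_Nacka_C_0" #4: received MODECFG message when in state STATE_MAIN_I4, and we aren\'t xauth client',
    '2008:11:14-13:37:23 (none) pluto[30631]: "S_Nacka_C_0" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    '2008:11:14-13:37:33 (none) pluto[30631]: "S_Nacka_C_0" #58: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
]

if __name__ == "__main__":
    for conn, entry in summarize(SAMPLE).items():
        print(conn, dict(entry["events"]), entry["isakmp_sa"], entry["stalled"])
```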
- Thanks for reply!
- My thought was that the XAUTH is causing the trouble on the ASTARO since this is not used. Will try to disable that and test. Any other ideas or thoughts on what the problem could be?
- Thanks for any help on this, it's quite urgent that I get this fixed.
- Attaching debug log - screenshots.

Best regards,
Johan

Last edited by mvg_johan; 11-18-2008 at 12:01 PM.
XAUTH support was added in the 7.300 release, our documentation may not have caught up yet.
__________________
Are you Linkedin to Astaro? http://www.linkedin.com/e/gis/139679/189D6C60EC64
Random Rants from an InfoSec Curmudgeon, UnCommon Sense Security Blog http://blog.uncommonsensesecurity.com
Yes, Jack, but XAUTH is only supported under 'Remote Access' and not under 'Site-to-Site'. Is that a design issue?
If so, then might Johan try to resolve his problem by configuring a 'Respond only' tunnel under 'Remote Access' instead of as he's doing above? Or, do the logs indicate another problem? Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3 Addicted to my iPhone!