VPN not connecting since ISP migration

RandomJohn

Since both ISP connections at either end of my VPN have been migrated, the VPN will not connect.

The original working setup comprised an SRX5308 bridged to a Comtrend BE router at two sites.

When site1 was migrated from BE to Sky (site2 still on the BE ISP at this point), the Comtrend router config had to be changed from bridged mode to PPPoA to connect. NAT was configured on the Comtrend router to forward IPsec port 500 traffic to the WAN interface on the SRX5308 (WAN int IP 192.168.1.1).
This re-enabled the VPN and all was working.

Site2 just got migrated from BE to Sky. The same changes were made to the Comtrend router to allow connection to the internet, and NAT was set up to forward IPsec to the WAN interface on the SRX5308 at this site (WAN int IP 192.168.1.4).

The VPN will not connect. There have been no changes made to the VPN config at either end, so I am thinking there may be something else that needs to be modified on the Comtrend router? I can see "malformed cookie received or the initiator's cookies collide" in the VPN log; again, is the Comtrend router changing the packets?

Copy of VPN log below (some info changed to hide static IPs).


2014 Apr 9 20:31:26 [SRX5308] [IKE] Received request for new phase 1 negotiation: 192.168.1.4[500]<=>"Site1 IP"[500]
2014 Apr 9 20:31:26 [SRX5308] [IKE] remote configuration for identifier "vpn.site1.com" found
2014 Apr 9 20:31:24 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1.
2014 Apr 9 20:31:24 [SRX5308] [IKE] Invalid SA protocol type: 0
- Last output repeated twice -
2014 Apr 9 20:31:06 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:58 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP "Site1 AP"->192.168.1.4
2014 Apr 9 20:30:56 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:53 [SRX5308] [IKE] remote configuration for identifier "vpn.site1.com" found
- Last output repeated 2 times -
2014 Apr 9 20:30:10 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:10 [SRX5308] [IKE] Setting DPD Vendor ID
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 9
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 8
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 4
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:179]: XXX: NUMNATTVENDORIDS: 3
2014 Apr 9 20:30:10 [SRX5308] [IKE] Beginning Identity Protection mode.
2014 Apr 9 20:30:10 [SRX5308] [IKE] Initiating new phase 1 negotiation: 192.168.1.4[500]<=>"site1 IP"[500]
2014 Apr 9 20:30:10 [SRX5308] [IKE] remote configuration for identifier "vpn.Site1.com" found
2014 Apr 9 20:30:10 [SRX5308] [IKE] Using IPsec SA configuration: 10.34.10.0/24<->10.34.89.0/24
2014 Apr 9 20:30:08 [SRX5308] [IKE] accept a request to establish IKE-SA: vpn.Site1.com
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "ROAMING_VPN_ACCESS1"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "ROAMING_VPN_ACCESS0"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "VPN_SITE2"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IKE configuration with identifer "OTHER_VPN"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IKE configuration with identifer "VPN_SITE2"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding ModeCfg configuration with identifier "ROAMING_VPN_ACCESS"
2014 Apr 9 20:30:08 [SRX5308] [IKE] IKE started

I also see this in the log; could the Comtrend router be amending the packets?
2014 Apr 9 20:32:57 [SRX5308] [IKE] NAT-D payload does not match for 192.168.1.4[500]

Thanks for any info
John
 
Have you enabled IP protocol 50 (ESP) forwarding to the appliances?

You also may need to enable IP protocol 51 (AH) forwarding for the appliances.

Also, did you enable NAT-Traversal? May need to allow UDP 4500 as well.
 
Hi Theonlyski,

When the first site was migrated to Sky I only set forwarding for IPsec on the internet-facing router and the VPN came back up.
I can check out what protocols are enabled on the Comtrend internet-facing routers.

Thanks
John

 
I think if you went from being bridged with your VPN devices having the static IP assigned to them, to them going behind the NAT, that there is a simple port forwarding or NAT-T issue going on.

ETA: it was probably still working because the side that was then behind the NAT was initiating the connection. Once you put both behind NATs, it was unable to get to all of the ports it needed.
 
The Comtrend router has no mention of NAT-T.
Full cone NAT can be enabled for the WAN connection.

I will test by enabling full cone NAT at either side and adding a forward for UDP 4500.


Thanks
John
 
The VPN systems would have the NAT-T setting in them; it's part of IKE Phase 1.
 
Thanks theonlyski,

NAT forwarding configured for port 4500 on the internet-facing routers. VPN now active.

I had a read through the IPsec VPN whitepapers; this also helped me understand the steps involved and see that port 4500 may also be required.
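The two reply posts above explain what an IPsec peer placed behind a NAT router needs forwarded (UDP 500 for IKE, UDP 4500 for NAT-T, and raw IP protocol 50/51 only when NAT-T is not in use), and the thread's resolution confirms that the missing UDP 4500 forward was the cause. The following script is an added example, not code from the thread or from Netgear or Comtrend: it parses SRX5308-style IKE log lines, counts the NAT-related symptoms seen in the thread, and compares a router's forwarding rules against what the log implies is required. The log format is modelled on the lines quoted above; the `Forward` representation, the sample log and the sample rule sets are constructed for the example.

```python
"""Added example: check a CPE router's NAT forwarding rules against the flows an
IPsec VPN appliance behind NAT needs, using symptoms found in its IKE log.
Log line format is modelled on the SRX5308 lines quoted in the thread; the rule
representation and all sample data below are constructed assumptions."""
import re
from dataclasses import dataclass

# "2014 Apr 9 20:32:57 [SRX5308] [IKE] NAT-D payload does not match for ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<dev>[^\]]+)\] \[(?P<mod>[^\]]+)\] (?P<msg>.*)$"
)

# IKE messages that indicate NAT sitting between the peers, with what each implies.
SYMPTOMS = {
    "NAT-D payload does not match":
        "peer address/port was rewritten by NAT; NAT-T (UDP 4500) must be forwarded",
    "malformed cookie received or the initiator's cookies collide":
        "IKE state mismatch, typical when replies arrive from an unexpected address/port",
    "Phase 2 negotiation failed due to time up waiting for phase1":
        "phase 1 never completed; check UDP 500/4500 forwarding on both sides",
}


@dataclass(frozen=True)
class Forward:
    """One forwarding rule on the internet-facing router (constructed model)."""
    proto: str          # "udp", "tcp", or "ip" for a raw IP protocol number
    port_or_proto: int  # UDP/TCP port, or IP protocol number when proto == "ip"
    to_host: str        # inside host that receives the traffic


def parse_log(text):
    """Return (timestamp, message) for every line in the SRX5308 log format.
    Lines like '- Last output repeated twice -' do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("msg")))
    return events


def diagnose(events):
    """Count how often each known NAT-related symptom appears in the log."""
    counts = {}
    for _, msg in events:
        for pattern in SYMPTOMS:
            if pattern in msg:
                counts[pattern] = counts.get(pattern, 0) + 1
    return counts


def required_forwards(vpn_wan_ip, nat_t_in_use):
    """Flows the NAT router must forward to the VPN appliance.
    With NAT-T the ESP traffic is carried inside UDP 4500, so no raw ESP rule is
    needed; without NAT-T the raw ESP (IP protocol 50) stream must be forwarded,
    which many consumer routers cannot do at all."""
    req = {Forward("udp", 500, vpn_wan_ip)}
    if nat_t_in_use:
        req.add(Forward("udp", 4500, vpn_wan_ip))
    else:
        req.add(Forward("ip", 50, vpn_wan_ip))
    return req


def missing_forwards(configured, vpn_wan_ip, events):
    """Rules required by the log evidence but absent from the router config."""
    nat_t = any("NAT-D payload does not match" in msg for _, msg in events)
    missing = required_forwards(vpn_wan_ip, nat_t) - set(configured)
    return sorted(missing, key=lambda f: (f.proto, f.port_or_proto))


# Constructed sample log, modelled on the thread (203.0.113.10 is a documentation
# address standing in for the remote site's public IP).
SAMPLE_LOG = """\
2014 Apr 9 20:30:10 [SRX5308] [IKE] Initiating new phase 1 negotiation: 192.168.1.4[500]<=>203.0.113.10[500]
2014 Apr 9 20:30:56 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
- Last output repeated 2 times -
2014 Apr 9 20:31:06 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:31:24 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1.
2014 Apr 9 20:32:57 [SRX5308] [IKE] NAT-D payload does not match for 192.168.1.4[500]
"""

# Constructed rule sets: the state before the fix (only IKE forwarded) and after.
BEFORE_FIX = [Forward("udp", 500, "192.168.1.4")]
AFTER_FIX = [Forward("udp", 500, "192.168.1.4"), Forward("udp", 4500, "192.168.1.4")]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pattern, n in diagnose(evs).items():
        print(f"{n}x {pattern}: {SYMPTOMS[pattern]}")
    for label, rules in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "missing:", missing_forwards(rules, "192.168.1.4", evs))
```

Run against the constructed "before fix" rule set the checker reports the UDP 4500 forward as missing, which is exactly the rule the thread ended up adding; against the "after fix" set it reports nothing. The NAT-D mismatch is the decisive signal: the SRX5308 hashes the addresses and ports it sees and compares them with what the peer sent, so a mismatch proves a NAT is rewriting one side and the exchange must move to UDP 4500.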
 