RandomJohn
New Around Here
Since both ISP connections at either end of my VPN have been migrated, the VPN will not connect.
The original working setup comprised an SRX5308 bridged to a Comtrend BE router at two sites.
When site1 was migrated from BE to Sky (site2 still on the BE ISP at this point), the Comtrend router config had to be changed from bridged mode to PPPoA to connect. NAT was configured on the Comtrend router to forward IPsec port 500 traffic to the WAN interface on the SRX5308 (WAN int IP 192.168.1.1).
This re-enabled the VPN and all was working.
Site2 just got migrated from BE to Sky. The same changes were made to the Comtrend router to allow connection to the internet, and NAT was set up to forward IPsec to the WAN interface on the SRX5308 at this site (WAN int IP 192.168.1.4).
The VPN will not connect. There have been no changes made to the VPN config at either end, so I am thinking there may be something else that needs to be modified on the Comtrend router? I can see "malformed cookie received or the initiator's cookies collide" in the VPN log; again, is the Comtrend router changing the packets?
Copy of VPN log below (some info changed to hide static IPs).
2014 Apr 9 20:31:26 [SRX5308] [IKE] Received request for new phase 1 negotiation: 192.168.1.4[500]<=>"Site1 IP"[500]
2014 Apr 9 20:31:26 [SRX5308] [IKE] remote configuration for identifier "vpn.site1.com" found
2014 Apr 9 20:31:24 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1.
2014 Apr 9 20:31:24 [SRX5308] [IKE] Invalid SA protocol type: 0
- Last output repeated twice -
2014 Apr 9 20:31:06 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:58 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP "Site1 AP"->192.168.1.4
2014 Apr 9 20:30:56 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:53 [SRX5308] [IKE] remote configuration for identifier "vpn.site1.com" found
- Last output repeated 2 times -
2014 Apr 9 20:30:10 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:10 [SRX5308] [IKE] Setting DPD Vendor ID
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 9
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 8
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:183]: XXX: setting vendorid: 4
2014 Apr 9 20:30:10 [SRX5308] [IKE] [ident_i1send:179]: XXX: NUMNATTVENDORIDS: 3
2014 Apr 9 20:30:10 [SRX5308] [IKE] Beginning Identity Protection mode.
2014 Apr 9 20:30:10 [SRX5308] [IKE] Initiating new phase 1 negotiation: 192.168.1.4[500]<=>"site1 IP"[500]
2014 Apr 9 20:30:10 [SRX5308] [IKE] remote configuration for identifier "vpn.Site1.com" found
2014 Apr 9 20:30:10 [SRX5308] [IKE] Using IPsec SA configuration: 10.34.10.0/24<->10.34.89.0/24
2014 Apr 9 20:30:08 [SRX5308] [IKE] accept a request to establish IKE-SA: vpn.Site1.com
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "ROAMING_VPN_ACCESS1"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "ROAMING_VPN_ACCESS0"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IPSec configuration with identifier "VPN_SITE2"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IKE configuration with identifer "OTHER_VPN"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding IKE configuration with identifer "VPN_SITE2"
2014 Apr 9 20:30:08 [SRX5308] [IKE] Adding ModeCfg configuration with identifier "ROAMING_VPN_ACCESS"
2014 Apr 9 20:30:08 [SRX5308] [IKE] IKE started
I also see this in the log; could the Comtrend router be amending the packets?
2014 Apr 9 20:32:57 [SRX5308] [IKE] NAT-D payload does not match for 192.168.1.4[500]
Thanks for any info
John
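As an added example (not from the post or from Netgear), a short Python triage script that parses SRX5308-style IKE log lines like the ones above and flags the two signals that matter here: a NAT-D payload mismatch (RFC 3947, meaning a NAT rewrote the IKE packets in transit) and a private RFC 1918 address as the local IKE endpoint (meaning the firewall now sits behind the Comtrend's NAT, so UDP 4500 NAT-Traversal needs to pass as well as UDP 500). The sample log is constructed from the post's messages, with the documentation address 203.0.113.10 standing in for the redacted Site1 IP.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the SRX5308 IKE lines in the post; 203.0.113.10
# is a documentation address standing in for the redacted Site1 IP.
SAMPLE_LOG = """\
2014 Apr 9 20:30:10 [SRX5308] [IKE] Initiating new phase 1 negotiation: 192.168.1.4[500]<=>203.0.113.10[500]
2014 Apr 9 20:30:10 [SRX5308] [IKE] malformed cookie received or the initiator's cookies collide.
2014 Apr 9 20:30:58 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10->192.168.1.4
2014 Apr 9 20:31:24 [SRX5308] [IKE] Invalid SA protocol type: 0
2014 Apr 9 20:32:57 [SRX5308] [IKE] NAT-D payload does not match for 192.168.1.4[500]
"""
LINE_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d \[(?P<dev>[^\]]+)\] \[IKE\] (?P<msg>.*)$")
PHASE1_RE = re.compile(r"phase 1 negotiation: (?P<local>[\d.]+)\[(?P<port>\d+)\]<=>")

# Message substrings and what each tells the person triaging the tunnel.
INDICATORS = {
    "NAT-D payload does not match": "nat_detected",  # RFC 3947 NAT-D hash mismatch: a NAT changed addr/port on the path
    "malformed cookie received or the initiator's cookies collide": "cookie_collision",
    "time up waiting for phase1": "phase1_timeout",
    "Invalid SA protocol type": "bad_sa_proto",
}

def triage_ike_log(text):
    """Count IKE failure indicators and decide whether NAT-Traversal is in play."""
    counts = Counter()
    local_addr = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an [IKE] line from the device; ignore
        msg = m.group("msg")
        for needle, tag in INDICATORS.items():
            if needle in msg:
                counts[tag] += 1
        p1 = PHASE1_RE.search(msg)
        if p1:
            local_addr = p1.group("local")  # address the SRX5308 sources IKE from
    # A private (RFC 1918) IKE source address means the firewall sits behind a NAT device.
    behind_nat = local_addr is not None and ipaddress.ip_address(local_addr).is_private
    return {
        "local_ike_addr": local_addr,
        "local_addr_is_private": behind_nat,
        # Either signal means UDP 4500 (NAT-T) must be forwarded to the firewall, not just UDP 500.
        "nat_traversal_required": behind_nat or counts["nat_detected"] > 0,
        "counts": dict(counts),
    }

if __name__ == "__main__":
    print(triage_ike_log(SAMPLE_LOG))
```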