取消
显示结果 
搜索替代 
您的意思是: 
cancel
773
查看次数
1
有帮助
1
回复

Hi all, I'm having some serious technical issues with establishin

Hi all, 

 

I'm having some serious technical issues with establishing a site-to-site VPN to Symantec's Web Security Service (WSS). Getting technical support to help is also really really painful. After three months of pulling my hair out I finally had a WebEX troubleshooting session, but unfortunately it was unsuccessful and we didn't get anywhere. 

 

This is my setup 

                                            Customer FW              NAT - Edge FW                                                              ep.threatpulse.net

{Multiple DMZ s / LANS}-----(>|) ASA FW ---------- (FGT-FW)-----------(Internet)---------(Symantec WSS)---(Proxy)

 

 

 

The customer firewall is the  ASAv Firewall 

The Fortigate is a perimeter firewall for all customers and NATs the outside interface of the ASA firewall  to a Public IP address and in terms of security policy its wide open (any any). The ASA is more restrictive. 

 

I followed the following KB from Symantec (or Broadcom as they are currently known as) but with some tweaks. I will explain: 

 

KB: https://knowledge.broadcom.com/external/article/174263/web-security-service-legacy-ipsec-connec.html

> Note: in other articles they have variations in config which i had to follow such as 

NAT-T when used, you need to change the IKE ID to the public IP address that the upstreat fw is natting the ASAs outside IP to. I had to do this on the ASA via ASDM, but it can be done on the CLI as 

crypto isakmp identity key-id <Public IP Address> 

 

 

I also didn't follow their advise on 'any' local encryption domain and 'any' remote encryption domain - I caused an outage whilst the firewall tried to bring up the tunnel. instead i used the classless RFC 1918 address as my local encryption domain and ep.threatpulse.net (ip address used) as the remote, i.e. the symantec proxy ip address. 

I have other VPN tunnels setup on this firewall and even if my local encryption domain was set to 'any' it would have overlapped with the other tunnels - the firewall did grumble at this!

 

I did NAT exempt for traffic headed for the proxy ip address for http and https. 

 

I used the same phase 1 and phase 2 settings and whats interesting is that Symantec in Phase 1 tries to negotiate 3DES / SHA DFH grp5.... strange.... The ASA didnt like.. 

 

I went through the setup with Symantec over the WebEx and they said it looked ok, however they didnt see any errors or messages that would indicate that phase 1 was unsuccessful. At my end though all i ever got when running show crypto ikev1 sa was the message telling me it was waiting for a response from symantec:

 

State : MM_WAIT_MSG6

 

Even if i change the phase 1 params to 3des sha DFH group 5 it still doesn't come up. 

 

Its not successfully negotiating phase 1

 

Anyone else experiencing this issue and the lack of support from Symant

1 条回复1

share below

1-capture CAP interface OUT match ip host <peer IP> any 

2- debug crypto ikev1 127 


MHM

 

快捷链接