Cisco 1921 to WatchGuard T20 Unable to find active Phase 2 SA

WizJ
Level 1

Just FYI, networking is not my strong suit. I do software development, so I apologize if I do not know the terminology or ask a stupid question. So I am trying to use this Cisco as a test for a site-to-site VPN tunnel for a real-time HL7 project I am coding. From all the posts here I was able to get it functioning with a static IP address and working as a DHCP server. When I run a diagnostic on the VPN from the WatchGuard T20 I get the error:

Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

Cisco Configuration:

Current configuration : 3120 bytes
!
! Last configuration change at 19:19:52 UTC Tue Oct 25 2022
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoConVpn
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 **********
!
no aaa new-model

!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CondorDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 71.10.216.1 71.10.216.2 4.4.4.4 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ******** privilege 15 secret 5
!
redundancy
!
crypto ikev2 proposal Wg
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 14
!
!
crypto ikev2 keyring Wg
peer Wg
address XX.XXX.XXX.XXX <--- WatchGuard Static IP
pre-shared-key local test
pre-shared-key remote test
!
!
!
crypto ikev2 profile Wg
match address local interface GigabitEthernet0/0
match identity remote address XX.XXX.XXX.XXX <--- WatchGuard Static IP 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Wg
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key test address XX.XXX.XXX.XXX <--- Cisco Static IP
crypto isakmp key test address XX.XXX.XXX.XXX <--- WatchGuard Static IP
crypto isakmp profile 1
! This profile is incomplete (no match identity statement)
crypto isakmp profile toWg
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile 1
set transform-set MYSET
set pfs group14
set isakmp-profile 1
!
crypto ipsec profile Wg
set transform-set MYSET
set pfs group14
set ikev2-profile Wg
!
!
!
crypto map MYMAP 1 ipsec-isakmp
set peer XX.XXX.XXX.XXX <--- WatchGuard Static IP
set transform-set MYSET
set pfs group14
match address 100
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address XX.XXX.XXX.XXX <--- Cisco Static IP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map MYMAP
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 XX.XXX.XXX.XXX <--- Modem Gateway
!
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
end

I was having an issue finishing Phase 1; now I am stuck on Phase 2.

WatchGuard Diagnostics showing:


*** WG Diagnostic Report for Gateway "toCisco" ***
Created On: Tue Oct 25 14:29:35 2022

[Conclusion]
Tunnel Name: CiscoTunnel
tunnel route#1(10.0.1.0/24<->192.168.1.0/24) - Not established
Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

[Gateway Summary]
Gateway "toCisco" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "toCisco") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Disabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(XX.XXX.XXX.XXX <--- WatchGuard Static IP) <-> IP_ADDR(XX.XXX.XXX.XXX <--- Cisco Static IP)}
Local GW_IP<->Remote GW_IP: {XX.XXX.XXX.XXX <--- WatchGuard Static IP <-> XX.XXX.XXX.XXX <--- Cisco Static IP}
Outgoing Interface: eth0 (ifIndex=4)
ifMark=0x10000
linkStatus=2 (0:unknown, 1:down, 2:up)


[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "CiscoTunnel" Enabled
PFS: "Enabled" DH-Group: "14"
Number of Proposals: "1"
Proposal "ESP-AES-SHA1"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "SHA"
LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"10.0.1.0/24<->192.168.1.0/24"


[Run-time Info (gateway IKE_SA)]
Name: "toCisco" (IfStatus: 0x80000002)
IKE SAID: "0x7d6481eb" State: "MATURE"
Created: Tue Oct 25 12:27:16 2022
My Address: XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 Peer Address: XX.XXX.XXX.XXX <--- Cisco Static IP:500
InitCookie: "f40c1dd9f710d1b8" RespCookie: "f049a6c5eb494869"
LifeTime: "86400(seconds)" LifeByte: "0(kbtyes)" DPD: "Enabled"
Serial Number: 63
msgIdSend: 248 msgIdRecv: 0


[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "CiscoTunnel"

[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "CiscoTunnel"
#1
Tunnel Endpoint: "XX.XXX.XXX.XXX <--- WatchGuard Static IP->XX.XXX.XXX.XXX <--- Cisco Static IP"
Tunnel Selector: 10.0.1.0/24 -> 192.168.1.0/24 Proto: ANY
Created On: Tue Oct 25 13:27:05 2022
Gateway Name: "toCisco"
Tunnel Name: "CiscoTunnel"

[Address Pairs in Firewalld]
Address Pairs for tunnel "CiscoTunnel"
Direction: BOTH
10.0.1.0/24 <-> 192.168.1.0/24

[Policy checker result]
Tunnel name: CiscoTunnel
#1 tunnel route 10.0.1.0/24<->192.168.1.0/24
No policy checker results for this tunnel(no P2SA found or some other error)

[Related Logs]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)'DPD request' message created successfully. length:76
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Sent out DPD request message (msgId=247) from XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 to XX.XXX.XXX.XXX <--- Cisco Static IP:500 for 'toCisco' gateway endpoint successfully.
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ikeSA(0x146412f8)'s msgIdSend is updated: 247 -> 248
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)******** RECV an IKE packet at XX.XXX.XXX.XXX <--- WatchGuard Static IP:500(socket=14 ifIndex=4) from Peer XX.XXX.XXX.XXX <--- Cisco Static IP:500 ********
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received IKEv2 "INFO response" message with message-ID:247 length:76 SPI[i=f40c1dd9f710d1b8 r=f049a6c5eb494869]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 1 payloads [ ENCR(sz=48)]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Got IKE policy 'toCisco' from ikeSA(0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)IKEv2 "INFO response"'s decrypted message contains 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)dispatch the received INFO response message - IkeSA(0x146412f8)'s state=MATURE
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received the DPD response from XX.XXX.XXX.XXX <--- Cisco Static IP:500 for gateway(toCisco), msgId=247
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ike2_P1StatusChange: notify ikePcy(toCisco ver#2)'s status becomes "UP" (ikeSA=0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)stop the retry object(0x146434e8) for the previous request message(name=DPD request, msgId=247)

Been stuck on this for a couple of hours now. Any help would be greatly appreciated.

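A check for the Phase 2 parameters both peers must agree on, written as an added example in Python; it is not code from the original post or from Cisco or WatchGuard. It parses constructed excerpts that mirror the posted config and diagnostic report and reports where the transform set, PFS group, traffic selectors and NAT exemption disagree; it relies on two IOS behaviours stated in the comments: a bare `esp-aes` is AES-128, and inside-to-outside NAT runs before the crypto map is consulted.

```python
import ipaddress
import re
CISCO_CFG = """
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 set pfs group14
 match address 100
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255
"""  # constructed excerpt mirroring the posted IOS config
WG_DIAG = """
PFS: "Enabled" DH-Group: "14"
EncryptAlgo: "AES" KeyLen: "32(bytes)"
"10.0.1.0/24<->192.168.1.0/24"
"""  # constructed excerpt mirroring the posted WatchGuard report

def wc_net(ip, wildcard):  # ipaddress reads an IOS wildcard as a hostmask
    return ipaddress.ip_network(f"{ip}/{wildcard}", strict=False)

def cisco_phase2(cfg):
    """Phase 2 parameters the peer must agree with, read from an IOS config."""
    aes = re.search(r"transform-set \S+ esp-aes(?: (\d+))?", cfg).group(1)
    crypto_acl = re.search(r"match address (\S+)", cfg).group(1)
    nat_acl = re.search(r"ip nat inside source list (\S+)", cfg).group(1)
    sel = re.search(rf"access-list {crypto_acl} permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    exempt = re.findall(rf"access-list {nat_acl} deny ip \S+ \S+ (\S+) (\S+)", cfg)
    return {"bits": int(aes or 128),  # a bare 'esp-aes' is AES-128 on IOS
            "pfs": int(re.search(r"set pfs group(\d+)", cfg).group(1)),
            "local": wc_net(*sel[:2]), "remote": wc_net(*sel[2:]),
            "nat_exempt": [wc_net(a, w) for a, w in exempt]}

def watchguard_phase2(diag):
    """Same parameters, read from the WatchGuard diagnostic report."""
    local, remote = re.search(r'"(\S+?)<->(\S+?)"', diag).groups()
    return {"bits": 8 * int(re.search(r'KeyLen: "(\d+)\(bytes\)"', diag).group(1)),
            "pfs": int(re.search(r'DH-Group: "(\d+)"', diag).group(1)),
            "local": ipaddress.ip_network(local), "remote": ipaddress.ip_network(remote)}

def phase2_findings(c, w):
    """Mismatches that block the CHILD_SA, or keep traffic from ever reaching it."""
    out = []
    if c["bits"] != w["bits"]:
        out.append(f"esp key length: Cisco AES-{c['bits']} vs WatchGuard AES-{w['bits']}")
    if c["pfs"] != w["pfs"]:
        out.append(f"pfs group: Cisco {c['pfs']} vs WatchGuard {w['pfs']}")
    if (c["local"], c["remote"]) != (w["remote"], w["local"]):
        out.append(f"selector: Cisco {c['local']}->{c['remote']} vs WatchGuard {w['remote']}->{w['local']}")
    if not any(c["remote"].subnet_of(n) for n in c["nat_exempt"]):
        out.append(f"nat: no deny for {c['remote']} in NAT list, overload rewrites VPN traffic first")
    return out
```

On the posted excerpts this reports three mismatches: the ESP key length (Cisco AES-128 against the WatchGuard's 32-byte AES-256), the local selector (192.0.0.0/8 against 192.168.1.0/24), and the missing NAT exemption for 10.0.1.0/24; the PFS group already agrees on 14.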