
IPSec VPN issue between Cloud based CSR1000V router and Watchguard XTM505

I am not able to establish a site-to-site VPN between a cloud-based CSR1000V router and a Watchguard XTM505. We have checked all the Phase 1 and Phase 2 parameters, but the site-to-site VPN is still not coming up. Can anyone help to resolve this issue?

 

crypto isakmp policy 1
 encr aes 256
 hash sha
 lifetime 86400
 authentication pre-share
 group 2


crypto isakmp key ******* address X.X.X.X
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set Test-Bed esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer 223.196.115.53
 set transform-set MY-SET
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC

1 Reply 1

I am getting "Aug 28 09:37:36 2017 ERROR  0x0203000c Received invalid main mode ID payload. Check VPN IKE diagnostic log messages for more information" in the Watchguard firewall, and the CSR 1000V logs are as below:


*Aug 28 08:28:19.259: ISAKMP: (63831):Sending an IKE IPv4 Packet.

*Aug 28 08:28:19.260: ISAKMP: (63831):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Aug 28 08:28:19.260: ISAKMP: (63831):Old State = IKE_R_MM3  New State = IKE_R_MM4

 

*Aug 28 08:28:19.576: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 4500 sport 4500 Global (R) MM_KEY_EXCH

*Aug 28 08:28:19.576: crypto_engine: Decrypt IKE packet

*Aug 28 08:28:19.576: ISAKMP-PAK-ERROR: (63831):reserved not zero on ID payload!

*Aug 28 08:28:19.576: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.50 failed its sanity check or is malformed

*Aug 28 08:28:19.576: ISAKMP: (63831):: incrementing error counter on sa, attempt 1 of 5: reset_retransmission

*Aug 28 08:28:20.577: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH...

*Aug 28 08:28:20.577: ISAKMP: (63831):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Aug 28 08:28:20.577: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH

*Aug 28 08:28:20.577: ISAKMP-PAK: (63831):sending packet to x.x.x.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Aug 28 08:28:20.577: ISAKMP: (63831):Sending an IKE IPv4 Packet.

*Aug 28 08:28:22.876: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Aug 28 08:28:22.876: ISAKMP: (63831):phase 1 packet is a duplicate of a previous packet.

*Aug 28 08:28:22.876: ISAKMP: (63831):retransmitting due to retransmit phase 1

*Aug 28 08:28:23.377: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH...

*Aug 28 08:28:23.377: ISAKMP: (63831):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Aug 28 08:28:23.377: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH

*Aug 28 08:28:23.377: ISAKMP-PAK: (63831):sending packet to x.x.x.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Aug 28 08:28:23.377: ISAKMP: (63831):Sending an IKE IPv4 Packet.

*Aug 28 08:28:26.409: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Aug 28 08:28:26.409: ISAKMP: (63831):phase 1 packet is a duplicate of a previous packet.

*Aug 28 08:28:26.409: ISAKMP: (63831):retransmitting due to retransmit phase 1

*Aug 28 08:28:26.910: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH...

*Aug 28 08:28:26.910: ISAKMP: (63831):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Aug 28 08:28:26.910: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH

*Aug 28 08:28:26.910: ISAKMP-PAK: (63831):sending packet to x.x.x.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Aug 28 08:28:26.910: ISAKMP: (63831):Sending an IKE IPv4 Packet.

*Aug 28 08:28:29.153: ISAKMP: (63829):purging SA., sa=7F2371E9B730, delme=7F2371E9B730

*Aug 28 08:28:31.071: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Aug 28 08:28:31.071: ISAKMP: (63831):phase 1 packet is a duplicate of a previous packet.

*Aug 28 08:28:31.071: ISAKMP: (63831):retransmitting due to retransmit phase 1

*Aug 28 08:28:31.571: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH...

*Aug 28 08:28:31.571: ISAKMP: (63831):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Aug 28 08:28:31.571: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH

*Aug 28 08:28:31.571: ISAKMP-PAK: (63831):sending packet to x.x.x.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Aug 28 08:28:31.571: ISAKMP: (63831):Sending an IKE IPv4 Packet.

*Aug 28 08:28:34.402: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Aug 28 08:28:41.572: ISAKMP: (63831):retransmitting phase 1 MM_KEY_EXCH...

*Aug 28 08:28:41.572: ISAKMP: (63831):peer does not do paranoid keepalives.
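
A triage example for the debug output in this thread, added here and not code from the poster or from either vendor: it groups the ISAKMP debug lines by SA id and reports the state change, the peer UDP ports seen in each direction, the errors, and the retransmit counter. The function names `triage` and `findings` and the interpretation hints are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import defaultdict
# Sample input: a subset of the CSR 1000V debug lines quoted in the post above.
SAMPLE = """\
*Aug 28 08:28:19.260: ISAKMP: (63831):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Aug 28 08:28:19.576: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Aug 28 08:28:19.576: ISAKMP-PAK-ERROR: (63831):reserved not zero on ID payload!
*Aug 28 08:28:19.576: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.50 failed its sanity check or is malformed
*Aug 28 08:28:20.577: ISAKMP-PAK: (63831):sending packet to x.x.x.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 28 08:28:22.876: ISAKMP-PAK: (63831):received packet from x.x.x.50 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Aug 28 08:28:31.571: ISAKMP: (63831):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
"""

SA_ID = re.compile(r"\((\d+)\):")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PKT = re.compile(r"(received packet from|sending packet to) \S+ .*?(?:sport|peer_port) (\d+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+)")
ERROR = re.compile(r"(?:ISAKMP-PAK-ERROR|%CRYPTO-\d-\w+): (?:\(\d+\):)?(.*)")

def triage(log_text):
    """Summarise IOS ISAKMP debug output per SA id (the number in parentheses)."""
    sas = defaultdict(lambda: {"states": [], "rx": set(), "tx": set(), "errors": [], "attempts": (0, 0)})
    last = None
    for line in log_text.splitlines():
        m = SA_ID.search(line)
        last = m.group(1) if m else last  # a line without an id belongs to the previous SA
        if last is None: continue
        sa = sas[last]
        if (m := STATE.search(line)):
            sa["states"].append(m.groups())
        if (m := PKT.search(line)):  # record the peer-side UDP port per direction
            sa["rx" if m.group(1).startswith("received") else "tx"].add(int(m.group(2)))
        if (m := ATTEMPT.search(line)):
            sa["attempts"] = max(sa["attempts"], (int(m.group(1)), int(m.group(2))))
        if (m := ERROR.search(line)):
            sa["errors"].append(m.group(1).strip())
    return dict(sas)

def findings(sa):
    out = []
    if any("reserved not zero on ID payload" in e for e in sa["errors"]):
        # Assumption, not stated in the post: in IKEv1 this usually means mismatched pre-shared keys.
        out.append("decrypted ID payload is malformed: compare pre-shared keys on both peers")
    if 4500 in sa["rx"] and sa["tx"] == {500}:
        out.append("peer moved to UDP 4500 (NAT-T) but replies still go to UDP 500")
    n, limit = sa["attempts"]
    if limit and n == limit:
        out.append(f"phase 1 retransmit budget exhausted ({n} of {limit})")
    return out
```

Calling `findings(triage(SAMPLE)["63831"])` returns the three checks for the SA in this thread; the full debug output from the router can be passed to `triage` in place of `SAMPLE`.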