VPN Between Cisco ASA 5520 and OpenBSD

Greg01456
Level 1

We use an appliance called the Calyptix Access Enforcer. The appliance basically does it all, including managing VPN tunnels. The Access Enforcer runs on OpenBSD. I've been migrating 12 existing VPN tunnels off of our PIX 515 and was successful until the other day. The VPN in question used basic settings, and at first we thought it was up, but later we found that our side could not bring up the tunnel. The Cisco side had no problem bringing up the tunnel. I have already established several VPN tunnels with the Access Enforcer to Cisco ASA 5520 and ASA 5540 devices, so I have no idea why this tunnel will not function properly. I do not have access to the detailed OpenBSD logs but can see this error: "transport_send_messages: giving up on exchange from-XX.XX.X.XXX-to-XX.XXX.XXX.XXX, no response from peer XX.XXX.XXX.XXX:4500". We have torn this tunnel down and rebuilt it from scratch with no luck. I don't have much info from the Cisco side, but apparently Phase 2 is not coming up when we initiate traffic. We have verified we are using the correct settings over and over. Again, the Cisco side has no issue bringing up the tunnel. Has anyone seen this before? Any ideas?

3 Replies

Jennifer Halim
Cisco Employee

From the one line error message, it seems that the IPSec tunnel is going through a NAT/PAT device, hence NAT-T has been invoked (UDP/4500).

This seems like an issue with the Calyptix Access Enforcer server as you advised that there is no problem bringing the tunnel from the ASA end. Possibly incompatibility of the way they initiate the NAT-T (this is just a guess).

It would probably be best to check with Calyptix Access Enforcer support or post this on their forum.

Greg01456
Level 1

I have been working with the Calyptix support team as well. They state that the Cisco side is blocking port 4500 (NAT-T, as you said), but the Cisco side states they are not. And again, what is extremely weird is that I have 2 other tunnels using these exact settings with Cisco ASA devices.

Jennifer Halim
Cisco Employee

It seems to be possibly an incompatible NAT-T packet that Cisco might not understand.

My suggestion is to open a TAC case so that yourself, Calyptix support and Cisco support can look into the issue together; this might require further engineering help. Most probably a bug, from what it sounds like.
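The following is an added worked example, not code from the thread, from Calyptix, or from Cisco. It illustrates the two technical points made above: the observation that the isakmpd "giving up on exchange ... :4500" line means the exchange was being sent over NAT-T (UDP/4500), and the later suggestion that one side's NAT-T framing may be the problem. The script parses the quoted log line, shows the three framings that share UDP/4500 under RFC 3947/3948 (a one-byte NAT keepalive, IKE behind a four-zero-byte non-ESP marker, and UDP-encapsulated ESP whose first four bytes are a non-zero SPI), and runs a constructed packet trace through a small "who answered on 4500?" check. The IP addresses, cookies and trace are placeholders I constructed; `diagnose_4500` and its verdict strings are my own and are not isakmpd or ASA output.

```python
import re
import struct

# --- 1. The isakmpd log line quoted in the thread (addresses are constructed placeholders) ---
SAMPLE_LOG = ("transport_send_messages: giving up on exchange "
              "from-192.0.2.10-to-198.51.100.20, "
              "no response from peer 198.51.100.20:4500")

GIVING_UP_RE = re.compile(
    r"transport_send_messages: giving up on exchange "
    r"from-(?P<src>[\d.]+)-to-(?P<dst>[\d.]+), "
    r"no response from peer (?P<peer>[\d.]+):(?P<port>\d+)")


def parse_giving_up(line):
    """Extract (src, dst, peer, port) from isakmpd's 'giving up on exchange' message, or None."""
    m = GIVING_UP_RE.search(line)
    if m is None:
        return None
    return m["src"], m["dst"], m["peer"], int(m["port"])


# --- 2. Three framings share UDP/4500 once NAT-T is negotiated (RFC 3947 / RFC 3948) ---
NON_ESP_MARKER = b"\x00\x00\x00\x00"          # prefixed to IKE datagrams carried on 4500
NAT_KEEPALIVE = b"\xff"                       # one-byte keepalive, carries no IKE or ESP
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")     # IKEv1 header: cookies, np, ver, xchg, flags, msgid, len
EXCHANGE_NAMES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def build_ike_on_4500(init_cookie, resp_cookie, exchange_type, message_id, body=b""):
    """Build an IKEv1 datagram as it appears on UDP/4500: non-ESP marker + ISAKMP header + body."""
    length = ISAKMP_HDR.size + len(body)
    hdr = ISAKMP_HDR.pack(init_cookie, resp_cookie, 0, 0x10, exchange_type, 0, message_id, length)
    return NON_ESP_MARKER + hdr + body


def classify_4500(payload):
    """Say what a UDP/4500 payload is: keepalive, NAT-T encapsulated IKE, or UDP-encapsulated ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 4:
        return {"kind": "unknown"}
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + ISAKMP_HDR.size:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        _icky, rcky, _np, ver, xchg, _flags, msgid, length = ISAKMP_HDR.unpack_from(payload, 4)
        return {"kind": "ike", "version": f"{ver >> 4}.{ver & 0xF}",
                "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)),
                "responder_cookie_set": rcky != bytes(8),
                "message_id": msgid, "length": length}
    # Anything else is UDP-encapsulated ESP: the first four bytes are the (non-zero) SPI.
    return {"kind": "esp", "spi": struct.unpack("!I", payload[:4])[0]}


# --- 3. The symptom from the thread: Phase 1 answered, our Phase 2 (Quick Mode) gets nothing back ---
def diagnose_4500(trace, local):
    """trace: list of (src_ip, dst_ip, payload) seen on UDP/4500; local: our own address."""
    out = {"sent_ike": [], "received_ike": [], "received_any": 0}
    for src, _dst, payload in trace:
        info = classify_4500(payload)
        if src == local:
            if info["kind"] == "ike":
                out["sent_ike"].append(info.get("exchange", "?"))
        else:
            out["received_any"] += 1
            if info["kind"] == "ike":
                out["received_ike"].append(info.get("exchange", "?"))
    sent, recv = set(out["sent_ike"]), set(out["received_ike"])
    if sent and out["received_any"] == 0:
        out["verdict"] = "nothing from peer on UDP/4500: check filtering on the path or at the peer"
    elif sent and not recv:
        out["verdict"] = "peer reaches us on 4500 but never answers our IKE"
    elif "quick-mode" in sent and "quick-mode" not in recv:
        out["verdict"] = "Phase 1 answered on 4500 but our Quick Mode (Phase 2) gets no reply"
    else:
        out["verdict"] = "peer answers on 4500"
    return out


# Constructed trace: we send Main Mode msg 1, peer answers, we send Quick Mode twice, silence.
LOCAL, PEER = "192.0.2.10", "198.51.100.20"
ICKY, RCKY = b"\x11" * 8, b"\x22" * 8
SAMPLE_TRACE = [
    (LOCAL, PEER, build_ike_on_4500(ICKY, bytes(8), 2, 0)),
    (PEER, LOCAL, build_ike_on_4500(ICKY, RCKY, 2, 0)),
    (PEER, LOCAL, NAT_KEEPALIVE),
    (LOCAL, PEER, build_ike_on_4500(ICKY, RCKY, 32, 0x1234)),
    (LOCAL, PEER, build_ike_on_4500(ICKY, RCKY, 32, 0x1234)),
]

if __name__ == "__main__":
    print(parse_giving_up(SAMPLE_LOG))
    print(diagnose_4500(SAMPLE_TRACE, LOCAL)["verdict"])
```

On the ASA side the same question is answered with a packet capture on the outside interface filtered to UDP 4500, together with `show crypto isakmp sa` and `show crypto ipsec sa`, which show whether Phase 1 completed and whether any Phase 2 SAs were built; if the capture shows Quick Mode arriving from the Access Enforcer and nothing leaving, the problem is on the ASA's side of port 4500 rather than a filter in front of it.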