Gateway VPN SRX5308 to Cisco RV320

jseidensticker
Aspirant

Gateway VPN SRX5308 to Cisco RV320

We are attempting to set up a VPN gateway connection between an SRX5308 (latest firmware) and a Cisco RV320 (also latest firmware) and cannot get them to connect. We believe we have the configuration mirrored between the two, but it fails to connect on the Connection Status page of the NetGear.

VPN Log shows the following when attempting to connect from the Cisco:

Received Malformed packet of payload length 14501 and total length 32.
Tue Apr 18 19:51:39 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 4949 and total length 32.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].
Tue Apr 18 19:51:20 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:51:00 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:50:51 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 49779 and total length 32.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].

Tue Apr 18 19:50:00 2017 (GMT +0000): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 173.9.167.xxx[500]. bb91219dd84ccfd5:1a2465ff21f772fa

Config on both sides:

Group 2 - 1,024

MD5

3DES

IKE with passphrase

SA timeout: 28800 sec

Any assistance is appreciated.

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 5


All Replies
train_wreck
Luminary

Re: Gateway VPN SRX5308 to Cisco RV320

Post screens of both sides' configs, if you can.

According to the logs you posted, phase 1 is not completing. Generally this is an IKE settings mismatch.

Message 2 of 5
jseidensticker
Aspirant

Re: Gateway VPN SRX5308 to Cisco RV320

I cannot post pictures of the config here, but here are the settings from each:

SRX5308

Encryption Algorithm: 3DES

Authentication Algorithm: MD5

Pre-Shared Key

DH Group 2 1024 bit

SA Lifetime 28800 sec

Dead Peer - no

Direction - Both

Exchange Mode - Main

Cisco RV320

Phase 1 DH Group 1 1024 bit

Phase 1 Encryption: 3DES

Phase 1 Authentication: MD5

SA Lifetime 28800

Perfect Forward Secrecy - Enabled by default, but we tested with and without this setting

Advanced - Exchange mode - Main

Phase 2 settings - same as above

Thanks for looking at this. I'm banging my head trying to see something that is different....

Message 3 of 5
jseidensticker
Aspirant

Re: Gateway VPN SRX5308 to Cisco RV320

Latest log file:

[SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
Wed Apr 19 14:49:04 2017 (GMT +0000): [SRX5308] [IKE] ERROR: Invalid SA protocol type: 0
Wed Apr 19 14:48:49 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 22172 and total length 32.
Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx.
Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx.
Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: accept a request to establish IKE-SA: 173.9.167.xxx

Message 4 of 5
jseidensticker
Aspirant

Re: Gateway VPN SRX5308 to Cisco RV320

We got it working. Seems the Cisco does not accept the same special characters as the NetGear, and that was the SA Protocol error. It is up and running now. Thanks for your help!

Message 5 of 5
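
Added example, not part of the original thread or of either vendor's tooling: a small triage script for the SRX5308 IKE log format posted above. It assumes, as a heuristic of this example, that a "Malformed packet" whose payload length exceeds the total length, seen after Main Mode has begun, means the encrypted part of the exchange decrypted to garbage, which is what differing pre-shared keys on the two peers produce; the function names are hypothetical.

```python
import re

# Lines copied from the SRX5308 VPN log posted in this thread (newest first).
SAMPLE_LOG = """\
Tue Apr 18 19:51:39 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 4949 and total length 32.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].
Tue Apr 18 19:51:20 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:51:00 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:50:51 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 49779 and total length 32.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].
"""

MALFORMED = re.compile(r"Malformed packet of payload length (\d+) and total length (\d+)")

def triage(log_text):
    """Group [IKE] lines into Phase 1 attempts, oldest attempt first."""
    attempts, cur = [], None
    for line in reversed(log_text.strip().splitlines()):  # log is newest first
        if "[IKE]" not in line:
            continue
        if "Received request for new phase 1 negotiation" in line:
            cur = {"main_mode": False, "bad_lengths": 0, "timed_out": False}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first attempt in the excerpt
        elif "Beginning Identity Protection mode" in line:
            cur["main_mode"] = True
        elif "Phase 1 negotiation failed due to time up" in line:
            cur["timed_out"] = True
        else:
            m = MALFORMED.search(line)
            # A payload longer than the whole message: the body decoded to garbage.
            if m and int(m.group(1)) > int(m.group(2)):
                cur["bad_lengths"] += 1
    return attempts

def likely_psk_mismatch(attempt):
    """Heuristic assumed by this example: garbage lengths after Main Mode starts."""
    return attempt["main_mode"] and attempt["bad_lengths"] > 0

if __name__ == "__main__":
    for n, a in enumerate(triage(SAMPLE_LOG), 1):
        print(n, a, "compare PSK on both peers" if likely_psk_mismatch(a) else "no PSK hint")
```

When an attempt is flagged, re-enter the pre-shared key on both peers and confirm that each device stores it exactly as typed before changing any proposal settings.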