VPN between Firebox and Fritz!Box

Hello,

I'm currently trying to establish a VPN connection between a Firebox T-80 and a Fritz!Box 7530 AX. Unfortunately there is no connection. Here are the logs from our Firebox.

[Related Logs]
<158>Mar 12 09:31:32 iked[2718]: (1.1.1.1<->2.2.2.2)Resending phase-1 message to 2.2.2.2. Gateway-Endpoint:GW Waldbad p1saId:0x0
<158>Mar 12 09:31:36 iked[2718]: (1.1.1.1<->2.2.2.2)Resending phase-1 message to 2.2.2.2. Gateway-Endpoint:GW Waldbad p1saId:0x0
<158>Mar 12 09:31:41 iked[2718]: (1.1.1.1<->2.2.2.2)Resending phase-1 message to 2.2.2.2. Gateway-Endpoint:GW Waldbad p1saId:0x0
<155>Mar 12 09:31:45 iked[2718]: msg_id="0203-0015" (1.1.1.1<->2.2.2.2)IKE phase-1 negotiation from 1.1.1.1:500 to 2.2.2.2 failed. Gateway-Endpoint='GW Waldbad' Reason=Message retry timeout. Check the connection between local and remote gateway endpoints.
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)ike_p1_status_chg: ikePcyName=GW Waldbad, status=DOWN
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)MWAN-Failover notify ikePcy=0x63ece58(GW Waldbad ver#1), mwanFlags:0x00000000 p1said=0x0 DOWN continuous-fails:5
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeDeleteIsakmpSA: try to delete Isakmp SA 0x662d38 for Gateway GW Waldbad. State:4
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)Totally 0 Pending P2 SA Requests Got Dropped.
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeDeleteIsakmpSA: Stop Phase One Retry and Life Timer
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeDeleteIsakmpSA: Stop Phase One DPD Retry timer
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)ikeSADeleteFromCookieHashTable: IKE SA event: Delete IsakmpSA(0x662d38) in IkeIsakmpSATable[99],pPrev((nil)) pNext((nil)) ikePcy(GW Waldbad) Cookies(i=685e19b5ce803847 r=0000000000000000)
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeDeleteIsakmpSA: reclaim isakmpSA(0x662d38)'s memory and mark it as "FREED"
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)alwaysUpTimerCb trigger autoStart for ikePcy(GW Waldbad) ipsecPcy(Waldbad)
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)AUTOSTART: RECV ipecPcy(Waldbad), ikePcy(GW Waldbad), ifIndex(27), tunnel_src=1.1.1.1, tunnel_dst=2.2.2.2
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)do the ACQUIRE action for the tunnel route [src:192.168.1.0/24 <-> dst:192.168.179.0/24], ike_ver=1, peer_udp_port=0
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)ikeSAInsertToCookieHashTable: IKE SA event: Added IsakmpSA(0x668198) in IkeIsakmpSATable[102],pPrev((nil)) pNext((nil)) ikePcy(GW Waldbad) Cookies(i=f4aa34993c7390b9 r=0000000000000000)
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 183034262(Isakmp SA 0x668198)
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)AggrMode: Start (Ct=16802) pcy [GW Waldbad]
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Mar 12 09:31:45 iked[2718]: (1.1.1.1<->2.2.2.2)Starting phase 1 negotiation using [GW Waldbad] to 2.2.2.2 aggressive mode

Can someone explain the error to me?

Comments

  • From an early log message. The other end is not responding to the connection attempt from the Firebox.
    Most likely the Phase 1 settings on each end do not match or the ISP device at the Fritz!Box end is blocking IPsec.

    retry timeout. Check the connection between local and remote gateway endpoints.

  • Many thanks for the support. It was actually due to the IPsec ports; the Fritz!Box was still blocking them.
