[NEBULA] Non-Nebula Peer and NSG200 IPSec disconnects constantly

Lukasz Member Posts: 8
edited June 2, 2020 4:25PM in Nebula Security Gateway

Hi,

My topology:

NSG200 as a VPN HUB, WAN IP 87.204.6.145

Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30

On the Cyberoam side I have the same settings:

The problem is that the IPSec tunnel establishes and disconnects constantly.

Based on logs it looks like NSG200 requests to delete Phase 2 after it is established successfully.

"packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733"

I was trying many different settings combinations with no positive results.


NSG200 log:

Time                 Category  Source        Destination   Message
2020-03-31 22:29:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH]
2020-03-31 22:29:34  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][DEL]
2020-03-31 22:29:34  vpn       89.174.29.30  87.204.6.145  The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:29:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH][DEL] [count=3]
2020-03-31 22:29:34  vpn       87.204.6.145  89.174.29.30  Tunnel [POZ-Lawica:POZ-Lawica:0x08862f3a] is disconnected
2020-03-31 22:29:34  vpn       87.204.6.145  89.174.29.30  The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  Tunnel [POZ-Lawica:POZ-Lawica:0x45112ed4] built successfully
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  [ESP aes-cbc|hmac-sha256-128][SPI 0x8c3556db|0x45112ed4][PFS:DH2][Lifetime 79200]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  Send:[HASH]
2020-03-31 22:30:04  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][DEL]
2020-03-31 22:30:04  vpn       89.174.29.30  87.204.6.145  The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  Send:[HASH][DEL] [count=3]
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  Tunnel [POZ-Lawica:POZ-Lawica:0x5e3e39eb] is disconnected
2020-03-31 22:30:04  vpn       87.204.6.145  89.174.29.30  The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  Tunnel [POZ-Lawica:POZ-Lawica:0x6e03fedb] built successfully
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  [ESP aes-cbc|hmac-sha256-128][SPI 0xe69fafbe|0x6e03fedb][PFS:DH2][Lifetime 73440]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH]
2020-03-31 22:30:34  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34  vpn       89.174.29.30  87.204.6.145  Recv:[HASH][DEL]
2020-03-31 22:30:34  vpn       89.174.29.30  87.204.6.145  The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:34  vpn       87.204.6.145  89.174.29.30  Send:[HASH][DEL] [count=3]


Cyberoam log:

Time | Component | Status | - | Message | ID
2020-03-31 22:31:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:31:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 737 | 17879
2020-03-31 22:30:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 001fc8b2 | 17867
2020-03-31 22:30:33 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:33 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 736 | 17879
2020-03-31 22:30:04 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:04 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 9aa54957 | 17867
2020-03-31 22:30:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 735 | 17879
2020-03-31 22:29:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 532a03d6 | 17867
2020-03-31 22:29:33 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:33 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 734 | 17879
2020-03-31 22:29:04 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:04 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 711b1f87 | 17867
2020-03-31 22:29:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733 | 17879
2020-03-31 22:28:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:28:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 0666b0d4 | 17867

Comments

  • Nebula_Jonas Zyxel Official Agent Posts: 91  mod

    Hi @Lukasz,

    Thanks for the screenshots and information.

    Could you provide the organization/site name and activate Zyxel Support (located at HELP - Support request), so I could have the privilege to check the current status?

    Thanks,

    Jonas

  • Lukasz Member Posts: 8

    Hi Jonas,


    APCOA_PL/WAW_CONTROL_ROOM

    The Zyxel Support is active now.


    Lukasz

  • Nebula_Jonas Zyxel Official Agent Posts: 91  mod

    Hi @Lukasz ,

    I appreciate the privilege. As I've checked, the VPN for Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30 was disabled. Is it convenient to enable the VPN connection, so I could check more detailed information?

    Jonas,

  • Lukasz Member Posts: 8

    Hi Jonas,


    Both sites are now enabled.

    Lukasz

  • Nebula_Jonas Zyxel Official Agent Posts: 91  mod
    edited April 10, 2020 5:27PM

    Hi @Lukasz ,

    Thanks for the support.

    Firstly, I would like to inform you that NSG has a connectivity-check mechanism, running every 30 seconds by default, which uses ping to verify if the peer is reachable.

    Based on the logs, I've found out that Site: POZ-Lawica is always disconnecting every 30 seconds, and then I made a test by deactivating our connectivity-check via CLI (SSH) and the VPN connection to POZ-Lawica became stable.

    Please help to verify if allow ping is activated on site POZ-Lawica. If not, please activate allow ping and verify the VPN connection.


    Jonas~

  • Lukasz Member Posts: 8

    Jonas,

    There is no ICMP block on site POZ-Lawica, on either the LAN or the WAN interface.

    Also, in case the tunnel is established for 30 sec I should be able to ping from POZ-Lawica to NSG within this time window, shouldn't I?

    Lukasz

  • Nebula_Jonas Zyxel Official Agent Posts: 91  mod
    edited April 13, 2020 4:15PM

    Hi @Lukasz ,

    Thanks for the information, it's clearer now.

    Also in case the tunnel is established for 30 sec I should be able to ping from POZ-Lawica to NSG within this time window, shouldn't I ?

    In general, yes, but based on the current status, the VPN connection can be established but you won't be able to ping, because I assume that the problem is related to routing.

    Please help to verify if there is a policy route configured on the non-Nebula device POZ-Lawica, with destination 200.126.100.1 to the tunnel. Because 200.126.100.1 (NSG lan2) is doing the connectivity check, it must have a policy route to establish the connection successfully.

    Note: NSG doesn't need a policy route configured, because NSG itself will automatically create a policy route to the tunnel.


    Jonas

  • Lukasz Member Posts: 8
    Jonas,

    It was verified: there is no ICMP block, and the policy route is configured. Unfortunately the tunnel was not stable. But we just closed the site POZ-Lawica for now.

    But I have the same issue with the next non-Nebula peer (ELEKTR_POWISLE). Exactly the same symptoms.

    I am wondering if I can switch off the connectivity-check mechanism constantly for the tunnels with the same issue?


  • Nebula_Jonas Zyxel Official Agent Posts: 91  mod
    Hi @Lukasz,

    Thanks for the update about the VPN status from site POZ-Lawica.
    For the site ELEKTR_POWISLE, please access the NSG via SSH and input the command <show sa monitor> as in the figure below.
    You may observe the UpTime; if the connection doesn't exceed 30 seconds, it means that the non-Nebula peer is not reachable, and you may verify if there is an ICMP block and a policy route rule configured on the non-Nebula peer.
    Reminder: Switching off the connectivity-check mechanism doesn't mean the VPN connection could be established.



    Jonas,
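As an added illustration (not part of the thread, not Zyxel's code), here is the uptime check Jonas describes, run over NSG log lines in the layout of the original post: each "built successfully" is paired with the next "is disconnected" for the same tunnel, and a tunnel whose sessions keep dying within the 30-second connectivity-check interval is flagged. The sample lines, SPIs, the ELEKTR_POWISLE peer address and all session times are constructed; only the tunnel names and the POZ-Lawica addresses come from the thread.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the NSG200 log quoted in the post
# (timestamp, category, source, destination, message). SPIs, the
# ELEKTR_POWISLE peer address and the session times are made up.
SAMPLE_LOG = """\
2020-03-31 22:29:00 vpn 87.204.6.145 203.0.113.9 Tunnel [ELEKTR_POWISLE:ELEKTR_POWISLE:0x55555555] built successfully
2020-03-31 22:29:34 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x11111111] built successfully
2020-03-31 22:29:34 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x11111111] is disconnected
2020-03-31 22:30:04 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x33333333] built successfully
2020-03-31 22:30:04 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x33333333] is disconnected
2020-03-31 22:30:34 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x44444444] built successfully
2020-03-31 22:45:00 vpn 87.204.6.145 89.174.29.30 Tunnel [POZ-Lawica:POZ-Lawica:0x44444444] is disconnected
2020-03-31 23:29:00 vpn 87.204.6.145 203.0.113.9 Tunnel [ELEKTR_POWISLE:ELEKTR_POWISLE:0x55555555] is disconnected
"""

# Only tunnel build/teardown lines mark session boundaries; SA details and
# ISAKMP payload traces such as Recv:[HASH][DEL] do not match and are skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn \S+ \S+ "
    r"Tunnel \[(?P<name>[^:\]]+):[^\]]*\] (?P<event>built successfully|is disconnected)$"
)

def tunnel_sessions(log_text):
    """Pair each 'built successfully' with the next 'is disconnected' for the
    same tunnel name; return (name, built_at, uptime_seconds) per session."""
    open_since, sessions = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        name = m["name"]
        if m["event"] == "built successfully":
            open_since[name] = ts
        elif name in open_since:
            built = open_since.pop(name)
            sessions.append((name, built, int((ts - built).total_seconds())))
    return sessions

def flapping_tunnels(log_text, check_interval=30, min_cycles=2):
    """Flag tunnels that repeatedly die within one connectivity-check interval
    (30 s NSG default): that cadence points at the peer not answering the check."""
    short = {}
    for name, _, uptime in tunnel_sessions(log_text):
        if uptime <= check_interval:
            short[name] = short.get(name, 0) + 1
    return sorted(name for name, n in short.items() if n >= min_cycles)
```

A flagged tunnel is the case for checking ICMP filtering and the policy route back to the NSG LAN address on the peer, as the thread does; a tunnel with long uptimes that still drops points elsewhere.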