
Site to site IPsec VPN


Patrick Jonsson


Hi,
 
I need to configure a site to site IPsec VPN between a Netscaler VPX 11.0 and a router of brand X. GRE with IPsec is not supported on the router.
 
I've configured an IPsec profile (IKE phase 1), an IP tunnel (IKE phase 2) and Policy-based routing (according to the guide at https://www.citrix.com/blogs/2015/09/04/how-to-connect-one-datacenter-to-another-with-netscaler-cloudbridge-connector/). The IP tunnel binding to the IPsec profile is in place and the policy-based routing settings are applied. Here is what cat /tmp/iked.debug gave me:
 
2015-12-17 11:33:54 [INFO]: ikev1.c:913:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2015-12-17 11:33:54 [INFO]: ikev1.c:918:isakmp_ph1begin_i(): begin Identity Protection mode.
2015-12-17 11:33:54 [INFO]: ikev1.c:1629:ikev1_post_acquire(): IPsec-SA request for 2.2.2.2 queued since no phase1 found
2015-12-17 11:33:58 [PROTO_ERR]: ikev1.c:1294:isakmp_ph1resend(): 1.1.1.1[500] <=> 2.2.2.2[500] : phase1 negotiation failed due to time up (index aa8b51a5d5366d3c:0000000000000000).
2015-12-17 11:33:58 [INFO]: ikev1.c:1442:ikev1_rekey(): Initiating rekey: 1.1.1.1[500]<=>2.2.2.2[500]
2015-12-17 11:33:58 [INFO]: ikev1.c:1637:ikev1_post_acquire(): request for establishing IPsec-SA was queued since phase1 is not mature
2015-12-17 11:34:25 [INTERNAL_ERR]: ikev1.c:1675:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 2.2.2.2[500]->1.1.1.1[500]
2015-12-17 11:34:25 [INFO]: ikev1.c:1680:isakmp_chkph1there(): delete phase 2 handler.
2015-12-17 11:34:29 [INTERNAL_ERR]: ikev1.c:1675:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 2.2.2.2[500]->1.1.1.1[500]
2015-12-17 11:34:29 [INFO]: ikev1.c:1680:isakmp_chkph1there(): delete phase 2 handler.
 

I've replaced the Netscaler site with 1.1.1.1 and the router at the remote site with 2.2.2.2.

 

It seems to be an IKE phase 1 problem, but the output from /tmp/iked.debug doesn't give me much of a hint about which parameters may mismatch.

 

Parameters that are double checked for IKE phase 1 are: encryption, hashing, IKE version 1 and PSK.

 

But then there are some parameters that do not seem to be configurable. Does Netscaler default to main mode or aggressive mode (we've chosen IKEv1)? Which DH group does the Netscaler default to?

 

A later question would be the IKE phase 2 settings, where almost nothing seems to be configurable. What are the defaults?
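As an added example (not part of the post, and not Citrix's own tooling), here is a small Python script that parses iked.debug-style lines in the format quoted above and reports what state the negotiation actually reached. Two things can be read straight off that log: "begin Identity Protection mode" is the ISAKMP name for what IKEv1 calls Main Mode (RFC 2409), so the log already answers the main-versus-aggressive question for this negotiation; and "phase1 negotiation failed due to time up" from the resend path means the retransmit timer expired without a usable reply, which the log alone cannot attribute to a mismatched proposal, a PSK or identity problem, or UDP/500 simply not reaching the peer. The sample log is constructed from the post's lines; the "ISAKMP-SA established" success string is an assumption taken from racoon-style daemons and may differ on NetScaler.

```python
"""Classify IKEv1 phase 1 / phase 2 events from an iked.debug-style log.

Added example, not NetScaler code. Line format assumed from the post:
"<date> <time> [<LEVEL>]: <file>:<line>:<func>(): <message>".
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>[A-Za-z_]+)\]: "
    r"(?P<src>[\w.]+:\d+):(?P<func>\w+)\(\): "
    r"(?P<msg>.*)$"
)
# "1.1.1.1[500]" style peer references inside a message.
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[(\d+)\]")

# RFC 2409 exchange names as they appear in "begin <name> mode." lines.
MODE_NAMES = {"Identity Protection": "main mode", "Aggressive": "aggressive mode"}

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
2015-12-17 11:33:54 [INFO]: ikev1.c:913:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2015-12-17 11:33:54 [INFO]: ikev1.c:918:isakmp_ph1begin_i(): begin Identity Protection mode.
2015-12-17 11:33:54 [INFO]: ikev1.c:1629:ikev1_post_acquire(): IPsec-SA request for 2.2.2.2 queued since no phase1 found
2015-12-17 11:33:58 [PROTO_ERR]: ikev1.c:1294:isakmp_ph1resend(): 1.1.1.1[500] <=> 2.2.2.2[500] : phase1 negotiation failed due to time up (index aa8b51a5d5366d3c:0000000000000000).
2015-12-17 11:33:58 [INFO]: ikev1.c:1442:ikev1_rekey(): Initiating rekey: 1.1.1.1[500]<=>2.2.2.2[500]
2015-12-17 11:33:58 [INFO]: ikev1.c:1637:ikev1_post_acquire(): request for establishing IPsec-SA was queued since phase1 is not mature
2015-12-17 11:34:25 [INTERNAL_ERR]: ikev1.c:1675:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 2.2.2.2[500]->1.1.1.1[500]
2015-12-17 11:34:25 [INFO]: ikev1.c:1680:isakmp_chkph1there(): delete phase 2 handler.
"""


@dataclass
class Event:
    ts: str
    level: str
    func: str
    msg: str
    kind: str  # classification, see classify()


def classify(func: str, msg: str) -> str:
    """Map a (function, message) pair to a coarse negotiation event."""
    if func == "isakmp_ph1begin_i" and "initiate new phase 1" in msg:
        return "ph1_initiated"
    if func == "isakmp_ph1begin_i" and msg.startswith("begin "):
        return "ph1_mode"
    if "ISAKMP-SA established" in msg:  # assumed racoon-style success line
        return "ph1_established"
    if func == "isakmp_ph1resend" and "time up" in msg:
        return "ph1_timeout"  # retransmits exhausted, no usable reply
    if func == "ikev1_rekey":
        return "ph1_retry"
    if func == "ikev1_post_acquire" and "queued" in msg:
        return "ph2_queued"  # traffic wants an IPsec SA but phase 1 is not up
    if func == "isakmp_chkph1there" and "time up" in msg:
        return "ph2_dropped"  # queued phase 2 request gave up waiting
    return "other"


def parse(text: str) -> list[Event]:
    """Parse every line that matches the log format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["ts"], m["level"], m["func"], m["msg"],
                            classify(m["func"], m["msg"])))
    return events


def summarize(events: list[Event]) -> dict:
    """Count event kinds, extract the phase 1 mode and peers, give a verdict."""
    counts = Counter(e.kind for e in events)
    mode = None
    peers = set()
    for e in events:
        if e.kind == "ph1_mode":
            m = re.match(r"begin (.+?) mode", e.msg)
            if m:
                mode = MODE_NAMES.get(m.group(1), m.group(1))
        for ip, port in PEER_RE.findall(e.msg):
            peers.add(f"{ip}:{port}")
    if counts["ph1_established"]:
        verdict = "phase 1 completed"
    elif counts["ph1_timeout"]:
        verdict = ("phase 1 never completed: retransmit timer expired without a "
                   "usable reply; the log does not say whether the proposal, "
                   "PSK/identity, or the UDP/500 path is at fault")
    elif counts["ph1_initiated"]:
        verdict = "phase 1 initiated, outcome not yet logged"
    else:
        verdict = "no phase 1 activity in log"
    return {"counts": dict(counts), "mode": mode,
            "peers": sorted(peers), "verdict": verdict}


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against the real file with `summarize(parse(open("/tmp/iked.debug").read()))`; a nonzero `ph1_timeout` count together with a zero `ph1_established` count is the signature in the post, and the `ph2_queued` / `ph2_dropped` counts confirm the phase 2 errors are only a consequence of phase 1 never coming up.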
