VMware Networking Community
Lud97x
Contributor

VPN IPsec NSX with Stonesoft

Hello,

I am unable to set up a VPN tunnel between a Stonesoft and an ESG 6.3.3.

I already have 3 working IPsec VPNs with 2 SonicWalls and Azure.

It seems the Stonesoft couldn't recognize the ESG as a valid VPN gateway; it doesn't pass phase 1.

Please see the log at the Stonesoft side:

"No rule found for IKE peers XX.XX.XX.XX and XX.XX.XX.XX: Peer IP address mismatch"

"Sending error notify, no proposal chosen"

"IKE state start sa negociation R: outgoing ike SA values processing failed: No  proposal Chosen."

The log at the NSX side:

2017-11-28T11:04:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] pending Quick Mode with XX.XX.XX.XX "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" took too long -- replacing phase 1

2017-11-28T11:04:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: initiating Main Mode to replace #9612

2017-11-28T11:04:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:04:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: received and ignored informational message

2017-11-28T11:04:30+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:04:30+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: received and ignored informational message

2017-11-28T11:04:50+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:04:50+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: received and ignored informational message

2017-11-28T11:05:30+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:05:30+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: received and ignored informational message

2017-11-28T11:06:10+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:06:10+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9613: received and ignored informational message

2017-11-28T11:06:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] pending Quick Mode with XX.XX.XX.XX "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" took too long -- replacing phase 1

2017-11-28T11:06:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9614: initiating Main Mode to replace #9613

2017-11-28T11:06:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9614: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000

2017-11-28T11:06:20+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] "XX.XX.XX.XX_XX.XX.XX.XX/15-XX.XX.XX.XX_XX.XX.XX.XX/15" #9614: received and ignored informational message

Is there a way to have more debug information on the nsg?

Do you have any idea to help me solve this issue?
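
An added example, not part of the original post and not VMware's tooling: a small Python summarizer for Edge log lines of the shape quoted above, grouping messages by state number (#NNNN) to show which Main Mode attempts the peer answered with NO_PROPOSAL_CHOSEN. The sample lines, tunnel names and peer address are constructed, and the "ISAKMP SA established" success wording is an assumption about the log format.

```python
import re
from collections import Counter

def _line(t, body):
    # Constructed sample line in the shape of the Edge log quoted in the post.
    return f'2017-11-28T{t}+00:00 NSX-edge-2-0 ipsec[22484]: [default]:  [authpriv.warning] {body}'

# Tunnel names and the peer address (documentation range) are placeholders.
NPC = 'ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000'
SAMPLE = [
    _line('11:04:20', 'pending Quick Mode with 192.0.2.10 "siteA-siteB" took too long -- replacing phase 1'),
    _line('11:04:20', '"siteA-siteB" #9613: initiating Main Mode to replace #9612'),
    _line('11:04:20', '"siteA-siteB" #9613: ' + NPC),
    _line('11:04:20', '"siteA-siteB" #9613: received and ignored informational message'),
    _line('11:04:30', '"siteA-siteB" #9613: ' + NPC),
    _line('11:06:20', '"siteA-siteB" #9614: initiating Main Mode to replace #9613'),
    _line('11:06:20', '"siteA-siteB" #9614: ' + NPC),
    _line('11:07:00', '"siteA-siteC" #9700: initiating Main Mode'),
    _line('11:07:01', '"siteA-siteC" #9700: STATE_MAIN_I4: ISAKMP SA established'),
]

LINE = re.compile(r'^(?P<ts>\S+) \S+ ipsec\[\d+\]: .*?"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NOTIFY = re.compile(r'informational payload, type (\w+)')
MAIN_MODE = re.compile(r'initiating Main Mode(?: to replace #(\d+))?')

def summarize(lines):
    """Group messages by state number and count the notify types the peer sent."""
    states = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # lines without a "#NNNN:" state number are skipped
        st = states.setdefault(int(m['sa']), {
            'conn': m['conn'], 'first': m['ts'], 'last': m['ts'], 'main_mode': False,
            'replaces': None, 'notifies': Counter(), 'established': False})
        st['last'] = m['ts']
        mm = MAIN_MODE.search(m['msg'])
        if mm:
            st['main_mode'] = True
            st['replaces'] = int(mm.group(1)) if mm.group(1) else None
        n = NOTIFY.search(m['msg'])
        if n:
            st['notifies'][n.group(1)] += 1
        if 'ISAKMP SA established' in m['msg']:  # assumed success wording
            st['established'] = True
    return states

def rejected_phase1(states):
    """States where Main Mode began, the peer sent NO_PROPOSAL_CHOSEN, and no SA came up."""
    return sorted(sa for sa, st in states.items()
                  if st['main_mode'] and st['notifies']['NO_PROPOSAL_CHOSEN'] and not st['established'])
```

A chain of rejected states that each replace the previous one, as in the log above, points at the phase 1 proposal settings on the two gateways rather than at reachability.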

2 Replies
Sateesh_vCloud

I found this from Stonesoft documentation.

Stonesoft Next Generation Firewall 5.10.3 does not support integration with Intel Security Controller and deployment on VMware NSX.

Lud97x
Contributor

Indeed, => https://www.websense.com/content/support/library/ngfw/v510/relnote/ngfw_5103_rn_b_en-us.pdf

Thank you.

After a couple of tests and some research, the VPN between the 2 products finally works.