[vpn-help] Trouble opening tunnel to FVS336G

kevin shrew-vpn klmlk at hotmail.com
Mon May 10 08:44:18 CDT 2010


On Mon, 10 May 2010 08:35:58 -0500
Robert Rolnik <panamania at gmail.com> wrote:

> Folks:
>   I think I've got about 95% of my handshake complete between
> Shrewsoft VPN client and a Cisco FVS336G.  Here is the log on the
> FVS336G:
> 
> 
> 
> -- 2010 May 10 07:44:29 [FVS336G] [IKE] Remote configuration for
> identifier "fvs_remote.com" found_
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received request for new phase 1
> negotiation: 67.76.235.148[500]<=>173.11.130.253[500]_
> 2010 May 10 07:44:29 [FVS336G] [IKE] Beginning Aggressive mode._
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt_
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received unknown Vendor ID_
>                 - Last output repeated twice -
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02__
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received unknown Vendor ID_
>                 - Last output repeated 6 times -
> 2010 May 10 07:44:29 [FVS336G] [IKE] Received Vendor ID: CISCO-UNITY_
> 2010 May 10 07:44:29 [FVS336G] [IKE] For 173.11.130.253[500],
> Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
> 2010 May 10 07:44:30 [FVS336G] [IKE] Floating ports for NAT-T with
> peer 173.11.130.253[4500]_
> 2010 May 10 07:44:30 [FVS336G] [IKE] NAT-D payload does not match for
> 67.76.235.148[4500]_
> 2010 May 10 07:44:30 [FVS336G] [IKE] NAT-D payload does not match for
> 173.11.130.253[4500]_
> 2010 May 10 07:44:30 [FVS336G] [IKE] NAT detected: Local is behind a
> NAT device. and alsoPeer is behind a NAT device_
> 2010 May 10 07:44:30 [FVS336G] [IKE] 172.20.0.1 IP address is
> assigned to remote peer 173.11.130.253[4500]_
> 2010 May 10 07:44:30 [FVS336G] [IKE] ISAKMP-SA established for
> 67.76.235.148[4500]-173.11.130.253[4500] with
> spi:64b2b83fb57674d7:98e4904d5fc27eff_
> 2010 May 10 07:44:30 [FVS336G] [IKE] Sending Informational Exchange:
> notify payload[INITIAL-CONTACT]_
> 2010 May 10 07:44:30 [FVS336G] [IKE] Purged ISAKMP-SA with
> proto_id=ISAKMP and spi=64b2b83fb57674d7:98e4904d5fc27eff._
> 2010 May 10 07:44:31 [FVS336G] [IKE] ISAKMP-SA deleted for
> 67.76.235.148[4500]-173.11.130.253[4500] with
> spi:64b2b83fb57674d7:98e4904d5fc27eff_
> 2010 May 10 07:44:31 [FVS336G] [IKE] 172.20.0.1 IP address has been
> released by remote peer._
> 2010 May 10 07:44:31 [FVS336G] [IKE] No policy found: 172.20.0.1/32[0]
> 0.0.0.0/0[0] proto=any dir=in_
> 2010 May 10 07:44:31 [FVS336G] [IKE] No policy found: 0.0.0.0/0[0]
> 172.20.0.1/32[0] proto=any dir=out_
> 
> I've tried operating the Trace Utility as administrator.  It opens,
> but the 'Open Log' and 'Trace Log' seem to have no effect.  I'm
> running Shrewsoft on an HP DV5T laptop 64-bit on Vista. Any help/tips
> would be greatly appreciated.  Currently Shrewsoft seems to hang at
> "Opening Tunnel..."
> 

Hi Robert, I've noticed too that the Trace Utility doesn't seem to work
on Vista 64-bit.  I've not tried it on Vista 32-bit to know if it's a
Vista problem or a 64-bit issue.  If you've got an XP box you could
test from, that might be really helpful.

Regarding your tunnel, the "No policy found" message suggests that you
may not have got the gateway end configured properly.  Basically, there
needs to be a rule that matches the IP/mask of the tunnel subnet
exactly.  If there's a mismatch, I think the negotiation will not
complete.
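
A triage helper for the "No policy found" lines discussed above, added here as an example and not part of the original thread: it pulls the selectors out of the wrapped, quoted log and compares them with a list of gateway policies under the exact-match reading the reply suggests. The policy list passed to `classify`, the function names and the reading of `dir=in` as peer-to-gateway are assumptions; the sample log is constructed from the two entries quoted above.

```python
import ipaddress
import re

# Constructed sample: the two "No policy found" entries, wrapped and quoted as posted.
SAMPLE_LOG = """\
> 2010 May 10 07:44:31 [FVS336G] [IKE] No policy found: 172.20.0.1/32[0]
> 0.0.0.0/0[0] proto=any dir=in_
> 2010 May 10 07:44:31 [FVS336G] [IKE] No policy found: 0.0.0.0/0[0]
> 172.20.0.1/32[0] proto=any dir=out_
"""

ENTRY_START = re.compile(r"^\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d \[")
NO_POLICY = re.compile(
    r"No policy found: (\S+?)\[\d+\] (\S+?)\[\d+\] proto=\S+ dir=(in|out)")

def unwrap(text):
    """Strip quote markers and rejoin wrapped lines, one string per log entry."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def missing_selectors(text):
    """Return (direction, peer_net, local_net); dir=in is assumed peer -> gateway."""
    found = []
    for entry in unwrap(text):
        m = NO_POLICY.search(entry)
        if m:
            src, dst = (ipaddress.ip_network(g) for g in m.group(1, 2))
            found.append((m.group(3),) + ((src, dst) if m.group(3) == "in" else (dst, src)))
    return found

def classify(text, configured):
    """configured: hypothetical gateway policies as (peer, local) CIDR pairs."""
    nets = [(ipaddress.ip_network(p), ipaddress.ip_network(l)) for p, l in configured]
    results = []
    for direction, peer, local in missing_selectors(text):
        if (peer, local) in nets:
            verdict = "exact"
        elif any(peer.subnet_of(p) and local.subnet_of(l) for p, l in nets):
            verdict = "covers-only"  # a wider rule exists, but not an identical one
        else:
            verdict = "none"
        results.append((direction, str(peer), str(local), verdict))
    return results
```

A `covers-only` verdict marks the case the reply warns about: a rule that contains the assigned address but does not match its IP/mask exactly.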




