[vpn-help] Netgear SRX5308 configuration?
Gregg Lahti
gregg.lahti at seriousintegrated.com
Thu Apr 21 12:17:53 CDT 2011
Got a new Netgear SRX5308 router to play with. Went through the Shrew Netgear how-to's on configuration and I get the tunnel connection but nothing flows through. I'm at a loss on how to debug this further. Logs from the router are as follows (Note the order of time is backwards on the router log):
2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 98.174.255.150->68.3.27.46 with spi=689412571(0x291799db)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 68.3.27.46->98.174.255.150 with spi=771516(0xbc5bc)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] No policy found, generating the policy : 192.168.7.47/32[0] 192.168.42.0/24[0] proto=any dir=in_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Using IPsec SA configuration: 192.168.42.0/24<->0.0.0.0/0 from srx_remote1.com_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Responding to new phase 2 negotiation: 98.174.255.150[0]<=>68.3.27.46[0]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] ISAKMP-SA established for 98.174.255.150[4500]-68.3.27.46[4500] with spi:f4ebdcbb2d407b61:686b01d792931757_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 68.3.27.46[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 98.174.255.150[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Floating ports for NAT-T with peer 68.3.27.46[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Setting DPD Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] For 68.3.27.46[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Apr 19 21:36:32 [SRX5308] [IKE] DPD is Enabled_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: DPD_
- Last output repeated twice -
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Beginning Aggressive mode._
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received request for new phase 1 negotiation: 98.174.255.150[500]<=>68.3.27.46[500]_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Remote configuration for identifier "srx_remote1.com" found_
I'm also sorta sketchy if I got the policy setup, the how-to was a bit unclear how that should be configured. I've got it set as:
Policy generation level: (tried all settings), left it at unique
Maintain persistent SA set
Obtain Topology unset
Added in my internal network (192.168.42.0/255.255.255.0)
Anyone have an idea why it's not connecting or have a working configuration they could submit?
-Thanks
-Gregg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110421/5230124a/attachment-0001.html>
More information about the vpn-help
mailing list