[vpn-help] Netgear SRX5308 configuration?

Gregg Lahti gregg.lahti at seriousintegrated.com
Thu Apr 21 12:17:53 CDT 2011 

Got a new Netgear SRX5308 router to play with.  Went through the Shrew Netgear how-to's on configuration and I get the tunnel connection but nothing flows through.  I'm at a loss on how to debug this further.  Logs from the router are as follows (Note the order of time is backwards on the router log):

2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_
2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_
2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 98.174.255.150->68.3.27.46 with spi=689412571(0x291799db)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 68.3.27.46->98.174.255.150 with spi=771516(0xbc5bc)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2011 Apr 19 21:36:33 [SRX5308] [IKE] No policy found, generating the policy : 192.168.7.47/32[0] 192.168.42.0/24[0] proto=any dir=in_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Using IPsec SA configuration: 192.168.42.0/24<->0.0.0.0/0 from srx_remote1.com_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Responding to new phase 2 negotiation: 98.174.255.150[0]<=>68.3.27.46[0]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] ISAKMP-SA established for 98.174.255.150[4500]-68.3.27.46[4500] with spi:f4ebdcbb2d407b61:686b01d792931757_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 68.3.27.46[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 98.174.255.150[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Floating ports for NAT-T with peer 68.3.27.46[4500]_
2011 Apr 19 21:36:33 [SRX5308] [IKE] Setting DPD Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] For 68.3.27.46[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Apr 19 21:36:32 [SRX5308] [IKE] DPD is Enabled_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: DPD_
                - Last output repeated twice -
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Beginning Aggressive mode._
2011 Apr 19 21:36:32 [SRX5308] [IKE] Received request for new phase 1 negotiation: 98.174.255.150[500]<=>68.3.27.46[500]_
2011 Apr 19 21:36:32 [SRX5308] [IKE] Remote configuration for identifier "srx_remote1.com" found_

I'm also sorta sketchy if I got the policy setup, the how-to was a bit unclear how that should be configured.  I've got it set as:

                Policy generation level:  (tried all settings), left it at unique
                Maintain persistent SA set
                Obtain Topology unset
                Added in my internal network (192.168.42.0/255.255.255.0)

Anyone have an idea why it's not connecting or have a working configuration they could submit?

-Thanks
-Gregg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110421/5230124a/attachment-0001.html>

More information about the vpn-help mailing list