[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.
David Borges
david.borges at skitter.tv
Tue Jan 11 09:57:03 CST 2011
Shrew Soft Version 2.1.5
Netgear FVS338
Ubuntu 11.04
Below is my shrew soft client config:
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:1
n:client-dns-auto:0
b:auth-mutual-psk:bmVvbm5lb24=
n:phase1-dhgroup:2
n:phase1-keylen:0
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:0
n:phase2-pfsgroup:-1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:x.yy.57.73
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:0.0.0.0
s:client-dns-suffix:
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-client-data:skitter_client
s:ident-server-type:address
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
s:policy-list-include:10.1.1.0 / 255.255.255.0
Netgear FVS338 VPN Log
2011 Jan 11 10:00:07 [FVS338] [IKE] Remote configuration for identifier
"skitter_client" found_
2011 Jan 11 10:00:07 [FVS338] [IKE] Received request for new phase 1
negotiation: x.yy.57.73[500]<=>xx.yy.216.191[500]_
2011 Jan 11 10:00:07 [FVS338] [IKE] Beginning Aggressive mode._
2011 Jan 11 10:00:07 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2011 Jan 11 10:00:07 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated twice -
2011 Jan 11 10:00:07 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2011 Jan 11 10:00:07 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2011 Jan 11 10:00:08 [FVS338] [IKE] Received Vendor ID: DPD_
2011 Jan 11 10:00:08 [FVS338] [IKE] DPD is Enabled_
2011 Jan 11 10:00:08 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2011 Jan 11 10:00:08 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Jan 11 10:00:08 [FVS338] [IKE] For xx.yy.216.191[500], Selected
NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Jan 11 10:00:08 [FVS338] [IKE] Setting DPD Vendor ID_
2011 Jan 11 10:00:08 [FVS338] [IKE] Floating ports for NAT-T with peer
xx.yy.216.191[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] NAT-D payload does not match for
x.yy.57.73[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] NAT-D payload does not match for
xx.yy.216.191[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] NAT detected: Local is behind a NAT
device. and alsoPeer is behind a NAT device_
2011 Jan 11 10:00:08 [FVS338] [IKE] Sending Xauth request to
xx.yy.216.191[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] ISAKMP-SA established for
x.yy.57.73[4500]-xx.yy.216.191[4500] with
spi:6076295800bcaf11:9244c5bc2385d0c9_
2011 Jan 11 10:00:08 [FVS338] [IKE] purging spi=182570758._
2011 Jan 11 10:00:08 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from xx.yy.216.191[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] Login succeeded for user "dborges"_
2011 Jan 11 10:00:08 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from xx.yy.216.191[4500]_
2011 Jan 11 10:00:08 [FVS338] [IKE] 10.1.2.150 IP address is assigned to
remote peer xx.yy.216.191[4500]_
2011 Jan 11 10:00:09 [FVS338] [IKE] Ignored attribute 5_
2011 Jan 11 10:00:09 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 11 10:00:09 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 10:00:09 [FVS338] [IKE] No policy found: 10.1.2.150/32[0]
10.1.1.0/24[0] proto=any dir=in_
2011 Jan 11 10:00:09 [FVS338] [IKE] Failed to get proposal for
responder._
In the FVS338 VPN Connection Status it shows I'm connected and the tunnel
is up and enabled. I can ONLY ping 10.1.1.2, which is the VPN LAN IP.
When connected I can't access the web or ANY remote resources.
Shrew Soft VPN Client Configuration:
config loaded for site 'New VPN'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
ifconfig:
tap0 Link encap:Ethernet HWaddr 9a:4b:88:ac:2b:62
inet addr:10.1.2.150 Bcast:10.1.2.255 Mask:255.255.255.0
inet6 addr: fe80::984b:88ff:feac:2b62/64 Scope:Link
UP BROADCAST RUNNING MTU:1380 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 00:21:6b:9a:59:0c
inet addr:192.168.1.101 Bcast:192.168.1.255
Mask:255.255.255.0
inet6 addr: fe80::221:6bff:fe9a:590c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23584 errors:0 dropped:0 overruns:0 frame:0
TX packets:15750 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7831355 (7.8 MB) TX bytes:2967757 (2.9 MB)
dborges at dborges-ThinkPad-R400:/etc$ ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_req=1 ttl=64 time=19.6 ms
64 bytes from 10.1.1.2: icmp_req=2 ttl=64 time=20.6 ms
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 19.647/20.149/20.651/0.502 ms
dborges at dborges-ThinkPad-R400:/etc$ ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
^C
--- 10.1.1.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms
I followed this guide to setup the FVS338 & Shrew Soft VPN Client:
http://www.shrew.net/support/wiki/HowtoNetgear
I also followed this FAQ
"The Shrew Soft Client on Linux connects but doesn't pass traffic.
Most communications issues are related to site configuration errors.
However, the default system settings for Linux distribution will vary.
This following link describes how to work around a common problem which
will cause valid IPsec packets to be dropped by the Linux kernel.
http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html"
After following this link I was able to ping the local IP of the VPN but
nothing more.
I have searched the Internet and mailing lists and am unable to move
forward. Any help would be greatly appreciated.
Thank you,
Dave
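As an added diagnostic (not part of the original post, the Netgear firmware or the Shrew Soft project), the script below parses the gateway's IKE log lines quoted above and reports how far the negotiation got: phase 1 and XAuth succeed, an address is assigned, and then phase 2 fails with "No policy found" for the 10.1.2.150/32 selector against the configured 10.1.1.0/24<->10.1.2.0/24 policy. The log excerpt is constructed from the post with wrapped lines rejoined.

```python
import ipaddress
import re
# Constructed excerpt of the FVS338 IKE log quoted in the post (wrapped lines rejoined).
GATEWAY_LOG = """\
2011 Jan 11 10:00:08 [FVS338] [IKE] ISAKMP-SA established for x.yy.57.73[4500]-xx.yy.216.191[4500] with spi:6076295800bcaf11:9244c5bc2385d0c9
2011 Jan 11 10:00:08 [FVS338] [IKE] Login succeeded for user "dborges"
2011 Jan 11 10:00:08 [FVS338] [IKE] 10.1.2.150 IP address is assigned to remote peer xx.yy.216.191[4500]
2011 Jan 11 10:00:09 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24
2011 Jan 11 10:00:09 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in
2011 Jan 11 10:00:09 [FVS338] [IKE] Failed to get proposal for responder.
"""
ASSIGN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) IP address is assigned")
SA_RE = re.compile(r"Using IPsec SA configuration: (\S+)<->(\S+)")
NOPOL_RE = re.compile(r"No policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(\w+)")

def diagnose(log: str) -> dict:
    """Walk the gateway log once and record how far the negotiation got."""
    r = {"phase1": False, "xauth": False, "assigned": None, "sa_local": None,
         "sa_remote": None, "rejected": None, "no_proposal": False}
    for line in log.splitlines():
        if "ISAKMP-SA established" in line:
            r["phase1"] = True                      # phase 1 (aggressive mode, PSK) done
        elif "Login succeeded" in line:
            r["xauth"] = True                       # XAuth credentials accepted
        elif m := ASSIGN_RE.search(line):
            r["assigned"] = m.group(1)              # mode-config address pushed to client
        elif m := SA_RE.search(line):
            r["sa_local"] = ipaddress.ip_network(m.group(1))
            r["sa_remote"] = ipaddress.ip_network(m.group(2))
        elif m := NOPOL_RE.search(line):           # selector pair the gateway refused
            r["rejected"] = (ipaddress.ip_network(m.group(1)),
                             ipaddress.ip_network(m.group(2)), m.group(3))
        elif "Failed to get proposal" in line:
            r["no_proposal"] = True                 # no phase 2 SA: tunnel carries nothing
    return r

def findings(r: dict) -> list:
    """Turn the parsed state into the checks an operator would want to see."""
    if not (r["phase1"] and r["xauth"]):
        return ["phase 1 or XAuth did not complete: check PSK, identifiers, NAT-T, credentials"]
    out = []
    if r["rejected"] and r["sa_local"]:
        src, dst, direction = r["rejected"]
        inside = src.subnet_of(r["sa_remote"]) and dst == r["sa_local"]
        out.append(f"phase 2 selector mismatch (dir={direction}): client offered {src}<->{dst}, "
                   f"gateway policy is {r['sa_local']}<->{r['sa_remote']}"
                   + (", /32 lies inside the policy subnet but was not matched" if inside else ""))
    if r["no_proposal"]:
        out.append("no phase 2 proposal built: tunnel reports up but no ESP SA exists")
    return out
```

Run against the full gateway log, the second finding is the one that matches the zero RX/TX counters on tap0: the tunnel is "up" at the IKE level but no IPsec SA was ever installed for the client's selector.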