[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.

David Borges david.borges at skitter.tv
Tue Jan 11 13:19:22 CST 2011


Matthew,

Phase 2 now looks like this:

Transform Algorithm: auto
Transform Key Length: auto
HMAC Algorithm: auto
PFS Exchange: Group 2
Compression: disabled

Here is the vpn log output:

2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for identifier "skitter_client" found
2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new phase 1 negotiation: 4.26.57.73[500]<=>76.97.216.191[500]
2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive mode.
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                - Last output repeated twice -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                - Last output repeated 2 times -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD
2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                - Last output repeated 2 times -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY
2011 Jan 11 14:15:04 [FVS338] [IKE] For 76.97.216.191[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID
2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T with peer 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 4.26.57.73[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for 4.26.57.73[4500]-76.97.216.191[4500] with spi:4646d0e40d5cd138:4ac0ef8a139b655b
2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622.
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user "dborges"
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is assigned to remote peer 76.97.216.191[4500]
2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5
2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"
2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2 negotiation: 4.26.57.73[0]<=>76.97.216.191[0]
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder.

I've been trying to get this working for a month now, no luck.  Thanks for
your help :)

Dave

On Tue, 2011-01-11 at 13:10 -0600, Matthew Grooms wrote:
> On 1/11/2011 12:59 PM, David Borges wrote:
> > Kevin,
> >
> > I told shrew to use 10.1.1.0/24.  In the FVS338 here is the ModeConfig
> >
> > Client Pool:
> > Record Name: 	Pool
> > First IP Pool: 	10.1.2.150 - 10.1.2.160
> > Section IP Pool: 	0.0.0.0 - 0.0.0.0
> > Third IP Pool: 	0.0.0.0 - 0.0.0.0
> > Primary WINS Server: 	0.0.0.0
> > Secondary WINS Server: 	0.0.0.0
> > Primary DNS Server: 	8.8.8.8
> > Secondary DNS Server: 	8.8.4.4
> > Traffic Tunnel Security Level:
> > PFS Key Group: 	Group 2 (1024 bit)
> > SA Lifetime: 	3600
> > SA Lifebyte: 	0
> > Encryption Algorithm: 	3DES
> > Integrity Algorithm: 	SHA-1
> > Local IP Address: 	10.1.1.0
> > Local Subnet Mask: 	255.255.255.0
> >
> >
> > My internal network is 10.1.1.0/24.  Am I missing something?
> >
> 
> Have you tried setting your PFS group in the client to group 2 under the 
> phase2 tab?
> 
> -Matthew

-- 
David Borges
Director of Network Administration
3720 Davinci Court, Suite 200
Norcross GA, 30092
www.skitter.tv
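Reading a gateway IKE log like the one above by eye is error-prone, so here is an added example (my own code, not from this thread, from Netgear or from Shrew Soft) that parses the relevant FVS338 lines and compares the Phase 2 selectors the gateway rejected with the IPsec SA configuration it logged one line earlier. The sample log is a constructed, trimmed copy of the lines posted above; the assumption that a "dir=in" policy is written src=peer, dst=local, and the finding labels, are mine.

```python
import ipaddress
import re

# Constructed sample input: the Phase 1 / Phase 2 lines from the FVS338 log
# posted in this thread, with the trailing "_" paste artifacts removed.
SAMPLE_LOG = """\
2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive mode.
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for 4.26.57.73[4500]-76.97.216.191[4500] with spi:4646d0e40d5cd138:4ac0ef8a139b655b
2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user "dborges"
2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is assigned to remote peer 76.97.216.191[4500]
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder.
"""

SA_CONFIG_RE = re.compile(r"Using IPsec SA configuration: (\S+)<->(\S+)")
NO_POLICY_RE = re.compile(
    r"No policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(\S+)")
ASSIGNED_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) IP address is assigned to remote peer")
XAUTH_RE = re.compile(r'Login succeeded for user "([^"]+)"')


def parse_ike_log(text):
    """Extract the facts that matter for a Phase 2 failure from gateway IKE log lines."""
    facts = {
        "phase1_up": False,   # ISAKMP-SA established
        "xauth_user": None,   # user that passed Xauth
        "assigned_ip": None,  # ModeConfig address handed to the client
        "sa_config": None,    # (local_net, remote_net) the gateway is willing to use
        "no_policy": [],      # selector pairs the gateway refused
    }
    for line in text.splitlines():
        if "ISAKMP-SA established" in line:
            facts["phase1_up"] = True
            continue
        m = XAUTH_RE.search(line)
        if m:
            facts["xauth_user"] = m.group(1)
            continue
        m = ASSIGNED_RE.search(line)
        if m:
            facts["assigned_ip"] = ipaddress.ip_address(m.group(1))
            continue
        m = SA_CONFIG_RE.search(line)
        if m:
            facts["sa_config"] = (ipaddress.ip_network(m.group(1), strict=False),
                                  ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = NO_POLICY_RE.search(line)
        if m:
            facts["no_policy"].append({
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "proto": m.group(3),
                "dir": m.group(4),
            })
    return facts


def diagnose(facts):
    """Classify each 'No policy found' rejection against the configured SA selectors.

    Assumption: a dir=in policy is logged as src=peer selector, dst=local selector,
    so the proposal is compared with the configured (local, remote) pair that way round.
    """
    if not facts["phase1_up"]:
        return ["phase1-not-established"]
    if not facts["no_policy"]:
        return ["no-phase2-rejection-logged"]
    if facts["sa_config"] is None:
        return ["no-sa-config-logged"]
    local_net, remote_net = facts["sa_config"]
    findings = []
    for p in facts["no_policy"]:
        peer_sel, local_sel = (p["src"], p["dst"]) if p["dir"] == "in" else (p["dst"], p["src"])
        if peer_sel == remote_net and local_sel == local_net:
            findings.append("selectors-match-config-but-rejected")
        elif local_sel == local_net and peer_sel.subnet_of(remote_net):
            # The client proposed a host (or smaller subnet) inside the configured
            # remote network instead of the whole network; the gateway wanted an exact match.
            findings.append(f"peer-selector-narrower-than-config: proposed {peer_sel}, "
                            f"configured {remote_net}")
        else:
            findings.append(f"selector-mismatch: proposed {peer_sel}<->{local_sel}, "
                            f"configured {remote_net}<->{local_net}")
    # Sanity check on ModeConfig: the handed-out address should fall in the remote network.
    if facts["assigned_ip"] is not None and facts["assigned_ip"] not in remote_net:
        findings.append(f"assigned-ip-outside-remote-net: {facts['assigned_ip']} not in {remote_net}")
    return findings


if __name__ == "__main__":
    parsed = parse_ike_log(SAMPLE_LOG)
    print("Phase 1 up:", parsed["phase1_up"], "Xauth user:", parsed["xauth_user"])
    for finding in diagnose(parsed):
        print(finding)
```

On the log above this reports that Phase 1 and Xauth succeeded and that the only Phase 2 problem visible is a selector mismatch: the client proposed 10.1.2.150/32 (its assigned ModeConfig address) against the gateway's 10.1.1.0/24, while the gateway's SA configuration is 10.1.1.0/24<->10.1.2.0/24. Whichever side ends up being changed, the two selector pairs have to agree before the gateway will return a proposal.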