[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.

Michal Wegrzyn Michal at comfortel.pl
Tue Jan 11 13:43:45 CST 2011


For NetGear and ModeConfig, add two subnets,
your LAN and the ModeConfig subnet:
10.1.1.0/24
10.1.2.0/24

On my FVX538 this allows access to the local LAN / DMZ network.
Also set Phase 1 and Phase 2 to the same you have set on your FVX338.

Regards
 Michal Wegrzyn
  ----- Original Message ----- 
  From: David Borges 
  To: Matthew Grooms 
  Cc: vpn-help at lists.shrew.net 
  Sent: Tuesday, January 11, 2011 8:19 PM
  Subject: Re: [vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.


  Matthew,

  Phase 2 now looks like this:

  Transform Algorithm: auto
  Transform Key Length: auto
  HMAC Algorithm: auto
  PFS Exchange: Group 2
  Compression: disabled

  Here is the vpn log output:

  2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for identifier "skitter_client" found
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new phase 1 negotiation: 4.26.57.73[500]<=>76.97.216.191[500]
  2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive mode.
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                  - Last output repeated twice -
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                  - Last output repeated 2 times -
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD
  2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID
                  - Last output repeated 2 times -
  2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY
  2011 Jan 11 14:15:04 [FVS338] [IKE] For 76.97.216.191[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
  2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID
  2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T with peer 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 4.26.57.73[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and also Peer is behind a NAT device
  2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for 4.26.57.73[4500]-76.97.216.191[4500] with spi:4646d0e40d5cd138:4ac0ef8a139b655b
  2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622.
  2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user "dborges"
  2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is assigned to remote peer 76.97.216.191[4500]
  2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5
  2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"
  2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2 negotiation: 4.26.57.73[0]<=>76.97.216.191[0]
  2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24
  2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in
  2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder.

  I've been trying to get this working for a month now, no luck.  Thanks for
  your help :)

  Dave

  On Tue, 2011-01-11 at 13:10 -0600, Matthew Grooms wrote:
  > On 1/11/2011 12:59 PM, David Borges wrote:
  > > Kevin,
  > >
  > > I told shrew to use 10.1.1.0/24.  In the FVS338 here is the ModeConfig
  > >
  > > Client Pool:
  > > Record Name: Pool
  > > First IP Pool: 10.1.2.150 - 10.1.2.160
  > > Second IP Pool: 0.0.0.0 - 0.0.0.0
  > > Third IP Pool: 0.0.0.0 - 0.0.0.0
  > > Primary WINS Server: 0.0.0.0
  > > Secondary WINS Server: 0.0.0.0
  > > Primary DNS Server: 8.8.8.8
  > > Secondary DNS Server: 8.8.4.4
  > > Traffic Tunnel Security Level:
  > > PFS Key Group: Group 2 (1024 bit)
  > > SA Lifetime: 3600
  > > SA Lifebyte: 0
  > > Encryption Algorithm: 3DES
  > > Integrity Algorithm: SHA-1
  > > Local IP Address: 10.1.1.0
  > > Local Subnet Mask: 255.255.255.0
  > >
  > >
  > > My internal network is 10.1.1.0/24.  Am I missing something?
  > >
  > 
  > Have you tried setting your PFS group in the client to group 2 under the 
  > phase2 tab?
  > 
  > -Matthew

  -- 
  David Borges
  Director of Network Administration
  3720 Davinci Court, Suite 200
  Norcross GA, 30092
  www.skitter.tv

  _______________________________________________
  vpn-help mailing list
  vpn-help at lists.shrew.net
  http://lists.shrew.net/mailman/listinfo/vpn-help
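The phase 2 failure in Dave's log is a traffic-selector mismatch: the router reports its configured SA as 10.1.1.0/24<->10.1.2.0/24 (local<->remote), but the client proposes its ModeConfig address 10.1.2.150/32 as the remote side, and the router answers "No policy found" even though that /32 sits inside 10.1.2.0/24. The script below is an added example, not code from the thread or from NetGear or Shrew Soft: it parses the two relevant log lines (copied from the post above, with the e-mail line wrapping removed) and reports whether a rejected selector pair is merely contained in a configured SA or equals it exactly. The interpretation that the router wants an exact match rather than containment is an inference from the log (the pair was contained and still rejected; it is also how a racoon-derived IKE daemon looks up its SPD), and the regexes are assumed from the log format shown, not from any NetGear documentation.

```python
"""Diagnose an FVS338-style IKE phase 2 'No policy found' from its log.

Added example for the vpn-help thread above; not part of the original post.
Assumes the log format seen in that post and that the router matches
phase 2 selectors exactly against its configured SA (inferred from the log).
"""
import ipaddress
import re

# Constructed sample: the three phase 2 lines from the FVS338 log above,
# each rejoined onto a single line.
SAMPLE_LOG = """\
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder.
"""

# The router prints its configured SA as "local<->remote".
SA_RE = re.compile(r"Using IPsec SA configuration: (\S+)<->(\S+)")
# Rejected pair is "src[port] dst[port] proto=... dir=...". For dir=in the
# src is the peer's network and dst is the router's local network.
POLICY_RE = re.compile(
    r"No policy found: (\S+?)\[\d+\] (\S+?)\[\d+\] proto=(\S+) dir=(\w+)"
)


def parse_ike_log(text):
    """Return (configured_sas, rejected_selectors) found in the log text."""
    configured, rejected = [], []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            configured.append(
                (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            )
            continue
        m = POLICY_RE.search(line)
        if m:
            rejected.append(
                {
                    "src": ipaddress.ip_network(m.group(1)),
                    "dst": ipaddress.ip_network(m.group(2)),
                    "proto": m.group(3),
                    "dir": m.group(4),
                }
            )
    return configured, rejected


def diagnose(configured, rejected):
    """For each rejected pair, say whether some configured SA covers it
    (containment) and whether one equals it (exact match)."""
    results = []
    for sel in rejected:
        # Orient every pair as (local, remote), whatever the direction.
        if sel["dir"] == "in":
            local, remote = sel["dst"], sel["src"]
        else:
            local, remote = sel["src"], sel["dst"]
        covering = next(
            (
                (cl, cr)
                for cl, cr in configured
                if local.subnet_of(cl) and remote.subnet_of(cr)
            ),
            None,
        )
        exact = any(local == cl and remote == cr for cl, cr in configured)
        results.append(
            {
                "local": local,
                "remote": remote,
                "covered": covering is not None,
                "covering": covering,
                "exact": exact,
            }
        )
    return results


def explain(text):
    """Return one verdict line per rejected selector pair in the log."""
    lines = []
    for r in diagnose(*parse_ike_log(text)):
        pair = f"{r['remote']} <-> {r['local']}"
        if r["exact"]:
            lines.append(f"{pair}: equals the configured SA; the problem is elsewhere")
        elif r["covered"]:
            cl, cr = r["covering"]
            lines.append(
                f"{pair}: inside configured SA {cl}<->{cr} but not equal to it; "
                f"have the client propose {cr} as its local network, not its /32"
            )
        else:
            lines.append(f"{pair}: outside every configured SA; fix the router policy")
    return lines


if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
```

Run it against a fuller log (for example the whole "vpn log output" pasted above) and it ignores every line except the SA configuration and "No policy found" lines, so it can be pointed at a syslog export directly. The three verdicts separate the cases a practitioner actually meets: an exact match means phase 2 died for another reason (proposal mismatch, PFS group), containment without equality is the ModeConfig /32 problem this thread is about, and no coverage means the router side is wrong.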