[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.
Michal Wegrzyn
Michal at comfortel.pl
Tue Jan 11 13:43:45 CST 2011
For NetGear and ModeConfig add two subnets
Your LAN and ModeConfig subnet:
10.1.1.0/24
10.1.2.0/24
On my FVX538 this allow to get access to local LAN / DMZ network.
Also set Phase 1 and Phase 2 to the same you have set on your FVX338.
Regards
Michal Wegrzyn
----- Original Message -----
From: David Borges
To: Matthew Grooms
Cc: vpn-help at lists.shrew.net
Sent: Tuesday, January 11, 2011 8:19 PM
Subject: Re: [vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.
Matthew,
Phase 2 now looks like this:
Transform Algorith: auto
Transform Key Length: auto
HMAC Algorithm: auto
PFS Exchange: Group 2
Compression: disabled
Here is the vpn log output:
2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for identifier
"skitter_client" found_
2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new phase 1
negotiation: 4.26.57.73[500]<=>76.97.216.191[500]_
2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive mode._
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated twice -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD_
2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled_
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Jan 11 14:15:04 [FVS338] [IKE] For 76.97.216.191[500], Selected
NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID_
2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T with peer
76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for
4.26.57.73[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for
76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is behind a NAT
device. and alsoPeer is behind a NAT device_
2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to
76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for
4.26.57.73[4500]-76.97.216.191[4500] with
spi:4646d0e40d5cd138:4ac0ef8a139b655b_
2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622._
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from 76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user "dborges"_
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from 76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is assigned to
remote peer 76.97.216.191[4500]_
2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5_
2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"_
2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2
negotiation: 4.26.57.73[0]<=>76.97.216.191[0]_
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0]
10.1.1.0/24[0] proto=any dir=in_
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for
responder._
Ive been trying to get this working for a month now no luck. Thanks for
your help :)
Dave
On Tue, 2011-01-11 at 13:10 -0600, Matthew Grooms wrote:
> On 1/11/2011 12:59 PM, David Borges wrote:
> > Kevin,
> >
> > I told shrew to use 10.1.1.0/24. In the FVS338 here is the ModeConfig
> >
> > Client Pool:
> > Record Name: Pool
> > First IP Pool: 10.1.2.150 - 10.1.2.160
> > Section IP Pool: 0.0.0.0 - 0.0.0.0
> > Third IP Pool: 0.0.0.0 - 0.0.0.0
> > Primary WINS Server: 0.0.0.0
> > Secondary WINS Server: 0.0.0.0
> > Primary DNS Server: 8.8.8.8
> > Secondary DNS Server: 8.8.4.4
> > Traffic Tunnel Security Level:
> > PFS Key Group: Group 2 (1024 bit)
> > SA Lifetime: 3600
> > SA Lifebyte: 0
> > Encryption Algorithm: 3DES
> > Integrity Algorithm: SHA-1
> > Local IP Address: 10.1.1.0
> > Local Subnet Mask: 255.255.255.0
> >
> >
> > My internal network is 10.1.1.0/24. Am I missing something?
> >
>
> Have you tried setting your PFS group in the client to group 2 under the
> phase2 tab?
>
> -Matthew
--
David Borges
Director of Network Administration
3720 Davinci Court, Suite 200
Norcross GA, 30092
www.skitter.tv
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110111/ae0b33d5/attachment-0002.html>
More information about the vpn-help
mailing list