[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.

David Borges david.borges at skitter.tv
Tue Jan 11 14:22:34 CST 2011


Phase 1 and Phase 2 now match exactly with the FVS338 and Shrew Soft
Client.  I'm still only able to ping the internal interface on the VPN
router from the outside.  

Here is my new output:

2011 Jan 11 15:16:00 [FVS338] [IKE] Remote configuration for identifier
"skitter_client" found_
2011 Jan 11 15:16:00 [FVS338] [IKE] Received request for new phase 1
negotiation: x.yy.57.73[500]<=>xx.yy.216.191[500]_
2011 Jan 11 15:16:00 [FVS338] [IKE] Beginning Aggressive mode._
2011 Jan 11 15:16:00 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2011 Jan 11 15:16:00 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2011 Jan 11 15:16:00 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2011 Jan 11 15:16:00 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 11 15:16:00 [FVS338] [IKE] Received Vendor ID: DPD_
2011 Jan 11 15:16:00 [FVS338] [IKE] DPD is Enabled_
2011 Jan 11 15:16:00 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 11 15:16:00 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Jan 11 15:16:00 [FVS338] [IKE] For xx.yy.216.191[500], Selected
NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Jan 11 15:16:01 [FVS338] [IKE] Setting DPD Vendor ID_
2011 Jan 11 15:16:01 [FVS338] [IKE] Floating ports for NAT-T with peer
xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] NAT-D payload does not match for
x.yy.57.73[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] NAT-D payload does not match for
xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] NAT detected: Local is behind a NAT
device. and alsoPeer is behind a NAT device_
2011 Jan 11 15:16:01 [FVS338] [IKE] Sending Xauth request to
xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] ISAKMP-SA established for
x.yy.57.73[4500]-xx.yy.216.191[4500] with
spi:217a4ab6c0de9f2e:090974251797d574_
2011 Jan 11 15:16:01 [FVS338] [IKE] purging spi=147345332._
2011 Jan 11 15:16:01 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] Login succeeded for user "dborges"_
2011 Jan 11 15:16:01 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] 10.1.2.150 IP address is assigned to
remote peer xx.yy.216.191[4500]_
2011 Jan 11 15:16:01 [FVS338] [IKE] Ignored attribute 5_
2011 Jan 11 15:16:01 [FVS338] [IKE] Cannot open "/etc/motd"_
2011 Jan 11 15:16:01 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 11 15:16:01 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 15:16:01 [FVS338] [IKE] No policy found: 10.1.2.150/32[0]
10.1.1.0/24[0] proto=any dir=in_
2011 Jan 11 15:16:01 [FVS338] [IKE] Failed to get proposal for
responder._
2011 Jan 11 15:16:11 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 11 15:16:11 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 15:16:12 [FVS338] [IKE] Adjusting peer's encmode
61443(61443)->Tunnel(1)_
2011 Jan 11 15:16:12 [FVS338] [IKE] DPD R-U-THERE sent to
"xx.yy.216.191[4500]"_
2011 Jan 11 15:16:12 [FVS338] [IKE] Failed to get IPsec SA configuration
for: 0.0.0.0/0<->10.1.2.150/32_
2011 Jan 11 15:16:12 [FVS338] [IKE] DPD R-U-THERE-ACK received from
"xx.yy.216.191[4500]"_
2011 Jan 11 15:16:13 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel xx.yy.216.191->x.yy.57.73 with
spi=76553354(0x4901c8a)_
2011 Jan 11 15:16:13 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel x.yy.57.73->xx.yy.216.191 with
spi=261804226(0xf9ad0c2)_
2011 Jan 11 15:16:16 [FVS338] [IKE] DPD R-U-THERE received from
"xx.yy.216.191[4500]"_
2011 Jan 11 15:16:16 [FVS338] [IKE] DPD R-U-THERE-ACK sent to
"xx.yy.216.191[4500]"_
2011 Jan 11 15:16:31 [FVS338] [IKE] DPD R-U-THERE received from
"xx.yy.216.191[4500]"_
2011 Jan 11 15:16:31 [FVS338] [IKE] DPD R-U-THERE-ACK sent to
"xx.yy.216.191[4500]"_

On Tue, 2011-01-11 at 20:43 +0100, Michal Wegrzyn wrote:
> For NetGear and ModeConfig add two subnets
> Your LAN and ModeConfig subnet:
> 10.1.1.0/24
> 10.1.2.0/24
>  
> On my FVX538 this allows access to the local LAN / DMZ network.
> Also set Phase 1 and Phase 2 to the same you have set on your FVX338.
>  
> Regards
>  Michal Wegrzyn
>         ----- Original Message ----- 
>         From: David Borges 
>         To: Matthew Grooms 
>         Cc: vpn-help at lists.shrew.net 
>         Sent: Tuesday, January 11, 2011 8:19 PM
>         Subject: Re: [vpn-help] FVS338 tunnel established but can't
>         ping remote IP's/SSH/DNS etc.
>         
>         
>         Matthew,
>         
>         Phase 2 now looks like this:
>         
>         Transform Algorithm: auto
>         Transform Key Length: auto
>         HMAC Algorithm: auto
>         PFS Exchange: Group 2
>         Compression: disabled
>         
>         Here is the vpn log output:
>         
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for
>         identifier
>         "skitter_client" found_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new
>         phase 1
>         negotiation: 4.26.57.73[500]<=>76.97.216.191[500]_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive
>         mode._
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         draft-ietf-ipsra-isakmp-xauth-06.txt_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated twice -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         draft-ietf-ipsec-nat-t-ike-02__
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated 2 times -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated 2 times -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         CISCO-UNITY_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] For 76.97.216.191[500],
>         Selected
>         NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T
>         with peer
>         76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not
>         match for
>         4.26.57.73[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not
>         match for
>         76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is
>         behind a NAT
>         device. and alsoPeer is behind a NAT device_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to
>         76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for
>         4.26.57.73[4500]-76.97.216.191[4500] with
>         spi:4646d0e40d5cd138:4ac0ef8a139b655b_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622._
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
>         "ISAKMP_CFG_REPLY" from 76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user
>         "dborges"_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
>         "ISAKMP_CFG_REQUEST" from 76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is
>         assigned to
>         remote peer 76.97.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2
>         negotiation: 4.26.57.73[0]<=>76.97.216.191[0]_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA
>         configuration:
>         10.1.1.0/24<->10.1.2.0/24_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found:
>         10.1.2.150/32[0]
>         10.1.1.0/24[0] proto=any dir=in_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for
>         responder._
>         
>         I've been trying to get this working for a month now, no luck.
>         Thanks for your help :)
>         
>         Dave
>         
>         On Tue, 2011-01-11 at 13:10 -0600, Matthew Grooms wrote:
>         > On 1/11/2011 12:59 PM, David Borges wrote:
>         > > Kevin,
>         > >
>         > > I told shrew to use 10.1.1.0/24.  In the FVS338 here is
>         the ModeConfig
>         > >
>         > > Client Pool:
>         > > Record Name: Pool
>         > > First IP Pool: 10.1.2.150 - 10.1.2.160
>         > > Section IP Pool: 0.0.0.0 - 0.0.0.0
>         > > Third IP Pool: 0.0.0.0 - 0.0.0.0
>         > > Primary WINS Server: 0.0.0.0
>         > > Secondary WINS Server: 0.0.0.0
>         > > Primary DNS Server: 8.8.8.8
>         > > Secondary DNS Server: 8.8.4.4
>         > > Traffic Tunnel Security Level:
>         > > PFS Key Group: Group 2 (1024 bit)
>         > > SA Lifetime: 3600
>         > > SA Lifebyte: 0
>         > > Encryption Algorithm: 3DES
>         > > Integrity Algorithm: SHA-1
>         > > Local IP Address: 10.1.1.0
>         > > Local Subnet Mask: 255.255.255.0
>         > >
>         > >
>         > > My internal network is 10.1.1.0/24.  Am I missing
>         something?
>         > >
>         > 
>         > Have you tried setting your PFS group in the client to group
>         2 under the 
>         > phase2 tab?
>         > 
>         > -Matthew
>         
>         -- 
>         David Borges
>         Director of Network Administration
>         3720 Davinci Court, Suite 200
>         Norcross GA, 30092
>         www.skitter.tv

-- 
David Borges
Director of Network Administration
3720 Davinci Court, Suite 200
Norcross GA, 30092
www.skitter.tv
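As an added example (not part of this thread or of the Shrew Soft project), here is a small Python checker for the two phase-2 rejections in the log above: it reads the router's "Using IPsec SA configuration" line and judges each rejected proposal against it, separating a proposal that is merely narrower than the policy (the /32 ModeConfig client address) from one that falls outside it (0.0.0.0/0). The sample lines are constructed from the thread, and which side of each selector pair is "local" is my reading of the messages, not something the router documents.

```python
"""Classify IKE phase-2 selector rejections from FVS338-style log lines."""
import ipaddress
import re

# Constructed sample, modelled on the lines quoted in the thread (assumption).
SAMPLE_LOG = """\
2011 Jan 11 15:16:01 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 15:16:01 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in_
2011 Jan 11 15:16:12 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->10.1.2.150/32_
"""

POLICY_RE = re.compile(r"Using IPsec SA configuration: ([0-9./]+)<->([0-9./]+)")
NOPOLICY_RE = re.compile(r"No policy found: ([0-9./]+)\[\d+\] ([0-9./]+)\[\d+\]")
NOCONFIG_RE = re.compile(r"Failed to get IPsec SA configuration for: ([0-9./]+)<->([0-9./]+)")


def classify(local, remote, policy):
    """Compare a proposed (local, remote) selector pair with the configured policy pair.
    'exact' is what the router accepts; 'narrower' fits inside the policy but is not
    identical (the /32 case in the thread); 'outside' is not covered at all."""
    l, r = ipaddress.ip_network(local, strict=False), ipaddress.ip_network(remote, strict=False)
    pl, pr = (ipaddress.ip_network(p, strict=False) for p in policy)
    if (l, r) == (pl, pr):
        return "exact"
    if l.subnet_of(pl) and r.subnet_of(pr):
        return "narrower"
    return "outside"


def analyze(log_text):
    """Walk the log in order; each rejected proposal is judged against the most
    recent 'Using IPsec SA configuration' (local<->remote) line seen before it."""
    policy, findings = None, []
    for line in log_text.splitlines():
        if m := POLICY_RE.search(line):
            policy = (m.group(1), m.group(2))          # (local LAN, remote pool)
            continue
        if m := NOPOLICY_RE.search(line):             # dir=in: source is the remote peer
            local, remote = m.group(2), m.group(1)
        elif m := NOCONFIG_RE.search(line):           # router's own side is written first
            local, remote = m.group(1), m.group(2)
        else:
            continue
        verdict = "no-policy-seen" if policy is None else classify(local, remote, policy)
        findings.append({"local": local, "remote": remote, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['local']:>12} <-> {f['remote']:<14} {f['verdict']}")
```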