[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.

David Borges david.borges at skitter.tv
Wed Jan 12 09:50:39 CST 2011


Kevin,

I have not enabled the firewall.  Default policy is allowing all for
right now.  

Here is my new vpn log output:

2011 Jan 12 10:42:28 [FVS338] [IKE] Remote configuration for identifier
"skitter_client" found_
2011 Jan 12 10:42:28 [FVS338] [IKE] Received request for new phase 1
negotiation: x.yy.57.73[500]<=>xx.yy.216.191[500]_
2011 Jan 12 10:42:28 [FVS338] [IKE] Beginning Aggressive mode._
2011 Jan 12 10:42:28 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2011 Jan 12 10:42:28 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2011 Jan 12 10:42:28 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2011 Jan 12 10:42:28 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 12 10:42:28 [FVS338] [IKE] Received Vendor ID: DPD_
2011 Jan 12 10:42:28 [FVS338] [IKE] DPD is Enabled_
2011 Jan 12 10:42:28 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 12 10:42:28 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Jan 12 10:42:28 [FVS338] [IKE] For xx.yy.216.191[500], Selected
NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Jan 12 10:42:29 [FVS338] [IKE] Setting DPD Vendor ID_
2011 Jan 12 10:42:29 [FVS338] [IKE] Floating ports for NAT-T with peer
xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] NAT-D payload does not match for
x.yy.57.73[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] NAT-D payload does not match for
xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] NAT detected: Local is behind a NAT
device. and alsoPeer is behind a NAT device_
2011 Jan 12 10:42:29 [FVS338] [IKE] Sending Xauth request to
xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] ISAKMP-SA established for
x.yy.57.73[4500]-xx.yy.216.191[4500] with
spi:4ec9624b7f02af2d:94d30ad1943309f7_
2011 Jan 12 10:42:29 [FVS338] [IKE] purging spi=151191843._
2011 Jan 12 10:42:29 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] Login succeeded for user "dborges"_
2011 Jan 12 10:42:29 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] 10.1.2.150 IP address is assigned to
remote peer xx.yy.216.191[4500]_
2011 Jan 12 10:42:29 [FVS338] [IKE] Ignored attribute 5_
2011 Jan 12 10:42:29 [FVS338] [IKE] Cannot open "/etc/motd"_
2011 Jan 12 10:42:29 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 12 10:42:30 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 10:42:30 [FVS338] [IKE] No policy found: 10.1.2.150/32[0]
10.1.1.0/24[0] proto=any dir=in_
2011 Jan 12 10:42:30 [FVS338] [IKE] Failed to get proposal for
responder._
2011 Jan 12 10:42:39 [FVS338] [IKE] DPD R-U-THERE sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:39 [FVS338] [IKE] DPD R-U-THERE-ACK received from
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:39 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 12 10:42:39 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 10:42:40 [FVS338] [IKE] Adjusting peer's encmode
61443(61443)->Tunnel(1)_
2011 Jan 12 10:42:41 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel xx.yy.216.191->x.yy.57.73 with
spi=236260712(0xe150d68)_
2011 Jan 12 10:42:41 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel x.yy.57.73->xx.yy.216.191 with
spi=179647494(0xab53406)_
2011 Jan 12 10:42:44 [FVS338] [IKE] DPD R-U-THERE received from
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:44 [FVS338] [IKE] DPD R-U-THERE-ACK sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:49 [FVS338] [IKE] DPD R-U-THERE sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:49 [FVS338] [IKE] DPD R-U-THERE-ACK received from
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:59 [FVS338] [IKE] DPD R-U-THERE received from
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:59 [FVS338] [IKE] DPD R-U-THERE-ACK sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:59 [FVS338] [IKE] DPD R-U-THERE sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 10:42:59 [FVS338] [IKE] DPD R-U-THERE-ACK received from
"xx.yy.216.191[4500]"_

On Tue, 2011-01-11 at 21:25 -0500, kevin vpn wrote:
> might seem like a silly question, but do you also have a firewall rule
> that allows traffic from 10.1.2.0/24 to pass to 10.1.1.0/24?
-- 
David Borges
Director of Network Administration
3720 Davinci Court, Suite 200
Norcross GA, 30092
www.skitter.tv