[vpn-help] FVS338 tunnel established but can't ping remote IP's/SSH/DNS etc.

David Borges david.borges at skitter.tv
Wed Jan 12 11:36:39 CST 2011


Michal,

I must be missing something.  This is what my Mode Config looks like
below:

Client Pool:
Record Name: 	Pool
First IP Pool: 	10.1.2.150 - 10.1.2.160
Section IP Pool: 	0.0.0.0 - 0.0.0.0
Third IP Pool: 	0.0.0.0 - 0.0.0.0
Primary WINS Server: 	0.0.0.0
Secondary WINS Server: 	0.0.0.0
Primary DNS Server: 	8.8.8.8
Secondary DNS Server: 	8.8.4.4
Traffic Tunnel Security Level:
PFS Key Group: 	Group 2 (1024 bit)
SA Lifetime: 	3600
SA Lifebyte: 	0
Encryption Algorithm: 	3DES
Integrity Algorithm: 	SHA-1
Local IP Address: 	10.1.1.0
Local Subnet Mask: 	255.255.255.0


As you can see, I'm trying to get 10.1.2.150 - 10.1.2.160 as an address
assigned to my VPN client.  This is successful.  The IP address of my
remote network is 10.1.1.0/24, that's why I put 10.1.1.0 in the Local IP
address field.

Here is my latest VPN log below:

2011 Jan 12 12:28:11 [FVS338] [IKE] Remote configuration for identifier
"skitter_client" found_
2011 Jan 12 12:28:11 [FVS338] [IKE] Received request for new phase 1
negotiation: x.yy.57.73[500]<=>xx.yy.216.191[500]_
2011 Jan 12 12:28:11 [FVS338] [IKE] Beginning Aggressive mode._
2011 Jan 12 12:28:11 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2011 Jan 12 12:28:11 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2011 Jan 12 12:28:11 [FVS338] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2011 Jan 12 12:28:11 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 12 12:28:11 [FVS338] [IKE] Received Vendor ID: DPD_
2011 Jan 12 12:28:11 [FVS338] [IKE] DPD is Enabled_
2011 Jan 12 12:28:11 [FVS338] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2011 Jan 12 12:28:11 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Jan 12 12:28:11 [FVS338] [IKE] For xx.yy.216.191[500], Selected
NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Jan 12 12:28:11 [FVS338] [IKE] Setting DPD Vendor ID_
2011 Jan 12 12:28:12 [FVS338] [IKE] Floating ports for NAT-T with peer
xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] NAT-D payload does not match for
x.yy.57.73[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] NAT-D payload does not match for
xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] NAT detected: Local is behind a NAT
device. and alsoPeer is behind a NAT device_
2011 Jan 12 12:28:12 [FVS338] [IKE] Sending Xauth request to
xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] ISAKMP-SA established for
x.yy.57.73[4500]-xx.yy.216.191[4500] with
spi:0222cd8e6f858b7e:ecbdfe6423eb92ec_
2011 Jan 12 12:28:12 [FVS338] [IKE] purging spi=18037941._
2011 Jan 12 12:28:12 [FVS338] [IKE] purging spi=44651433._
2011 Jan 12 12:28:12 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] Login succeeded for user "dborges"_
2011 Jan 12 12:28:12 [FVS338] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] 10.1.2.150 IP address is assigned to
remote peer xx.yy.216.191[4500]_
2011 Jan 12 12:28:12 [FVS338] [IKE] Ignored attribute 5_
2011 Jan 12 12:28:12 [FVS338] [IKE] Cannot open "/etc/motd"_
2011 Jan 12 12:28:12 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 12 12:28:12 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 12:28:12 [FVS338] [IKE] No policy found: 10.1.2.150/32[0]
10.1.1.0/24[0] proto=any dir=in_
2011 Jan 12 12:28:12 [FVS338] [IKE] Failed to get proposal for
responder._
2011 Jan 12 12:28:22 [FVS338] [IKE] Responding to new phase 2
negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
2011 Jan 12 12:28:22 [FVS338] [IKE] Using IPsec SA configuration:
10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 12:28:22 [FVS338] [IKE] Adjusting peer's encmode
61443(61443)->Tunnel(1)_
2011 Jan 12 12:28:23 [FVS338] [IKE] DPD R-U-THERE sent to
"xx.yy.216.191[4500]"_
2011 Jan 12 12:28:23 [FVS338] [IKE] DPD R-U-THERE-ACK received from
"xx.yy.216.191[4500]"_
2011 Jan 12 12:28:24 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel xx.yy.216.191->x.yy.57.73 with
spi=194786311(0xb9c3407)_
2011 Jan 12 12:28:24 [FVS338] [IKE] IPsec-SA established[UDP encap
4500->4500]: ESP/Tunnel x.yy.57.73->xx.yy.216.191 with
spi=106321152(0x6565500)_
2011 Jan 12 12:28:27 [FVS338] [IKE] DPD R-U-THERE received from
"xx.yy.216.191[4500]"_
2011 Jan 12 12:28:27 [FVS338] [IKE] DPD R-U-THERE-ACK sent to
"xx.yy.216.191[4500]"_




On Tue, 2011-01-11 at 20:43 +0100, Michal Wegrzyn wrote:
> For NetGear and ModeConfig add two subnets
> Your LAN and ModeConfig subnet:
> 10.1.1.0/24
> 10.1.2.0/24
>  
> On my FVX538 this allow to get access to local LAN / DMZ network.
> Also set Phase 1 and Phase 2 to the same you have set on your FVX338.
>  
> Regards
>  Michal Wegrzyn
>         ----- Original Message ----- 
>         From: David Borges 
>         To: Matthew Grooms 
>         Cc: vpn-help at lists.shrew.net 
>         Sent: Tuesday, January 11, 2011 8:19 PM
>         Subject: Re: [vpn-help] FVS338 tunnel established but can't
>         ping remote IP's/SSH/DNS etc.
>         
>         
>         Matthew,
>         
>         Phase 2 now looks like this:
>         
>         Transform Algorithm: auto
>         Transform Key Length: auto
>         HMAC Algorithm: auto
>         PFS Exchange: Group 2
>         Compression: disabled
>         
>         Here is the vpn log output:
>         
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for
>         identifier
>         "skitter_client" found_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new
>         phase 1
>         negotiation: x.yy.57.73[500]<=>xx.yy.216.191[500]_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive
>         mode._
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         draft-ietf-ipsra-isakmp-xauth-06.txt_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated twice -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         draft-ietf-ipsec-nat-t-ike-02__
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated 2 times -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor
>         ID_
>                         - Last output repeated 2 times -
>         2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID:
>         CISCO-UNITY_
>         2011 Jan 11 14:15:04 [FVS338] [IKE] For xx.yy.216.191[500],
>         Selected
>         NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T
>         with peer
>         xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not
>         match for
>         x.yy.57.73[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not
>         match for
>         xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is
>         behind a NAT
>         device. and alsoPeer is behind a NAT device_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to
>         xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for
>         x.yy.57.73[4500]-xx.yy.216.191[4500] with
>         spi:4646d0e40d5cd138:4ac0ef8a139b655b_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622._
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
>         "ISAKMP_CFG_REPLY" from xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user
>         "dborges"_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type
>         "ISAKMP_CFG_REQUEST" from xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is
>         assigned to
>         remote peer xx.yy.216.191[4500]_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5_
>         2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2
>         negotiation: x.yy.57.73[0]<=>xx.yy.216.191[0]_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA
>         configuration:
>         10.1.1.0/24<->10.1.2.0/24_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found:
>         10.1.2.150/32[0]
>         10.1.1.0/24[0] proto=any dir=in_
>         2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for
>         responder._
>         
>         I've been trying to get this working for a month now, no luck.
>         Thanks for
>         your help :)
>         
>         Dave
>         
>         On Tue, 2011-01-11 at 13:10 -0600, Matthew Grooms wrote:
>         > On 1/11/2011 12:59 PM, David Borges wrote:
>         > > Kevin,
>         > >
>         > > I told shrew to use 10.1.1.0/24.  In the FVS338 here is
>         the ModeConfig
>         > >
>         > > Client Pool:
>         > > Record Name: Pool
>         > > First IP Pool: 10.1.2.150 - 10.1.2.160
>         > > Section IP Pool: 0.0.0.0 - 0.0.0.0
>         > > Third IP Pool: 0.0.0.0 - 0.0.0.0
>         > > Primary WINS Server: 0.0.0.0
>         > > Secondary WINS Server: 0.0.0.0
>         > > Primary DNS Server: 8.8.8.8
>         > > Secondary DNS Server: 8.8.4.4
>         > > Traffic Tunnel Security Level:
>         > > PFS Key Group: Group 2 (1024 bit)
>         > > SA Lifetime: 3600
>         > > SA Lifebyte: 0
>         > > Encryption Algorithm: 3DES
>         > > Integrity Algorithm: SHA-1
>         > > Local IP Address: 10.1.1.0
>         > > Local Subnet Mask: 255.255.255.0
>         > >
>         > >
>         > > My internal network is 10.1.1.0/24.  Am I missing
>         something?
>         > >
>         > 
>         > Have you tried setting your PFS group in the client to group
>         2 under the 
>         > phase2 tab?
>         > 
>         > -Matthew
>         
>         -- 
>         David Borges
>         Director of Network Administration
>         3720 Davinci Court, Suite 200
>         Norcross GA, 30092
>         www.skitter.tv
>         
>         
>         
>         
>         
>         _______________________________________________
>         vpn-help mailing list
>         vpn-help at lists.shrew.net
>         http://lists.shrew.net/mailman/listinfo/vpn-help

-- 
David Borges
Director of Network Administration
3720 Davinci Court, Suite 200
Norcross GA, 30092
www.skitter.tv
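The phase 2 records in these FVS338 logs can be checked mechanically. This is an added example, not code from the thread, NetGear or Shrew Soft: a Python script that parses the gateway's "Using IPsec SA configuration", "No policy found" and "IPsec-SA established" lines and reports, for each rejected proposal, whether its selectors fall inside the configured subnet pair. The sample log is constructed from the lines quoted above, with wrapped lines rejoined.

```python
import re
import ipaddress

# Constructed sample: phase-2 records from the FVS338 log in the thread,
# wrapped lines rejoined; not a full capture.
SAMPLE_LOG = """\
2011 Jan 12 12:28:12 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 12:28:12 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in_
2011 Jan 12 12:28:12 [FVS338] [IKE] Failed to get proposal for responder._
2011 Jan 12 12:28:22 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24_
2011 Jan 12 12:28:24 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel xx.yy.216.191->x.yy.57.73 with spi=194786311(0xb9c3407)_
"""

# Gateway policy as the FVS338 prints it: "local<->remote".
SA_CFG = re.compile(r"Using IPsec SA configuration: (\S+?)<->(\S+?)_?\s*$")
# Proposal the gateway could not match: "src[port] dst[port] proto=... dir=...".
NO_POLICY = re.compile(r"No policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=([a-z]+)")
ESTABLISHED = re.compile(r"IPsec-SA established\[([^\]]*)\]: (\w+)/(\w+) (\S+)->(\S+) with spi=(\d+)")


def analyse_phase2(log_text):
    """Return the configured SA pair, each rejected proposal with a containment
    verdict against that pair, and each child SA the gateway reports as up."""
    configured = None
    rejected, established = [], []
    for line in log_text.splitlines():
        m = SA_CFG.search(line)
        if m:
            configured = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = NO_POLICY.search(line)
        if m:
            src, dst = ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))
            # For dir=in, src is the peer's (remote) side and dst the gateway's local side.
            if configured is None:
                verdict = "no configured pair seen before this proposal"
            elif src.subnet_of(configured[1]) and dst.subnet_of(configured[0]):
                # Covered but still rejected: the selectors are expressed differently
                # from the policy (here a /32 host against a /24), not a wrong subnet.
                verdict = "covered by configured subnets"
            else:
                verdict = "outside configured subnets"
            rejected.append({"src": str(src), "dst": str(dst), "proto": m.group(3),
                             "dir": m.group(4), "verdict": verdict})
            continue
        m = ESTABLISHED.search(line)
        if m:
            established.append({"encap": m.group(1), "proto": m.group(2), "mode": m.group(3),
                                "src": m.group(4), "dst": m.group(5), "spi": int(m.group(6))})
    return {"configured": tuple(map(str, configured)) if configured else None,
            "rejected": rejected, "established": established}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse_phase2(SAMPLE_LOG), indent=2))
```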
