[vpn-help] negotiation timeout

Kevin VPN kvpn at live.com
Thu Jul 26 20:59:58 CDT 2012


On 07/26/2012 03:26 AM, Steven Lam wrote:
> I also turned off the firewall to see if that makes a difference,
> and it didn't either.  I looked up what udp 16611 is and it is an
> undocumented port.  Should I define a firewall rule that anything
> coming in with 16611 passes thru?

On 07/26/2012 03:21 AM, Steven Lam wrote:
> Ok, I looked at my log and I get this:
>
> Connection Refused - Policy violation	   UDP
> xxx.xx.151.23:16611->xxx.xx.194.82:31075 on ixp1
>
> There is no defined rule on the firewall.  Or is it something else?
>
> Thanks!
>
>
> -----Original Message-----
> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
> Sent: July-25-12 7:32 PM
> To: vpn-help at lists.shrew.net
> Subject: Re: [vpn-help] negotiation timeout
>
> On 07/24/2012 02:29 AM, Steven Lam wrote:
>> Hi, here is the log:
>>
> <snip>
>> 12/07/23 23:19:51 -> : send IKE packet 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500 ( 620 bytes )
>> 12/07/23 23:19:51 DB : phase1 resend event scheduled ( ref count = 2 )
>> 12/07/23 23:19:56 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:01 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:06 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:11 ii : resend limit exceeded for phase1 exchange
>> 12/07/23 23:20:11 ii : phase1 removal before expire time
>> 12/07/23 23:20:11 DB : phase1 deleted ( obj count = 0 )
>> 12/07/23 23:20:11 DB : policy not found
>> 12/07/23 23:20:11 DB : policy not found
>> 12/07/23 23:20:11 DB : policy not found
>> 12/07/23 23:20:11 DB : policy not found
> <snip>
>>
>>
>> I don't see any problem until the policy not found error.
>>
>> -----Original Message-----
>> From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Kevin VPN
>> Sent: July-22-12 9:38 AM
>> To: vpn-help at lists.shrew.net
>> Subject: Re: [vpn-help] negotiation timeout
>>
>> On 07/19/2012 02:26 AM, Steven Lam wrote:
>>> Hi, I'm using shrew 2.1.7 connecting to rv082.  I haven't been
>>> able to connect so far.  I am having connection timeout error.
>>> Shrew will say it is bringing up tunnel but it will eventually
>>> get a "negotiation timeout" message.  When I consult the vpn log
>>> on the rv082, I see a lot of "ignoring vendor id payload" messages.
>>> The payload id is different each time.  Any idea what it is?  Thanks!
>>>
>>
>> Hi Steven,
>>
>> I'm not sure the vendor id payload is a big problem.  During
>> negotiation, I think Shrew provides a list of the vendor ids it
>> supports/emulates.
>>
>> I would generate a log file from Shrew to see if it gives us more
>> information, I would guess there is something else wrong, perhaps a
>> configuration mismatch.
>>
>> Instructions on how to generate a log file are here:
>> http://www.shrew.net/support/wiki/BugReportVpnWindows
>>
>
> Hi Steven,
>
> The problem is actually before the "policy not found," it's here:
>
>> 12/07/23 23:19:51 -> : send IKE packet 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500 ( 620 bytes )
>> 12/07/23 23:19:51 DB : phase1 resend event scheduled ( ref count = 2 )
>> 12/07/23 23:19:56 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:01 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:06 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
>> 12/07/23 23:20:11 ii : resend limit exceeded for phase1 exchange
>
> These messages mean that Shrew tried to contact the gateway but
> received no response.  At this point, you'll need to get the gateway
> logs to see if it is receiving the packets from Shrew and if so, why
> it is not responding.
>
> My guess is that it will be something related to the settings on the
> Authentication tab of the Shrew Site Configuration.  Look to
> synchronize those with the settings on the gateway.
> _______________________________________________ vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>

Hi Steven,

Don't worry about port 16611, that's just a random source port for the 
traffic.

For the Policy error, it may not be a rule per se that's required.  If 
the remote client (Shrew) doesn't identify itself properly or request 
the right network resources when it connects, the gateway will reject 
the traffic.  When setting up the VPN, you have to make sure that the 
Shrew and gateway (rv082) identification pieces match up.

Check to see if this Howto helps:
http://www.shrew.net/support/wiki/HowtoLinksys
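As an added example (not code from this thread, from Kevin, or from the Shrew Soft project), here is a small Python checker that reads a Shrew VPN client log like the one quoted above and tells apart a phase 1 that timed out with no reply from the gateway (the case in this thread, where the later "policy not found" lines are just the aftermath of the phase 1 teardown) from a phase 1 where the gateway did answer. The send/resend/"resend limit exceeded"/"policy not found" line shapes are copied from the log posted in the thread; the "<- : recv IKE packet" shape used for the second sample is an assumption about the client's logging, and both sample logs are constructed.

```python
"""Classify a Shrew Soft VPN client log: did the gateway ever answer phase 1?

Added example; not code from the mailing-list thread or from Shrew Soft.
The send / resend / 'resend limit exceeded' / 'policy not found' line shapes
come from the log quoted in the thread.  The '<- : recv IKE packet' shape is
an ASSUMPTION about the client's log format.  Both sample logs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# e.g. "12/07/23 23:19:51 -> : send IKE packet 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500 ( 620 bytes )"
LOG_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tag>\S+) : (?P<msg>.*)$"
)
ENDPOINTS_RE = re.compile(r"(?P<src>\S+:\d+) -> (?P<dst>\S+:\d+)")


@dataclass
class Phase1Report:
    sent: int = 0                 # initial phase 1 packets sent by the client
    resends: int = 0              # phase 1 retransmissions
    received: int = 0             # IKE packets received from the peer (assumed '<-' lines)
    resend_limit_hit: bool = False
    policy_not_found: int = 0     # 'policy not found' lines seen after teardown
    peer: str = ""                # gateway address:port exactly as logged
    verdict: str = ""
    reason: str = ""


def analyze(lines: List[str]) -> Phase1Report:
    """Walk the log once, count phase 1 traffic in each direction, then classify."""
    r = Phase1Report()
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                                   # not a Shrew-style log line
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "->" and msg.startswith("send IKE packet"):
            r.sent += 1
            ep = ENDPOINTS_RE.search(msg)
            if ep:
                r.peer = ep.group("dst")
        elif tag == "->" and msg.startswith("resend") and "phase1" in msg:
            r.resends += 1
        elif tag == "<-" and msg.startswith("recv IKE packet"):   # assumed shape
            r.received += 1
        elif "resend limit exceeded for phase1" in msg:
            r.resend_limit_hit = True
        elif msg == "policy not found":
            r.policy_not_found += 1

    if r.resend_limit_hit and r.received == 0:
        r.verdict = "no_response"
        r.reason = (f"{r.sent} phase 1 packet(s) plus {r.resends} resend(s) to {r.peer} "
                    "and nothing came back. Check the gateway side: is it receiving the "
                    "client's UDP 500 packets, and if so why is it not answering? The "
                    f"{r.policy_not_found} 'policy not found' line(s) follow the phase 1 "
                    "teardown and are not the root cause.")
    elif r.resend_limit_hit:
        r.verdict = "peer_answered_but_phase1_failed"
        r.reason = (f"{r.received} packet(s) received from {r.peer} yet phase 1 still timed "
                    "out: compare phase 1 proposal and identity settings on both ends.")
    elif r.sent:
        r.verdict = "phase1_progressed"
        r.reason = f"{r.received} packet(s) received from {r.peer}; no phase 1 resend limit hit."
    else:
        r.verdict = "no_phase1_activity"
        r.reason = "no phase 1 send seen in the supplied lines."
    return r


# Constructed from the log lines quoted in the thread (peer address masked as posted).
NO_RESPONSE_LOG = """\
12/07/23 23:19:51 -> : send IKE packet 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500 ( 620 bytes )
12/07/23 23:19:51 DB : phase1 resend event scheduled ( ref count = 2 )
12/07/23 23:19:56 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
12/07/23 23:20:01 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
12/07/23 23:20:06 -> : resend 1 phase1 packet(s) 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500
12/07/23 23:20:11 ii : resend limit exceeded for phase1 exchange
12/07/23 23:20:11 ii : phase1 removal before expire time
12/07/23 23:20:11 DB : phase1 deleted ( obj count = 0 )
12/07/23 23:20:11 DB : policy not found
12/07/23 23:20:11 DB : policy not found
12/07/23 23:20:11 DB : policy not found
12/07/23 23:20:11 DB : policy not found
""".splitlines()

# Constructed counter-example: same first send, but the gateway replies
# (the '<-' recv line shape is assumed, not taken from the thread).
ANSWERED_LOG = """\
12/07/23 23:19:51 -> : send IKE packet 10.0.1.102:500 -> xxx.xxx.xxx.xxx:500 ( 620 bytes )
12/07/23 23:19:51 DB : phase1 resend event scheduled ( ref count = 2 )
12/07/23 23:19:52 <- : recv IKE packet xxx.xxx.xxx.xxx:500 -> 10.0.1.102:500 ( 180 bytes )
""".splitlines()


if __name__ == "__main__":
    for name, log in (("thread log", NO_RESPONSE_LOG), ("answered log", ANSWERED_LOG)):
        rep = analyze(log)
        print(f"{name}: {rep.verdict}: {rep.reason}")
```

Run it as-is to see both verdicts, or feed it `open("iked.log").read().splitlines()` from a log generated per the BugReportVpnWindows instructions linked earlier in the thread. The point of the split is the one Kevin makes: three unanswered resends followed by "resend limit exceeded" means the next place to look is the gateway, not the "policy not found" lines that follow.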
