[vpn-help] VPN Tunnel connection Established, but no traffic passthrough

Henry henrysoo at gmail.com
Thu Mar 8 06:34:33 CST 2012


Hi guys,

I just set up Netgear FVS318G as gateway-to-client with Shrew VPN
Client. My problem is, the VPN tunnel connection established, but the
PING does not work when ping the local devices reside on the LAN side
of FVS318G. I cannot see any LAN resource as no traffic passing
through the VPN Tunnel.

My configurations are:

My PC (LAN IP: 192.168.2.10) with Shrew VPN client Installed --> The
Internet --> BiPAC 7700N [(LAN IP: 10.1.1.1/24, DMZ set to FVS318G
(WAN IP: 10.1.1.2, LAN IP: 192.168.1.1/24, First Pool: starting
192.168.1.190 Ending IP: 192.168.1.199)]

The Shrew VPN client configuration was set up by using the guide
www.shrew.net/support/wiki/HowtoNetgear. Under Topology Entry, Type:
Include, Address 192.168.1.0, Netmask: 255.255.255.0 were configured.

I know the BiPAC 7700N does not allow VPN. But as I set the FVS318G in
DMZ (the DMZ works as I could vpn to FVS318G by Shrew VPN client),
would that be possible the BiPAC 7700N drop the VPN traffic still? I
also changed different IP Schemes in First Pool under Mode Config.But
it did the same, the VPN Tunnel established, but cannot ping the VPN
gateway and cannot access local resources behind the gateway.

Do you guys have any ideas? I would much appreciate for any input.

Kind regards,
Henry


The FVS318G VPN logs are as below:

2012 Mar  8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap
4500->55126]: ESP/Tunnel 10.1.1.2->14.200.16.xxx with
spi=2454962505(0x9253c149)_
2012 Mar  8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap
55126->4500]: ESP/Tunnel 14.200.16.xxx->10.1.1.2 with
spi=240506340(0xe55d5e4)_
2012 Mar  8 11:56:53 [FVS318g] [IKE] Adjusting peer's encmode
61443(61443)->Tunnel(1)_
2012 Mar  8 11:56:51 [FVS318g] [IKE] No policy found, generating the
policy : 192.168.1.191/32[0] 192.168.1.0/24[0] proto=any dir=in_
2012 Mar  8 11:56:51 [FVS318g] [IKE] Using IPsec SA configuration:
192.168.1.0/24<->192.168.1.0/24_
2012 Mar  8 11:56:51 [FVS318g] [IKE] Responding to new phase 2
negotiation: 10.1.1.2[0]<=>14.200.16.xxx[0]_
2012 Mar  8 11:56:51 [FVS318g] [IKE] 192.168.1.190 IP address is
assigned to remote peer 14.200.16.xxx[55126]_
2012 Mar  8 11:56:51 [FVS318g] [IKE] Cannot open "/etc/motd"_
2012 Mar  8 11:56:51 [FVS318g] [IKE] Received attribute type
"ISAKMP_CFG_REQUEST" from 14.200.16.xxx[55126]_
2012 Mar  8 11:56:51 [FVS318g] [IKE] Login succeeded for user "abc"_
2012 Mar  8 11:56:50 [FVS318g] [IKE] Received attribute type
"ISAKMP_CFG_REPLY" from 14.200.16.xxx[55126]_
2012 Mar  8 11:56:50 [FVS318g] [IKE] purging spi=162673254._
2012 Mar  8 11:56:50 [FVS318g] [IKE] ISAKMP-SA established for
10.1.1.2[4500]-14.200.16.xxx[55126] with
spi:6cced634bc69f38f:1838b1314f37cdd1_
2012 Mar  8 11:56:50 [FVS318g] [IKE] Sending Xauth request to
14.200.16.xxx[55126]_
2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT detected: Local is behind a
NAT device. and alsoPeer is behind a NAT device_
2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for
14.200.16.xxx[55126]_
2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for
10.1.1.2[4500]_
2012 Mar  8 11:56:50 [FVS318g] [IKE] Floating ports for NAT-T with
peer 14.200.16.xxx[55126]_
2012 Mar  8 11:56:50 [FVS318g] [IKE] Setting DPD Vendor ID_
2012 Mar  8 11:56:49 [FVS318g] [IKE] For 14.200.16.xxx[55028],
Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID: CISCO-UNITY_
                - Last output repeated 2 times -
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
2012 Mar  8 11:56:49 [FVS318g] [IKE] DPD is Enabled_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID: DPD_
                - Last output repeated 2 times -
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
                - Last output repeated twice -
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Beginning Aggressive mode._
2012 Mar  8 11:56:49 [FVS318g] [IKE] Received request for new phase 1
negotiation: 10.1.1.2[500]<=>14.200.16.xxx[55028]_
2012 Mar  8 11:56:49 [FVS318g] [IKE] Remote configuration for
identifier "client.domain.com" found_



More information about the vpn-help mailing list