[vpn-help] VPN Tunnel connection Established, but no traffic passthrough

Alexis La Goutte alexis.lagoutte at gmail.com
Mon Mar 12 10:47:15 CDT 2012


Hi Henry,

I'm not sure, but the Pool Address shouldn't be the same as the LAN (use
another Pool).

Regards,

On Thu, Mar 8, 2012 at 1:34 PM, Henry <henrysoo at gmail.com> wrote:

> Hi guys,
>
> I just set up a Netgear FVS318G as gateway-to-client with the Shrew VPN
> Client. My problem is that the VPN tunnel connection is established, but
> PING does not work when pinging the local devices that reside on the LAN
> side of the FVS318G. I cannot see any LAN resources, as no traffic is
> passing through the VPN tunnel.
>
> My configurations are:
>
> My PC (LAN IP: 192.168.2.10) with Shrew VPN client Installed --> The
> Internet --> BiPAC 7700N [(LAN IP: 10.1.1.1/24, DMZ set to FVS318G
> (WAN IP: 10.1.1.2, LAN IP: 192.168.1.1/24, First Pool: starting
> 192.168.1.190 Ending IP: 192.168.1.199)]
>
> The Shrew VPN client configuration was set up by using the guide
> www.shrew.net/support/wiki/HowtoNetgear. Under Topology Entry, Type:
> Include, Address 192.168.1.0, Netmask: 255.255.255.0 were configured.
>
> I know the BiPAC 7700N does not allow VPN. But as I set the FVS318G in
> DMZ (the DMZ works, as I could VPN to the FVS318G with the Shrew VPN
> client), would it be possible that the BiPAC 7700N still drops the VPN
> traffic? I also tried different IP schemes in First Pool under Mode
> Config. But it did the same: the VPN tunnel is established, but I cannot
> ping the VPN gateway and cannot access local resources behind the gateway.
>
> Do you guys have any ideas? I would much appreciate any input.
>
> Kind regards,
> Henry
>
>
> The FVS318G VPN logs are as below:
>
> 2012 Mar  8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap
> 4500->55126]: ESP/Tunnel 10.1.1.2->14.200.16.xxx with
> spi=2454962505(0x9253c149)_
> 2012 Mar  8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap
> 55126->4500]: ESP/Tunnel 14.200.16.xxx->10.1.1.2 with
> spi=240506340(0xe55d5e4)_
> 2012 Mar  8 11:56:53 [FVS318g] [IKE] Adjusting peer's encmode
> 61443(61443)->Tunnel(1)_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] No policy found, generating the
> policy : 192.168.1.191/32[0] 192.168.1.0/24[0] proto=any dir=in_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] Using IPsec SA configuration:
> 192.168.1.0/24<->192.168.1.0/24_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] Responding to new phase 2
> negotiation: 10.1.1.2[0]<=>14.200.16.xxx[0]_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] 192.168.1.190 IP address is
> assigned to remote peer 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] Cannot open "/etc/motd"_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] Received attribute type
> "ISAKMP_CFG_REQUEST" from 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:51 [FVS318g] [IKE] Login succeeded for user "abc"_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] Received attribute type
> "ISAKMP_CFG_REPLY" from 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] purging spi=162673254._
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] ISAKMP-SA established for
> 10.1.1.2[4500]-14.200.16.xxx[55126] with
> spi:6cced634bc69f38f:1838b1314f37cdd1_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] Sending Xauth request to
> 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT detected: Local is behind a
> NAT device. and alsoPeer is behind a NAT device_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for
> 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for
> 10.1.1.2[4500]_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] Floating ports for NAT-T with
> peer 14.200.16.xxx[55126]_
> 2012 Mar  8 11:56:50 [FVS318g] [IKE] Setting DPD Vendor ID_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] For 14.200.16.xxx[55028],
> Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID: CISCO-UNITY_
>                - Last output repeated 2 times -
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] DPD is Enabled_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID: DPD_
>                - Last output repeated 2 times -
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02__
>                - Last output repeated twice -
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Beginning Aggressive mode._
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Received request for new phase 1
> negotiation: 10.1.1.2[500]<=>14.200.16.xxx[55028]_
> 2012 Mar  8 11:56:49 [FVS318g] [IKE] Remote configuration for
> identifier "client.domain.com" found_
>
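The overlap raised in the reply can be checked straight from the gateway log. The following is an added example, not part of the thread: it reads three lines of the quoted FVS318G log and reports where the Mode Config address or the negotiated selectors fall inside the LAN subnet. The function name, the finding labels and the second (constructed) log are assumptions made for illustration.

```python
import ipaddress
import re

# Lines copied from the FVS318G log quoted in the thread, re-joined onto one line each.
SAMPLE_LOG = """\
2012 Mar  8 11:56:51 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.1.0/24<->192.168.1.0/24_
2012 Mar  8 11:56:51 [FVS318g] [IKE] 192.168.1.190 IP address is assigned to remote peer 14.200.16.xxx[55126]_
2012 Mar  8 11:56:51 [FVS318g] [IKE] No policy found, generating the policy : 192.168.1.191/32[0] 192.168.1.0/24[0] proto=any dir=in_
"""

# Constructed contrast case (not from the thread): pool outside the LAN subnet.
CONSTRUCTED_OK_LOG = """\
2012 Mar  8 11:56:51 [FVS318g] [IKE] 192.168.50.10 IP address is assigned to remote peer 14.200.16.xxx[55126]_
2012 Mar  8 11:56:51 [FVS318g] [IKE] No policy found, generating the policy : 192.168.50.10/32[0] 192.168.1.0/24[0] proto=any dir=in_
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ASSIGN_RE = re.compile(rf"({IP}) IP address is assigned to remote peer")
SA_RE = re.compile(r"Using IPsec SA configuration: (\S+?)<->(\S+?)_?$")
POLICY_RE = re.compile(r"generating the policy : (\S+?)\[\d+\] (\S+?)\[\d+\]")


def _nets(match):
    """Turn the two captured selectors into ip_network objects."""
    return [ipaddress.ip_network(s, strict=False) for s in match.groups()]


def find_overlaps(log_text, lan_cidr="192.168.1.0/24"):
    """Return (kind, detail) findings; lan_cidr defaults to the LAN in the post."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if (m := ASSIGN_RE.search(line)) and ipaddress.ip_address(m.group(1)) in lan:
            findings.append(("pool-in-lan", m.group(1)))
        elif m := SA_RE.search(line):
            a, b = _nets(m)
            if a.overlaps(b):  # both ends of the SA claim the same range
                findings.append(("selectors-overlap", f"{a}<->{b}"))
        elif m := POLICY_RE.search(line):
            src, dst = _nets(m)
            if src.subnet_of(dst):  # client selector sits inside the LAN selector
                findings.append(("policy-src-in-dst", f"{src} in {dst}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_overlaps(SAMPLE_LOG):
        print(kind, detail)
```

An empty result, as with the constructed log, means the assigned address and generated policy sit outside the LAN range, which is the change the reply proposes.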