[vpn-help] Netgear SRX5308 issue

John Ellin john at 4ccompany.com
Sat Mar 18 09:05:24 CDT 2017


Hi,

I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.

Followed the instructions here: https://www.shrew.net/support/Howto_Netgear with the following exceptions:
NAS:
  Mode config:
    IP Pool Address range: 192.168.128.1 - 192.168.128.16
    Local IP Address: 192.168.0.0/255.255.252.0

  IKE Policy:
    XAuth Authentication Type: Radius - PAP

Shrew:
  Policy:
    include 192.168.0.0/255.255.252.0

When I attempt to connect, the VPN client states that the tunnel is established; however, the NAS states that the IPSec SA is NOT established.

Assuming:
  remote.client.com = FQDN of remote client
  USER = user id of XAuth authenticating user
  XXX.XXX.XXX.XXX = external address of remote client
  YYY.YYY.YYY.YYY = external IP address of SRX5308

The logs from the NAS are as follows (first entry at bottom):

Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1 IP address has been released by remote peer.
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO:  XAuthUser USER Logged Out from IP Address XXX.XXX.XXX.XXX 
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.

Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28677
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Cannot open "/etc/motd"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28674
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING:  Ignored attribute 5
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  XAuthUser USER Logged In from IP Address XXX.XXX.XXX.XXX 
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Login succeeded for user  "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Contacting RADIUS for authenticating user "USER" using PAP
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Sending Xauth request to XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT-D payload does not match for XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT-D payload does not match for YYY.YYY.YYY.YYY[4500]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  For XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Floating ports for NAT-T with peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received Vendor ID: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Beginning Aggressive mode.
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received request for new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Remote configuration for identifier "remote.client.com" found

Additionally, the routing table on the client contains an entry for the external IP address of the NAS (which I was not expecting) but contains no entry for 192.168.0.0/22.

Any help would be greatly appreciated.

--

    /jona.
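Added example, not from the post or from Netgear/Shrew: a small Python triage script that parses the SRX5308 "[IKE]" log format quoted above, puts the newest-first entries into time order, and reports which IKEv1 milestone (phase 1, XAuth, mode-config, phase 2) the session stalled at, which is the "ISAKMP-SA established but no IPsec SA" pattern in this thread. The sample lines are constructed from the post's format and the phase-2 message wording is an assumption.

```python
import re

# Constructed sample in the SRX5308 "[IKE]" log format quoted in the post, newest
# entry first as the post presents it. Addresses are the post's placeholders.
SAMPLE_LOG = """\
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Login succeeded for user  "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Beginning Aggressive mode.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<dev>[^\]]+)\] \[(?P<sub>[^\]]+)\] (?P<lvl>[A-Z]+):\s+(?P<msg>.*)$"
)

# Milestones in the order a healthy IKEv1 aggressive-mode + XAuth + mode-config session
# passes them. The phase-2 wording is an assumption; adjust it to what your gateway logs.
STAGES = [
    ("phase1", re.compile(r"ISAKMP-SA established")),
    ("xauth", re.compile(r"Login succeeded for user")),
    ("modecfg", re.compile(r"IP address is assigned to remote peer")),
    ("phase2", re.compile(r"IPsec-SA established", re.I)),
]

def parse(text):
    # Newest-first in the post; reverse so the list reads oldest-first.
    entries = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return entries[::-1]

def summarize(text):
    """Report which milestones were reached and where the session stalled."""
    entries = parse(text)
    reached = {name: any(pat.search(e["msg"]) for e in entries) for name, pat in STAGES}
    # Mode-config attribute numbers >= 16384 are private-use (vendor extensions), so a
    # gateway ignoring them is usually noise rather than the cause of the failure.
    ignored = sorted({int(n) for e in entries
                      for n in re.findall(r"Ignored attribute (\d+)", e["msg"])})
    first_missing = next((n for n, _ in STAGES if not reached[n]), None)
    verdict = {
        "phase1": "phase 1 never completed: check proposal, PSK/identity, NAT-T",
        "xauth": "phase 1 up but XAuth failed: check RADIUS/user credentials",
        "modecfg": "XAuth ok but no address assigned: check mode-config pool",
        "phase2": "phase 1, XAuth and mode-config ok but no IPsec-SA: check the phase 2 "
                  "proposal and that the client policy matches the gateway's local network",
        None: "tunnel fully established",
    }[first_missing]
    return {"stalled_at": first_missing, "reached": reached,
            "ignored_attrs": ignored, "verdict": verdict}
```

Run `summarize(open("ike.log").read())` on a copy of the gateway log to get the same verdict for a live capture.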
