[vpn-help] Netgear SRX5308 issue
John Ellin
john at 4ccompany.com
Sat Mar 18 09:05:24 CDT 2017
Hi,
I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.
Followed the instructions here: https://www.shrew.net/support/Howto_Netgear with the following exceptions:
NAS:
Mode config:
IP Pool Address range: 192.168.128.1 - 192.168.128.16
Local IP Address: 192.168.0.0/255.255.252.0
IKE Policy:
XAuth Authentication Type: Radius - PAP
Shrew:
Policy:
include 192.168.0.0/255.255.252.0
When I attempt to connect, the VPN client states that the tunnel established, however, the NAS states that the IPSec SA is NOT established.
Assuming:
remote.client.com = FQDN of remote client
USER = user id of XAuth authenticating user
XXX.XXX.XXX.XXX = external address of remote client
YYY.YYY.YYY.YYY = external IP address of SRX5308
The logs from the NAS are as follows (first entry at bottom):
Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address has been released by remote peer.
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged Out from IP Address XXX.XXX.XXX.XXX
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28677
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Cannot open "/etc/motd"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28674
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING: Ignored attribute 5
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged In from IP Address XXX.XXX.XXX.XXX
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login succeeded for user "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Contacting RADIUS for authenticating user "USER" using PAP
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Sending Xauth request to XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for YYY.YYY.YYY.YYY[4500]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: For XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Floating ports for NAT-T with peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Remote configuration for identifier "remote.client.com" found
Additionally, the routing table on the client contains an entry for the external IP address of the NAS (which I was not expecting) but contains no entry for 192.168.0.0/22.
Any help would be greatly appreciated.
--
/jona.
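One way to triage a transcript like this, as an added example that is not from the post or from the Shrew Soft or Netgear projects: parse the newest-first NAS log, put it in chronological order, and report whether phase 1 and phase 2 completed, which mode-config attributes the gateway refused, whether NAT-D mismatched, and how long the ISAKMP SA lived. The sample lines are constructed from the format quoted above; the "IPsec-SA established" phrase is an assumption about how the SRX5308 reports a completed phase 2 (racoon wording).

```python
import re
from datetime import datetime

# Constructed sample, modelled on the SRX5308 lines in the post (newest entry first).
SAMPLE_LOG = """\
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28674
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING: Ignored attribute 5
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
    r"\[[^\]]+\] \[IKE\] (?P<level>\w+): (?P<msg>.*)$")

# Mode-config attribute numbers: 5 from the ISAKMP mode-cfg draft, 28xxx from the
# Cisco Unity private range as numbered in the Shrew Soft client.
ATTR_NAMES = {5: "INTERNAL_ADDRESS_EXPIRY", 28674: "UNITY_DEF_DOMAIN",
              28677: "UNITY_NATT_PORT", 28680: "UNITY_FW_TYPE"}

def parse_log(text):
    """Return (timestamp, level, message) tuples oldest-first; the NAS prints newest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["level"], m["msg"]))
    events.reverse()  # same-second lines keep their relative order once flipped
    return events

def summarize(events):
    """Triage one connection attempt: which phase completed and what the gateway refused."""
    msgs = [m for _, _, m in events]
    est = [ts for ts, _, m in events if m.startswith("ISAKMP-SA established")]
    gone = [ts for ts, _, m in events if m.startswith("ISAKMP-SA deleted")]
    ignored = sorted({int(n) for m in msgs for n in re.findall(r"Ignored attribute (\d+)", m)})
    return {
        "phase1_up": bool(est),
        # Assumption: a completed phase 2 logs a line containing "IPsec-SA established".
        "phase2_up": any("IPsec-SA established" in m for m in msgs),
        "modecfg_addr": next((m.split()[0] for m in msgs if "IP address is assigned" in m), None),
        "natd_mismatch": any("NAT-D payload does not match" in m for m in msgs),
        "ignored_attrs": [ATTR_NAMES.get(n, str(n)) for n in ignored],
        "sa_lifetime_s": int((gone[0] - est[0]).total_seconds()) if est and gone else None,
    }
```

Run against the full transcript, the summary makes the mismatch between the client's "tunnel established" and the NAS explicit: phase 1 and XAuth succeed and an address is handed out, but no phase-2 SA line ever appears before the ISAKMP SA is torn down.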