[vpn-help] Netgear SRX5308 issue

Alexis La Goutte alexis.lagoutte at gmail.com
Sat Mar 18 09:41:17 CDT 2017


Hi John,

What do you use in the Policy tab for the generation level?

Cheers

On Sat, Mar 18, 2017 at 3:05 PM, John Ellin <john at 4ccompany.com> wrote:

> Hi,
>
> I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.
>
> Followed the instructions here:
> https://www.shrew.net/support/Howto_Netgear with the following exceptions:
> NAS:
>   Mode config:
>     IP Pool Address range: 192.168.128.1 - 192.168.128.16
>     Local IP Address: 192.168.0.0/255.255.252.0
>
>   IKE Policy:
>     XAuth Authentication Type: Radius - PAP
>
> Shrew:
>   Policy:
>     include 192.168.0.0/255.255.252.0
>
> When I attempt to connect, the VPN client states that the tunnel
> established, however, the NAS states that the IPSec SA is NOT established.
>
> Assuming:
>   remote.client.com = FQDN of remote client
>   USER = user id of XAuth authenticating user
>   XXX.XXX.XXX.XXX = external address of remote client
>   YYY.YYY.YYY.YYY = external IP address of SRX5308
>
> The logs from the NAS are as follows (first entry at bottom):
>
> Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1
> IP address has been released by remote peer.
> Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA
> deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO:  XAuthUser
> USER Logged Out from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Purged
> ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.
>
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored
> attribute 28680
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored
> attribute 28677
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Cannot open
> "/etc/motd"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored
> attribute 28674
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING:  Ignored
> attribute 5
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1
> IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  XAuthUser
> USER Logged In from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Login
> succeeded for user  "USER"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Contacting
> RADIUS for authenticating user "USER" using PAP
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA
> established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Sending Xauth
> request to XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT detected:
> Local is behind a NAT device. and alsoPeer is behind a NAT device
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT-D payload
> does not match for XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT-D payload
> does not match for YYY.YYY.YYY.YYY[4500]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  For
> XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Floating ports
> for NAT-T with peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> Vendor ID: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Beginning
> Aggressive mode.
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Received
> request for new phase 1 negotiation:
> YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Remote
> configuration for identifier "remote.client.com" found
>
> Additionally, the routing table on the client contains an entry for the
> external IP address of the NAS (which I was not expecting) but contains no
> entry for 192.168.0.0/22.
>
> Any help would be greatly appreciated.
>
> --
>
>     /jona.
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> https://lists.shrew.net/mailman/listinfo/vpn-help
>
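The log John quotes shows phase 1 (aggressive mode plus NAT-T), XAuth and mode-config all completing, an address being handed out, and then the ISAKMP SA being deleted about 50 seconds later with no IPsec SA in between, which is exactly the "tunnel established on the client, not on the NAS" symptom. The following Python script is an added example, not part of either poster's message: it parses SRX5308-style IKE log lines like the ones above into chronological order and reports that pattern. Assumptions: the sample log is a condensed copy of the quoted one with the same XXX/YYY/USER placeholders; the attribute names for 5 and 2867x come from the ISAKMP mode-config draft and the Cisco Unity private attribute range that the Shrew Soft client requests; and the "IPsec-SA established" message it looks for is the racoon-style wording, which the quoted log never shows (that absence is the finding).

```python
"""Added example: triage an SRX5308 IKE log excerpt for the 'phase 1 up, no IPsec SA' symptom."""
import re
from datetime import datetime

# Constructed sample: condensed from the log quoted in the thread, placeholders
# (XXX/YYY/USER) kept, newest entry first as the device prints it.
SAMPLE_LOG = """\
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO:  XAuthUser USER Logged Out from IP Address XXX.XXX.XXX.XXX
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28677
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR:  Ignored attribute 28674
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING:  Ignored attribute 5
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Login succeeded for user  "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO:  Beginning Aggressive mode.
"""

# One entry: "<weekday> <mon> <day> <hh:mm:ss> <year> (GMT -0400): [device] [subsystem] LEVEL:  message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): '
    r'\[(?P<dev>[^\]]+)\] \[(?P<sub>[^\]]+)\] (?P<level>[A-Z]+): +(?P<msg>.*)$'
)

# Mode-config attribute numbers: 5 from the ISAKMP mode-config draft, 28672+ from the
# Cisco Unity private range. The gateway logs these as "Ignored attribute N".
ATTR_NAMES = {
    5: "INTERNAL_ADDRESS_EXPIRY",
    28674: "UNITY_DEF_DOMAIN",
    28677: "UNITY_NATT_PORT",
    28680: "UNITY_FW_TYPE",
}


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for one log line, or None if it is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "msg": m.group("msg").strip(),
    }


def parse_log(text):
    """Parse all entries and return them oldest first (the device lists newest first)."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    entries.reverse()
    return entries


def triage(text):
    """Summarise one connection attempt: which IKE stages completed and what was ignored."""
    events = parse_log(text)
    msgs = [e["msg"] for e in events]
    established = next((e for e in events if e["msg"].startswith("ISAKMP-SA established")), None)
    deleted = next((e for e in events if e["msg"].startswith("ISAKMP-SA deleted")), None)
    # Assumption: a completed phase 2 would log an "IPsec-SA established" line (racoon wording).
    ipsec_ok = any(m.startswith("IPsec-SA established") for m in msgs)
    assigned_ip, ignored = None, {}
    for m in msgs:
        a = re.match(r"^(\S+) IP address is assigned", m)
        if a:
            assigned_ip = a.group(1)
        g = re.match(r"^Ignored attribute (\d+)$", m)
        if g:
            n = int(g.group(1))
            ignored[n] = ATTR_NAMES.get(n, "unknown")
    lifetime = None
    if established and deleted:
        lifetime = int((deleted["ts"] - established["ts"]).total_seconds())
    if established and assigned_ip and not ipsec_ok:
        verdict = ("phase 1 and XAuth/mode-config succeeded but no IPsec SA was negotiated; "
                   "compare the client's policy networks with the gateway's phase 2 selectors")
    elif established and ipsec_ok:
        verdict = "tunnel fully established"
    else:
        verdict = "phase 1 did not complete"
    return {
        "aggressive_mode": any(m.startswith("Beginning Aggressive") for m in msgs),
        "nat_t": any(m.startswith("NAT detected") for m in msgs),
        "phase1_established": established is not None,
        "xauth_ok": any(m.startswith("Login succeeded") for m in msgs),
        "assigned_ip": assigned_ip,
        "ignored_attributes": ignored,
        "ipsec_sa_established": ipsec_ok,
        "isakmp_sa_lifetime_s": lifetime,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Feed it a whole log file instead of `SAMPLE_LOG` to see the same summary for a real attempt; the ignored-attribute names tell you which client requests (firewall type, NAT-T port, default domain, address expiry) the gateway simply does not implement, which is harmless, while a missing phase 2 with an address already assigned points at a selector mismatch rather than at authentication.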