[vpn-help] Netgear SRX5308 issue
Alexis La Goutte
alexis.lagoutte at gmail.com
Sat Mar 18 09:41:17 CDT 2017
Hi John,
What do you use in the Policy tab for generation level?
Cheers
On Sat, Mar 18, 2017 at 3:05 PM, John Ellin <john at 4ccompany.com> wrote:
> Hi,
>
> I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.
>
> Followed the instructions here: https://www.shrew.net/support/Howto_Netgear
> with the following exceptions:
> NAS:
> Mode config:
> IP Pool Address range: 192.168.128.1 - 192.168.128.16
> Local IP Address: 192.168.0.0/255.255.252.0
>
> IKE Policy:
> XAuth Authentication Type: Radius - PAP
>
> Shrew:
> Policy:
> include 192.168.0.0/255.255.252.0
>
> When I attempt to connect, the VPN client states that the tunnel
> established, however, the NAS states that the IPSec SA is NOT established.
>
> Assuming:
> remote.client.com = FQDN of remote client
> USER = user id of XAuth authenticating user
> XXX.XXX.XXX.XXX = external address of remote client
> YYY.YYY.YYY.YYY = external IP address of SRX5308
>
> The logs from the NAS are as follows (first entry at bottom):
>
> Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1
> IP address has been released by remote peer.
> Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA
> deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser
> USER Logged Out from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: Purged
> ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.
>
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored
> attribute 28680
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored
> attribute 28677
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Cannot open
> "/etc/motd"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored
> attribute 28674
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING: Ignored
> attribute 5
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1
> IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser
> USER Logged In from IP Address XXX.XXX.XXX.XXX
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login
> succeeded for user "USER"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Contacting
> RADIUS for authenticating user "USER" using PAP
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA
> established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Sending Xauth
> request to XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT detected:
> Local is behind a NAT device. and alsoPeer is behind a NAT device
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload
> does not match for XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload
> does not match for YYY.YYY.YYY.YYY[4500]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: For
> XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Floating
> ports for NAT-T with peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> Vendor ID: DPD
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> Vendor ID: RFC 3947
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> unknown Vendor ID
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning
> Aggressive mode.
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received
> request for new phase 1 negotiation:
> YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Remote
> configuration for identifier "remote.client.com" found
>
> Additionally, the routing table on the client contains an entry for the
> external IP address of the NAS (which I was not expecting) but contains no
> entry for 192.168.0.0/22.
>
> Any help would be greatly appreciated.
>
> --
>
> /jona.
>
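
A triage sketch for the symptom reported in the quoted message (client reports the tunnel as established, NAS shows no IPsec SA), added here as an example and not part of either message: it rebuilds entries from the mail-wrapped, newest-first NAS log and reports which negotiation stages were logged. The `IPsec-SA established` marker is an assumed wording for a completed phase 2 that does not appear in the thread; the other markers are taken from the quoted log.

```python
import re
from datetime import datetime

# One entry = timestamp header + message; mail wrapping may split either part.
HEADER = re.compile(r"(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                    r"\(GMT ([+-]\d{4})\): \[\S+\] \[IKE\] (\w+): ")
STAGES = [  # (stage name, substring that marks it in the NAS log)
    ("phase1_established", "ISAKMP-SA established"),
    ("xauth_ok", "Login succeeded for user"),
    ("modecfg_address", "IP address is assigned to remote peer"),
    ("phase2_established", "IPsec-SA established"),  # ASSUMED wording, not in the thread
    ("phase1_deleted", "ISAKMP-SA deleted"),
]
# Excerpt of the quoted log, wrapped and ">"-prefixed as mailed, newest first.
SAMPLE = """\
> Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA
> deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1
> IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login
> succeeded for user "USER"
> Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA
> established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with
> spi:8ae7e3cde8560bbb:bb87af718d22be29
"""

def parse(text):
    """Return (time, level, message) tuples, oldest first."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    hits = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y %z")
        entries.append((when, m.group(3), flat[m.end():end].strip()))
    # Reverse first so same-second entries keep their true order in the stable sort.
    return sorted(reversed(entries), key=lambda e: e[0])

def stages(text):
    """Map each stage to the time it was first logged, or None if never seen."""
    seen = dict.fromkeys(name for name, _ in STAGES)
    for when, _level, msg in parse(text):
        for name, needle in STAGES:
            if seen[name] is None and needle.lower() in msg.lower():
                seen[name] = when
    return seen

if __name__ == "__main__":
    for name, when in stages(SAMPLE).items():
        print(f"{name:20} {when or 'never logged'}")
```

On this excerpt, phase 1, XAuth and mode config are all logged in the same second, and nothing marks a phase 2 SA before the ISAKMP-SA is deleted.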