<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Got a new Netgear SRX5308 router to play with. Went through the Shrew Netgear how-to's on configuration and I get the tunnel connection but nothing flows through. I'm at a loss on how to debug this further. Logs from the router are as follows (Note the order of time is backwards on the router log):<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:38:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:37:33 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE-ACK sent to "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:37:03 [SRX5308] [IKE] DPD R-U-THERE received from "68.3.27.46[4500]"_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 98.174.255.150->68.3.27.46 with spi=689412571(0x291799db)_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 68.3.27.46->98.174.255.150 with spi=771516(0xbc5bc)_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] No policy found, generating the policy : 192.168.7.47/32[0] 192.168.42.0/24[0] proto=any dir=in_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] Using IPsec SA configuration: 192.168.42.0/24<->0.0.0.0/0 from srx_remote1.com_<o:p></o:p></p><p class=MsoNormal>2011 
Apr 19 21:36:33 [SRX5308] [IKE] Responding to new phase 2 negotiation: 98.174.255.150[0]<=>68.3.27.46[0]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] ISAKMP-SA established for 98.174.255.150[4500]-68.3.27.46[4500] with spi:f4ebdcbb2d407b61:686b01d792931757_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 68.3.27.46[4500]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] NAT-D payload does not match for 98.174.255.150[4500]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] Floating ports for NAT-T with peer 68.3.27.46[4500]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:33 [SRX5308] [IKE] Setting DPD Vendor ID_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] For 68.3.27.46[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] DPD is Enabled_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: DPD_<o:p></o:p></p><p class=MsoNormal> - Last output repeated twice -<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Received unknown Vendor ID_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Beginning Aggressive mode._<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Received request for new phase 1 negotiation: 
98.174.255.150[500]<=>68.3.27.46[500]_<o:p></o:p></p><p class=MsoNormal>2011 Apr 19 21:36:32 [SRX5308] [IKE] Remote configuration for identifier "srx_remote1.com" found_<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I'm also sorta sketchy on whether I got the policy set up; the how-to was a bit unclear on how that should be configured. I've got it set as:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>                Policy generation level: (tried all settings), left it at unique<o:p></o:p></p><p class=MsoNormal>                Maintain persistent SA set<o:p></o:p></p><p class=MsoNormal>                Obtain Topology unset<o:p></o:p></p><p class=MsoNormal>                Added in my internal network (192.168.42.0/255.255.255.0)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Anyone have an idea why it's not connecting or have a working configuration they could submit? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Thanks<o:p></o:p></p><p class=MsoNormal>-Gregg<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>