[timma]

Hi

A VPN noob question (plead for help

I'm going mad trying to configure a VPN between a remote PC using Prosafe vpn software and and the network belonging to the company I'm working for. The latter uses a Netgear FVX538 router. The connection is trying to be made over a 1mb adsl link using static IP addr's.

Modem is a 3com dg series (forgot the model num ...will update when next in office... not wireless) ... I have disabled all firewall functions on the modem and allowed vpn passthrough.

I've tried many configs but cant get passed the IKE phase 2 (as prosafe vpn client software reports).

Here's my last log...

4-28: 23:22:39.093
4-28: 23:22:39.093 My Connections\<NAME> - Initiating IKE Phase 1 (IP ADDR=(my host IP))
4-28: 23:22:39.359 My Connections\<NAME>- SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
4-28: 23:22:39.453 My Connections\<NAME>- RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 2x, VID 2x)
4-28: 23:22:39.453 My Connections\<NAME>- Peer is NAT-T draft-02 capable
4-28: 23:22:39.453 My Connections\<NAME>- Peer supports Dead Peer Detection Version 1.0
4-28: 23:22:39.453 My Connections\<NAME>- Dead Peer Detection enabled
4-28: 23:22:39.609 My Connections\<NAME>- SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
4-28: 23:22:39.609 My Connections\<NAME>- <b>Established IKE SA</b>
4-28: 23:22:39.609 MY COOKIE e9 a8 46 1f 20 e1 ee 1f
4-28: 23:22:39.609 HIS COOKIE a5 97 c6 9 ef 4d 5f 35
4-28: 23:22:39.687
4-28: 23:22:39.687 My Connections\<NAME>- Initiating IKE Phase 2 with Client IDs (message id: A38D66DB)
4-28: 23:22:39.687 My Connections\<NAME>- Initiator = IP ADDR=xx.xx.xxx.xxx(my client IP), prot = 0 port = 0
4-28: 23:22:39.687 My Connections\<NAME>- Responder = IP SUBNET/MASK=10.10.10.0/255.255.255.0, prot = 0 port = 0
4-28: 23:22:39.687 My Connections\<NAME>- SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
4-28: 23:23:25.390 My Connections\<NAME>- QM re-keying timed out. Retry count: 1
4-28: 23:23:25.390 My Connections\<NAME>- SENDING>>>> ISAKMP OAK QM *(Retransmission)
4-28: 23:24:10.390 My Connections\<NAME>- QM re-keying timed out. Retry count: 2
4-28: 23:24:10.390 My Connections\<NAME>- SENDING>>>> ISAKMP OAK QM *(Retransmission)
4-28: 23:24:55.390 My Connections\<NAME>- QM re-keying timed out. Retry count: 3
4-28: 23:24:55.390 My Connections\<NAME>- SENDING>>>> ISAKMP OAK QM *(Retransmission)

I've replaced our ip addr's and policy name in the above text.

I really am a newcomer to this so any help will be greatfully received

Thanks!

[Advertisements]

Hello, timma

Welcome to the Geeks To Go Forums.

you can see it attempted the QM re-keying 3 times before timing out.

QM re-keying timed out. Retry count: 3

This message indicates that the client tried to initiate a tunnel by sending out IKE MSG1, but didn't receive a response from the security appliance on the other end.

Sometimes turning off PFS will help with this error (should be in your security pane) - what mode are you in? Normal - Agressive - or Manual?

[Salient]

Hello, timma

Welcome to the Geeks To Go Forums.

you can see it attempted the QM re-keying 3 times before timing out.

QM re-keying timed out. Retry count: 3

This message indicates that the client tried to initiate a tunnel by sending out IKE MSG1, but didn't receive a response from the security appliance on the other end.

Sometimes turning off PFS will help with this error (should be in your security pane) - what mode are you in? Normal - Agressive - or Manual?

[timma]

Hi and thanks for your reply

I have just managed to connect sucessfully in agressive mode with pfs off. Unfortunately the initiator ip address is my clients public address and the responders ip is that of our lan subnet.

I am guessing this is why I cant ping any machine on our lan from my client?

Basically I have a connection that is not routing traffic from my clients public addr to our lan. I have tried to add a virtual adapter in the safenet software specifying an IP addr in the range of our lan and while attempting to connect I can ping our lan.

Unfortunately phase 2 doesn't complete reporting "No matching SPD policy for the selectors received in IKE phase-II message". The connection then times out.

I feel as though I am nearly there, so frustrating lol!

Please, if you feel you can help, ask me for the info you may need from me as these connection logs can get big and I don't want to over complicate or spam this thread

Thanks again!

Tim

[Salient]

Hi timma,

Instead of me filling up this post with lines of hard to read small text - I will pass you off to a more readable format.

Here is a few good article's that will hopefully answer your questions better than i can - especially the section's on IKE and all of it's many complexity's:
http://support.micro...;305550&sd=tech
http://www.microsoft...y/ipsecimp.mspx

If you can't find it in that article - you will find it in here somewhere:
http://www.microsoft...ns/default.mspx

[Salient]

Whoops - just noticed your running 2000 and not XP -
Midway down this article for setting up a VPN server for 2000, is a section on "How to Configure a VPN Connection from a Client Computer" which should help you out.
http://support.micro...;308208&sd=tech

[timma]

Hi Salient

Thanks a lot for your help. I read the articles with interest and realised soon that the problem I was having was not with the VPN configuration but with the way I had connected the FVX538 to the modem/firewall. I.E. I had told the modem/firewall to treat the VPN router as if it were attached to a DMZ port and not a normal port with VPN passthrough.

Reconfigured and hey presto! All is right with the world!

Again, thanks!

Tim

[ducatim900]

Please don't stop now.. Tell us the fix. and what you did. I need to know I have the same thing here. The supens is killing me... Netgear is no help there support line ---- well let's just say they use flow charts...

[timma]

There's not much to say really ducatim900.

I followed Netgears instructions to configure the FVX538 and then Prosafe client (as found on the cd that came with the FVX538/Prosafe bundle).
Made sure that there was a rule to allow VPN traffic to pass through the modem (which is actually a Netgear DG834 not a 3com as I previously mentiioned) to the FVX538.
Set the default gateway on the PC I needed to share files with to the LAN IP of the FVX538.
As I had previously configured the DG834's DMZ to route to the FVX538 I disabled this.

I have 3 static public Ip's assigned:
1 to the WAN port of the DG834
1 to the LAN port of the DG834
1 to the WAN1 port of the FVX538
The LAN port of the FVX538 has been assigned an IP out of our private LAN pool.

The VPN is accessed by pointing the clients prosafe VPN policy to the IP of the WAN1 port on the FVX538.

I hope this is of help. If you need any more info please say.