VPN Not working
Hi all, I'm trying to set up a tunneling VPN between two FreeBSD boxes. I have network A talking through gateway A to network B via gateway B.

Network A IP range: 192.168.11.0/24
Network B IP range: 192.168.12.0/24
Gateway A internal IP address: 192.168.11.1
Gateway A external IP address: 192.168.10.1
Gateway B internal IP address: 192.168.12.1
Gateway B external IP address: 192.168.10.2

I have IP forwarding set up, and with the VPN down, a machine behind the first gateway, 192.168.11.2, can ping a machine behind the second gateway, 192.168.12.2. As soon as I start the VPN up though, they can't talk at all any more. Not ssh, not ping, not anything.

I am using the following scripts on gateway A and B respectively to start my VPN:

#!/bin/bash
setkey -c <
VPN not working
Hello, I am trying to connect to my workplace which uses a Cisco IW600. I am putting the connect log from the router below.

-- terminal monitor
IW600#
*Feb 3 22:00:44.051: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 64.191.227.249, remote= 220.225.82.250, local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1), remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x5A88B8A1(1518909601), conn_id= 0, keysize= 0, flags= 0x400B
*Feb 3 22:00:44.051: ISAKMP: received ke message (1/1)
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Feb 3 22:00:44.051: ISAKMP: Created a peer struct for 220.225.82.250, peer port 500
*Feb 3 22:00:44.051: ISAKMP: New peer created peer = 0x447C2CF4 peer_handle = 0x8286
*Feb 3 22:00:44.051: ISAKMP: Locking peer struct 0x447C2CF4, IKE refcount 1 for isakmp_initiator
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Setting client config settings 448F7964
*Feb 3 22:00:44.051: ISAKMP: local port 500, remote port 500
*Feb 3 22:00:44.051: ISAKMP: set new node 0 to QM_IDLE
*Feb 3 22:00:44.051: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 447DC520
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Looking for a matching key for 220.225.82.250 in default
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): : success
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 220.225.82.250
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:01:03.043: ISAKMP:(0:0:N/A:0):purging node 1798766697
*Feb 3 22:01:03.043: ISAKMP:(0:0:N/A:0):purging node 756905305
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:01:13.043: ISAKMP:(0:0:N/A:0):purging SA., sa=44872764, delme=44872764
*Feb 3 22:01:13.727: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 446BFA58 chunkmagic 400B97A8 chunk_freemagic 43EDF9F4 -Process= "IP Input", ipl= 4, pid= 74 -Traceback= 0x40ABDEE8 0x400BC510 0x402FF6B4 0x40ED1738 0x40ED48EC 0x40ED2F8C 0x40ED325C 0x40ED3318 0x40ED34BC
*Feb 3 22:01:14.051: IPSEC(key_engine): request timer fired: count = 1, (identity) local= 64.191.227.249, remote= 220.225.82.250, local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1), remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4)
*Feb 3 22:01:14.051: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 64.191.227.249, remote= 220.225.82.250, local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1), remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x385ACC06(945474566), conn_id= 0, keysize= 0, flags= 0x400B
*Feb 3 22:01:14.051: ISAKMP: received ke message (1/1)
*Feb 3 22:01:14.051: ISAKMP: set new node 0 to QM_IDLE
*Feb 3 22:01:14.051: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 64.191.227.249, remote 220.225.82.250)
*Feb 3 22:01:14.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:01:14.051: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*Feb 3 22:01:14.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb 3 22:01:14.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:01:24.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:01:24.051: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*Feb 3 22:01:24.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb 3 22:01:24.051: ISAKMP:(0:0:N/A:0): sending pac
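The debug output above shows the router sending Main Mode message 1, staying in IKE_I_MM1 and retransmitting in MM_NO_STATE until the SA is purged, which is the signature of a peer that never answers. The triage script below is an added example of my own, not code from the thread; it reads IOS isakmp debug lines and reports whether phase 1 ever got a reply, with a constructed excerpt of the lines quoted above as sample input.

```python
import re
# Constructed excerpt of the "debug crypto isakmp" output quoted above: the peer
# address and timestamps are the thread's, the choice of lines is mine.
SAMPLE_LOG = """\
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 220.225.82.250
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
*Feb 3 22:00:44.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:00:54.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb 3 22:01:04.051: ISAKMP:(0:0:N/A:0): sending packet to 220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 3 22:01:13.043: ISAKMP:(0:0:N/A:0):purging SA., sa=44872764, delme=44872764
*Feb 3 22:01:13.727: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 446BFA58
"""
SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(I\) MM_NO_STATE")
STATE = re.compile(r"New State = IKE_I_MM(\d)")


def triage_phase1(log):
    """Summarise an IKEv1 Main Mode attempt initiated by the router (the '(I)' side)."""
    peer, sends, retransmits, highest_state = None, 0, 0, 0
    purged = memory_fault = False
    for line in log.splitlines():
        m = SEND.search(line)
        if m:
            peer, sends = m.group(1), sends + 1
        # IOS logs each retransmit twice; count only the line ending in "..."
        if "retransmitting phase 1" in line and line.rstrip().endswith("..."):
            retransmits += 1
        m = STATE.search(line)
        if m:
            highest_state = max(highest_state, int(m.group(1)))
        if "purging SA" in line:
            purged = True
        if "%SYS-2-CHUNKBADMAGIC" in line:  # IOS memory-chunk corruption, not an IKE error
            memory_fault = True
    # IKE_I_MM1 means MM1 was sent; IKE_I_MM2 is only reached once the peer replies.
    if highest_state >= 2:
        verdict = "peer answered MM1; look later in phase 1 or at phase 2"
    elif sends:
        verdict = "no reply to MM1: check UDP/500 reachability and that the peer is configured for this address"
    else:
        verdict = "no initiator attempt found"
    return {"peer": peer, "sends": sends, "retransmits": retransmits,
            "highest_state": highest_state, "sa_purged": purged,
            "memory_fault": memory_fault, "verdict": verdict}

if __name__ == "__main__":
    print(triage_phase1(SAMPLE_LOG))
```

The memory_fault flag is reported separately because the %SYS-2-CHUNKBADMAGIC line is the router complaining about its own memory, which no IKE configuration change will fix.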
Re: VPN not working
You can try out this script if you like, it may or may not help. I created it so I could more easily remember all the VPN knobs that need to be touched when creating a VPN.

http://www.roq.com/projects/vpnsetup/vpnsetup.pl

Mike

Subhro wrote:
Hello, I am trying to connect to my workplace which uses a Cisco IW600. I am putting the connect log from the router below.