Hi,
I've been following the "how to setup a Netgear VPN client" guide, but am struggling to connect to a netgear336GV2 VPN server. I'd really appreciate any tips anyone can give.

I'm running the 2.17 Linux version of the VPN access manager, and can establish a tunnel, but the IPsec SA configuration is failing. If I run the client daemon in foreground mode, the message I get is "K! : unhandled pfkey message type EXPIRE ( 8 )". I have been assuming this is a complaint about the PFS key, but don't understand why, since I have disabled PFS in both the server and client.

Here's the log from the server when I try to connect:

2011 Feb  8 12:37:18 [FVS336GV2] [IKE] Remote configuration for identifier "steve_remote.com" found_
2011 Feb  8 12:37:18 [FVS336GV2] [IKE] Received request for new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[500]_
2011 Feb  8 12:37:18 [FVS336GV2] [IKE] Beginning Aggressive mode._
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Received unknown Vendor ID_
                - Last output repeated 5 times -
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Received Vendor ID: CISCO-UNITY_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Received unknown Vendor ID_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] For y.y.y.y[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Setting DPD Vendor ID_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Floating ports for NAT-T with peer y.y.y.y[4500]_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] NAT-D payload does not match for x.x.x.x[4500]_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] NAT-D payload does not match for y.y.y.y[4500]_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] 192.168.225.100 IP address is assigned to remote peer y.y.y.y[4500]_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] ISAKMP-SA established for x.x.x.x[4500]-y.y.y.y[4500] with spi:*********_
2011 Feb  8 12:37:19 [FVS336GV2] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2011 Feb  8 12:37:43 [FVS336GV2] [IKE] Responding to new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]_
2011 Feb  8 12:37:43 [FVS336GV2] [IKE] Failed to get IPsec SA configuration for: 0.0.0.192/0<->192.168.225.100/32 from steve_remote.com_


I have had to disable the auto-configuration in the client because using the recommended "ike pull" method brings up an "invalid message type" response, but I don't think this is causing the problem as the correct IP address is being assigned. The client address is on a different subnet to the VPN server. It's the phase 2 negotiations which are failing.

Any tips?
Thanks.
Steve
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
