Hello, I want to set up a VPN co

killerken (Programmer), Dec 29, 2003
Hello,

I want to set up a VPN connection from my home to my work. The client PC has NetScreen-Remote client software to connect to a NetScreen 5XP on the server side.

My log file looks like this:

22:32:02.890
22:32:02.890 My Connections\VPN to Sarens WAN - Initiating IKE Phase 1 (IP ADDR=80.200.252.150)
22:32:02.930 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
22:32:03.020 My Connections\VPN to Sarens WAN - RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
22:32:03.020 My Connections\VPN to Sarens WAN - Peer is NAT-T capable
22:32:03.020 My Connections\VPN to Sarens WAN - NAT is detected for Client and Peer
22:32:03.040 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D, NAT-D, NOTIFY:STATUS_INITIAL_CONTACT)
22:32:03.040 My Connections\VPN to Sarens WAN - Established IKE SA
22:32:03.040 MY COOKIE 6 90 36 4 73 9e c1 44
22:32:03.040 HIS COOKIE 29 c8 c3 13 54 44 d 8b
22:32:03.090 My Connections\VPN to Sarens WAN - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.814 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.854 My Connections\VPN to Sarens WAN - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.854 My Connections\VPN to Sarens WAN - Received Private IP Address = IP ADDR=10.26.0.5
22:32:05.854 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.894 My Connections\VPN to Sarens WAN - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.894 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK TRANS *(HASH, ATTR)
22:32:05.924 My Connections\VPN to Sarens WAN - Initiating IKE Phase 2 with Client IDs (message id: BAB1226C)
22:32:05.924 Initiator = IP ADDR=10.26.0.5, prot = 0 port = 0
22:32:05.924 Responder = IP SUBNET/MASK=10.0.0.0/255.0.0.0, prot = 0 port = 0
22:32:05.924 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID)
22:32:05.994 My Connections\VPN to Sarens WAN - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID, NAT-OA)
22:32:05.994 My Connections\VPN to Sarens WAN - SENDING>>>> ISAKMP OAK QM *(HASH)
22:32:06.014 My Connections\VPN to Sarens WAN - Loading IPSec SA (Message ID = BAB1226C OUTBOUND SPI = B7337A7D INBOUND SPI = 88819DC7)
22:32:06.014

When I connect to the NS 5XP I get the IP 10.26.X.Y...

I see a yellow key on the N-icon of my VPN client but I can't ping to the server at work.

Does someone know what I have to do?

thx


 
Yeah,

First off check the tunnel is active, as I see no evidence of this in the debug.

NS>get sa active

if you see 2 lines or more of text with a state of A/- then the tunnel is up.

If you are then not getting any traffic through, try the following.

NS>undebug all
NS>clear db
NS>set ff ip-proto 1
NS>debug flow basic

run a ping or so to something behind the netscreen

NS>get db stream

this should tell you why or where it is failing.

Are you able to ping the trust interface of the NetScreen? If so, then you may need to enable NAT on the policy for the inbound VPN connection.

Regards

Njetscreamer
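As an added example (not code from the thread), a small Python script that reads a NetScreen-Remote client log the way the answer above reads it: it records whether Phase 1 completed, whether NAT-T was detected, which private IP and proxy IDs were negotiated, and whether an IPSec SA pair (both SPIs) was loaded. If the SA pair is there, IKE succeeded and the next check is `get sa active` and the policy on the NetScreen. The sample lines are constructed from the log quoted in the question.

```python
import re

# Constructed sample: the key lines of the NetScreen-Remote log quoted in the
# question above (same connection name, addresses and SPIs as on the page).
SAMPLE_LOG = r"""
22:32:03.020 My Connections\VPN to Sarens WAN - NAT is detected for Client and Peer
22:32:03.040 My Connections\VPN to Sarens WAN - Established IKE SA
22:32:05.854 My Connections\VPN to Sarens WAN - Received Private IP Address = IP ADDR=10.26.0.5
22:32:05.924 Initiator = IP ADDR=10.26.0.5, prot = 0 port = 0
22:32:05.924 Responder = IP SUBNET/MASK=10.0.0.0/255.0.0.0, prot = 0 port = 0
22:32:06.014 My Connections\VPN to Sarens WAN - Loading IPSec SA (Message ID = BAB1226C OUTBOUND SPI = B7337A7D INBOUND SPI = 88819DC7)
"""

# (field name, regex) pairs; a pattern without a capture group records True.
FIELDS = [
    ("phase1_up", r"Established IKE SA"),                         # Phase 1 done
    ("nat_detected", r"NAT is detected"),                         # NAT-T in use (ESP in UDP)
    ("virtual_ip", r"Received Private IP Address = IP ADDR=(\S+)"),  # mode-config address
    ("initiator_id", r"Initiator = (.+?), prot"),                 # Phase 2 proxy IDs
    ("responder_id", r"Responder = (.+?), prot"),
    ("outbound_spi", r"OUTBOUND SPI = ([0-9A-Fa-f]+)"),            # IPSec SA loaded
    ("inbound_spi", r"INBOUND SPI = ([0-9A-Fa-f]+)"),
]

def parse_log(text: str) -> dict:
    """Walk the client log once and record how far IKE negotiation got."""
    state = {}
    for line in text.splitlines():
        for key, pattern in FIELDS:
            m = re.search(pattern, line)
            if m:
                state[key] = m.group(1) if m.groups() else True
    return state

def diagnose(state: dict) -> str:
    """Name the stage to troubleshoot; a loaded SA pair means the fault is past IKE."""
    if not state.get("phase1_up"):
        return "phase1-failed"   # IKE gateway / proposal / pre-shared key problem
    if not ("outbound_spi" in state and "inbound_spi" in state):
        return "phase2-failed"   # proxy-ID or IPSec proposal mismatch
    # Both SPIs loaded: confirm with 'get sa active' on the NetScreen, then look
    # at the policy (NAT on the inbound VPN policy) and routing, as the answer says.
    return "tunnel-up"

if __name__ == "__main__":
    result = parse_log(SAMPLE_LOG)
    print(result)
    print(diagnose(result))
```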
 
I am having a similar issue, if not the same. I tried to debug and can see that the packet was received by the router, but for some reason it dropped it or misrouted it. I recently had to upgrade the VPN remote software and everything was going well until I tried to change the IP address on the untrusted interface. I then had to load an old config file to get the router to work again, and the tunnel seems to establish but I can't get any traffic to pass over the connection.
 
Try putting NAT on on the policy;
this circumvents any NAT-T issues you may be experiencing.
The only down side is that all traffic over the tunnel will be seen as originating from the trusted interface.

Alternatively, you could work with DIP pools and virtual interfaces; this would enable you to give yourself an internal IP address.

Regards

Njetscreamer
 