
Help with gateway-to-gateway VPN tunnel

Status
Not open for further replies.

shadowheart

Programmer
Nov 24, 2007
4
SE
Hello,

I'm trying to set up a VPN tunnel between my home network and a friend's home network. My friend uses a 3Com OfficeConnect Secure Router, which supports up to 2 VPN tunnels, and I'm using a NETGEAR ProSafe VPN Wireless ADSL Gateway DGFV338 which supports a large number of VPN tunnels. I'm unable to get the VPN tunnel to work, and I was hoping I could get some help with this.



When we try to manually open the tunnel from my friend's side, the following is logged in the router:

Nov 24 14:58:49 localhost kernel: IKE: IKE --Start Phase 1 negotiation with peer x.x.74.185
Nov 24 14:58:49 localhost kernel: IKE: IKE -- RemoteGateway ID: IPV4_ADDR--x.x.74.185 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Protocol -- PROTO_ISAKMP
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Transform -- KEY_IKE
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Nov 24 14:58:49 localhost kernel: IKE: IKE -- My ID: IPV4_ADDR--x.x.188.224 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeDuration -- 3600
Nov 24 14:58:49 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode Exchange Selected
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode -- initiator sent out message1 to x.x.74.185, port 500->500.
Nov 24 14:58:29 localhost kernel: IKE: IKE --PHASE1_NEGOTIATION_ABORT -- peer x.x.74.185


The following is logged on my side in the router during this:

2007-11-24 14:58:48: ERROR: Could not find configuration for x.x.188.224[45290]
2007-11-24 14:58:58: ERROR: Could not find configuration for x.x.188.224[45290]
2007-11-24 14:59:08: ERROR: Could not find configuration for x.x.188.224[45290]
2007-11-24 14:59:18: ERROR: Could not find configuration for x.x.188.224[45290]



When we try to manually open the tunnel from my side, the following is logged in the router:

2007-11-24 15:07:51: INFO: accept a request to establish IKE-SA: x.x.188.224
2007-11-24 15:07:51: INFO: Configuration found for x.x.188.224.
2007-11-24 15:07:51: INFO: Initiating new phase 1 negotiation: x.x.74.185[500]<=>x.x.188.224[500]
2007-11-24 15:07:51: INFO: Beginning Identity Protection mode.
2007-11-24 15:08:22: ERROR: Invalid SA protocol type: 0
2007-11-24 15:08:22: ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2007-11-24 15:08:51: ERROR: Phase 1 negotiation failed due to time up for x.x.188.224[500]. 157f5d92b4e88b51:0000000000000000

The 3Com router at my friend's side does not seem to be logging anything at all during this (and it's set up to be logging everything).


This is the configuration on the 3Com router:

This is the configuration on the Netgear router:


The Netgear does have far more settings than the 3Com...



Thanks in advance for any help!
 
Sounds like they can't agree on the settings (SAs) or a firewall is blocking them from seeing the pre-shared keys. They are the same in both devices, right? They are using the same encryption, right? Same SAs?

Burt
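The two things Burt is asking about (do the phase 1 proposals match, and is something between the routers interfering) can be checked mechanically from the logs quoted in the opening post. The script below is an added example; it is not code from the thread, from 3Com or from NETGEAR. It parses the 3Com initiator lines for the phase 1 proposal and the NETGEAR responder lines (racoon-style "Could not find configuration for peer[port]") for the peer and UDP source port, then compares the proposal against the responder's expected phase 1 policy. The screenshots are not in the post, so `NETGEAR_PHASE1` is a constructed, hypothetical policy chosen to show what a mismatch report looks like; the log samples are copied from the post. One detail worth noticing in the original log: the responder sees the initiator on UDP source port 45290, not 500, which is the pattern produced when a NAT device on the path rewrites the initiator's port, so the check flags that too.

```python
import re

# Constructed sample: the 3Com (initiator) log lines as quoted in the original post.
THREECOM_LOG = """\
Nov 24 14:58:49 localhost kernel: IKE: IKE --Start Phase 1 negotiation with peer x.x.74.185
Nov 24 14:58:49 localhost kernel: IKE: IKE -- RemoteGateway ID: IPV4_ADDR--x.x.74.185 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeDuration -- 3600
Nov 24 14:58:49 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode Exchange Selected
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode -- initiator sent out message1 to x.x.74.185, port 500->500.
Nov 24 14:58:29 localhost kernel: IKE: IKE --PHASE1_NEGOTIATION_ABORT -- peer x.x.74.185
"""

# Constructed sample: the NETGEAR (responder) log lines as quoted in the original post.
NETGEAR_LOG = """\
2007-11-24 14:58:48: ERROR: Could not find configuration for x.x.188.224[45290]
2007-11-24 14:58:58: ERROR: Could not find configuration for x.x.188.224[45290]
"""

# Hypothetical responder phase 1 policy (the real screenshots are not in the post).
# Uses the same token vocabulary as the 3Com log so the two sides can be compared directly.
NETGEAR_PHASE1 = {
    "Encryption": "TRIPLEDES_CBC",
    "Hash": "SHA_HASH",
    "Authentication": "PRESHARED_KEY",
    "GroupDescription": "MODP_1536",   # DH group 5, deliberately different from the initiator's group 2
    "LifeDuration": "28800",           # deliberately different from the initiator's 3600 s
    "Mode": "MainMode",
}

PARAM_RE = re.compile(r"IKE -- (Encryption|Hash|Authentication|LifeDuration|GroupDescription) -- (\S+)")
MODE_RE = re.compile(r"IKE -- (MainMode|AggressiveMode) Exchange Selected")
ABORT_RE = re.compile(r"PHASE1_NEGOTIATION_ABORT -- peer (\S+)")
NOCONF_RE = re.compile(r"Could not find configuration for (\S+?)\[(\d+)\]")


def parse_initiator_proposal(log: str) -> dict:
    """Extract the phase 1 parameters the initiator offered, plus whether it aborted."""
    proposal = {}
    for line in log.splitlines():
        m = PARAM_RE.search(line)
        if m:
            proposal[m.group(1)] = m.group(2)
            continue
        m = MODE_RE.search(line)
        if m:
            proposal["Mode"] = m.group(1)
            continue
        if ABORT_RE.search(line):
            proposal["Phase1Aborted"] = True
    return proposal


def parse_responder_errors(log: str) -> list:
    """Collect (peer, UDP source port) from racoon-style 'Could not find configuration' errors."""
    return [{"peer": m.group(1), "port": int(m.group(2))}
            for line in log.splitlines() if (m := NOCONF_RE.search(line))]


def diagnose(initiator_log: str, responder_log: str, responder_config: dict) -> list:
    """Return tagged findings: proposal mismatches, missing peer policy, NAT port rewrite, abort."""
    findings = []
    proposal = parse_initiator_proposal(initiator_log)
    for key, expected in responder_config.items():
        offered = proposal.get(key)
        if offered is not None and offered != expected:
            findings.append(f"mismatch:{key}: initiator offers {offered}, responder expects {expected}")
    seen = set()
    for err in parse_responder_errors(responder_log):
        peer, port = err["peer"], err["port"]
        if (peer, port) in seen:          # the same error repeats every retransmit; report it once
            continue
        seen.add((peer, port))
        findings.append(f"noconfig:{peer}: responder has no IKE policy whose remote gateway matches this peer")
        if port != 500:
            findings.append(f"nat:{peer}:{port}: IKE arrived from a source port other than 500, "
                            f"so a NAT device on the path is rewriting the initiator's port (NAT-T needed)")
    if proposal.get("Phase1Aborted"):
        findings.append("abort: initiator gave up in phase 1 without receiving an acceptable reply")
    return findings


if __name__ == "__main__":
    for finding in diagnose(THREECOM_LOG, NETGEAR_LOG, NETGEAR_PHASE1):
        print(finding)
```

The comparison only covers parameters the initiator actually logged; the pre-shared key itself never appears in either log (the 3Com masks it as `***`), so a key mismatch has to be ruled out by re-entering it on both sides, as the poster says he did.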
 
Don't know much about this, but I seem to remember that on some routers (netgear I think), if you are using 'Diffie-Hellman', then you should be using Aggressive-mode rather than Main-mode for the key exchange. Like I say, just a hunch.

JP
 
burtsbees: Yes, the pre-shared key is the same on both sides (I have double checked this). The encryptions should also match. You can look at the provided screenshots if you want.

piperent: Thanks for the tip, I'll try that.

Also, the routers ARE firewalls. Any firewall/router/gateway/whatever between mine and my friend's router belongs to an ISP and is outside of our control.
 
I meant software firewalls. Looks like you have an ethernet handoff from the ISP?
The screenshots do not show your preshared keys (for obvious reasons), but if they match...
If it can't even get past IKE phase one, you may actually have better luck trying aggressive mode, which combines IKE phase 1 and 2. There are not enough viewable settings in those screenshots to see what exactly may be going on...do you have an option for D-H group 5?

Burt
 
Also, you may want to try a protocol analyzer to see what is and is not getting through. If they each agree on encryption types and keys, then that's IKE 1 and 2...since it terminates before getting to IKE 2 (seemingly because one can't see the other's settings, which is why I suggested firewall), then try the same manufacturer for both ends.

Burt
 
Looks like you have an ethernet handoff from the ISP?

I'm sorry, but what do you mean by handoff?

My router is connected directly to the wall with an Ethernet cable, and the same goes for my friend's router. Both ISPs use DHCP (mine allows for a static IP for an extra small amount per month if you want it - but I haven't applied for that, yet anyway).

There are not enough viewable settings in those screenshots to see what exactly may be going on...do you have an option for D-H group 5?

Unfortunately, those are all the possible settings for VPN on the two routers. And yes, I can choose from D-H Group 1, 2 and 5 on both ends.

Also, you may want to try a protocol analyzer to see what is and is not getting through

How would I go about doing this? I assume you mean plugging in some kind of adapter between my router and the wall?


I haven't been able to test aggressive mode yet, but I will get back when I have.
 
No---protocol analyzer is software that captures all packets travelling in and out of your interface on your computer. Ethereal is a freeware one, so you can download it.
An Ethernet handoff is a connection to the internet through some special equipment that terminates on your router so that you don't have to have any special interface (like T1, ATM, etc.). Is this ADSL then? If so, you may want to sell those things on eBay and get yourself a Cisco 837 for each of you. Of course, I am a Cisco man, so naturally I would suggest that...lol
I would also suggest trying Diffie-Hellman group 5 on both appliances, if aggressive mode does not take care of it.
One thing I forgot---some ISPs block VPN traffic, and come to think of it, that is a very likely scenario in this situation---the appliances can't negotiate on IKE phase one, so one can't read the other's settings---I would bet the ISP is blocking the IPSec traffic.

Burt
 
One more thing--- will help (for free) you to map your dynamic IP address, no matter what it is at any given time, to a static DNS name, so that you don't have to constantly change settings because of your IP address changing all the time. You can register up to 5 names with them for free!

Burt
 
I'm actually familiar with Ethereal (just not the term protocol analyzer), but well, how would it help me if the routers can't get the tunnel up in the first place? It's not like my personal computer is involved in the negotiation.

It's not ADSL - it's like I said, an Ethernet cable plugged directly into the wall. All apartments in this building are prepared with Ethernet wall plugs. No modems or other special equipment needed. It's fairly common here in Sweden, especially when building new apartments.

Thanks for the tip with DH group 5, I will try that. As for the ISP blocking VPN traffic, I'll look into that as well.
 