
Netgear FVS318 VPN: phase 2 IKE fails when connecting via ADSL 1


wanaBateki (Programmer, GB)
Mar 15, 2004
Hi,

This post continues a thread I started on Monday, but I still have a problem. The original thread was titled:

"cannot respond to IPSec request because no connection"

Thanks guys for all your suggestions and advice.

In summary:

1. I can connect to our office VPN router (fvs318) using a dialup internet connection
2. Phase 2 IKE fails when I connect using my dg814 (ADSL)

I have copied and pasted two sections of the server side vpn logs below. One for the successful dialup and the same section of the log for the failed adsl connection. Does this shed any light on the matter?

1. Why/what does "IPsec:New State index:1, sno:5" mean compared to "IPsec:New State index:1, sno:3"?

2. It seems to fail to get the ipsec_spi over adsl?

3. I think I'll get hold of another adsl client device to enable me to eliminate the dg814 from the equation...

I hope you can assist me further on this. Logs follow.

Thanks again everyone.

Jago


Dialup (phase 2 IKE success):
...
IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
IPsec:Receive Packet address:0x1397478 from 62.137.86.xxx
IPsec:New State index:1, sno:5
IKE:[JagoVPN_tmp2] RX << QM_I1 : 62.137.86.xxx
IPsec:in get_ipsec_spi() spi=e4db4a9d
:[ESP_3DES/AUTH_ALGORITHM_HMAC_SHA1/In SPI:e4db4a9d,Out SPI:11fc9f7a]
IPsec:responding to Quick Mode
IPsec: ESP(3DES-CBC SHA-1)
IKE:[JagoVPN_tmp2] TX >> QM_R1 : 62.137.86.xxx
IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #5
IPsec:Receive Packet address:0x1397478 from 62.137.86.xxx
IKE:[JagoVPN_tmp2] RX << QM_I2 : 62.137.86.xxx
IPsec: ESP(3DES-CBC SHA-1)
IKE:[JagoVPN_tmp2] established with 62.137.86.xxx successfully
IPsec:inserting event EVENT_SA_EXPIRE, timeout in 28980 seconds for #5
IPsec:STATE_QUICK_R2: IPsec SA established
__________________________________________

ADSL (phase 2 IKE failed):
...
IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
IPsec:Receive Packet address:0x1397478 from 212.84.127.xxx
IPsec:New State index:1, sno:3
IKE:[JagoVPN_tmp1] RX << QM_I1 : 212.84.127.xxx
IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.0.0/255.255.255.0-212.84.114.xxx=====212.84.127.xxx-19
IPsec:Receive Packet address:0x1397478 from 212.84.127.xxx
IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Hash Payload has an unknown value: 208
IPsec:malformed payload in packet
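As an added example (not part of the thread, and not Netgear's or the poster's code), here is a small Python triage script that reads the two log excerpts above and reports how far each negotiation got. The log text is copied from the post (the dial-up excerpt abridged), with the poster's "xxx" masking kept, so addresses are handled as plain strings. The way the "no connection is known for" string is split into local client subnet, local WAN host, remote WAN host and remote client is my assumption, chosen to agree with the SA policy fields Jago lists in his later post; the trailing "19" is whatever the post shows.

```python
import re

# Log excerpts copied from the post above (dial-up abridged). The poster masked the
# last octet of every public address as "xxx", so addresses are kept as text.
DIALUP_LOG = """\
IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
IPsec:Receive Packet address:0x1397478 from 62.137.86.xxx
IPsec:New State index:1, sno:5
IKE:[JagoVPN_tmp2] RX << QM_I1 : 62.137.86.xxx
IPsec:in get_ipsec_spi() spi=e4db4a9d
:[ESP_3DES/AUTH_ALGORITHM_HMAC_SHA1/In SPI:e4db4a9d,Out SPI:11fc9f7a]
IPsec:responding to Quick Mode
IKE:[JagoVPN_tmp2] TX >> QM_R1 : 62.137.86.xxx
IKE:[JagoVPN_tmp2] RX << QM_I2 : 62.137.86.xxx
IKE:[JagoVPN_tmp2] established with 62.137.86.xxx successfully
IPsec:STATE_QUICK_R2: IPsec SA established
"""

ADSL_LOG = """\
IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
IPsec:Receive Packet address:0x1397478 from 212.84.127.xxx
IPsec:New State index:1, sno:3
IKE:[JagoVPN_tmp1] RX << QM_I1 : 212.84.127.xxx
IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.0.0/255.255.255.0-212.84.114.xxx=====212.84.127.xxx-19
IPsec:Receive Packet address:0x1397478 from 212.84.127.xxx
IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Hash Payload has an unknown value: 208
IPsec:malformed payload in packet
"""

NO_CONN_RE = re.compile(r"no connection is known for (\S+)")
QM_RE = re.compile(r"IKE:\[(?P<tunnel>[^\]]+)\] (?P<dir>RX|TX) (?:<<|>>) (?P<msg>QM_\w+) : (?P<peer>\S+)")
SPI_RE = re.compile(r"In SPI:(?P<in_spi>[0-9a-f]+),Out SPI:(?P<out_spi>[0-9a-f]+)")


def parse_selector(sel):
    """Split the 'no connection is known for' string into its two ends.
    Assumed layout: <local client net>-<local WAN host>=====<remote WAN host>-<remote client>.
    The remote client field is whatever the log shows (truncated to "19" in the post)."""
    local, remote = sel.split("=====", 1)
    local_net, local_host = local.rsplit("-", 1)
    remote_host, remote_client = remote.split("-", 1)
    return {"local_net": local_net, "local_host": local_host,
            "remote_host": remote_host, "remote_client": remote_client}


def triage(log_text):
    """Walk the responder's log and record how far the negotiation got."""
    r = {"tunnel": None, "peer": None, "isakmp_established": False,
         "quick_mode_started": False, "quick_mode_answered": False,
         "ipsec_sa_established": False, "spis": None,
         "unmatched_selector": None, "malformed_payload": False}
    for line in log_text.splitlines():
        if "ISAKMP SA established" in line:      # phase 1 (Main Mode) complete
            r["isakmp_established"] = True
        elif "IPsec SA established" in line:     # phase 2 (Quick Mode) complete
            r["ipsec_sa_established"] = True
        elif "malformed payload" in line:        # follow-on packet could not be parsed
            r["malformed_payload"] = True
        elif m := QM_RE.search(line):
            r["tunnel"], r["peer"] = m["tunnel"], m["peer"]
            if m["msg"] == "QM_I1":              # peer opened Quick Mode
                r["quick_mode_started"] = True
            elif m["msg"] == "QM_R1":            # we answered it
                r["quick_mode_answered"] = True
        elif m := SPI_RE.search(line):           # SPIs only appear once a policy matched
            r["spis"] = (m["in_spi"], m["out_spi"])
        elif m := NO_CONN_RE.search(line):       # responder found no matching SA policy
            r["unmatched_selector"] = parse_selector(m.group(1))
    return r


def verdict(r):
    """One-word classification a helpdesk script could key on."""
    if r["ipsec_sa_established"]:
        return "ok"
    if r["unmatched_selector"] is not None:
        return "phase2-no-matching-policy"
    if r["isakmp_established"]:
        return "phase2-failed-other"
    return "phase1-failed"


if __name__ == "__main__":
    for name, log in (("dialup", DIALUP_LOG), ("adsl", ADSL_LOG)):
        r = triage(log)
        print(f"{name}: {verdict(r)} tunnel={r['tunnel']} peer={r['peer']} "
              f"selector={r['unmatched_selector']}")
```

Run against the two excerpts, the dial-up log classifies as "ok" (phase 1 done, QM_I1 answered with QM_R1, SPIs allocated, IPsec SA established), while the ADSL log classifies as "phase2-no-matching-policy": phase 1 completes, QM_I1 arrives, but no QM_R1 is ever sent and no SPI is allocated because the responder found no SA policy for the proposed selectors. That is the difference between "sno:5" and "sno:3" that matters for the fix: the state never advances past receiving QM_I1.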
 
Right.

Have you tried to connect to a different IPSec VPN server from behind your router? One other than the fvs318?

Maybe someone here can correct me, but as I mentioned in the last thread I still believe you are having a server-side problem. The reason is that I can reproduce the same error log by making a configuration change on my VPN server. While the VPN server I use is a Linksys, I have to believe that the principles behind the message are the same.

Unfortunately I can't explain the specific differences in your error log. I doubt that a different client-side router will help and all that I can recommend is that you at least attempt to connect to a different brand/model IPSec VPN server.

I hope you get it. And if I'm wrong I hope someone corrects me.

Anyway, I caught this just as I was heading out the door to go to an out-of-state meeting. I'll check in but won't be able to reply as often as I normally would.

Good luck...

deeno
 
deeno,

Thanks for keeping things going.

I will try to resolve this at the server end. I don't have another VPN device to try but I guess I need to keep slogging away at it.

I might try setting up another VPN tunnel on the fvs318.

I'll post any progress.

Thanks again,

Jago
 
Hi

I'm having the same problem.

I have a Dlink300G+ and Netgear FVS318 connected to an ADSL line. When trying to create the VPN tunnel from a remote dial-up site using the PROSafe VPN client software I am getting the same sort of messages.

This is the section of the log that I would like an explanation for:

IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.0.0/255.255.255.0-212.84.114.xxx=====212.84.127.xxx-19

Can anyone help?

Regards
Tony

 
whizza,

I managed to resolve the issue. My problem was server side, rather than a client problem.

It was a combination of factors, being:

1. The Tunnel was the first configured on the router. A bug in the firmware I think.

2. The VPN SA Policy was not tight enough (i.e. accessible from any WAN address 0.0.0.0)

3. Once I successfully connected, all issues were resolved

I'm assuming that the Dlink is a transparent bridge (modem) and therefore the WAN IP on the FVS is the IP assigned by your ISP...

To correct the issue I created a new VPN tunnel (on different VPN SA)

Make sure you complete the following:

Local IPSec ID: WAN IP on the FVS (from ISP)
Tunnel can be accessed from: subnet of LAN (e.g. 192.168.0.0 255.255.255.0)
Tunnel can access: single remote address
Remote LAN IP: IP of your remote client
Remote WAN IP: IP assigned to wan port of remote client
SA: Main Mode
PFS: enabled

etc...

Try this client-specific config first. Then, if required, loosen the configuration as required.

Give this a try and let me know how you get on.

Jago
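To make the "no connection is known for" message concrete, here is an added example (my code, not Netgear firmware or anything from the thread) that models the responder's SA policy lookup behind it: when a Quick Mode request arrives, the responder searches its configured VPN SA entries for one whose local subnet, remote address and remote gateway cover what the peer proposed, and logs that message when none does. The policy fields mirror the ones Jago lists (Tunnel can be accessed from, Tunnel can access, Remote WAN IP); the field names, the containment rule and the sample addresses are my assumptions (the post masks the real last octets as "xxx"). It does not model the firmware bug Jago suspects, only the policy mismatch.

```python
import ipaddress
from dataclasses import dataclass

# A "Remote WAN IP" left at 0.0.0.0 on the FVS318 means any peer; model it as 0.0.0.0/0.
ANY_PEER = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class SaPolicy:
    """One VPN SA entry as described in the post (field names are my own)."""
    name: str
    local_net: ipaddress.IPv4Network       # "Tunnel can be accessed from": LAN subnet
    remote_net: ipaddress.IPv4Network      # "Tunnel can access": single address -> /32
    remote_gateway: ipaddress.IPv4Network  # "Remote WAN IP": a /32, or ANY_PEER


@dataclass
class QuickModeProposal:
    """What the responder learns from the peer's QM_I1 (hypothetical model)."""
    peer: ipaddress.IPv4Address            # source address of the QM_I1 packet
    local_net: ipaddress.IPv4Network       # network behind us the peer wants to reach
    remote_client: ipaddress.IPv4Network   # identity/network the peer claims for itself


def check(policy, proposal):
    """Return None when the policy accepts the proposal, else the first field that fails.
    Containment (subnet_of) is used here; some implementations insist on an exact match,
    which is one more reason to configure the selectors exactly as the client sends them."""
    if proposal.peer not in policy.remote_gateway:
        return "remote gateway"
    if not proposal.local_net.subnet_of(policy.local_net):
        return "local subnet"
    if not proposal.remote_client.subnet_of(policy.remote_net):
        return "remote address"
    return None


def find_policy(policies, proposal):
    """Mimic the responder's lookup: return the first accepting policy name (None is the
    'no connection is known' case) plus the reason each earlier policy was skipped."""
    skipped = {}
    for p in policies:
        reason = check(p, proposal)
        if reason is None:
            return p.name, skipped
        skipped[p.name] = reason
    return None, skipped


# Constructed sample values (the post masks the real last octets as "xxx").
LAN = ipaddress.ip_network("192.168.0.0/24")
DIALUP_CLIENT = ipaddress.ip_address("62.137.86.5")
ADSL_CLIENT = ipaddress.ip_address("212.84.127.20")

# Before: only a policy for the dial-up client exists, open to any peer gateway.
POLICIES_BEFORE = [
    SaPolicy("dialup-client", LAN, ipaddress.ip_network(f"{DIALUP_CLIENT}/32"), ANY_PEER),
]
# After: a second, client-specific tunnel pinned to the ADSL client's WAN address.
POLICIES_AFTER = POLICIES_BEFORE + [
    SaPolicy("adsl-client", LAN, ipaddress.ip_network(f"{ADSL_CLIENT}/32"),
             ipaddress.ip_network(f"{ADSL_CLIENT}/32")),
]
# The Quick Mode request the ADSL client sends: reach the LAN, identify as itself.
ADSL_PROPOSAL = QuickModeProposal(ADSL_CLIENT, LAN, ipaddress.ip_network(f"{ADSL_CLIENT}/32"))

if __name__ == "__main__":
    for label, policies in (("before", POLICIES_BEFORE), ("after", POLICIES_AFTER)):
        matched, skipped = find_policy(policies, ADSL_PROPOSAL)
        print(f"{label}: matched={matched} skipped={skipped}")
```

With only the dial-up policy configured, the ADSL client's request matches the LAN subnet and is allowed through the wide-open gateway check, but fails on the remote address, so the lookup returns no policy; adding the client-specific entry makes it match. The `skipped` reasons are the part worth keeping in a diagnostic: the router's own log only says that nothing matched, not which field was wrong.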
 