
Symantec 200R, VPN client & NAT 2

Status
Not open for further replies.

avertere (Vendor, GB)
Aug 17, 2004
I am running the firewall behind an adsl router/firewall (supplied by the ISP) and having problems with getting VPN to work.

I've done the updates, configured as per the recommendations on previous threads here - yet it will not work and I can only assume it is something to do with the adsl router running NAT. I have a public IP on the router, 192.128.1.1 inside the router, 192.168.1.2 on the outside (WAN1) interface on the 200R and then run a 192.168.0.0 network internally.

The error message on the client is a 3360 "client ID or unique key do not exist" and the firewall shows:
08/18/2004 07:44:28.58 vpnclient - STATE_AGGR_R1: from STATE_AGGR_R0; sent AR1, expecting AI2
08/18/2004 07:44:28.88 vpnclient - Receive ISAKMP OAK INFO (PAYLOAD_MALFORMED)

Any help here would be greatly appreciated
 
Is your public IP Address fixed or dynamic? If it's not fixed, you must use dynamic DNS, and set your DSL modem/router to passthrough mode.

I think the problem is that your WAN1 IP address on the 200R is not set to your public IP address, so when the VPN packet comes in the IP addresses do not match.

Unfortunately these Symantec VPN appliances are not very flexible to a routing solution. I have only gotten them to work with a public address.
 
Thanks for this tip. I do have a fixed IP address so I will set the WAN IP to match the public IP on the router and see if that works.

Paul
 
I see this error every day; the VPN tunnel is failing on the Phase 1 ID. This is because the 200/R is being NATed behind the modem.

To resolve the problem, try the following.

For the "Local Security Gateway" I am assuming that you have the "ID Type" set to "IP Address" and you have a blank "Phase 1 ID". If this is the case then the 200/R is going to be sending the IP address 192.168.1.2 as its Phase 1 ID, when the remote VPN client is set up to believe that the Phase 1 ID should be the public IP 192.128.1.1.

Now seeing that you are using a VPN client, you should also check out the following KB from Symantec.


I hope this helps,


SefLogic

tips on fixing any problem in the world
1. Check google / google-groups
2. check the vendor support page
3. get a book on the topic
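As an added illustration (not code from this thread, from Symantec, or from any poster), the script below models the Phase 1 ID mismatch SefLogic describes and flags the log pattern quoted in the first post: with ID Type "IP Address" and a blank Phase 1 ID, the gateway sends its private WAN1 address as its IKE identity while the client expects the public address. The configuration field names, the STATE_AGGR_R2 state name, and the 203.0.113.10 public address are assumptions and placeholders, not values from the page.

```python
"""Added example: Phase 1 ID mismatch for an IPsec gateway behind a NAT router.

Models the failure described in the thread: with ID Type "IP Address" and a
blank Phase 1 ID the 200R sends its WAN1 address (private, behind the ISP
router) as its IKE Phase 1 identity, while the VPN client expects the public
address it dialled. Config field names below are assumptions, not Symantec's.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Log line format as quoted in the thread: "<date> <time> <tunnel> - <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"(?P<tunnel>\S+) - (?P<msg>.*)$"
)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class LocalGateway:
    id_type: str    # "IP Address" or "Domain Name" (labels assumed)
    phase1_id: str  # explicit Phase 1 ID; "" means derive it from WAN1
    wan1_ip: str    # address on the 200R's WAN1 interface
    public_ip: str  # address on the ISP router's outside interface


def sent_phase1_id(gw: LocalGateway) -> str:
    """Identity the gateway will place in its IKE ID payload."""
    if gw.phase1_id:
        return gw.phase1_id
    if gw.id_type == "IP Address":
        return gw.wan1_ip  # blank ID => WAN1 address, as SefLogic explains
    raise ValueError("a Domain Name ID type needs an explicit Phase 1 ID")


def behind_nat(gw: LocalGateway) -> bool:
    """WAN1 holds an RFC 1918 address while the peer reaches a public one."""
    wan, pub = ip_address(gw.wan1_ip), ip_address(gw.public_ip)
    return any(wan in n for n in RFC1918) and not any(pub in n for n in RFC1918)


def phase1_id_mismatch(gw: LocalGateway, client_expects: str) -> bool:
    return sent_phase1_id(gw) != client_expects


def stuck_in_aggr_r1(log_lines) -> bool:
    """Aggressive mode reached STATE_AGGR_R1 (AR1 sent, AI2 expected) and the
    next event for that tunnel was an informational PAYLOAD_MALFORMED rather
    than progress to the next state (STATE_AGGR_R2 is the assumed name)."""
    waiting = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tunnel, msg = m.group("tunnel"), m.group("msg")
        if "STATE_AGGR_R1" in msg and "expecting AI2" in msg:
            waiting.add(tunnel)
        elif tunnel in waiting and "PAYLOAD_MALFORMED" in msg:
            return True
        elif "STATE_AGGR_R2" in msg:
            waiting.discard(tunnel)
    return False


def diagnose(gw: LocalGateway, client_expects: str, log_lines) -> str:
    """Combine the config check with the log pattern into one verdict."""
    if phase1_id_mismatch(gw, client_expects):
        verdict = "phase1-id-mismatch: gateway sends %s, client expects %s" % (
            sent_phase1_id(gw), client_expects)
        if behind_nat(gw) and stuck_in_aggr_r1(log_lines):
            verdict += "; set Phase 1 ID to the public address or use a Domain Name ID"
        return verdict
    return "ok"


# Constructed sample: the two firewall lines quoted in the first post.
SAMPLE_LOG = [
    "08/18/2004 07:44:28.58 vpnclient - STATE_AGGR_R1: from STATE_AGGR_R0; sent AR1, expecting AI2",
    "08/18/2004 07:44:28.88 vpnclient - Receive ISAKMP OAK INFO (PAYLOAD_MALFORMED)",
]
PUBLIC_IP = "203.0.113.10"  # placeholder public address (documentation range)
BROKEN = LocalGateway("IP Address", "", "192.168.1.2", PUBLIC_IP)
FIXED = LocalGateway("IP Address", PUBLIC_IP, "192.168.1.2", PUBLIC_IP)

if __name__ == "__main__":
    print(diagnose(BROKEN, PUBLIC_IP, SAMPLE_LOG))
    print(diagnose(FIXED, PUBLIC_IP, SAMPLE_LOG))
```

Running it prints the mismatch verdict for BROKEN and "ok" for FIXED, which is the change avertere planned (WAN IP/Phase 1 ID matching the public address). The log heuristic is deliberately narrow: it only fires on the AR1-then-PAYLOAD_MALFORMED sequence seen in the thread, so other Phase 1 failures are not reported as this problem.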
 
