
VPN client error

zachs9

Technical User
Oct 22, 2007
Trying to connect to a VPN using FortiClient - I can connect with the Netgear ProSafe client but not with FortiClient?

Here are the errors:
--------------------
loc_ip=192.168.1.2 loc_port=500 rem_ip=70.242.107.223 rem_port=500 out_if=0 vpn_tunnel=anuclinic status=negotiate_error msg="No response from the peer, retransmit (st=2)....

program=ipsec msg=loc_ip=0.0.0.0 loc_port=0 rem_ip=0.0.0.0 rem_port=0 out_if=0 vpn_tunnel= status=negotiate_error msg="Received error notification from peer: INVALID_ID_INFORMATION"

In run_timer_list, jiffies=00000015, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 5, Message id = 0x00000000, Len = 56
####### ISAKMP INFO ##########
You should send a protected info...



Here is the test log:
-----------------

In run_timer_list, jiffies=00000000, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
sys_get_local_gwy() called: remote gw:df6bf246 next hop:0
Detect local gateway for peer: 70.242.107.223
sys_get_local_gwy() called: remote gw:df6bf246 next hop:12e644
Get sa_connect message...192.168.1.2->70.242.107.223:0, natt_mode=0
Using new connection...natt_mode=0
Set connection name = anuclinic.
Adding timer #1... expiry=3600, data=16349472
Adding to bucket 3 at index 1
Tunnel 192.168.1.2 ---> 70.242.107.223:500,natt_en=1 is starting negotiation
Will negotiate a normal SA
Initiator: aggressive mode is sending 1st message...
Initiator:aggressive mode set dh=1024.
Sending DPD VID payloads....
Sending VID payload....
Sending NATT VID payload (draft3)....
Sending NATT VID payload (draft3 and draft1)....
Initiator: sent 70.242.107.223 aggressive mode message #1 (OK)
Adding timer #2... expiry=28770, data=16351376
Adding to bucket 4 at index 1
set retransmit: st=1, timeout=10.
Adding timer #2... expiry=10, data=16351376
Adding to bucket 1 at index 10
Next_time = 10 sec

In run_timer_list, jiffies=00000001, skipped = 1
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 4, I_COOKIE = 0xC875A5B9FBE3D081, Len = 362
Received Payloads= SA KE NONCE ID HASH VID 130 130 130
Initiator: aggressive mode get 1st response...
Negotiate Result
Proposal_id = 1:
Protocol_id = ISAKMP:
trans_id = KEY_IKE.
encapsulation = IKE/none
type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
type=OAKLEY_HASH_ALG, val=SHA.
type=AUTH_METHOD, val=PRESHARED_KEY.
type=OAKLEY_GROUP, val=1024.
Phase1 lifetimes=28800
Negotiate Success.(No echo).
parse all vendor ids...
- found NAT-T v0/1
---
Using IPS_NAT_MODE_KEEPALIVE.
Sending initial contact
set gw: 00F98090, timeout=28800.
Adding timer #2... expiry=28500, data=16351376
Adding to bucket 4 at index 1
Adding timer #2... expiry=28800, data=16349472
Adding to bucket 4 at index 1
Initiator: sent 70.242.107.223 aggressive mode message #2 (DONE)
confirmed nat-t draft1
My id: 192.168.1.2 255.255.255.255
Adding timer #3... expiry=28770, data=16354816
Adding to bucket 4 at index 1
Initiator:quick mode set pfs=1024...
Try to negotiate with 1800 life seconds.
Try to negotiate with 1800 life seconds.
Try to negotiate with 1800 life seconds.
Try to negotiate with 1800 life seconds.
confirmed nat-t draft1
Initiator: sent 70.242.107.223 quick mode message #1 (OK)
set retransmit: st=2, timeout=10.
Adding timer #3... expiry=10, data=16354816
Adding to bucket 1 at index 11


Next_time = 10 sec

In run_timer_list, jiffies=00000006, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 4, I_COOKIE = 0xC875A5B9FBE3D081, Len = 362
confirmed nat-t draft1
Process retransmit....


Next_time = 5 sec

In run_timer_list, jiffies=0000000B, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 16
Next_time = 5 sec

In run_timer_list, jiffies=0000000B, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 4, I_COOKIE = 0xC875A5B9FBE3D081, Len = 362
confirmed nat-t draft1
Process retransmit....


Next_time = 5 sec

In run_timer_list, jiffies=00000010, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 21
Next_time = 5 sec

In run_timer_list, jiffies=00000010, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 4, I_COOKIE = 0xC875A5B9FBE3D081, Len = 362
confirmed nat-t draft1
Process retransmit....


Next_time = 5 sec

In run_timer_list, jiffies=00000015, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 26
Next_time = 5 sec

In run_timer_list, jiffies=00000015, skipped = 0
tvecs[1]->bits is 3, tvecs[n]->index is 0
Comes 70.242.107.223:500->192.168.1.2:500,ifindex=196610, ....
Exchange Mode = 5, Message id = 0x00000000, Len = 56
####### ISAKMP INFO ##########
You should send a protected info...


Next_time = 5 sec

In run_timer_list, jiffies=0000001A, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 31
Next_time = 5 sec

In run_timer_list, jiffies=0000001F, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 36
Next_time = 5 sec

In run_timer_list, jiffies=00000024, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 41
Next_time = 5 sec

In run_timer_list, jiffies=00000029, skipped = 5
tvecs[1]->bits is 3, tvecs[n]->index is 0
No response from the peer, retransmit (st=2)....
confirmed nat-t draft1
set retransmit: st=2, timeout=5.
Adding timer #3... expiry=5, data=16354816
Adding to queue
Adding timer #4... expiry=5, data=16354816
Adding to bucket 1 at index 46
Next_time = 5 sec

The router I am connecting to is a Netgear FWAG114 - anuclinic.dnsalias.net - 192.168.20.0/255.255.255.0
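As an added triage script (not from the thread, Fortinet or Netgear), the following Python reads the FortiClient debug output posted above and reports which IKE phase stalled; the embedded log lines are copied from the post, and the verdict wording is an assumption of my own.

```python
import re

# Lines excerpted from the FortiClient debug log in this thread (constructed subset, same text).
LOG = """\
Initiator: aggressive mode is sending 1st message...
Initiator: sent 70.242.107.223 aggressive mode message #1 (OK)
Negotiate Success.(No echo).
My id: 192.168.1.2 255.255.255.255
Initiator: sent 70.242.107.223 quick mode message #1 (OK)
set retransmit: st=2, timeout=10.
No response from the peer, retransmit (st=2)....
No response from the peer, retransmit (st=2)....
program=ipsec msg=loc_ip=0.0.0.0 loc_port=0 rem_ip=0.0.0.0 rem_port=0 out_if=0 vpn_tunnel= status=negotiate_error msg="Received error notification from peer: INVALID_ID_INFORMATION"
"""

PHASE1_OK = re.compile(r"^Negotiate Success")           # aggressive mode (phase 1) completed
MY_ID = re.compile(r"^My id: (\S+) (\S+)")               # identity/selector the client offers
QM_SENT = re.compile(r"quick mode message #1 \(OK\)")    # phase 2 (quick mode) started
RETRANSMIT = re.compile(r"No response from the peer, retransmit \(st=(\d+)\)")
NOTIFY = re.compile(r"Received error notification from peer: ([A-Z_]+)")


def triage(log: str) -> dict:
    """Classify a FortiClient IKE debug log by the phase in which it stalled."""
    r = {"phase1": "unknown", "phase2": "not started", "retransmits": 0,
         "notify": None, "my_id": None, "verdict": ""}
    for line in log.splitlines():
        if PHASE1_OK.search(line):
            r["phase1"] = "ok"
        elif m := MY_ID.search(line):
            r["my_id"] = f"{m.group(1)}/{m.group(2)}"
        elif QM_SENT.search(line):
            r["phase2"] = "sent"
        elif m := RETRANSMIT.search(line):
            r["retransmits"] += 1
            if m.group(1) == "2":  # st=2: waiting on the quick mode reply
                r["phase2"] = "no reply"
        elif m := NOTIFY.search(line):
            r["notify"] = m.group(1)
    if r["phase1"] != "ok":
        r["verdict"] = "phase 1 failed: check pre-shared key, proposal and exchange mode"
    elif r["notify"] == "INVALID_ID_INFORMATION" or r["phase2"] == "no reply":
        # Peer accepted the key but not the identity/selectors: compare the client's
        # 'My id' with the gateway policy's remote endpoint, which is where this thread ends up.
        r["verdict"] = f"phase 2 rejected: gateway does not accept client id {r['my_id']}"
    else:
        r["verdict"] = "tunnel negotiated"
    return r
```

Run `triage(LOG)` to see that phase 1 succeeded while quick mode got no answer and the peer returned INVALID_ID_INFORMATION, which points at the policy/ID mismatch rather than the pre-shared key.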
 
Well, why not use the Netgear client when connecting to a Netgear product? Looks like your FortiClient is tossing bits into the bit bucket, probably because it doesn't know how to negotiate or find the parameters you set for NAT traversal. This is common with VPN servers that use IPSec and NAT, but if your Netgear client works fine, then use it. What advantage do you have using FortiClient, or whatever? The big disadvantage is that it doesn't work!

Burt
 
Got it to work just now.

Burt, appreciate your response. The problem with Netgear is it does not work on Vista - isn't that amazing - after years of OS release Netgear would care to acknowledge a popular OS.

Setting the router's VPN policy's remote IP to "any"! It may not be the safest, but let's hope nobody can crack my passphrase. I will try the made-up domain names and see if that works.

Even if Netgear would wake up and release the client, that would cost about 100 easy. Fortinet is free - let's see how long!
 
I think Cisco VPN client version 5.0 may be compatible with Vista... it is free, with a free CCO registration. May be worth a try.
I guess potentially someone would be able to do a port scan and see port 1720 open, and try to brute force the group name and password... it would take centuries even for a cracker working in hybrid mode to guess a 10-character group name with a mix of caps, small letters, numbers and symbols. But if you used a firewall that allows VPN connections only from specific sources, then you could be even safer. If the passwords are good like I have suggested, then you're good to go.

Burt