VPN between ShrewSoft VPN Client and NETGEAR FVS338
Hello everyone, as you can guess from the title I have run into configuring a VPN Client connection between a PC and the NETGEAR FVS338 Firewall.
Here is a summary of how the company network is structured:
NETGEAR DG834 router with IP 192.168.100.250
NETGEAR FVS338 firewall with IP 192.168.100.253 on the router side and 192.168.1.250, with the DHCP server enabled, towards the PC network.
To enable the VPN I did the following:
1- On the DG834, from the "Firewall Rules" menu, I added the VPN-IPSEC service both inbound and outbound as ALWAYS ALLOW, specifying in the inbound service the Firewall's IP address as the LAN server IP address.
2- On the FVS338 firewall: VPN -> VPN Wizard, assigned the connection name and pre-shared key, entered the Remote and Local ID Information
3- Started the ShrewSoft VPN Access Manager client and configured it as follows:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-dns-suffix-auto:1
n:client-addr-auto:1
s:network-host:IPPubblico
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvx_remote.com
s:ident-server-data:fvx_local.com
b:auth-mutual-psk:bXlwcmVzaGFyZWRrZXk=
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-level:unique
s:policy-list-include:192.168.1.0 / 255.255.255.0
When I click connect everything seems to start correctly:
"...config loaded for site 'NETGEAR_fvx.vpn'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled..."
but after a few tens of seconds it disconnects and gives me this message:
"...negotiation timout occurred
tunnel disabled
detached from key daemon..."
I also went to check the VPN log on the Firewall, which I report below for completeness:
2012 Feb 15 16:24:56 [FVS338] [IKE] Remote configuration for identifier "fvx_remote.com" found
2012 Feb 15 16:24:56 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>192.168.100.250[500]
2012 Feb 15 16:24:56 [FVS338] [IKE] Beginning Aggressive mode.
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID
- Last output repeated twice -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID
- Last output repeated 3 times -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: DPD
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID
- Last output repeated 2 times -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY
2012 Feb 15 16:24:56 [FVS338] [IKE] For 192.168.100.250[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012 Feb 15 16:25:57 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 192.168.100.250[500]. 077cc5a0e32cf327:c839665dbaf18034
I don't know what to check to make it all work; if anyone could help me or point me to some guide or tutorial...
Thanks in advance,
Ric
Good morning everyone!!! I made some changes to the client configuration and now the tunnel stays up, but apparently I can't get the client to obtain an IP. Below is the log, hoping someone can give me a hand.
2012 Feb 16 10:11:30 [FVS338] [IKE] Remote configuration for identifier "fvx_remote.com" found
2012 Feb 16 10:11:30 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>2.45.132.32[500]
2012 Feb 16 10:11:30 [FVS338] [IKE] Beginning Aggressive mode.
2012 Feb 16 10:11:30 [FVS338] [IKE] Received unknown Vendor ID
- Last output repeated 3 times -
2012 Feb 16 10:11:30 [FVS338] [IKE] Received Vendor ID: DPD
2012 Feb 16 10:11:30 [FVS338] [IKE] Received unknown Vendor ID
- Last output repeated 2 times -
2012 Feb 16 10:11:30 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY
2012 Feb 16 10:11:31 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32
2012 Feb 16 10:11:31 [FVS338] [IKE] ISAKMP-SA established for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842
2012 Feb 16 10:11:31 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2012 Feb 16 10:11:37 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:37 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:42 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:42 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:48 [FVS338] [IKE] packet shorter than isakmp header size.
2012 Feb 16 10:11:48 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:48 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:48 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:48 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:53 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:53 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:11:53 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]
2012 Feb 16 10:11:53 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com
2012 Feb 16 10:12:04 [FVS338] [IKE] packet shorter than isakmp header size.
2012 Feb 16 10:12:20 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32
2012 Feb 16 10:12:21 [FVS338] [IKE] packet shorter than isakmp header size.
2012 Feb 16 10:12:31 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32
2012 Feb 16 10:12:34 [FVS338] [IKE] packet shorter than isakmp header size.
2012 Feb 16 10:12:38 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=a842b27e0ac55872:04aa241a27547842.
2012 Feb 16 10:12:39 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842
2012 Feb 16 10:12:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32
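An added diagnostic example, not code from this thread, from NETGEAR or from ShrewSoft: it parses FVS338 "[IKE]" log lines like the ones quoted in both posts above and explains each phase 1 timeout and each "Failed to get IPsec SA configuration" entry in terms of the policy the firewall expected. The LAN 192.168.1.0/24 comes from the thread; the client address pool 192.168.1.200/29 is an assumed placeholder, and the sample log is constructed from lines quoted above.

```python
import ipaddress
import re

# Constructed sample, built from FVS338 "[IKE]" lines quoted in the thread
SAMPLE_LOG = """\
2012 Feb 15 16:24:56 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>192.168.100.250[500]
2012 Feb 15 16:25:57 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 192.168.100.250[500]. 077cc5a0e32cf327:c839665dbaf18034
2012 Feb 16 10:11:31 [FVS338] [IKE] ISAKMP-SA established for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:12:20 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
"""

# "<date> [device] [IKE] <message>", tolerating the trailing "_" the forum copy carries
IKE_LINE = re.compile(r"^(\S+ \S+ \S+ \S+) \[\w+\] \[IKE\] (.*?)_*$")
P1_TIMEOUT = re.compile(r"Phase 1 negotiation failed due to time up for (\S+)\[\d+\]")
P1_OK = re.compile(r"ISAKMP-SA established for \S+\[\d+\]-(\S+)\[\d+\]")
P2_FAIL = re.compile(r"Failed to get IPsec SA configuration for: (\S+)<->(\S+)")


def classify_phase2(local_sel, remote_sel, lan, pool):
    """Explain why the firewall found no policy for a phase 2 selector pair."""
    local_net = ipaddress.ip_network(local_sel, strict=False)
    remote_net = ipaddress.ip_network(remote_sel, strict=False)
    if local_net != lan:
        return f"local selector {local_sel} does not match LAN policy {lan}"
    if not (remote_net.prefixlen == 32 and remote_net.network_address in pool):
        return f"remote address {remote_sel} is outside the client address pool {pool}"
    return "selectors match policy; check the phase 2 proposal (cipher/PFS) instead"


def triage(log_text, lan="192.168.1.0/24", pool="192.168.1.200/29"):
    """Return (timestamp, kind, explanation) for each phase 1/2 event. Pool is an assumption."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    findings = []
    for line in log_text.splitlines():
        m = IKE_LINE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if (t := P1_TIMEOUT.search(msg)):
            findings.append((ts, "phase1-timeout",
                             f"no usable reply from {t.group(1)}; check IKE/NAT-T forwarding and IDs"))
        elif (o := P1_OK.search(msg)):
            findings.append((ts, "phase1-ok", f"ISAKMP SA up with {o.group(1)}"))
        elif (f := P2_FAIL.search(msg)):
            findings.append((ts, "phase2-policy", classify_phase2(f.group(1), f.group(2), lan, pool)))
    return findings
```

Run `triage(open("fvs338.log").read(), pool="<your pool>")` against a real export; a 0.0.0.0/0 local selector means the client is asking for a full tunnel the firewall's policy does not cover.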
OK, I solved this one too... It was a pool configuration problem. Now, though, the tunnel stays up and the PC gets the correct IP but not the gateway! How do I fix that?