#1 - November 30th, 2008, 12:52 PM - bollar (Junior Member)
FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Hi all,

I apologize for what must be a noob question, but my search didn't yield anything that seems to apply -- maybe I'm not using the right terms. Anyway, I have just set up an FVS336G to FVS336G VPN tunnel using the VPN wizard. The tunnel appears to be operating and I can ping and tracert between the devices. The networks are 10.0.x.x and 10.10.x.x.
Code:
Policy Name        Endpoint            Tx (KB)   Tx (Packets)   State
Connect to zzzz    zzzz.homedns.org    13.89     80             IPsec SA Established
PING 10.10.0.1 (10.10.0.1): 56 data bytes
64 bytes from 10.10.0.1: icmp_seq=0 ttl=63 time=22.122 ms
64 bytes from 10.10.0.1: icmp_seq=1 ttl=63 time=21.586 ms

traceroute to 10.10.0.1 (10.10.0.1), 64 hops max, 40 byte packets
1 10.0.0.1 (10.0.0.1) 2.829 ms 0.938 ms 0.918 ms
2 10.10.0.1 (10.10.0.1) 40.652 ms 39.284 ms 44.140 ms

Trying to load http://10.10.0.1/ (the far FVS336G private IP) redirects to https://10.10.0.1/scgi-bin/index.htm but that page doesn't load.

Also, I can't ping, ftp, http or https the only resource located behind that firewall (a Netgear ReadyNAS NV+ located at 10.10.0.225).

PING 10.10.0.225 (10.10.0.225): 56 data bytes

--- 10.10.0.225 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

traceroute to 10.10.0.225 (10.10.0.225), 64 hops max, 40 byte packets
1 10.0.0.1 (10.0.0.1) 1.948 ms 1.076 ms 1.348 ms
2 * *

Otherwise, I just set up the network as suggested by the instructions. Do I need to do any kind of routing (i.e., a mode config record)?

I hope I've provided enough information to help you get me pointed in the right direction!
#2 - November 30th, 2008, 01:17 PM - bollar (Junior Member)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

BTW, I can telnet and authenticate to the distant FVS336G's CLI using 10.10.0.1, so it seems to me that the tunnel itself is operational.
#3 - November 30th, 2008, 01:58 PM - adit (Moderator)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Post screenshots of the IKE & VPN policies of both sides of the tunnel.
#4 - November 30th, 2008, 02:44 PM - bollar (Junior Member)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

10.10.0.1 IKE [screenshot not preserved]

10.10.0.1 VPN [screenshot not preserved]

10.0.0.1 IKE [screenshot not preserved]

10.0.0.1 VPN [screenshot not preserved]

Thanks!
#5 - November 30th, 2008, 05:52 PM - adit (Moderator)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Your subnet masks in the VPN policies are wrong. They should be 255.255.255.0.

Alternatively you could renumber one of the networks outside of the mask 255.255.0.0 (but I doubt you need a subnet with that many hosts at one site).

Set all SAs (IKE & VPN) to 3600 since you are using DDNS (if your dynamic IP changes frequently).
#6 - November 30th, 2008, 06:23 PM - bollar (Junior Member)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Thanks!

I'll try changing the mask tomorrow to see if that helps -- but I thought that 10.10.x.x and 10.0.x.x were numbered correctly with that 255.255.0.0 mask. I do have a couple of subnets on either side (i.e., I do have 10.0.1.x and 10.0.2.x) and I was hoping to be able to access all of those subnets over the VPN. But hey, if I can get *any* configuration working, that will be a great start!

I'll also change the SA expiry.
#7 - November 30th, 2008, 07:24 PM - adit (Moderator)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Both 10.0.1.x and 10.0.2.x fall under a single mask of 255.255.0.0 and therefore cannot be routed across a VPN tunnel.

10.0.0.0 255.255.0.0 (/16) = 10.0.0.1 - 10.0.255.255

You may need to rearrange some of your subnets or use LAN Multihoming and cut your main LAN mask to a /24.

Last edited by adit; November 30th, 2008 at 07:26 PM.
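Added example (not from the thread and not NETGEAR code): a small Python check for the policy questions raised in posts #5 to #7. It tests whether the two gateways' local/remote selectors mirror each other, whether a far-side host such as the ReadyNAS at 10.10.0.225 actually falls inside the selector, and which extra LAN subnets a /16 selector covers. The network values are the ones given in the thread; the policy dictionaries, the mismatched far-side mask and the helper names are constructed for illustration.

```python
import ipaddress

# Values taken from the thread: the near site (xxxx) is 10.0.0.x, the far
# site (zzzz) is 10.10.0.x, and the far-side host that could not be reached
# is the ReadyNAS at 10.10.0.225.
NEAR_LAN = ("10.0.0.0", "255.255.255.0")
FAR_LAN = ("10.10.0.0", "255.255.255.0")
FAR_HOST = "10.10.0.225"


def parse_net(addr, mask):
    """Turn an address/mask pair as typed into a VPN policy form into a
    network.  strict=False accepts a gateway address such as 10.10.0.1
    together with its mask, the way the policy forms do."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_policy_pair(near, far):
    """near / far: dicts with 'local' and 'remote' (addr, mask) tuples, one
    per gateway.  Returns a list of problems; empty means the policies
    mirror each other and the two LANs do not overlap."""
    problems = []
    n_local, n_remote = parse_net(*near["local"]), parse_net(*near["remote"])
    f_local, f_remote = parse_net(*far["local"]), parse_net(*far["remote"])
    # Each side's local selector must equal the other side's remote selector;
    # otherwise phase 2 negotiates a different network than the peer expects
    # and traffic to the unmatched part never enters the tunnel.
    if n_local != f_remote:
        problems.append(f"near local {n_local} != far remote {f_remote}")
    if n_remote != f_local:
        problems.append(f"near remote {n_remote} != far local {f_local}")
    # Overlapping local and remote networks cannot be routed across a tunnel.
    if n_local.overlaps(n_remote):
        problems.append(f"near local {n_local} overlaps near remote {n_remote}")
    return problems


def host_in_selector(host, addr, mask):
    """True if host lies inside the selector addr/mask, i.e. traffic to or
    from it is eligible for the tunnel at all."""
    return ipaddress.ip_address(host) in parse_net(addr, mask)


def subnets_inside(addr, mask, subnets):
    """Return those of the given 'a.b.c.d/len' subnets that lie entirely
    inside the selector addr/mask (useful for seeing what a /16 covers)."""
    sel = parse_net(addr, mask)
    return [s for s in subnets if ipaddress.ip_network(s).subnet_of(sel)]


if __name__ == "__main__":
    near = {"local": NEAR_LAN, "remote": FAR_LAN}
    # Constructed mismatch: the far gateway describes its own LAN with a /16
    # while the near gateway expects a /24 for it.
    far_bad = {"local": ("10.10.0.0", "255.255.0.0"), "remote": NEAR_LAN}
    far_ok = {"local": FAR_LAN, "remote": NEAR_LAN}
    for p in check_policy_pair(near, far_bad):
        print("problem:", p)
    print("consistent:", check_policy_pair(near, far_ok) == [])
    print(f"{FAR_HOST} in far selector:", host_in_selector(FAR_HOST, *FAR_LAN))
    print("subnets inside 10.0.0.0/16:",
          subnets_inside("10.0.0.0", "255.255.0.0",
                         ["10.0.1.0/24", "10.0.2.0/24", "10.10.0.0/24"]))
```

Run it as-is to see the constructed mismatch reported, then substitute the address/mask pairs from your own two policy screens; a host that is reachable by ping but not covered by `host_in_selector` on both ends is being routed around the tunnel rather than through it.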
#8 - December 1st, 2008, 06:47 AM - bollar (Junior Member)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Okay, I'll give it a go and report back.


Thanks!
#9 - December 2nd, 2008, 04:43 AM - bollar (Junior Member)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

Okay, I have changed the settings as suggested. I also deleted all routing entries and ssl-vpn configurations on the near side just to make sure that I haven't introduced any variability. One thing I noticed this time is that the distant VPN (zzzz) can ping any resource on the near VPN. The near VPN (xxxx) can only ping 10.10.0.1 but it still can't access any resource on the distant VPN.

Here are the logs -- one thing I notice is that the distant VPN is ignoring ping requests from the near VPN and I wonder if that's a crucial point? Otherwise, x is the near vpn 10.0.0.x and z is the far vpn 10.10.0.x

2008 Dec 2 07:16:12 [FVS336G xxxx] [IKE] Adding IPSec configuration with identifier "Connect to zzzz"
2008 Dec 2 07:16:12 [FVS336G xxxx] [IKE] Adding IKE configuration with identifer "Connect to zzzz"
2008 Dec 2 07:16:12 [FVS336G xxxx] [VPNKA] ifName: eth0.2
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Using IPsec SA configuration: 10.0.0.0/24<->10.10.0.0/24
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] remote configuration for identifier "zzzz.homedns.org" found
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Initiating new phase 1 negotiation: 192.168.1.2[500]<=>zzz.zzz.zzz.zzz[500]
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Beginning Identity Protection mode.
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Received Vendor ID: RFC XXXX
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Received Vendor ID: DPD
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Received Vendor ID: KAME/racoon
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] For zzz.zzz.zzz.zzz[500], Selected NAT-T version: RFC XXXX
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Received Vendor ID: KAME/racoon
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] NAT-D payload does not match for 192.168.1.2[500]
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] NAT-D payload matches for zzz.zzz.zzz.zzz[500]
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] NAT detected: ME
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] for debugging :: changing ports
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] port changed !!
2008 Dec 2 07:16:21 [FVS336G xxxx] [IKE] ISAKMP-SA established for 192.168.1.2[4500]-zzz.zzz.zzz.zzz[4500] with spi:5b5df420f8fb312f:0203c4cbbaad9bed
2008 Dec 2 07:16:21 [FVS336G xxxx] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2008 Dec 2 07:16:22 [FVS336G xxxx] [IKE] Initiating new phase 2 negotiation: 192.168.1.2[0]<=>zzz.zzz.zzz.zzz[0]
2008 Dec 2 07:16:22 [FVS336G xxxx] [IKE] Adjusting encryption mode to use UDP encapsulation
2008 Dec 2 07:16:22 [FVS336G xxxx] [IKE] Adjusting peer's encmode 3(3)->Tunnel(1)
2008 Dec 2 07:16:23 [FVS336G xxxx] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel zzz.zzz.zzz.zzz->192.168.1.2 with spi=115055411(0x6db9b33)
2008 Dec 2 07:16:23 [FVS336G xxxx] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.2->zzz.zzz.zzz.zzz with spi=31812999(0x1e56d87)

2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] remote configuration for identifier "xxxx.homedns.org" found
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Received request for new phase 1 negotiation: zzz.zzz.zzz.zzz[500]<=>xxx.xxx.xxx.xxx[500]
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Beginning Identity Protection mode.
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Received Vendor ID: RFC XXXX
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Received Vendor ID: DPD
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] For xxx.xxx.xxx.xxx[500], Selected NAT-T version: RFC XXXX
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Received Vendor ID: KAME/racoon
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] NAT-D payload matches for zzz.zzz.zzz.zzz[500]
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] NAT-D payload does not match for xxx.xxx.xxx.xxx[500]
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] NAT detected: PEER
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] Floating ports for NAT-T with peer xxx.xxx.xxx.xxx[4500]
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] ISAKMP-SA established for zzz.zzz.zzz.zzz[4500]-xxx.xxx.xxx.xxx[4500] with spi:5b5df420f8fb312f:0203c4cbbaad9bed
2008 Dec 2 07:16:20 [FVS336G zzzz] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2008 Dec 2 07:16:21 [FVS336G zzzz] [IKE] Responding to new phase 2 negotiation: zzz.zzz.zzz.zzz[0]<=>xxx.xxx.xxx.xxx[0]
2008 Dec 2 07:16:21 [FVS336G zzzz] [IKE] Using IPsec SA configuration: 10.10.0.0/24<->10.0.0.0/24
2008 Dec 2 07:16:21 [FVS336G zzzz] [IKE] Adjusting peer's encmode 3(3)->Tunnel(1)
2008 Dec 2 07:16:22 [FVS336G zzzz] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->zzz.zzz.zzz.zzz with spi=31812999(0x1e56d87)
2008 Dec 2 07:16:22 [FVS336G zzzz] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel zzz.zzz.zzz.zzz->xxx.xxx.xxx.xxx with spi=115055411(0x6db9b33)
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(0) and id(23141) from 10.0.0.1
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(1) and id(23141) from 10.0.0.1
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(2) and id(23141) from 10.0.0.1
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(3) and id(23141) from 10.0.0.1
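Added example, not part of the thread or of the FVS336G firmware: a parser for the log format pasted in post #9 that summarises, per gateway, whether IKE phase 1 completed, which side NAT-T detected as being behind NAT, the phase 2 selectors, the ESP SPI for each direction, and how many VPNKA "Ignored ICMP ECHO Reply" lines appeared. It then cross-checks the two gateways: selectors should mirror each other and the set of ESP SPIs should be the same on both ends. The sample log is constructed from the excerpt above (same masked addresses, same trailing "_" the forum added, which the parser strips); the regexes, helper names and the list of checks are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the FVS336G log format, modelled on the excerpt in
# the thread; public addresses are masked exactly as they were in the post,
# and the trailing '_' the forum paste added is kept to show it is tolerated.
SAMPLE_LOG = """\
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] Using IPsec SA configuration: 10.0.0.0/24<->10.10.0.0/24_
2008 Dec 2 07:16:20 [FVS336G xxxx] [IKE] NAT detected: ME _
2008 Dec 2 07:16:21 [FVS336G xxxx] [IKE] ISAKMP-SA established for 192.168.1.2[4500]-zzz.zzz.zzz.zzz[4500] with spi:5b5df420f8fb312f:0203c4cbbaad9bed_
2008 Dec 2 07:16:23 [FVS336G xxxx] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel zzz.zzz.zzz.zzz->192.168.1.2 with spi=115055411(0x6db9b33)_
2008 Dec 2 07:16:23 [FVS336G xxxx] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.1.2->zzz.zzz.zzz.zzz with spi=31812999(0x1e56d87)_
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] NAT detected: PEER_
2008 Dec 2 07:16:19 [FVS336G zzzz] [IKE] ISAKMP-SA established for zzz.zzz.zzz.zzz[4500]-xxx.xxx.xxx.xxx[4500] with spi:5b5df420f8fb312f:0203c4cbbaad9bed_
2008 Dec 2 07:16:21 [FVS336G zzzz] [IKE] Using IPsec SA configuration: 10.10.0.0/24<->10.0.0.0/24_
2008 Dec 2 07:16:22 [FVS336G zzzz] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel xxx.xxx.xxx.xxx->zzz.zzz.zzz.zzz with spi=31812999(0x1e56d87)_
2008 Dec 2 07:16:22 [FVS336G zzzz] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel zzz.zzz.zzz.zzz->xxx.xxx.xxx.xxx with spi=115055411(0x6db9b33)_
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(0) and id(23141) from 10.0.0.1_
2008 Dec 2 07:26:03 [FVS336G zzzz] [VPNKA] Ignored ICMP ECHO Reply with seq(1) and id(23141) from 10.0.0.1_
"""

# One line = timestamp, "[FVS336G <device>]", "[<module>]", free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) "
    r"\[FVS336G (?P<dev>\w+)\] \[(?P<mod>\w+)\] (?P<msg>.*)$")
SEL_RE = re.compile(r"Using IPsec SA configuration: (\S+)<->(\S+)")
SPI_RE = re.compile(r"ESP/Tunnel (\S+)->(\S+) with spi=(\d+)")
NAT_RE = re.compile(r"NAT detected: (\w+)")


def parse_log(text):
    """Summarise per gateway: phase 1 established?, NAT-T role, phase 2
    selectors, ESP SPI per direction, and ignored keepalive replies."""
    def empty():
        return {"phase1": False, "nat": None, "selectors": None,
                "spis": {}, "ignored_keepalive": 0}
    summary = defaultdict(empty)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip("_ "))  # drop the '_' the forum pasted
        if not m:
            continue
        s, msg = summary[m["dev"]], m["msg"]
        if msg.startswith("ISAKMP-SA established"):
            s["phase1"] = True
            continue
        nat = NAT_RE.search(msg)
        if nat:
            s["nat"] = nat.group(1)
            continue
        sel = SEL_RE.search(msg)
        if sel:
            s["selectors"] = (sel.group(1), sel.group(2))
            continue
        spi = SPI_RE.search(msg)
        if spi:
            s["spis"][f"{spi.group(1)}->{spi.group(2)}"] = int(spi.group(3))
            continue
        if m["mod"] == "VPNKA" and "Ignored ICMP ECHO Reply" in msg:
            s["ignored_keepalive"] += 1
    return dict(summary)


def findings(summary):
    """Cross-check the two gateways' summaries and return readable notes."""
    notes = []
    devs = list(summary)
    if len(devs) == 2:
        a, b = summary[devs[0]], summary[devs[1]]
        # The responder's selector pair must be the initiator's pair reversed.
        if a["selectors"] and b["selectors"] and a["selectors"] != b["selectors"][::-1]:
            notes.append(f"phase 2 selectors do not mirror: {devs[0]} {a['selectors']} "
                         f"vs {devs[1]} {b['selectors']}")
        # Both ends must hold the same two ESP SPIs (one per direction).
        if set(a["spis"].values()) != set(b["spis"].values()):
            notes.append("ESP SPIs differ between the two gateways")
    for dev, s in summary.items():
        if not s["phase1"]:
            notes.append(f"{dev}: no ISAKMP-SA established")
        if s["ignored_keepalive"]:
            notes.append(f"{dev}: ignored {s['ignored_keepalive']} keepalive ICMP replies")
    return notes


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    for dev, s in summary.items():
        print(dev, s)
    for note in findings(summary):
        print("note:", note)
```

On the constructed sample both phases complete, the selectors mirror (10.0.0.0/24<->10.10.0.0/24 on one side, reversed on the other) and the SPIs agree, so the only note is the count of ignored keepalive replies on zzzz, which is the point bollar asked about; the cause of those ignored replies is not something the log excerpt alone decides.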
#10 - December 2nd, 2008, 04:49 AM - jmizoguchi (Banned)
Re: FVS336G VPN Tunnel Help (resources beyond FVS336G not available)

assume you fix this by

Quote (bollar):
    Otherwise, x is the near vpn 10.0.0.x and z is the far vpn 10.10.0.x

10.0.0.0/255.255.255.0 (prosafe #1)
10.10.0.0/255.255.255.0 (prosafe #2)

All times are GMT -8.