#21
November 16th, 2009, 07:38 AM
adit
Moderator
NETGEAR Fanatic
Join Date: Nov 2006
Location: USA
Posts: 5,350
Re: FVS338 Frequent VPN drops and lockup

Do worry about hack attempts, if you have faith in your process. This is where Authentication comes in.


Here is info on the IP, it's local to you:


inetnum: 62.47.0.0 - 62.47.63.255
netname: TA-HIGHWAY-SPEED
descr: Highway Customers
descr: Telekom Austria TA AT
country: AT
admin-c: HMH25-RIPE
tech-c: AAH12-RIPE
tech-c: DAH12-RIPE
tech-c: HMH25-RIPE
status: ASSIGNED PA
remarks: please contact abuse@aon.at for criminal use, portscan, SPAM, etc.
mnt-by: AS8447-MNT
mnt-lower: AS8447-MNT
source: RIPE # Filtered
role: Host Master Highway
address: Telekom Austria TA AG
address: Arsenal Objekt 24
address: 1030 Vienna
address: Austria
phone: + 43 (0)59059 10
fax-no: + 43 1 7962565
abuse-mailbox: abuse@aon.at
remarks: for database maintenance please contact
remarks: < hostmaster @ aon.at >
admin-c: VM404-RIPE
tech-c: MA3804-RIPE
tech-c: AJ2061-RIPE
tech-c: HH1035-RIPE
tech-c: RH186-RIPE
nic-hdl: HMH25-RIPE
mnt-by: AS8447-MNT
source: RIPE # Filtered
role: Domain Admin Highway
address: Telekom Austria TA AG
address: Arsenal Objekt 24
address: 1030 Wien
address: Austria
phone: +43(0)59059 169340
fax-no: +43(0)59059 169347
abuse-mailbox: abuse@aon.at
admin-c: WC82-RIPE
tech-c: CW6434-RIPE
tech-c: WC82-RIPE
nic-hdl: DAH12-RIPE
mnt-by: AS8447-MNT
source: RIPE # Filtered
role: Abuse Admin Highway
address: Telekom Austria TA AG
address: Postfach 1001
address: 1011 Wien
address: Austria
phone: +43 (0)59059 159130
fax-no: +43 (0)59059 169347
abuse-mailbox: abuse@aon.at
admin-c: WC82-RIPE
tech-c: WC82-RIPE
nic-hdl: AAH12-RIPE
remarks: **************************************************
remarks: * CONTACT FOR CRIMINAL USE, PORTSCAN, SPAM, ETC. *
remarks: **************************************************
mnt-by: AS8447-MNT
source: RIPE # Filtered
% Information related to '62.46.0.0/15AS8447'
route: 62.46.0.0/15
descr: HIGHWAY194
origin: AS8447
remarks: ==========================================
remarks: please report abuse incidents (eg network
remarks: scanning, spam originating, etc.) to
remarks: abuse@aon.at
remarks: ==========================================
mnt-by: AS8447-MNT
source: RIPE # Filtered

#22
November 16th, 2009, 08:40 AM
Whookie
Junior Member
NETGEAR Newbie
Join Date: Nov 2009
Posts: 36

Yes, I'm worried about that; it is not the first time I caught a login attempt. This one in particular (http://www.projecthoneypot.org/ip_62.47.9.136) seems to be used as a spam relay.
I'm not even sure if the lockups aren't triggered by some external attack...

For now I have a lockup again. With my plain cert setup (just me as account), no internal MAC filtering, no nothing (in the VPN log it seems to start with the following entries:

2009 Nov 16 03:39:47 [FVS338] [IKE] clock skew detected, restarting racoon _
2009 Nov 16 03:39:47 [FVS338] [IKE] Duplicate ID : evkmode_
2009 Nov 16 03:39:47 [FVS338] [IKE] configuration read failed_
2009 Nov 16 08:40:31 [FVS338] [IKE] Could not find configuration for xx.xx.xx.52[500]_
- Last output repeated 40 times -
2009 Nov 16 15:29:44 [FVS338] [IKE] Could not find configuration for xx.xx.xx.170[500]_
)
Both xx.xx.xx.xx IPs are from known users.

But for the sake of simplicity I will now delete this configuration and go back to PSK mode.
I will just allow 2 accounts (me and my co-admin), but as the current config (after a complete reset last Saturday) locked up last night, I'm quite sure it will happen again in PSK mode too ... so stay tuned

TIA
Whookie

#23
November 16th, 2009, 09:06 AM
Whookie

So VPN is working now (just 2 accounts) ...
I've made 2 screen shots (ike+modeconfig) but couldn't upload them so if you want to have a look at them we can find another way to exchange them.

TIA
Gustav

#24
November 16th, 2009, 12:11 PM
adit

Quote:
Originally Posted by Whookie
So VPN is working now (just 2 accounts) ...
I've made 2 screen shots (ike+modeconfig) but couldn't upload them so if you want to have a look at them we can find another way to exchange them.

TIA
Gustav

Read my sig for a place to post screenshots.

#25
November 16th, 2009, 01:09 PM
Whookie

Ok that much space is available on our site too

Mode Config:


IKE:

#26
November 16th, 2009, 01:40 PM
adit

Read my SA Lifetime Guidelines below. I would cut them in half (12 hours) looking at your situation.

What about the VPN Client screenshots?

If you run internal DNS/WINS servers you can push that info out to the Clients in the Mode Config Record.

I usually push out the Internal DNS as Primary, and a public one 4.2.2.2 as Secondary.

#27
November 16th, 2009, 03:02 PM
Whookie

Okay, I have:
#1 changed both SA-life-times to 43200sec
#2 Assigned 192.168.11.55 as primary DNS and 195.58.160.194 as secondary
#3 Assigned 192.168.11.55 as WINS

And here is the client config:


TIA
Whookie

#28
November 17th, 2009, 02:30 PM
Whookie

Hi once again!
We do have a stable VPN for at least 24 hours. Not to get over-optimistic, but it is a starting point!

I've seen some more spammers from around the world (Italy and Texas) today. Is there a way to send the VPN log entries to an external syslog server? That would allow me some real-time alerts and additional login statistics ....

TIA
Whookie

#29
November 19th, 2009, 12:21 AM
Whookie

Today the Router has locked up again. The VPN log shows:

2009 Nov 19 03:31:18 [FVS338] [IKE] clock skew detected, restarting racoon _
2009 Nov 19 03:31:18 [FVS338] [IKE] Duplicate ID : evkmode_
2009 Nov 19 03:31:18 [FVS338] [IKE] configuration read failed_
2009 Nov 19 08:34:18 [FVS338] [IKE] Could not find configuration for 84.119.42.78[500]_
- Last output repeated 7 times -
2009 Nov 19 08:56:43 [FVS338] [IKE] Could not find configuration for 85.126.245.162[500]_

And there is no way in except to change a parameter in the IKE policy (see first post).

I hope there is a way to get this going ... I had promised to get the thing working and therefore locked out our VPN users, but they are getting a bit angry lately and I'm not sure what to do anymore. Resetting and manually entering the configuration seems to have had no effect on my phenomenon.

TIA
Whookie
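
The sequence visible in both log excerpts in this thread (racoon restarts after a clock skew, the configuration read fails, and every later peer gets "Could not find configuration") can be flagged automatically once the lines reach a log collector. This is an added example, not part of the original posts: the time window, the reading of the "repeated N times" line, and the placeholder peer addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in this thread; the peer
# addresses are documentation-range placeholders, not values from the posts.
SAMPLE = """\
2009 Nov 19 03:31:18 [FVS338] [IKE] clock skew detected, restarting racoon _
2009 Nov 19 03:31:18 [FVS338] [IKE] Duplicate ID : evkmode_
2009 Nov 19 03:31:18 [FVS338] [IKE] configuration read failed_
2009 Nov 19 08:34:18 [FVS338] [IKE] Could not find configuration for 192.0.2.78[500]_
- Last output repeated 7 times -
2009 Nov 19 08:56:43 [FVS338] [IKE] Could not find configuration for 198.51.100.162[500]_
"""

LINE = re.compile(r"^(\d{4} \w{3} +\d{1,2} [\d:]{8}) \[[^\]]+\] \[IKE\] (.*?)\s*_?\s*$")
REPEAT = re.compile(r"^- Last output repeated (\d+) times -$")
NO_CONF = re.compile(r"^Could not find configuration for (\S+)\[\d+\]$")
WINDOW_S = 5  # assumed: restart and read failure are logged within seconds


def find_lockups(text):
    """Return one episode per racoon restart followed by a config read failure."""
    episodes, current, restart_at, last_peer = [], None, None, None
    for raw in text.splitlines():
        raw = raw.strip()
        rep = REPEAT.match(raw)
        if rep:
            # Assumed semantics: the previous line occurred N more times.
            if current is not None and last_peer is not None:
                current["rejected"][last_peer] += int(rep.group(1))
            continue
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
        msg, last_peer = m.group(2), None
        peer = NO_CONF.match(msg)
        if "restarting racoon" in msg:
            current, restart_at = None, ts  # a new daemon start ends any episode
        elif msg == "configuration read failed" and restart_at is not None:
            if (ts - restart_at).total_seconds() <= WINDOW_S:
                current = {"start": restart_at, "rejected": {}}
                episodes.append(current)
            restart_at = None
        elif peer and current is not None:
            last_peer = peer.group(1)
            current["rejected"][last_peer] = current["rejected"].get(last_peer, 0) + 1
    return episodes


if __name__ == "__main__":
    for ep in find_lockups(SAMPLE):
        total = sum(ep["rejected"].values())
        print(f"ALERT racoon has no config since {ep['start']}: "
              f"{total} IKE requests dropped from {sorted(ep['rejected'])}")
```

Rejections that follow a restart without a "configuration read failed" line are ignored, so ordinary unknown-peer probes do not raise the alert.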

#30
November 19th, 2009, 04:54 AM
adit

Based on the screenshots it's hard to tell what they are from.

The VPN Clients should not be able to connect. The VPN Client Security Policy does not have PFS enabled w/ Group 2.
All times are GMT -8. The time now is 09:17 AM.