techsolutionusa asked:
FVG318 No matching SPD policy for the selectors received in IKE phase-II message

I have a Netgear FVG318 and am trying to connect using the ProSafe client, but I'm getting the following in the VPN router log:

 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Started phase-I negotiation
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: received NOTIFY PAYLOAD of notify type INITIAL_CONTACT
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: IKE phase-I started
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Initiator SPD selectors received: IPADDR, 192.168.1.101, proto 0, port 0
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Responder SPD selectors received: IP SUBNET, 192.168.0.0, mask 32 proto 0, port 0
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: No matching SPD policy for the selectors received in IKE phase-II message
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: IKE phase-II with message ID f0bc50e4 failed

and the log file of the ProSafe client is:

 8-01: 13:45:16.437 No Interfaces detected.
 8-01: 13:45:17.750 Filter table loaded.
 8-01: 13:45:40.265 Interface added: 192.168.1.101/255.255.255.0 on LAN "Intel(R) PRO/Wireless 2200BG Network Connection".
 8-01: 14:27:02.578 Filter table loaded.
 8-01: 14:27:33.593 Filter table loaded.
 8-01: 14:27:49.187
 8-01: 14:27:49.328 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=xx.xx.xxx.xx) (static address of the site)
 8-01: 14:27:49.468 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 8-01: 14:27:50.421 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 2x, VID 2x)
 8-01: 14:27:50.421 My Connections\New Connection - Peer is NAT-T draft-02 capable
 8-01: 14:27:50.421 My Connections\New Connection - NAT is detected for Client
 8-01: 14:27:50.421 My Connections\New Connection - Floating to IKE non-500 port
 8-01: 14:27:50.671 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
 8-01: 14:27:50.671 My Connections\New Connection - Established IKE SA
 8-01: 14:27:50.671    MY COOKIE 62 a0 c5 fc 2a 58 9b 53
 8-01: 14:27:50.671    HIS COOKIE 9c 37 22 1c 21 57 c0 cf
 8-01: 14:27:50.703 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: F0BC50E4)
 8-01: 14:27:50.703   Initiator = IP ADDR=192.168.1.101, prot = 0 port = 0
 8-01: 14:27:50.703   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.255, prot = 0 port = 0
 8-01: 14:27:50.703 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 8-01: 14:28:36.031 My Connections\New Connection - QM re-keying timed out (message id: F0BC50E4). Retry count: 1
 8-01: 14:28:36.031 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 8-01: 14:29:21.046 My Connections\New Connection - Exceeded 1 re-keying attempts (message id: F0BC50E4)
 8-01: 14:29:21.046 My Connections\New Connection - Disconnecting IKE SA negotiation
 8-01: 14:29:21.046 My Connections\New Connection - Deleting IKE SA (IP ADDR=xx.xx.xxx.xx)
 8-01: 14:29:21.046    MY COOKIE 62 a0 c5 fc 2a 58 9b 53
 8-01: 14:29:21.046    HIS COOKIE 9c 37 22 1c 21 57 c0 cf
 8-01: 14:29:21.046 My Connections\New Connection - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

It looks like it fails in Phase 2.

I have set the client software to the following:
New Connection:
Secure
Remote Party Identity and addressing
IP Subnet
192.168.0.0
255.255.255.0
Protocol: all
Connect using Secure Gateway Tunnel
Domain name: fvg_local.com
Gateway IP address: (my static IP)
ASKER CERTIFIED SOLUTION (Rob Williams): solution text available to Experts Exchange members only.
techsolutionusa (asker):

Tried that, still the same. I must be missing something.
Did you compare your client and router configurations to the one in the sample above?
That error usually means the IPSec security policies do not match.

From the log:
---
8-01: 14:27:50.703   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.255, prot = 0 port = 0
---

Your client configuration:
----
IP Subnet
192.168.0.0
255.255.255.0
---

Hope this helps.
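As an added example (not part of this thread, and not Netgear or ProSafe code), the check below reads the Phase 2 selector lines from both logs quoted above, normalises them to CIDR networks, and compares the responder selector against the router's local policy. The router policy 192.168.0.0/24 is an assumption for the example; the FVG318 log writes the mask as a prefix length ("mask 32") while the client writes a dotted mask (255.255.255.255), and both describe the same single-host selector, which is what the router rejects. Protocol and port (both 0 here) are not compared.

```python
import ipaddress
import re

# Constructed sample input, shaped like the router and client log lines quoted above.
ROUTER_LOG = """\
INFO :: Initiator SPD selectors received: IPADDR, 192.168.1.101, proto 0, port 0
INFO :: Responder SPD selectors received: IP SUBNET, 192.168.0.0, mask 32 proto 0, port 0
INFO :: No matching SPD policy for the selectors received in IKE phase-II message
"""
CLIENT_LOG = """\
  Initiator = IP ADDR=192.168.1.101, prot = 0 port = 0
  Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.255, prot = 0 port = 0
"""

# Assumed (hypothetical) router-side policy: the LAN behind the FVG318 is 192.168.0.0/24.
ROUTER_POLICY_LOCAL = ipaddress.ip_network("192.168.0.0/24")

# Router log: "IPADDR, a.b.c.d" or "IP SUBNET, a.b.c.d, mask N" (N is a prefix length)
ROUTER_RE = re.compile(
    r"(Initiator|Responder) SPD selectors received: (IPADDR|IP SUBNET), ([\d.]+)(?:, mask (\d+))?"
)
# Client log: "IP ADDR=a.b.c.d" or "IP SUBNET/MASK=a.b.c.d/m.m.m.m" (dotted mask)
CLIENT_RE = re.compile(
    r"(Initiator|Responder) = IP (?:ADDR=([\d.]+)|SUBNET/MASK=([\d.]+)/([\d.]+))"
)


def parse_router_selectors(text):
    """Map 'initiator'/'responder' to the IPv4 network each selector describes (hosts become /32)."""
    sel = {}
    for role, kind, addr, mask in ROUTER_RE.findall(text):
        cidr = f"{addr}/32" if kind == "IPADDR" else f"{addr}/{mask}"
        sel[role.lower()] = ipaddress.ip_network(cidr, strict=False)
    return sel


def parse_client_selectors(text):
    """Same normalisation for the ProSafe client's Phase 2 log lines."""
    sel = {}
    for role, host, net, mask in CLIENT_RE.findall(text):
        cidr = f"{host}/32" if host else f"{net}/{mask}"  # ipaddress accepts dotted masks
        sel[role.lower()] = ipaddress.ip_network(cidr, strict=False)
    return sel


def check_phase2(selectors, policy_local):
    """Return a list of findings; an empty list means the responder selector matches the policy."""
    findings = []
    resp = selectors.get("responder")
    if resp is None:
        return ["no responder selector found in log"]
    if resp != policy_local:
        findings.append(f"responder selector {resp} does not match router policy {policy_local}")
        if resp.prefixlen == 32 and policy_local.prefixlen < 32:
            findings.append("client proposed a single host (/32) where the router expects a subnet; "
                            "check the subnet mask under Remote Party Identity")
    return findings


if __name__ == "__main__":
    router = parse_router_selectors(ROUTER_LOG)
    client = parse_client_selectors(CLIENT_LOG)
    assert router == client, "the two ends disagree on what was proposed"
    for finding in check_phase2(client, ROUTER_POLICY_LOCAL):
        print("MISMATCH:", finding)
```

Replacing the client's dotted mask with 255.255.255.0 makes the responder selector equal to the assumed /24 policy and the check returns no findings, which is the configuration fix the thread converges on.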
Thanks RobWill.

It worked now. I assume I just create multiple ones for each user that will be connecting via VPN. Now that I am connected I can ping via IP address, but when I try to map via name it will not map; it maps using the IP address. Any suggestions?
You can export that policy from the client and save it. This makes it very easy to configure for the next user, by just importing. You can use the same policy/tunnel for every user, or you can create one for each user, if not too many. The only advantage of the latter is you can disable access from the router end, if one of your users leaves the company. You can always change the pass-phrase as well.

Name resolution over a VPN can be a problem. First on the router, in the VPN configuration, there is an option to enable NetBIOS names. Check that.
You can also choose to enable the virtual adapter in the client's security policy, reboot the machine, and then under Network Connections you will see the virtual adapter. Within that you can add the domain suffix under WINS, as well as your DNS and WINS server IPs.
Then there are the non- Netgear options:

NetBIOS names (computer names) are not broadcast over most VPNs.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using
 Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit Enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks, like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding the LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is that you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try some of the following options:
3) If you have a WINS server, add that to the network card's configuration.
4) Also under the WINS configuration on the network adapter, make sure NetBIOS over TCP/IP is selected.
5) Try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration.
6) Verify your router does not have a "block NetBIOS broadcast" option enabled.
7) Test if you can connect with the full computer and domain name, as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [right-click virtual adapter | Properties | TCP/IP Properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add].

Thanks techsolutionusa.
Cheers !
--Rob
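As an added example (not from the thread, and not Microsoft or Netgear tooling), the helper below builds an LMHosts file from a name-to-address map and checks a pasted file against the pitfalls listed in option 2 above: a bad address, a name longer than the 15-character NetBIOS limit, a last line with no trailing newline, and a file saved with an extension or outside System32\Drivers\Etc. The name check (letters, digits and hyphens only) is an assumption of this example and is stricter than NetBIOS itself allows; the sample hosts are constructed.

```python
import ipaddress
import re

NETBIOS_NAME_MAX = 15  # NetBIOS computer names are limited to 15 characters
# Assumption for this check: only letters, digits and hyphens (stricter than NetBIOS allows).
NAME_RE = re.compile(r"[A-Za-z0-9\-]{1,15}")


def lmhosts_entry(ip, name, preload=True):
    """Return one LMHosts line; raise ValueError for an address or name Windows would not resolve."""
    ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on a malformed address
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid NetBIOS name {name!r} (1-{NETBIOS_NAME_MAX} chars)")
    line = f"{ip}\t{name.upper()}"
    return line + "\t#PRE" if preload else line  # #PRE: preload the entry into the name cache


def build_lmhosts(hosts):
    """hosts: {name: ip}. Every entry is newline-terminated, including the last one."""
    lines = ["# generated LMHosts file; reload the name cache with: nbtstat -R"]
    lines += [lmhosts_entry(ip, name) for name, ip in hosts.items()]
    return "\n".join(lines) + "\n"


def parse_lmhosts(text):
    """Return ({NAME: ip}, warnings). A line starting with '#' is a comment; #PRE after an entry is a keyword."""
    entries, warnings = {}, []
    if text and not text.endswith("\n"):
        warnings.append("last entry is not newline-terminated (press Enter after each line)")
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or comment line
        ip, name = parts[0], parts[1] if len(parts) > 1 else ""
        try:
            lmhosts_entry(ip, name)
        except ValueError as err:
            warnings.append(f"line {lineno}: {err}")
            continue
        entries[name.upper()] = ip
    return entries, warnings


def check_lmhosts_path(path):
    """The file must be named exactly 'lmhosts' (no extension) inside System32\\Drivers\\Etc."""
    parts = path.replace("\\", "/").lower().split("/")
    problems = []
    if parts[-1] != "lmhosts":
        problems.append(f"file name must be 'lmhosts' with no extension, got {parts[-1]!r}")
    if parts[-4:-1] != ["system32", "drivers", "etc"]:
        problems.append("file is not in System32\\Drivers\\Etc")
    return problems


if __name__ == "__main__":
    # Constructed sample hosts on the remote LAN discussed above.
    text = build_lmhosts({"CompName": "192.168.0.101", "FileSrv": "192.168.0.10"})
    print(text, end="")
    print(parse_lmhosts(text))
    print(check_lmhosts_path(r"C:\Windows\System32\drivers\etc\LMHosts.txt"))
```

After writing the file, `nbtstat -R` purges and reloads the NetBIOS name cache so the #PRE entries take effect without a reboot.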