Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2672
  • Last Modified:

FVG318 No matching SPD policy for the selectors received in IKE phase-II message

I have a FVG318 netgear and trying to connect using the prosafe client but im getting the following from the VPN Router Log:

 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Started phase-I negotiation
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: received NOTIFY PAYLOAD of notify type INITIAL_CONTACT
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: IKE phase-I started
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Initiator SPD selectors received: IPADDR, 192.168.1.101, proto 0, port 0
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: Responder SPD selectors received: IP SUBNET, 192.168.0.0, mask 32 proto 0, port 0
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: No matching SPD policy for the selectors received in IKE phase-II message
 Init Cookie: 0x62a0c5fc2a589b53 & Resp Cookie: 0x9c37221c2157c0cf INFO :: IKE phase-II with message ID f0bc50e4 failed

and the Log file of the prosafe is:

 8-01: 13:45:16.437 No Interfaces detected.
 8-01: 13:45:17.750 Filter table loaded.
 8-01: 13:45:40.265 Interface added: 192.168.1.101/255.255.255.0 on LAN "Intel(R) PRO/Wireless 2200BG Network Connection".
 8-01: 14:27:02.578 Filter table loaded.
 8-01: 14:27:33.593 Filter table loaded.
 8-01: 14:27:49.187
 8-01: 14:27:49.328 My Connections\New Connection - Initiating IKE Phase 1 (IP ADDR=xx.xx.xxx.xx) (staict address of the site)
 8-01: 14:27:49.468 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 8-01: 14:27:50.421 My Connections\New Connection - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 2x, VID 2x)
 8-01: 14:27:50.421 My Connections\New Connection - Peer is NAT-T draft-02 capable
 8-01: 14:27:50.421 My Connections\New Connection - NAT is detected for Client
 8-01: 14:27:50.421 My Connections\New Connection - Floating to IKE non-500 port
 8-01: 14:27:50.671 My Connections\New Connection - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
 8-01: 14:27:50.671 My Connections\New Connection - Established IKE SA
 8-01: 14:27:50.671    MY COOKIE 62 a0 c5 fc 2a 58 9b 53
 8-01: 14:27:50.671    HIS COOKIE 9c 37 22 1c 21 57 c0 cf
 8-01: 14:27:50.703 My Connections\New Connection - Initiating IKE Phase 2 with Client IDs (message id: F0BC50E4)
 8-01: 14:27:50.703   Initiator = IP ADDR=192.168.1.101, prot = 0 port = 0
 8-01: 14:27:50.703   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.255, prot = 0 port = 0
 8-01: 14:27:50.703 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 8-01: 14:28:36.031 My Connections\New Connection - QM re-keying timed out (message id: F0BC50E4). Retry count: 1
 8-01: 14:28:36.031 My Connections\New Connection - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 8-01: 14:29:21.046 My Connections\New Connection - Exceeded 1 re-keying attempts (message id: F0BC50E4)
 8-01: 14:29:21.046 My Connections\New Connection - Disconnecting IKE SA negotiation
 8-01: 14:29:21.046 My Connections\New Connection - Deleting IKE SA (IP ADDR=xx.xx.xxx.xx)
 8-01: 14:29:21.046    MY COOKIE 62 a0 c5 fc 2a 58 9b 53
 8-01: 14:29:21.046    HIS COOKIE 9c 37 22 1c 21 57 c0 cf
 8-01: 14:29:21.046 My Connections\New Connection - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

its looks like it failes in phase2

I have sent the client software to the following
New Connection:
Secure
Remote Party Identity and addresesing
IP Subnet
192.168.0.0
255.255.255.0
protocal all
connect using Secure Gateway Tunnel
Domain name. fvg_local.com
and Gateway ip address (my static IP)
0
techsolutionusa
Asked:
techsolutionusa
  • 3
  • 2
1 Solution
 
Rob WilliamsCommented:
Sounds like the router configuration is not complete.
Also I have had better luck using ID Type = e-mail address, and just make anything up.
Have a look at the following sample configuration for the FVS318, it should be very similar, at least as far as the configurations:
http://www.lan-2-wan.com/vpns-netgear-sample1.htm
Following FVS318 case study may be helpful as well:
http://www.vpncasestudy.com/casestudy/FVS318/v3/casestudy.html
0
 
techsolutionusaAuthor Commented:
Tried that still the same.. i must be missing something.
0
 
Rob WilliamsCommented:
Did you compare your client and router configurations to the one in the sample above?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
gb-sdcCommented:
That error usually means the IPSec security policies so not match.

From the log:
---
8-01: 14:27:50.703   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.255, prot = 0 port = 0
---

Your client configuration:
----
IP Subnet
192.168.0.0
255.255.255.0
---

Hope this helps.
0
 
techsolutionusaAuthor Commented:
Thanks RobWill

it worked now i assume i just created mutiple ones for each user that will be connecting via vpn. Now that i am connected i can ping via IP address but when i try to map to via name i will not map but it maps using the ip address any suggestions?
0
 
Rob WilliamsCommented:
You can export that policy from the client and save it. This makes it very easy to configure for the next user, by just importing. You can use the same policy/tunnel for every user, or you can create one for each user, if not too many. The only advantage of the latter is you can disable access from the router end, if one of your users leaves the company. You can always change the pass-phrase as well.

Name resolution over a VPN can be a problem. First on the router, in the VPN configuration, there is an option to enable NetBIOS names. Check that.
You can also choose to enable the virtual adapter in the client's security policy, reboot the machine, and then under network connections you will see the virtual adapter. Within that you can add the domain suffix under WINS, as well as your DNS and WINS server IP's.
Then there are the non- Netgear options:

NetBIOS names  (computer names) are not broadcast over most VPN's.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices such as;   \\123.123.123.123\ShareName   or map a drive at a  command prompt using  
 Net  Use  U:  \\123.123.123.123\ShareName
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam , instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension ,when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is you have to maintain a static list of computernames and IP addresses. Also if the remote end uses DHCP assigned IP's it is not a feasible option. Thus in order to be able to use computer names dynamically try to enable with some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]

Thanks techsolutionusa.
Cheers !
--Rob
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now