Solved

VPN Tunnel through Gateway

Posted on 2008-10-27
Last Modified: 2010-04-21
I am trying to set up a VPN tunnel from our home office to a remote office, but have been unable to get it working.
The home office has a Linksys RVS4000 that has two existing tunnels.
The remote office in Australia has a BigPond Wireless Home Gateway 7.2.  The gateway
does not have VPN capability.   I have a Linksys RVS4000 connected to the gateway with
a static IP address of 10.0.0.10.  In the gateway, I have configured the DMZ host as 10.0.0.10.

I have confirmed the VPN settings on both routers match up.

This is the log from the remote router:
2008-10-28 01:37:35      Kernel.Warning      192.168.5.1      Oct 27 06:34:17 192.168.5.1 [VPN Log]: "california" #2: initiating Main Mode
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [Openswan (this version) cvs2006Jan12_11:29:56  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [Dead Peer Detection]
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [RFC 3947] method set to=109
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: enabling possible NAT-traversal with method 3
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: STATE_MAIN_I2: sent MI2, expecting MR2
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: I did not send a certificate because I do not have one.
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: NAT-Traversal: Result using 3: i am NATed
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: STATE_MAIN_I3: sent MI3, expecting MR3
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: discarding duplicate packet; already STATE_MAIN_I3
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: discarding duplicate packet; already STATE_MAIN_I3
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message

This is the log from the home router:

2008-10-27 07:37:34      Kernel.Warning      192.168.1.1      Oct 27 07:37:28 192.168.1.1 do_bindings: helper existing for (c3449940)
2008-10-27 07:37:34      Kernel.Warning      192.168.1.1      Oct 27 07:37:28 192.168.1.1 do_bindings:813 exp list is EMPTY!!!!!!!!!!!!
2008-10-27 07:37:35      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [Access Log]I TCP Packet - 125.122.6.136:4272 --> 192.168.1.26:25
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [Openswan (this version) cvs2006Jan12_11:29:56  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [Dead Peer Detection]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [RFC 3947] method set to=109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: responding to Main Mode
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: STATE_MAIN_R1: sent MR1, expecting MI2
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:30 192.168.1.1 [Access Log]I TCP Packet - 192.168.3.2:4703 --> 192.168.1.233:445
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:30 192.168.1.1 [Access Log]I TCP Packet - 192.168.3.2:4704 --> 192.168.1.233:139
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: NAT-Traversal: Result using 3: peer is NATed
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: STATE_MAIN_R2: sent MR2, expecting MI3
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
2008-10-27 07:37:44      Kernel.Warning      192.168.1.1      Oct 27 07:37:37 192.168.1.1 [Access Log]I TCP Packet - 84.55.207.1:2600 --> 192.168.1.26:25
2008-10-27 07:37:45      Kernel.Warning      192.168.1.1      Oct 27 07:37:38 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1378 --> 66.173.241.253:80
2008-10-27 07:37:45      Kernel.Warning      192.168.1.1      Oct 27 07:37:39 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1379 --> 66.173.241.253:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1380 --> 66.173.240.151:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1381 --> 66.173.240.151:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O UDP Packet - 192.168.1.3:62626 --> 74.125.45.9:53
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1382 --> 74.125.19.127:80
2008-10-27 07:37:47      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1383 --> 66.173.240.151:80
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
2008-10-27 07:37:49      Kernel.Warning      192.168.1.1      Oct 27 07:37:43 192.168.1.1 do_bindings: helper existing for (c34487e0)

Question by:fcadmin

6 Comments
Expert Comment

by:deimark
Not really played with either model, however, I can talk about the basics.

If I understand right, you have one side with a full VPN-capable router and the other side with a VPN-capable router BEHIND another non-VPN gateway in Oz?

If that's correct, have you statically NATed the VPN device in Oz to be publicly accessible to the main device?  I think that this may be your main issue.

Both nodes need to be able to talk to each other somehow, else no VPN traffic will be sent and no tunnel will come up.

When reading the Oz logs, there appears to be an ID info error:

2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION

The ID info relates to the SA negotiated at phase 2, which will include VPN device IP address and VPN subnet (for both ends).

Double check these also.
Author Comment

by:fcadmin
Yes, the root of the problem is the VPN device is reporting its address as 10.0.0.10 rather than
the public address.  I am not sure how to get it to use the public address.
Expert Comment

by:deimark
Not sure if statically NATing the host through the Oz gateway will change the ID as presented across the VPN; I think you may need to try and get the Oz VPN a public IP if possible.

AFAIK, if a VPN device is NATed behind a public address upstream, you need to modify the VPN properties to send the public address across to the other VPN end point.  The only FW I have experience in setting this up with is Check Point VPN-1 systems, so not sure if your setup will allow it.
Author Comment

by:fcadmin
Thank you for your input.  I was unable to get a public static IP.

Did the Check Point system allow this type of setup: VPN behind a gateway?

I'll continue to review all of the settings and look for another way to get this VPN set up.


Accepted Solution

by: deimark (earned 500 total points)
Yup, Check Point allowed the admin to set a specific IP to be used in VPN negotiations, where the specific IP was the public IP NATed to the VPN endpoint.

I would be surprised if Check Point were the only ones to allow this feature, but as I am not familiar with your hardware, I can't comment on that.  Sorry bud.
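The two logs quoted in the question already show the failure the accepted answer is describing. On the home router the "Australia" connection is selected by the packet's source address, 58.170.198.24, because in Main Mode with a pre-shared key the responder must pick the connection (and its PSK) before it sees the peer's identity; the identity itself only arrives encrypted in MI3, and the remote RVS4000 sends ID_IPV4_ADDR 10.0.0.10, its private DMZ-hosted address. No connection expects that ID, so pluto answers "no suitable connection" and INVALID_ID_INFORMATION, and the initiator stalls in STATE_MAIN_I3. The following is an added example, not code from the thread, from Linksys or from Openswan: it parses the syslog-wrapped `[VPN Log]:` lines both routers emit, works out each side's role, NAT-T result and presented ID, and states the mismatch. The sample lines are copied from the two logs in the question; the remedy wording in the verdict (a fixed remote identity, `leftid=`/`rightid=`) is generic Openswan terminology, not an RVS4000 setting, which the thread does not document.

```python
"""Diagnose an IKEv1 Main Mode identity mismatch from Openswan 'pluto' log lines.

Added example: not code from the thread, from Linksys or from Openswan. It
parses the syslog-wrapped '[VPN Log]:' format the RVS4000 emits in the posted
logs; the sample lines below are copied from the question.
"""
import ipaddress
import re

# Everything after '[VPN Log]: ' is the pluto message; other lines are noise.
PLUTO_MSG = re.compile(r"\[VPN Log\]:\s*(?P<msg>.*)$")
# Pre-SA messages are keyed by source address; SA messages by "conn" #n.
RE_PACKET_FROM = re.compile(r"^packet from (?P<ip>[\d.]+):\d+:")
RE_STATE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<rest>.*)$')
RE_NAT_RESULT = re.compile(r"NAT-Traversal: Result using \d+: (?P<who>peer is NATed|i am NATed)")
RE_PEER_ID = re.compile(r"Main mode peer ID is (?P<kind>\w+): '(?P<id>[^']+)'")
RE_NO_CONN = re.compile(r"no suitable connection for peer '")
RE_SEND_INVALID = re.compile(r"sending encrypted notification INVALID_ID_INFORMATION to (?P<ip>[\d.]+):\d+")
RE_RECV_INVALID = re.compile(r"ignoring informational payload, type INVALID_ID_INFORMATION")


def parse_vpn_messages(lines):
    """Yield (conn, sa, message); conn and sa are None for pre-SA messages."""
    for line in lines:
        m = PLUTO_MSG.search(line)
        if not m:
            continue  # access-log entries, kernel helper chatter, etc.
        msg = m.group("msg")
        s = RE_STATE.match(msg)
        if s:
            yield s.group("conn"), int(s.group("sa")), s.group("rest")
        else:
            yield None, None, msg


def diagnose(lines):
    """Summarise phase 1 from one router's log and explain a failed ID check."""
    r = {"role": None, "conn": None, "peer_addr": None, "peer_id": None,
         "peer_id_kind": None, "nat": None, "id_rejected": False}
    for conn, _sa, msg in parse_vpn_messages(lines):
        if conn:
            r["conn"] = conn
        if m := RE_PACKET_FROM.match(msg):
            r["peer_addr"] = m.group("ip")  # address actually seen on the wire
        elif m := RE_NAT_RESULT.search(msg):
            r["nat"] = m.group("who")
        elif "responding to Main Mode" in msg:
            r["role"] = "responder"
        elif "initiating Main Mode" in msg:
            r["role"] = "initiator"
        elif m := RE_PEER_ID.search(msg):
            r["peer_id_kind"], r["peer_id"] = m.group("kind"), m.group("id")
        elif RE_NO_CONN.search(msg) or RE_RECV_INVALID.search(msg):
            r["id_rejected"] = True
        elif m := RE_SEND_INVALID.search(msg):
            r["id_rejected"] = True
            r["peer_addr"] = r["peer_addr"] or m.group("ip")
    r["verdict"] = _verdict(r)
    return r


def _verdict(r):
    if not r["id_rejected"]:
        return "ok"
    if r["role"] == "initiator":
        # The initiator only learns that its ID was refused; detail is on the responder.
        return ("peer answered INVALID_ID_INFORMATION: the ID this box sends in MI3 "
                "is not what the peer expects (check the responder's log)")
    pid, kind, src = r["peer_id"], r["peer_id_kind"], r["peer_addr"]
    if pid and kind == "ID_IPV4_ADDR" and src and pid != src:
        if ipaddress.ip_address(pid).is_private:
            # Classic NAT symptom: private interface address used as the identity.
            return (f"peer ({r['nat']}) identified itself as private address {pid} but its "
                    f"packets arrive from {src}; no connection expects that ID. Make the peer "
                    f"send {src} (or a name-based ID) as its identity and configure this side "
                    f"to expect it, e.g. rightid={src} in Openswan terms")
    return f"no connection matches peer ID {pid!r} from {src}"


# Sample input: lines copied from the home (responder) log in the question.
HOME_LOG = """\
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [RFC 3947] method set to=109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: responding to Main Mode
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:30 192.168.1.1 [Access Log]I TCP Packet - 192.168.3.2:4703 --> 192.168.1.233:445
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: NAT-Traversal: Result using 3: peer is NATed
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
""".splitlines()

# Sample input: lines copied from the remote (initiator) log in the question.
REMOTE_LOG = """\
2008-10-28 01:37:35      Kernel.Warning      192.168.5.1      Oct 27 06:34:17 192.168.5.1 [VPN Log]: "california" #2: initiating Main Mode
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: NAT-Traversal: Result using 3: i am NATed
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: STATE_MAIN_I3: sent MI3, expecting MR3
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
""".splitlines()

if __name__ == "__main__":
    for name, log in (("home", HOME_LOG), ("remote", REMOTE_LOG)):
        d = diagnose(log)
        print(f"{name}: role={d['role']} conn={d['conn']} nat={d['nat']}\n  {d['verdict']}")
```

The responder's log is the one worth reading: the initiator only sees its own identity refused, which is why the remote router's log looks like a stall at STATE_MAIN_I3 with repeated "ignoring informational payload". The private-address check is the tell for the NAT case; an ID_FQDN or ID_USER_FQDN identity would not trip it, which is also why a name-based identity is the usual way to make a NATed peer's ID independent of whatever address it happens to sit on.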
Author Closing Comment

by:fcadmin
Thank you for your time and input.  