Solved

VPN Tunnel through Gateway

Posted on 2008-10-27
6
2,197 Views
Last Modified: 2010-04-21
I am trying to set up a VPN Tunnel from our home office to a remote office, but have been unable to get it working.
The home office has a Linksys RVS4000 that has two existing tunnels.
The remote office in Australia has a BigPond Wireless Home Gateway 7.2.  The Gateway
does not have VPN capability.   I have a Linksys RVS4000 connected to the gateway with
a static ip address of 10.0.0.10.  In the gateway, I have configured the DMZ host as 10.0.0.10.

I have confirmed the VPN settings on both routers match up.  

This is the log from the remote router:
2008-10-28 01:37:35      Kernel.Warning      192.168.5.1      Oct 27 06:34:17 192.168.5.1 [VPN Log]: "california" #2: initiating Main Mode
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [Openswan (this version) cvs2006Jan12_11:29:56  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [Dead Peer Detection]
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: received Vendor ID payload [RFC 3947] method set to=109
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: enabling possible NAT-traversal with method 3
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
2008-10-28 01:37:36      Kernel.Warning      192.168.5.1      Oct 27 06:34:18 192.168.5.1 [VPN Log]: "california" #2: STATE_MAIN_I2: sent MI2, expecting MR2
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: I did not send a certificate because I do not have one.
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: NAT-Traversal: Result using 3: i am NATed
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: STATE_MAIN_I3: sent MI3, expecting MR3
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message
2008-10-28 01:37:48      Kernel.Warning      192.168.5.1      Oct 27 06:34:30 192.168.5.1 [VPN Log]: "california" #2: discarding duplicate packet; already STATE_MAIN_I3
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: discarding duplicate packet; already STATE_MAIN_I3
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
2008-10-28 01:38:10      Kernel.Warning      192.168.5.1      Oct 27 06:34:52 192.168.5.1 [VPN Log]: "california" #2: received and ignored informational message

This is the log from the home router:

2008-10-27 07:37:34      Kernel.Warning      192.168.1.1      Oct 27 07:37:28 192.168.1.1 do_bindings: helper existing for (c3449940)
2008-10-27 07:37:34      Kernel.Warning      192.168.1.1      Oct 27 07:37:28 192.168.1.1 do_bindings:813 exp list is EMPTY!!!!!!!!!!!!
2008-10-27 07:37:35      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [Access Log]I TCP Packet - 125.122.6.136:4272 --> 192.168.1.26:25
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [Openswan (this version) cvs2006Jan12_11:29:56  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [Dead Peer Detection]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [RFC 3947] method set to=109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: responding to Main Mode
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: STATE_MAIN_R1: sent MR1, expecting MI2
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:30 192.168.1.1 [Access Log]I TCP Packet - 192.168.3.2:4703 --> 192.168.1.233:445
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:30 192.168.1.1 [Access Log]I TCP Packet - 192.168.3.2:4704 --> 192.168.1.233:139
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: NAT-Traversal: Result using 3: peer is NATed
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: STATE_MAIN_R2: sent MR2, expecting MI3
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
2008-10-27 07:37:44      Kernel.Warning      192.168.1.1      Oct 27 07:37:37 192.168.1.1 [Access Log]I TCP Packet - 84.55.207.1:2600 --> 192.168.1.26:25
2008-10-27 07:37:45      Kernel.Warning      192.168.1.1      Oct 27 07:37:38 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1378 --> 66.173.241.253:80
2008-10-27 07:37:45      Kernel.Warning      192.168.1.1      Oct 27 07:37:39 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1379 --> 66.173.241.253:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1380 --> 66.173.240.151:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1381 --> 66.173.240.151:80
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O UDP Packet - 192.168.1.3:62626 --> 74.125.45.9:53
2008-10-27 07:37:46      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1382 --> 74.125.19.127:80
2008-10-27 07:37:47      Kernel.Warning      192.168.1.1      Oct 27 07:37:40 192.168.1.1 [Access Log]O TCP Packet - 192.168.1.179:1383 --> 66.173.240.151:80
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:48      Kernel.Warning      192.168.1.1      Oct 27 07:37:41 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
2008-10-27 07:37:49      Kernel.Warning      192.168.1.1      Oct 27 07:37:43 192.168.1.1 do_bindings: helper existing for (c34487e0)

0
Comment
Question by:fcadmin
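The two logs above tell the story from both ends: the Australia router negotiates NAT-T ("i am NATed"), then presents its LAN address 10.0.0.10 as its IKE Main Mode identity, and the home router, which has no connection configured for that ID, answers with INVALID_ID_INFORMATION. The following script is an added example (not from the original post or from Linksys) that parses Openswan/pluto-style `[VPN Log]` lines from both routers and flags exactly that failure pattern, so an admin watching syslog can tell an ID mismatch apart from a pre-shared-key or proposal problem. The sample log lines are copied from the question; the parsing regex, function names and verdict wording are my assumptions about the RVS4000 log format as shown here.

```python
import ipaddress
import re

# Constructed sample input: VPN-related lines copied from the two RVS4000 logs
# quoted in the question (home/responder side and Australia/initiator side).
HOME_LOG = """\
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: packet from 58.170.198.24:500: received Vendor ID payload [RFC 3947] method set to=109
2008-10-27 07:37:36      Kernel.Warning      192.168.1.1      Oct 27 07:37:29 192.168.1.1 [VPN Log]: "Australia" #18: responding to Main Mode
2008-10-27 07:37:37      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: NAT-Traversal: Result using 3: peer is NATed
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: no suitable connection for peer '10.0.0.10'
2008-10-27 07:37:38      Kernel.Warning      192.168.1.1      Oct 27 07:37:31 192.168.1.1 [VPN Log]: "Australia" #18: sending encrypted notification INVALID_ID_INFORMATION to 58.170.198.24:500
"""

REMOTE_LOG = """\
2008-10-28 01:37:35      Kernel.Warning      192.168.5.1      Oct 27 06:34:17 192.168.5.1 [VPN Log]: "california" #2: initiating Main Mode
2008-10-28 01:37:37      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: NAT-Traversal: Result using 3: i am NATed
2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION
"""

# Assumed line shape (matches the lines above): a syslog timestamp, then a
# "[VPN Log]: " marker followed either by a per-connection prefix ("name" #sa:)
# or, before a connection is chosen, by "packet from ip:port:".
VPN_RE = re.compile(
    r'^(?P<ts>\S+ \S+).*\[VPN Log\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): |packet from (?P<src>[\d.]+):\d+: )'
    r'(?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"peer ID is ID_IPV4_ADDR: '(?P<id>[\d.]+)'")


def parse_vpn_log(text):
    """One dict per [VPN Log] line; access-log and do_bindings noise is skipped."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def diagnose(text):
    """Summarise an IKE Main Mode attempt from one router's log."""
    report = {
        "role": None,                  # "responder" or "initiator"
        "peer_public_ip": None,        # address the IKE packets actually came from
        "peer_id": None,               # identity the peer asserted in Main Mode
        "peer_id_is_private": False,   # RFC 1918 ID usually means a NATed peer
        "nat_detected": False,         # NAT-T probe said someone is behind NAT
        "id_rejected": False,          # responder had no connection for that ID
        "invalid_id_received": False,  # initiator got INVALID_ID_INFORMATION back
    }
    for ev in parse_vpn_log(text):
        msg = ev["msg"]
        if ev["src"]:
            report["peer_public_ip"] = ev["src"]
        if "responding to Main Mode" in msg:
            report["role"] = "responder"
        elif "initiating Main Mode" in msg:
            report["role"] = "initiator"
        if "NAT-Traversal: Result" in msg and "NATed" in msg:
            report["nat_detected"] = True
        m = PEER_ID_RE.search(msg)
        if m:
            report["peer_id"] = m.group("id")
            report["peer_id_is_private"] = ipaddress.ip_address(m.group("id")).is_private
        if msg.startswith("no suitable connection for peer"):
            report["id_rejected"] = True
        if "ignoring informational payload" in msg and "INVALID_ID_INFORMATION" in msg:
            report["invalid_id_received"] = True
    report["verdict"] = verdict(report)
    return report


def verdict(r):
    """Turn the collected flags into a one-line explanation for the admin."""
    if r["role"] == "responder" and r["id_rejected"]:
        if r["peer_id_is_private"] and r["nat_detected"]:
            return (f"ID mismatch: NATed peer at {r['peer_public_ip']} identified itself "
                    f"as private address {r['peer_id']}, and no connection is configured "
                    "for that identity. Either set the remote end's IKE identity to its "
                    "public address, or configure this end to expect the private ID.")
        return f"ID mismatch: no connection configured for peer ID {r['peer_id']}."
    if r["role"] == "initiator" and r["invalid_id_received"]:
        return ("Rejected by responder with INVALID_ID_INFORMATION; "
                "check the responder's log for the identity it saw.")
    return "No IKE identity problem detected."


if __name__ == "__main__":
    for name, log in (("home", HOME_LOG), ("remote", REMOTE_LOG)):
        print(name, diagnose(log)["verdict"])
```

Run against the home log this reports the NATed-peer ID mismatch, naming 58.170.198.24 as the real source and 10.0.0.10 as the asserted identity; against the remote log it reports only that the responder rejected the ID, which is why the remote side's log alone is not enough to see the cause.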
6 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 22816691
Not really played with either model, however, I can talk about the basics.

If I understand right, you have 1 side with a full VPN capable router and the other side with a VPN capable router BEHIND another non VPN gateway in Oz?

If that's correct, have you statically NATted the VPN device in Oz to be publicly accessible to the main device?  I think that this may be your main issue.

Both nodes need to be able to talk to each other somehow else no VPN traffic will be sent and no tunnel will come up.

When reading the Oz logs, there appears to be an ID info error:

2008-10-28 01:37:38      Kernel.Warning      192.168.5.1      Oct 27 06:34:20 192.168.5.1 [VPN Log]: "california" #2: ignoring informational payload, type INVALID_ID_INFORMATION

The ID info relates to the SA negotiated at phase 2, which will include VPN device IP address and VPN subnet (for both ends).

Double check these also.
0
 

Author Comment

by:fcadmin
ID: 22817829
Yes, the root of the problem is the VPN device is reporting its address as 10.0.0.10 rather than
the public address.  I am not sure how to get it to use the public address.
0
 
LVL 18

Expert Comment

by:deimark
ID: 22819659
Not sure if statically NATing the host through the Oz gateway will change the ID as presented across the VPN, I think you may need to try and get the Oz VPN with a public IP if possible.

AFAIK, if a VPN device is NATted behind a public address upstream, you need to modify the VPN properties to send the public address across to the other VPN end point.  The only FW I have experience in setting this up with is Check Point VPN-1 systems, so not sure if your setup will allow it.
0
 

Author Comment

by:fcadmin
ID: 22821254
Thank you for your input.  I was unable to get a public static IP.

Did the Check Point system allow this type of setup: VPN behind a gateway?

I'll continue to review all of the settings and look for another way to get this VPN set up.


0
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 22822677
Yup, Check Point allowed the admin to set a specific IP to be used in VPN negotiations, where the specific IP was the public IP natted to the VPN endpoint.

I would be surprised if Check Point were the only ones to allow this feature but as I am not familiar with your hardware, I can't comment on that.  Sorry bud.
0
 

Author Closing Comment

by:fcadmin
ID: 31510377
Thank you for your time and input.  
0

Question has a verified solution.