GeeMoon
Trying to set up VPN client access to a Symantec Gateway Security 320

Last Tech person left no documentation or supporting software - including a possible VPN client.

I have reviewed this document: ftp://ftp.symantec.com/public/english_us_canada/products/symantec_gateway_security/300-Series_2.0/manuals/SGS300_ADM.pdf

All appears to be in order. I even tried to create a new user/shared key.

Since I don't have the original software, I tried Cisco's VPN Client 5.0.04.0300 and Linksys QuickVPN - no success.
Cisco error - 'Secure VPN connection terminated locally by the client. Reason 412'
Linksys error - 'Failed to establish a connection'
I can't seem to be able to view an updated activity log on the Gateway 320.

Does anybody know how I can get the original VPN client software?
Does anybody know how to configure a client to gateway VPN?
ASKER CERTIFIED SOLUTION
Allvirtual
Hello,

You need the following information to connect to the VPN gateway:

VPN gateway IP address
VPN username and password
One time password or security token (where needed)

This means that the server has been configured to allocate an IP range to the security token that you will be using to connect to the gateway.

Thanks.
GeeMoon (ASKER)

Thanks for the heads-up on the NCP client, Allvirtual.

I still am unable to connect.

I have 2 logs - one from the NCP client (IPSEC VPN Client) and one from the Symantec Gateway Security 320:

Gateway -

*** I pulled out the Gateway= address for client protection ***

4/12/2011 8:09:31 AM  System: Protecting RAS adapter - 0
4/12/2011 8:09:34 AM  IPSec: Start building connection
4/12/2011 8:09:34 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=0.0.0.0 : GEO
4/12/2011 8:09:34 AM  Ike: XMIT_MSG1_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: RECV_MSG2_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: IKE phase I: Setting LifeTime to 28800 seconds
4/12/2011 8:09:34 AM  Ike: IkeSa negotiated with the following properties -
4/12/2011 8:09:34 AM    Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
4/12/2011 8:09:34 AM  IPSec: Final Tunnel EndPoint is:0.0.0.0
4/12/2011 8:09:34 AM  Ike: XMIT_MSG3_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: IkeSa negotiated with the following properties -
4/12/2011 8:09:34 AM    Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
4/12/2011 8:09:34 AM  Ike: phase1:name(GEO) - connected
4/12/2011 8:09:34 AM  SUCCESS: IKE phase 1 ready
4/12/2011 8:09:34 AM  IPSec: Phase1 is Ready - IkeIndex=42,AltRekey=1
4/12/2011 8:09:36 AM  IkeCfg: XMIT_IKECFG_REQUEST - GEO
4/12/2011 8:09:40 AM  IkeCfg: RECV_IKECFG_REPLY - GEO
4/12/2011 8:09:40 AM  IkeCfg: name <GEO> - enter state open
4/12/2011 8:09:40 AM  SUCCESS: IkeCfg ready
4/12/2011 8:09:40 AM  IPSec: Quick Mode is Ready: IkeIndex = 0000002a , VpnSrcPort = 500
4/12/2011 8:09:40 AM  IPSec: Assigned IP Address: 0.0.0.0
4/12/2011 8:09:40 AM  IkeQuick: XMIT_MSG1_QUICK - GEO
4/12/2011 8:09:40 AM  Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18
4/12/2011 8:10:00 AM  IkeQuick: phase2:name(GEO) - error - cleared by phase1
4/12/2011 8:10:00 AM  ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - GEO.
4/12/2011 8:10:00 AM  IPSec: Disconnected from GEO on channel 1.


NCP Client -

*** I pulled out the Remote Peer address for client protection ***

04/12/2011 11:34:00.60 - ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA      
04/12/2011 11:33:54.65 Wan Client - Terminating connection      
04/12/2011 11:33:54.65 Wan Client - Terminating connection      
04/12/2011 11:33:54.65 Wan Client - Sending ISAKMP OAK INFO (Notification IKE SA)      
04/12/2011 11:33:54.65 Wan Client - state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION      
04/12/2011 11:33:54.65 Wan Client - (null): INVALID_ID_INFORMATION      
04/12/2011 11:33:54.60 Wan Client - STATE_TRANS_DONE ISAKMP Config done      
04/12/2011 11:33:52.95 Wan Client - STATE_AGGR_R2 ISAKMP SA established      
04/12/2011 11:33:52.85 Wan Client - STATE_AGGR_R1: from STATE_AGGR_R0; sent AR1, expecting AI2      
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute OAKLEY_KEY_LENGTH      
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute OAKLEY_KEY_LENGTH      
04/12/2011 11:33:52.55 Wan Client - Responding to Aggressive Mode from Remote Peer 0.0.0.0  

It appears that Phase 1 is successful, but Phase 2 gets jammed.

Note: highlights taken from both logs

4/12/2011 8:09:40 AM  Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18
04/12/2011 11:34:00.60 - ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA      
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute
04/12/2011 11:33:54.65 Wan Client - state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION      

What am I not seeing???
Your configuration is incorrect. Maybe you did not match the Local and Remote ID, or used the wrong type, FQDN or U-FQDN. Why don't you contact NCP technical support? They support the product even during eval.
Hello,

I am sorry if you have already mentioned it, but I am wondering if you are using a certificate on your VPN. If you are, is there any chance the certificate could have expired?

Thanks.
GeeMoon (ASKER)

Here's the current status.

I opted to contact tech support from the NCP trial I installed. Very good support. Unfortunately they were just as stuck as I was, but managed to shed some light on the fact that I needed to install the client on a non-domain server (I was using one as a test). Now a whole new list of problems is happening - still no connectivity.

I will check the firewall again on this Gateway 320. It was blocking VPN access at one point - I enabled it. I don't remember what I changed - currently working on multiple items. I will get back to you.

No, I am not using a certificate.

Thanks for all the great comments. I just wanted to let you know I am still pursuing the issue and will get back to you.
GeeMoon (ASKER)

OK....

I went direct from an XP system (with the internal firewall disabled) through an Optimum cable modem. I attempted to connect using the trial version of the NCP client software. This is what I get:

Pulled from NCP Client Log:

4/20/2011 3:41:58 PM  IPSec: Start building connection
4/20/2011 3:41:58 PM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=0.0.0.0 : GEO
4/20/2011 3:41:58 PM  Ike: XMIT_MSG1_AGGRESSIVE - GEO
4/20/2011 3:42:36 PM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - Geo.
4/20/2011 3:42:36 PM  Ike: phase1:name(Eastern) - ERROR - retry timeout - max retries
4/20/2011 3:42:36 PM  IPSec: Disconnected from GEO on channel 1.

I pulled the Gateway address from above to protect the client.

Strangely enough, prior to working with NCP support, I was able to establish Phase I access.

I get nothing on the Symantec Gateway logs. It just states that the client is terminated. I performed a full debug - nothing.

I stated I didn't remember what I changed in my last message - it was opening a port for IPsec in the Symantec Gateway firewall.

I am thinking of a possible firmware upgrade on the Gateway device. Prior to that, I would like to disable the firewall on the Gateway and attempt another connection. I just don't want to try this during business hours. It seems I have to pull the Gateway out of NAT mode - scary, derived from the help files.
I am doing most of this remotely - yes, I am able to access it via RDP.
It appears the previous tech guy opened the RDP port - probably gave up on the VPN.

How secure is RDP through Windows 2003? Am I safe?

Does anybody have experience with the Symantec Gateway Security 320 VPN client setup?
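Added here as an editor's example, not code from the thread or from NCP or Symantec: a small Python triage script that reads IKE log lines in the formats posted above and reports how far the negotiation got and where it stopped, separating the April 12 failure (Phase 1 up, Quick Mode rejected with INVALID_ID_INFORMATION, the Local/Remote ID mismatch Allvirtual points at) from the April 20 failure (no reply to the first aggressive-mode message at all). The sample lines are constructed from the posted logs with the peer addresses already redacted; the hint strings are general IKE troubleshooting guidance, not text the gateway or client emits.

```python
import re
# Constructed sample lines, modelled on the NCP client and Gateway 320 logs posted
# in this thread (peer addresses redacted to 0.0.0.0, as the asker did).
PHASE2_ID_MISMATCH = """\
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute OAKLEY_KEY_LENGTH
04/12/2011 11:33:52.95 Wan Client - STATE_AGGR_R2 ISAKMP SA established
04/12/2011 11:33:54.60 Wan Client - STATE_TRANS_DONE ISAKMP Config done
04/12/2011 11:33:54.65 Wan Client - state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
04/12/2011 11:34:00.60 - ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA
"""
PHASE1_NO_RESPONSE = """\
4/20/2011 3:41:58 PM  Ike: XMIT_MSG1_AGGRESSIVE - GEO
4/20/2011 3:42:36 PM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - Geo.
"""

# Milestones and failures recognised in either wording (client-side and gateway-side logs).
PHASE1_OK = re.compile(r"ISAKMP SA established|IKE phase 1 ready|phase1:name\(\w+\) - connected")
CONFIG_OK = re.compile(r"ISAKMP Config done|IkeCfg ready")
FAILURES = [  # checked in order; the first match names the failing stage
    (re.compile(r"INVALID_ID_INFORMATION"), "phase2_invalid_id",
     "Phase 2 (Quick Mode) rejected: the client's ID / traffic selectors do not match "
     "the gateway's user definition (check ID type FQDN vs U-FQDN and the remote network)."),
    (re.compile(r"Could not contact Gateway \(No response\)|retry timeout"), "phase1_no_response",
     "No IKE reply at all: UDP 500 (and 4500 for NAT-T) is not reaching the gateway, "
     "or a firewall rule on the gateway drops it."),
]
WARNINGS = [(re.compile(r"unsupported OAKLEY attribute"),
             "peer proposal carried an attribute the client ignores (KEY_LENGTH); negotiation continued")]

def triage(log_text: str) -> dict:
    """Classify one connection attempt: which IKE milestones were reached and where it failed."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    result = {"phase1_established": any(PHASE1_OK.search(ln) for ln in lines),
              "config_done": any(CONFIG_OK.search(ln) for ln in lines),
              "failure": None, "hint": None, "warnings": []}
    for pattern, name, hint in FAILURES:
        if any(pattern.search(ln) for ln in lines):
            result["failure"], result["hint"] = name, hint
            break
    for pattern, text in WARNINGS:
        if any(pattern.search(ln) for ln in lines):
            result["warnings"].append(text)
    return result

if __name__ == "__main__":
    for name, log in (("April 12", PHASE2_ID_MISMATCH), ("April 20", PHASE1_NO_RESPONSE)):
        r = triage(log)
        print(f"{name}: phase1={r['phase1_established']} config={r['config_done']} failure={r['failure']}")
        print("  ", r["hint"])
```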
Hello,

It is possible your Symantec software could be getting in the way of the NCP client contacting the server to establish a connection. My advice is to try another machine where you do not have the Symantec Security stuff.

Take a look at this post: http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Netscreen-5-GT-VPN-configuration-with-NCP-Secure-Client/td-p/79248

Thanks.
GeeMoon (ASKER)

I am going to propose to the client to purchase a new Cisco firewall. It's not worth the time I have been investing. I thank you for your truly valid comments - excellent advice.