Trying to set up VPN client access to a Symantec Gateway Security 320

Last Tech person left no documentation or supporting software - including a possible VPN client.

I have reviewed this document: ftp://ftp.symantec.com/public/english_us_canada/products/symantec_gateway_security/300-Series_2.0/manuals/SGS300_ADM.pdf

All appears to be in order. I even tried to create a new user/shared key.

Since I don't have the original software, I tried Cisco's VPN Client 5.0.04.0300 and Linksys QuickVPN - no success.
Cisco error: 'Secure VPN connection terminated locally by the client. Reason 412'
Linksys error: 'Failed to establish a connection'
I can't seem to be able to view an updated activity log on the Gateway 320.

Does anybody know how I can get the original VPN client software?
Does anybody know how to configure a client to gateway VPN?
GeeMoon, IT Consultant, asked:
Allvirtual commented:
Maybe try the NCP client: http://www.ncp-e.com/
koudry commented:
Hello,

You need the following information to connect to the VPN gateway:

VPN gateway IP address
VPN username and password
One time password or security token (where needed)

This means that the server has been configured to allocate an IP range to the security token that you will be using to connect to the gateway.

Thanks.
GeeMoon, IT Consultant (author), commented:
Thanks for the heads-up on the NCP client, Allvirtual.

I still am unable to connect.

I have 2 logs - one from the NCP client (IPSEC VPN Client) and one from the Symantec Gateway Security 320:

Gateway -

*** I pulled out the Gateway= address for client protection ***

4/12/2011 8:09:31 AM  System: Protecting RAS adapter - 0
4/12/2011 8:09:34 AM  IPSec: Start building connection
4/12/2011 8:09:34 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=0.0.0.0 : GEO
4/12/2011 8:09:34 AM  Ike: XMIT_MSG1_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: RECV_MSG2_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: IKE phase I: Setting LifeTime to 28800 seconds
4/12/2011 8:09:34 AM  Ike: IkeSa negotiated with the following properties -
4/12/2011 8:09:34 AM    Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
4/12/2011 8:09:34 AM  IPSec: Final Tunnel EndPoint is:0.0.0.0
4/12/2011 8:09:34 AM  Ike: XMIT_MSG3_AGGRESSIVE - GEO
4/12/2011 8:09:34 AM  Ike: IkeSa negotiated with the following properties -
4/12/2011 8:09:34 AM    Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
4/12/2011 8:09:34 AM  Ike: phase1:name(GEO) - connected
4/12/2011 8:09:34 AM  SUCCESS: IKE phase 1 ready
4/12/2011 8:09:34 AM  IPSec: Phase1 is Ready - IkeIndex=42,AltRekey=1
4/12/2011 8:09:36 AM  IkeCfg: XMIT_IKECFG_REQUEST - GEO
4/12/2011 8:09:40 AM  IkeCfg: RECV_IKECFG_REPLY - GEO
4/12/2011 8:09:40 AM  IkeCfg: name <GEO> - enter state open
4/12/2011 8:09:40 AM  SUCCESS: IkeCfg ready
4/12/2011 8:09:40 AM  IPSec: Quick Mode is Ready: IkeIndex = 0000002a , VpnSrcPort = 500
4/12/2011 8:09:40 AM  IPSec: Assigned IP Address: 0.0.0.0
4/12/2011 8:09:40 AM  IkeQuick: XMIT_MSG1_QUICK - GEO
4/12/2011 8:09:40 AM  Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18
4/12/2011 8:10:00 AM  IkeQuick: phase2:name(GEO) - error - cleared by phase1
4/12/2011 8:10:00 AM  ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - GEO.
4/12/2011 8:10:00 AM  IPSec: Disconnected from GEO on channel 1.


NCP Client -

*** I pulled out the Remote Peer address for client protection ***

04/12/2011 11:34:00.60 - ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA
04/12/2011 11:33:54.65 Wan Client - Terminating connection
04/12/2011 11:33:54.65 Wan Client - Terminating connection
04/12/2011 11:33:54.65 Wan Client - Sending ISAKMP OAK INFO (Notification IKE SA)
04/12/2011 11:33:54.65 Wan Client - state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
04/12/2011 11:33:54.65 Wan Client - (null): INVALID_ID_INFORMATION
04/12/2011 11:33:54.60 Wan Client - STATE_TRANS_DONE ISAKMP Config done
04/12/2011 11:33:52.95 Wan Client - STATE_AGGR_R2 ISAKMP SA established
04/12/2011 11:33:52.85 Wan Client - STATE_AGGR_R1: from STATE_AGGR_R0; sent AR1, expecting AI2
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute OAKLEY_KEY_LENGTH
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute OAKLEY_KEY_LENGTH
04/12/2011 11:33:52.55 Wan Client - Responding to Aggressive Mode from Remote Peer 0.0.0.0

It appears that Phase 1 is successful, but Phase 2 gets jammed.

Note: highlights taken from both logs:

4/12/2011 8:09:40 AM  Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18
04/12/2011 11:34:00.60 - ERR:Quick Mode message is for a non-existent (expired?) ISAKMP SA      
04/12/2011 11:33:52.55 Wan Client - ERR: unsupported OAKLEY attribute. Attribute
04/12/2011 11:33:54.65 Wan Client - state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION      

What am I not seeing???
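The two excerpts above show the pattern to read off first: Phase 1 (aggressive mode with a pre-shared key) and mode-config complete, then Quick Mode is rejected with INVALID_ID_INFORMATION, which is ISAKMP notify type 18. As an added example that is not part of the original thread or of any NCP or Symantec tool, the following Python script parses client log lines in the format quoted above, names the layer that failed, and flags the security-relevant properties of the negotiated Phase 1 SA. The sample log lines inside it are constructed; the gateway address 192.0.2.1, the profile name GEO and the diagnosis labels are this example's own assumptions.

```python
"""Triage an IKEv1 remote-access client log: which phase failed, and why.

Added example, not code from the thread, NCP or Symantec. Samples are CONSTRUCTED
in the NCP client log format quoted in the thread; 192.0.2.1 and GEO are placeholders.
"""
import re
from dataclasses import dataclass, field

# ISAKMP Notify Message Types, RFC 2408 section 3.14.1. The "18" in the quoted
# line "RECEIVED : INVALID_ID_INFORMATION : 18" is this code.
ISAKMP_NOTIFY = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED", 4: "INVALID-COOKIE",
    5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION", 7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS",
    9: "INVALID-MESSAGE-ID", 10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX", 16: "PAYLOAD-MALFORMED",
    17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION", 19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE",
    21: "CERT-TYPE-UNSUPPORTED", 22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME", 28: "CERTIFICATE-UNAVAILABLE",
    29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}
# Matches "Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18"
_NOTIFY_RE = re.compile(r"NOTIFY\s*:\s*\S+\s*:\s*RECEIVED\s*:\s*(\S+)\s*:\s*(\d+)")
# Matches "Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0"
_PROP_RE = re.compile(r"(\w+)=([^,\s]+)")


@dataclass
class IkeTriage:
    aggressive_mode: bool = False
    phase1_no_response: bool = False
    phase1_established: bool = False
    ikecfg_done: bool = False                       # mode-config (address assignment) finished
    phase2_failed: bool = False
    notifies: list = field(default_factory=list)    # [(code, name), ...]
    sa_properties: dict = field(default_factory=dict)


def triage(lines):
    """Scan client log lines and record the IKE milestones they report."""
    t = IkeTriage()
    for raw in lines:
        line = raw.strip()
        if "AGGRESSIVE mode" in line:
            t.aggressive_mode = True
        if "Could not contact Gateway" in line or "retry timeout" in line:
            t.phase1_no_response = True
        if "IKE phase 1 ready" in line or ("phase1:" in line and "- connected" in line):
            t.phase1_established = True
        if "IkeCfg ready" in line:
            t.ikecfg_done = True
        if "IKE(phase2)" in line and "ERROR" in line:
            t.phase2_failed = True
        if "Authentication=" in line:
            t.sa_properties = dict(_PROP_RE.findall(line))
        m = _NOTIFY_RE.search(line)
        if m:
            code = int(m.group(2))
            t.notifies.append((code, ISAKMP_NOTIFY.get(code, m.group(1))))
    return t


def diagnose(t):
    """Name the layer that broke. Notify 18 (INVALID-ID-INFORMATION) in Quick Mode
    refers to the IDci/IDcr (proxy ID / traffic selector) payloads, not the Phase 1 ID."""
    if t.phase1_no_response:
        return "phase1-no-response"      # MSG1 sent, nothing back: UDP/500 path problem
    if t.phase1_established and t.phase2_failed:
        if any(code == 18 for code, _ in t.notifies):
            return "phase2-id-mismatch"  # PSK and Phase 1 ID were accepted; selectors were not
        return "phase2-failed"
    return "ok" if t.phase1_established else "unknown"


def weak_settings(t):
    """Findings on the negotiated Phase 1 SA, independent of the failure."""
    p, findings = t.sa_properties, []
    # Aggressive mode sends the responder's PSK-derived hash unencrypted, so a
    # passive observer can run an offline dictionary attack on the shared key.
    if t.aggressive_mode and p.get("Authentication") == "PRE_SHARED_KEY":
        findings.append("aggressive-mode-psk")
    if p.get("Encryption") in {"DES", "DES3", "3DES"}:
        findings.append("legacy-cipher")
    if p.get("DHGroup") in {"1", "2", "5"}:         # MODP groups below 2048 bits
        findings.append("weak-dh-group")
    return findings


# CONSTRUCTED samples (placeholder timestamps and gateway address).
SAMPLE_PHASE2_FAIL = """\
1/1/2011 8:09:34 AM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=192.0.2.1 : GEO
1/1/2011 8:09:34 AM    Authentication=PRE_SHARED_KEY,Encryption=DES3,Hash=SHA,DHGroup=2,KeyLen=0
1/1/2011 8:09:34 AM  SUCCESS: IKE phase 1 ready
1/1/2011 8:09:40 AM  SUCCESS: IkeCfg ready
1/1/2011 8:09:40 AM  Ike: NOTIFY : GEO : RECEIVED : INVALID_ID_INFORMATION : 18
1/1/2011 8:10:00 AM  ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - GEO.
""".splitlines()
SAMPLE_NO_RESPONSE = """\
1/1/2011 3:41:58 PM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=192.0.2.1 : GEO
1/1/2011 3:42:36 PM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - GEO.
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("phase2", SAMPLE_PHASE2_FAIL), ("no-response", SAMPLE_NO_RESPONSE)):
        t = triage(sample)
        print(name, diagnose(t), t.notifies, weak_settings(t))
```

Run it directly to print both diagnoses, or pass a saved client log to `triage()`. The order of the checks matters: a no-response result means the shared key and identities were never evaluated, so the fix is in the UDP/500 path or a firewall, while INVALID-ID-INFORMATION in Quick Mode after a successful mode-config points at the Phase 2 traffic selectors (the address handed to the client and the networks it proposes to protect), not at the shared key. The `weak_settings` findings are worth reporting regardless of the outcome: aggressive mode with a pre-shared key exposes the key to offline guessing by anyone who captures the exchange.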

Allvirtual commented:
Your configuration is incorrect. Maybe you did not match the Local and Remote IDs, or used the wrong type (FQDN or U-FQDN). Why don't you contact NCP technical support? They support the product even during the eval.
koudry commented:
Hello,

I am sorry if you have already mentioned it, but I am wondering if you are using a certificate on your VPN. If you are, is there any chance the certificate could have expired?

Thanks.
koudry commented:
Hello,

I am not sure if the info below helps:

---------------------
The error: "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding" means the software VPN Client detected that the VPN server is not responding anymore and deleted the connection. This is caused by several different reasons, for example:

The user is behind a firewall that is blocking ports UDP 4500/500 and/or ESP.
The VPN client is connecting over TCP and the default TCP port 10000 for NAT-T is blocked.
The internet connection is not stable and some packets are not reaching the VPN concentrator/server or the replies from the server/concentrator aren’t getting to the client, hence the client thinks the server is no longer available.
The VPN client is behind a NAT device and the VPN Server doesn’t have NAT-T enabled. In this case the user will not be able to send or receive traffic at all. It will be able to connect but that’s all. After some time the software client deletes the VPN tunnel.

Suggested solutions:

If you are using wireless, try to connect with cable
Turn your firewall off, then test the connection to see whether the problem still occurs. If it doesn't, you can turn your firewall back on and add exception rules for port 500, port 4500 and the ESP protocol in your firewall.
Turn on NAT-T/TCP in your profile ( remember to unblock port 10000 in your firewall)
Edit your profile with your editor and change ForceKeepAlive=0 to 1
-----------------

source: http://www.lamnk.com/blog/vpn/cisco-vpn-client-reason-412-the-remote-peer-is-no-longer-responding/

thanks.
GeeMoon, IT Consultant (author), commented:
Here's the current status.

I opted to contact tech support from the NCP trial I installed. Very good support. Unfortunately they were just as stuck as I was, but managed to shed some light on the fact that I needed to install the client on a non-domain server (which I was using as a test). Now a whole new list of problems is happening - still no connectivity.

I will check the firewall again on this Gateway 320. It was blocking VPN access at one point - I enabled it. I don't remember what I changed - currently working on multiple items. I will get back to you.

No, I am not using a certificate.

Thanks for all the great comments. I just wanted to let you know I am still pursuing the issue and will get back to you.
GeeMoon, IT Consultant (author), commented:
OK....

I went direct from an XP system (with the internal firewall disabled) through an Optimum cable modem. I attempted to connect using the trial version of the NCP client software. This is what I get:

Pulled from NCP Client Log:

4/20/2011 3:41:58 PM  IPSec: Start building connection
4/20/2011 3:41:58 PM  Ike: Outgoing connect request AGGRESSIVE mode - gateway=0.0.0.0 : GEO
4/20/2011 3:41:58 PM  Ike: XMIT_MSG1_AGGRESSIVE - GEO
4/20/2011 3:42:36 PM  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - Geo.
4/20/2011 3:42:36 PM  Ike: phase1:name(Eastern) - ERROR - retry timeout - max retries
4/20/2011 3:42:36 PM  IPSec: Disconnected from GEO on channel 1.

I pulled the Gateway address from above to protect the client.

Strangely enough, prior to working with NCP support, I was able to establish Phase I access.

I get nothing in the Symantec Gateway logs. It just states that the client is terminated. I performed a full debug - nothing.

I stated I didn't remember what I changed in my last message - it was opening a port for IPsec in the Symantec Gateway firewall.

I am thinking of a possible firmware upgrade on the Gateway device. Prior to that, I would like to disable the firewall on the Gateway and attempt another connection. I just don't want to try this during business hours. It seems I have to pull the Gateway out of NAT mode - scary, derived from the help files.
I am doing most of this remotely - yes, I am able to access it via RDP.
It appears the previous tech guy opened the RDP port - probably gave up on the VPN.

How secure is RDP through windows 2003? Am I safe?

Does anybody have experience with the Symantec Gateway Security 320 VPN client setup?
koudry commented:
Hello,

It is possible your Symantec software could be getting in the way of the NCP client contacting the server to establish a connection. My advice is to try another machine where you do not have the Symantec security stuff.

Take a look at this post: http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Netscreen-5-GT-VPN-configuration-with-NCP-Secure-Client/td-p/79248

Thanks.
GeeMoon, IT Consultant (author), commented:
I am going to propose to the client to purchase a new Cisco firewall. It's not worth the time I have been investing. I thank you for your truly valid comments - excellent advice.