#1
Junior Member
Joined: Feb 2012
Posts: 3
VPN between ShrewSoft VPN Client and NETGEAR FVS338

Hi everyone, as you can guess from the title, I have run into the configuration of a VPN Client connection between a PC and the NETGEAR FVS338 firewall.
Here is a summary of how the company network is laid out:

- NETGEAR DG834 router with IP 192.168.100.250
- NETGEAR FVS338 firewall with IP 192.168.100.253 on the router side and 192.168.1.250, with the DHCP server enabled, towards the PC network.

To enable the VPN I did the following:

1- On the DG834, from the "Firewall Rules" menu, I added the VPN-IPSEC service both inbound and outbound as ALLOW ALWAYS, specifying in the inbound service the firewall's IP address as the LAN server IP address.

2- On the FVS338 firewall: VPN -> VPN Wizard, assigned the connection name and pre-shared key, entered the Remote and Local ID Information.

3- Started the ShrewSoft VPN Access Manager client and configured it as follows:

```
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n ![]()
n ![]()
n ![]()
n:vendor-chkpt-enable:0
n ![]()
n ![]()
n ![]()
n ![]()
n:client-dns-suffix-auto:1
n:client-addr-auto:1
s:network-host:IPPubblico
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvx_remote.com
s:ident-server-data:fvx_local.com
b:auth-mutual-psk:bXlwcmVzaGFyZWRrZXk=
s ![]()
s ![]()
s ![]()
s ![]()
s ![]()
s:ipcomp-transform:disabled
n ![]()
s ![]()
s ![]()
```

When I click connect, everything seems to start correctly:

```
...config loaded for site 'NETGEAR_fvx.vpn'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled...
```

but after a few tens of seconds it disconnects and gives me this message:

```
...negotiation timout occurred
tunnel disabled
detached from key daemon...
```

I also went and checked the VPN log on the firewall; I am including it below for completeness:

```
2012 Feb 15 16:24:56 [FVS338] [IKE] Remote configuration for identifier "fvx_remote.com" found_
2012 Feb 15 16:24:56 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>192.168.100.250[500]_
2012 Feb 15 16:24:56 [FVS338] [IKE] Beginning Aggressive mode._
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated twice -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 3 times -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: DPD_
2012 Feb 15 16:24:56 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2012 Feb 15 16:24:56 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2012 Feb 15 16:24:56 [FVS338] [IKE] For 192.168.100.250[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2012 Feb 15 16:25:57 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 192.168.100.250[500]. 077cc5a0e32cf327:c839665dbaf18034_
```

I don't know what to check to get all this working; if someone could help me or point me to a guide or tutorial...

Thanks in advance,
Ric
#2
Junior Member
Joined: Feb 2012
Posts: 3
Quote:
```
2012 Feb 16 10:11:30 [FVS338] [IKE] Remote configuration for identifier "fvx_remote.com" found_
2012 Feb 16 10:11:30 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>2.45.132.32[500]_
2012 Feb 16 10:11:30 [FVS338] [IKE] Beginning Aggressive mode._
2012 Feb 16 10:11:30 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 3 times -
2012 Feb 16 10:11:30 [FVS338] [IKE] Received Vendor ID: DPD_
2012 Feb 16 10:11:30 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2012 Feb 16 10:11:30 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2012 Feb 16 10:11:31 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
2012 Feb 16 10:11:31 [FVS338] [IKE] ISAKMP-SA established for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842_
2012 Feb 16 10:11:31 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2012 Feb 16 10:11:37 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:37 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:42 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:42 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:48 [FVS338] [IKE] packet shorter than isakmp header size._
2012 Feb 16 10:11:48 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:48 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:48 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:48 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:53 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:53 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:53 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.100.253[0]<=>2.45.132.32[0]_
2012 Feb 16 10:11:53 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:12:04 [FVS338] [IKE] packet shorter than isakmp header size._
2012 Feb 16 10:12:20 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
2012 Feb 16 10:12:21 [FVS338] [IKE] packet shorter than isakmp header size._
2012 Feb 16 10:12:31 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
2012 Feb 16 10:12:34 [FVS338] [IKE] packet shorter than isakmp header size._
2012 Feb 16 10:12:38 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=a842b27e0ac55872:04aa241a27547842._
2012 Feb 16 10:12:39 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842_
2012 Feb 16 10:12:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
```
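
An added example, not part of either post: a small Python triage of the firewall log format quoted in this thread. For each peer address it reports whether phase 1 was established or timed out and whether the firewall saw the request from a private address, and it counts the selector pairs logged with "Failed to get IPsec SA configuration". The sample lines are copied from the two logs above; the function and pattern names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines copied from the two FVS338 logs quoted in the thread.
SAMPLE_LOG = """\
2012 Feb 15 16:24:56 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>192.168.100.250[500]_
2012 Feb 15 16:25:57 [FVS338] [IKE] Phase 1 negotiation failed due to time up for 192.168.100.250[500]. 077cc5a0e32cf327:c839665dbaf18034_
2012 Feb 16 10:11:30 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.100.253[500]<=>2.45.132.32[500]_
2012 Feb 16 10:11:31 [FVS338] [IKE] ISAKMP-SA established for 192.168.100.253[500]-2.45.132.32[500] with spi:a842b27e0ac55872:04aa241a27547842_
2012 Feb 16 10:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:11:42 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.43.18/32 from fvx_remote.com_
2012 Feb 16 10:12:20 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.168.1.0/24<->192.168.43.18/32_
"""

# Timestamp, device tag, [IKE] tag, then the message; trailing "_" is dropped.
LINE = re.compile(r"^\d{4} \w{3} +\d+ [\d:]+ \[\S+\] \[IKE\] (?P<msg>.*?)_*\s*$")
P1_START = re.compile(r"Received request for new phase 1 negotiation: \S+<=>(?P<peer>[\d.]+)\[\d+\]")
P1_UP = re.compile(r"ISAKMP-SA established for \S+-(?P<peer>[\d.]+)\[\d+\]")
P1_TIMEOUT = re.compile(r"Phase 1 negotiation failed due to time up for (?P<peer>[\d.]+)\[\d+\]")
P2_NOCONF = re.compile(r"Failed to get IPsec SA configuration for: (?P<local>[\d./]+)<->(?P<remote>[\d./]+)")


def triage(log_text):
    """Return (phase 1 outcome per peer, count of rejected selector pairs)."""
    phase1 = {}
    rejected = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "- Last output repeated twice -"
        msg = m.group("msg")
        if (e := P1_START.search(msg)):
            phase1.setdefault(e["peer"], "no answer logged")
        elif (e := P1_UP.search(msg)):
            phase1[e["peer"]] = "established"
        elif (e := P1_TIMEOUT.search(msg)):
            phase1[e["peer"]] = "timed out"
        elif (e := P2_NOCONF.search(msg)):
            rejected[(e["local"], e["remote"])] += 1
    peers = {p: {"phase1": s, "private_source": ipaddress.ip_address(p).is_private}
             for p, s in phase1.items()}
    return peers, rejected


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On these lines the result is a phase 1 timeout for 192.168.100.250, a private source address, and an established phase 1 for 2.45.132.32 followed by two selector pairs that the firewall logs as having no IPsec SA configuration.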
#3
Junior Member
Joined: Feb 2012
Posts: 3
Quote: