200r & enterprise Client INVALID_ID_INFOIRMATION

[psvialli]

I have been trying to resole this for about 3 days now and just do not know what next to do:-

PN client - Win2000pro SP4

I am using the network card for my ADSL and have set it to obtain IP /DNS otherwise I get a problem ADSL using (NTL) (not sure if this is the problem ?

I have also tried an additional network card , but still no joy.

I am getting
Apr 13 16:41:49.252 quantum isakmpd[1820]: 120 isakmpd Info: Isakmp SA with peer xx.xxx.48.193 expired. Will renegotiate.
Apr 13 16:41:50.624 quantum isakmpd[1820]: 120 isakmpd Info: Initiator, Established ISAKMP SA (Lsg=xx.xx.5.210, Rsg=81.137.48.193), [tunTemplate=SP1]
Apr 13 16:41:50.788 quantum isakmpd[1820]: 120 isakmpd Info: Error while processing data rcvd from peer xx.xxx.48.193: (-3366) Unexpected payload was received in request.
Apr 13 16:41:50.792 quantum isakmpd[1820]: 120 isakmpd Info: Error during isakmp sa negotiation with peer xx.xxx.48.193, status=IKMP_ERROR err=(-3366) Unexpected payload was received in request.
Apr 13 16:41:50.795 quantum isakmpd[1820]: 120 isakmpd Info: Initiator, Failed to establish IPSEC SA with peer xx.xxx.48.193 [tunTemplate=SP1]

And from the 200R I am getting INVALID_ID_INFOIRMATION

I have all the latest updates / firmware etc..

Please Help!

Paul

 

[SefLogic]

This error is due to a mismatch in the Client -> 200/R VPN, 90% of the time it is the Phase 1 ID / pre-shared keys. Make sure you follow the below document to the letter and you will be able to get your VPN up and running again. Go to the symantec support site and search for the following KB number.

2002121708585054

If your 200/R has a Dymanic IP then checkout this KB, because if the IP address changes on the 200/R then the Phase 1 ID is going to be screwed.

2002081313235154

One last thing, if you are using NAT eg: the 200/R is behind a DSL modem, make sure that the 200/R gets the public IP. Alot of the time you can setup your DSL modem in bridge mode. If you are unable to do bridge mode then you are going to have to play with the phase 1 id on both the 200/R and the client.

Good Luck.


SefLogic

tips on fixing any problem in the world
1. Check google / google-groups
2. check the vendor support page
3. get a book on the topic

 

[psvialli]

Many thanks,

I have followed to the letter the example but still get the same message; I have also reinstalled the client but still the same.

Not sure what you mean on your last point, sorry new to this!

I have set the 200r with the static IP, is this what you mean ?

Paul

 

[psvialli]

Sorry forgot to say you mention phase 1 ID , but on the example it says leave them blank , which is what I have done , and set the Gateway address to 0.0.0.0 is this correct ?

I have set the tunnel to 192.168.0.1 sub 255.255.255.255

Also I have set the 200r unit LAN IP to 192.168.0.254 will this affect what I am doing ?

 

[apeasecpc]

In the VPN Client software, make sure you do the following:

Create your own IKE policy with your own name. Don't use any of the default policies that have already been set up.

Create your own VPN policy with your own name. Don't use any of the default policies that have already been set up.

Make sure you are using "Diffie Hellman" group 1 for both the IKE and VPN policies.

Make sure "Symantec Enterprise Gateway" is NOT checked.

Make sure your encryption and timeout settings match between the client and the VPN appliance. Be sure to check all the tabs under the VPN policy.

Make sure the "client ID" and "shared secret" match what was set up for the "Client Identity" on the VPN appliance.

For suggested appliance and client configurations, please see thread754-730829

Also please note that you need to obtain a patch from Symantec before the client will work on XP you need to update the client to version 7.0.1. See the link

http://service1.symantec.com/SUPPOR...56bc1005cd7ca&dtype=&prod=&ver=&osv=&osv_lvl=

.