
Problems connecting to Company Network

Status
Not open for further replies.

JordanR

Technical User
Oct 3, 2002
182
US
Hello,
I have been trying for the longest time to VPN to my home network using the Symantec Firewall/VPN 200R. I have followed all the setup steps but am still not able to connect. My firewall has the following message in its log even when I have not tried to connect.

"connectionname - ERR: connection must specify host IP address for our side"

Can anyone help me on this?
TIA

 
Are you using the remote software? If not, both ends require either a static public IP address, or a domain name reference (use dynamic DNS if it isn't a static address).

You also probably won't have much luck connecting to non-Symantec VPN devices such as Cisco.
 
I am using the Symantec Enterprise VPN Client and have it set up the way the tutorial from their site suggests.

After the VPN/Firewall there is a Cisco router and switch.
 
Here is what shows up in the SEVPN Client Log when I try to connect.

Apr 05 22:55:18.605 mycomputername emapi[2664]: 301 Internal warning: accept fails (Invalid argument.)
Apr 05 22:55:39.204 mycomputername isakmpd[3488]: 117 isakmpd Info: Daemon starting
Apr 05 22:55:39.284 mycomputername vpnd[3172]: 117 Daemon starting
Apr 05 22:55:39.324 mycomputername isakmpd[3488]: 120 isakmpd Info: Not waiting for Mobile
Apr 05 22:55:40.336 mycomputername isakmpd[3488]: 120 isakmpd Info: Reloading tunnels to vpnd with 3 sec wait.
Apr 05 22:55:40.336 mycomputername isakmpd[3488]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 3 sec wait.
Apr 05 22:55:41.598 mycomputername emapi[1372]: 100 Symantec Enterprise VPN Client Info: Entering EMAPI initial wait state.
Apr 05 22:55:43.771 mycomputername isakmpd[3488]: 120 isakmpd Info: Cannot find entrust config file C:\Program Files\Symantec\VPNClient\entrust.cf. Will use default configuration.
Apr 05 22:55:44.963 mycomputername isakmpd[3488]: 120 isakmpd Info: IKMPLogin: Switched to lite mode, cannot access CA directory
Apr 05 22:55:44.963 mycomputername isakmpd[3488]: 120 isakmpd Info: Try to turn off crl validation...
Apr 05 22:55:44.963 mycomputername isakmpd[3488]: 120 isakmpd Info: Successfully logged into the ISAKMP engine with a default profile which has no Certificate support
Apr 05 22:55:44.963 mycomputername isakmpd[3488]: 120 isakmpd Info: Reconfiguring Isakmp tunnels
Apr 05 22:55:44.973 mycomputername emapi[1372]: 100 Symantec Enterprise VPN Client Info: Continue operation.
Apr 05 22:55:44.973 mycomputername isakmpd[3488]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 15 sec wait.
Apr 05 22:59:53.049 mycomputername emapi[1372]: 400 Symantec Enterprise VPN Client Error: Invalid netmask.
Apr 05 23:00:05.247 mycomputername isakmpd[3488]: 120 isakmpd Info: Reconfiguring Isakmp tunnels
Apr 05 23:00:10.344 mycomputername emapi[1372]: 100 nsetup Trace: Session Notification enabled.
Apr 05 23:00:10.354 mycomputername emapi[1372]: 100 nsetup Trace: Connecting security gateway publicipaddress
Apr 05 23:00:10.354 mycomputername emapi[1372]: 100 nsetup Trace: Connecting tunnel to privateipaddress
Apr 05 23:04:49.453 mycomputername isakmpd[3488]: 343 isakmpd Warning: RETRY LIMIT REACHED for the remote security gateway publicipaddress
Apr 05 23:04:49.453 mycomputername emapi[1372]: 400 Symantec Enterprise VPN Client Error: Communications with the ISAKMP daemon failed.
Apr 05 23:05:04.659 mycomputername emapi[1372]: 100 nsetup Trace: Error connecting tunnel to privateipaddress. RC=1. Terminating connect operation.
Apr 05 23:07:42.785 mycomputername emroute[360]: 710 FATAL: IP Helper Loop: 5
Apr 05 23:08:22.375 mycomputername emapi[1372]: 301 Internal warning: accept fails (Socket operation on non-socket.)
Apr 05 23:09:06.202 mycomputername kernel: 301 Internal warning: TCP session [state: 2, inactive for 83 seconds] between privateipaddress/389 and 192.168.100.73/1117 timed out due to inactivity
Apr 05 23:09:51.291 mycomputername vpnd[3576]: 117 Daemon starting
Apr 05 23:09:51.281 mycomputername isakmpd[2552]: 117 isakmpd Info: Daemon starting
Apr 05 23:09:51.341 mycomputername isakmpd[2552]: 120 isakmpd Info: Not waiting for Mobile
Apr 05 23:09:52.373 mycomputername isakmpd[2552]: 120 isakmpd Info: Reloading tunnels to vpnd with 3 sec wait.
Apr 05 23:09:52.373 mycomputername isakmpd[2552]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 3 sec wait.
Apr 05 23:09:54.166 mycomputername emapi[3968]: 100 Symantec Enterprise VPN Client Info: Entering EMAPI initial wait state.
Apr 05 23:09:56.339 mycomputername isakmpd[2552]: 120 isakmpd Info: Cannot find entrust config file C:\Program Files\Symantec\VPNClient\entrust.cf. Will use default configuration.
Apr 05 23:09:57.581 mycomputername isakmpd[2552]: 120 isakmpd Info: IKMPLogin: Switched to lite mode, cannot access CA directory
Apr 05 23:09:57.581 mycomputername isakmpd[2552]: 120 isakmpd Info: Try to turn off crl validation...
Apr 05 23:09:57.581 mycomputername isakmpd[2552]: 120 isakmpd Info: Successfully logged into the ISAKMP engine with a default profile which has no Certificate support
Apr 05 23:09:57.591 mycomputername isakmpd[2552]: 120 isakmpd Info: Reconfiguring Isakmp tunnels
Apr 05 23:09:57.591 mycomputername emapi[3968]: 100 Symantec Enterprise VPN Client Info: Continue operation.
Apr 05 23:09:57.591 mycomputername isakmpd[2552]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 15 sec wait.
 
Is the Cisco router on the LAN or WAN side of the 200R?

Does the 200R have a public IP address?

If you are running 2000 or XP, have you installed the VPN Client patches from ?

Are you set to Diffie Hellman Group 1 on the client? Is the Symantec Enterprise Gateway option unchecked on the client?

From my experience, problems are usually either related to mismatched settings, or unpatched software.
 
The Cisco router is on the LAN side of the firewall.
There is a public IP address using PPPoE.
I have installed the patches.
The Diffie Hellman Group is set and the SE Gateway option is unchecked.
 
In the client software, make sure you define and link to custom VPN and IKE policies, not the default ones. Here are the settings that work for me:

On the 200R -

Phase 1 Negotiation=Aggressive
Encryption and Authentication Method=ESP 3DES MD5
SA Lifetime=720
Data Volume Limit=100000
Inactivity Timeout=0
Perfect Forward Secrecy=Enabled

Your User Pre-Shared keys should be at least 20 digits long.


On the Enterprise VPN Client -

Create a custom IKE Policy with:
Integrity=MD5
Privacy=3DES
Diffie Hellman=Group 1
Expire=720 Minutes

Create a custom VPN Policy with:
Integrity=MD5
Privacy=3DES
Compression=None
Encapsulation=Tunnel
Data Integrity=ESP
Perfect Forward Secrecy=Checked
Diffie Hellman=Group 1
Volume Limit=100000 KB
Lifetime=720 Minutes
Inactivity=0

Define the Gateway with:
Symantec Enterprise Gateway=Unchecked
IKE Policy=Name of Custom Policy
Tunnel VPN Policy=Name of Custom Policy
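
Added example (not part of the original posts and not Symantec's tooling): a short Python check that the 200R settings and the client VPN policy listed in the last post agree with each other, and that lists which of the chosen algorithms are legacy by current standards. It assumes the 200R's unitless SA Lifetime and Data Volume Limit are in minutes and KB, as on the client; the function names are illustrative.

```python
# Added example, not Symantec tooling. The Key=Value text is taken from the
# post above; units on the 200R side are an assumption.
GATEWAY_200R = """Phase 1 Negotiation=Aggressive
Encryption and Authentication Method=ESP 3DES MD5
SA Lifetime=720
Data Volume Limit=100000
Inactivity Timeout=0
Perfect Forward Secrecy=Enabled"""

CLIENT_VPN_POLICY = """Integrity=MD5
Privacy=3DES
Compression=None
Encapsulation=Tunnel
Data Integrity=ESP
Perfect Forward Secrecy=Checked
Diffie Hellman=Group 1
Volume Limit=100000 KB
Lifetime=720 Minutes
Inactivity=0"""

# Algorithms generally treated as legacy today (reviewer's note, not from the post).
LEGACY = {"cipher": {"DES", "3DES"}, "integrity": {"MD5"}, "dh_group": {1}}

def parse(text):
    """Turn 'Key=Value' lines into a dict."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)

def normalize_gateway(cfg):
    protocol, cipher, integrity = cfg["Encryption and Authentication Method"].split()
    return {"protocol": protocol, "cipher": cipher, "integrity": integrity,
            "lifetime_min": int(cfg["SA Lifetime"]),       # assumed minutes
            "volume_kb": int(cfg["Data Volume Limit"]),    # assumed KB
            "inactivity": int(cfg["Inactivity Timeout"]),
            "pfs": cfg["Perfect Forward Secrecy"] == "Enabled"}

def normalize_client(cfg):
    return {"protocol": cfg["Data Integrity"], "cipher": cfg["Privacy"],
            "integrity": cfg["Integrity"],
            "lifetime_min": int(cfg["Lifetime"].split()[0]),
            "volume_kb": int(cfg["Volume Limit"].split()[0]),
            "inactivity": int(cfg["Inactivity"]),
            "pfs": cfg["Perfect Forward Secrecy"] == "Checked",
            "dh_group": int(cfg["Diffie Hellman"].split()[-1])}

def mismatches(gw, client):
    """Settings present on both sides whose values differ."""
    return {k: (gw[k], client[k]) for k in sorted(gw.keys() & client.keys()) if gw[k] != client[k]}

def legacy_choices(side):
    """Names of settings on one side whose value is in the LEGACY table."""
    return sorted(k for k, old in LEGACY.items() if side.get(k) in old)
```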
 