
VPN between 2x 200r

pjsummerfield (Technical User, joined Apr 26, 2004, 2 messages, location GB)
I am trying to create a VPN between two 200Rs, but am having a problem, and would appreciate some help.

The setup is: both have static IPs, 81.xx.xx.xx and 80.xx.xx.xx.

UK: the 200R IP is set to 192.168.0.254 and all computers are using 192.168.0.1 - 100.

Spain: the router is 192.168.0.2 and sends all ports to the 200R. The LAN IP of the firewall is 192.168.1.1 and all the PCs are using 192.168.1.2 - 100.

I have tried to set up a dynamic key but I cannot get the VPN working. Should I set a static key?

What should the settings be to get the VPN working?

Many thanks
 
1st, make sure you have the alive indicator on both devices set to the IP address of something out on the web (I use Altavista's IP address). Symantec appliances are notorious for dropping connection if they can't get a regular ping response from something back through their wan port.

2nd, make sure your log settings are configured to give you the most information they can. Under "Expert Level" set the "Log Level" to "Debug Level" and save. Under "Log Settings" select every "Log Type" except "Detect Attack" and save. (Note: All "Detect Attack" does is clutter your log with warning messages whenever someone pings you.) I recommend you clear the logs between attempts to connect so you don't get confused by previous messages.

3rd, make sure all of the appropriate settings match between the two devices. I recommend:
"Aggressive Mode" for phase 1
"ESP 3DES MD5" for encryption and authentication
"480" for SA lifetime (the Symantec will never go longer than 480 without a re-key even if it is set for higher)
"100000" for data volume limit
"6" for inactivity timeout (setting a short limit for this appears to make the appliance reconnect more quickly if a connection is lost)
"IP Address" for Local Security Gateway ID Type
Blank for Local Phase 1 ID
The public IP address of the destination appliance for the Remote Gateway Address
"IP Address" for the Remote ID Type
Make sure Phase 1 ID and Key match for both appliances, and make sure your key is at least 20 characters long.
Use "NetBIOS" for the tunnel if you prefer, but I don't recommend global tunneling.
Make sure you use the correct starting address and netmask for the remote subnets.

4th, if an attempt to VPN fails you will need to reset the VPN on both ends to get it to reattempt (after making any needed corrections to the settings). You can do this either by powering the appliances down and back up, or by disabling and then re-enabling the broken VPN connection.
 
Thanks,

I think I have a problem with the correct starting address and netmask. From Spain the router is set to 192.168.0.2 and the WAN is set to 192.168.0.5, but when I try and put 192.168.0.0 in the remote I get a range conflict in Destination Network 1.

But I have to put 192.168.0.0 because the UK is using this range, i.e. all computers are running 192.168.0.1 - 100.

Is this my problem? Should I change the UK to something else, i.e. 192.168.2.0 - 100?

Thanks
 
I am now getting the following error in the UK:-

04/27/2004 11:23:54.15 Harrow - responding to Aggressive Mode
04/27/2004 11:23:54.15 Harrow - ERR: no suitable connection for peer '192.168.0.5'
04/27/2004 11:23:54.15 Harrow - STATE_AGGR_R1: INVALID_ID_INFORMATION
04/27/2004 11:23:54.15 Harrow - state transition function for STATE_AGGR_R0 failed: INVALID_ID_INFORMATION
04/27/2004 11:23:54.15 Harrow - Sending ISAKMP OAK INFO (Notification IKE SA)
04/27/2004 11:23:54.15 Harrow - Terminating connection

and the following in Spain:-

xx.137.48.xxx "Spain" #27
04/27/2004 11:23:54.29 - ERR:size (300) differs from size specified in ISAKMP HDR (40)
04/27/2004 11:23:54.29 Spain - !!!: handling event EVENT_RETRANSMIT for 192.168.0.5 "Spain" #29
04/27/2004 11:23:56.29 Spain - !!!: handling event EVENT_RETRANSMIT for 192.168.0.5 "Spain" #28

192.168.0.5 is the WAN port

Any suggestions?

Thanks

Paul
 
The range conflict in the destination network means that you have a remote subnet (possibly for another VPN connection) that has IP addresses in that same range. You need to change to a different subnet on the remote end so that you don't get the range conflict.

Note: It is also possible to get this error if the VPN appliance memory has been corrupted. If you don't have any other subnets that are causing the conflict you need to clear out the VPN memory by doing a fresh firmware upload to the device using the latest "ALL" firmware set from Symantec's website. (The corrupt memory will not be cleared out with an "APP" firmware set)

About your error log messages, you said your WAN is set to 192.168.0.5. That is not a public IP address, so I assume your internet router is converting traffic to the private net. Your local Phase 1 IDs and Gateway Addresses need to be set to the public IP addresses (or DDNS domain names) for the respective ends of the VPN, in order for the VPN traffic to be able to reach the appropriate destination.
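The settings checklist in the first reply (matching mode and proposal, SA lifetime capped at 480, key of at least 20 characters, correct remote subnet) and the two failure modes diagnosed in this last reply (a remote subnet that overlaps a locally attached range, and a private address used as the Phase 1 ID behind a NAT router) can both be caught before the tunnel is ever brought up. The following is an added example, not code from the thread or from Symantec: a small Python pre-flight check that audits both ends' settings for exactly those problems. The field names, the `appliance()` constructor, and the sample addresses are assumptions constructed for the example; the public addresses are documentation-range placeholders, not the sites' real ones. The "broken" pair reproduces the layout described in the thread, and the "fixed" pair applies the advice given above.

```python
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (appliance name, finding code, detail)

MAX_SA_LIFETIME = 480   # minutes; the thread reports the appliance re-keys at 480 regardless
MIN_PSK_LENGTH = 20     # minimum pre-shared key length recommended in the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address is in a private (RFC 1918) range and so unusable as a Phase 1 ID.
    Checked explicitly rather than via ip_address().is_private, which also flags the
    documentation ranges used as placeholders below."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in RFC1918)


def appliance(name, gateway_id, lan, wan, remote_gateway, remote_subnet,
              sa_lifetime=480, psk="", mode="Aggressive", proposal="ESP 3DES MD5") -> Dict:
    """Builds one appliance's VPN settings as a plain dict (hypothetical field names)."""
    return dict(name=name, local_gateway_id=gateway_id, lan_subnet=lan, wan_subnet=wan,
                remote_gateway=remote_gateway, remote_subnet=remote_subnet,
                sa_lifetime=sa_lifetime, preshared_key=psk, phase1_mode=mode, proposal=proposal)


def check_side(cfg: Dict) -> List[Finding]:
    """Checks one appliance in isolation: ID routability, range conflict, lifetime, key length."""
    name, out = cfg["name"], []
    if is_rfc1918(cfg["local_gateway_id"]):
        out.append((name, "PRIVATE_GATEWAY_ID",
                    f"Phase 1 ID {cfg['local_gateway_id']} is private; the peer cannot match it"))
    remote = ipaddress.ip_network(cfg["remote_subnet"])
    # A remote subnet overlapping the LAN or the WAN-side network is the "range conflict".
    for label in ("lan_subnet", "wan_subnet"):
        if remote.overlaps(ipaddress.ip_network(cfg[label])):
            out.append((name, "SUBNET_OVERLAP",
                        f"remote {remote} overlaps {label} {cfg[label]} (range conflict)"))
    if cfg["sa_lifetime"] > MAX_SA_LIFETIME:
        out.append((name, "SA_LIFETIME_TOO_LONG",
                    f"{cfg['sa_lifetime']} > {MAX_SA_LIFETIME}; appliance re-keys at 480 anyway"))
    if len(cfg["preshared_key"]) < MIN_PSK_LENGTH:
        out.append((name, "PSK_TOO_SHORT", f"key shorter than {MIN_PSK_LENGTH} characters"))
    return out


def check_pair(a: Dict, b: Dict) -> List[Finding]:
    """Checks that the two ends describe each other consistently and share matching settings."""
    out = []
    for x, y in ((a, b), (b, a)):
        if x["remote_gateway"] != y["local_gateway_id"]:
            out.append((x["name"], "PEER_GATEWAY_MISMATCH",
                        f"expects peer {x['remote_gateway']} but peer identifies as {y['local_gateway_id']}"))
        if ipaddress.ip_network(x["remote_subnet"]) != ipaddress.ip_network(y["lan_subnet"]):
            out.append((x["name"], "PEER_SUBNET_MISMATCH",
                        f"remote subnet {x['remote_subnet']} is not the peer's LAN {y['lan_subnet']}"))
    for field, code in (("phase1_mode", "MODE_MISMATCH"), ("proposal", "PROPOSAL_MISMATCH"),
                        ("preshared_key", "PSK_MISMATCH")):
        if a[field] != b[field]:
            out.append(("both", code, f"{field} differs between the two appliances"))
    return out


def audit_tunnel(a: Dict, b: Dict) -> List[Finding]:
    return check_side(a) + check_side(b) + check_pair(a, b)


def codes(findings: List[Finding]) -> List[str]:
    """Distinct finding codes, sorted, for a quick summary."""
    return sorted({code for _, code, _ in findings})


# Constructed sample: the thread's broken layout. Public addresses are documentation-range
# placeholders (203.0.113.10 for the UK, 198.51.100.20 for Spain), not the real ones.
HARROW_BROKEN = appliance("Harrow", "203.0.113.10", "192.168.0.0/24", "203.0.113.8/30",
                          remote_gateway="198.51.100.20", remote_subnet="192.168.1.0/24",
                          psk="short-key")
SPAIN_BROKEN = appliance("Spain", "192.168.0.5", "192.168.1.0/24", "192.168.0.0/24",
                         remote_gateway="203.0.113.10", remote_subnet="192.168.0.0/24",
                         sa_lifetime=1440, psk="short-key")

# Same two sites after the thread's advice: UK LAN renumbered to 192.168.2.0/24, Spain's
# Phase 1 ID set to the router's public address, lifetime and key length brought into line.
HARROW_FIXED = appliance("Harrow", "203.0.113.10", "192.168.2.0/24", "203.0.113.8/30",
                         remote_gateway="198.51.100.20", remote_subnet="192.168.1.0/24",
                         psk="a-much-longer-shared-secret-2004")
SPAIN_FIXED = appliance("Spain", "198.51.100.20", "192.168.1.0/24", "192.168.0.0/24",
                        remote_gateway="203.0.113.10", remote_subnet="192.168.2.0/24",
                        psk="a-much-longer-shared-secret-2004")

if __name__ == "__main__":
    for label, pair in (("broken", (HARROW_BROKEN, SPAIN_BROKEN)),
                        ("fixed", (HARROW_FIXED, SPAIN_FIXED))):
        print(f"== {label} ==")
        for name, code, detail in audit_tunnel(*pair):
            print(f"{name:7} {code:22} {detail}")
```

Run stand-alone it lists the five problems in the broken pair (Spain's private Phase 1 ID, the UK end expecting a different peer ID, the 192.168.0.0/24 range conflict on Spain's WAN side, Spain's over-long SA lifetime, and the short key on both ends) and nothing for the fixed pair. The WAN-side network is included in the overlap check because in the thread the conflict comes from the Spanish appliance's WAN sitting in 192.168.0.0/24 behind the router, not from its LAN.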
 