Help with gateway-to-gateway VPN tunnel

(OP)
Hello,

I'm trying to set up a VPN tunnel between my home network and a friend's home network. My friend uses a 3Com OfficeConnect Secure Router, which supports up to 2 VPN tunnels, and I'm using a NETGEAR ProSafe VPN Wireless ADSL Gateway DGFV338 which supports a large number of VPN tunnels. I'm unable to get the VPN tunnel to work, and I was hoping I could get some help with this.
When we try to manually open the tunnel from my friend's side, the following is logged in the router:

Nov 24 14:58:49 localhost kernel: IKE: IKE --Start Phase 1 negotiation with peer x.x.74.185
Nov 24 14:58:49 localhost kernel: IKE: IKE -- RemoteGateway ID: IPV4_ADDR--x.x.74.185 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Protocol -- PROTO_ISAKMP
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Transform -- KEY_IKE
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Encryption -- TRIPLEDES_CBC
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Hash -- SHA_HASH
Nov 24 14:58:49 localhost kernel: IKE: IKE -- My ID: IPV4_ADDR--x.x.188.224 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- Authentication -- PRESHARED_KEY
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeType -- SECONDS
Nov 24 14:58:49 localhost kernel: IKE: IKE -- LifeDuration -- 3600
Nov 24 14:58:49 localhost kernel: IKE: IKE -- GroupDescription -- MODP_1024
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode Exchange Selected
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode -- initiator sent out message1 to x.x.74.185, port 500->500.
Nov 24 14:58:29 localhost kernel: IKE: IKE --PHASE1_NEGOTIATION_ABORT -- peer x.x.74.185
The following is logged on my side in the router during this:

2007-11-24 14:58:48: ERROR:  Could not find configuration for x.x.188.224[45290]
2007-11-24 14:58:58: ERROR:  Could not find configuration for x.x.188.224[45290]
2007-11-24 14:59:08: ERROR:  Could not find configuration for x.x.188.224[45290]
2007-11-24 14:59:18: ERROR:  Could not find configuration for x.x.188.224[45290]
When we try to manually open the tunnel from my side, the following is logged in the router:

2007-11-24 15:07:51: INFO:  accept a request to establish IKE-SA: x.x.188.224
2007-11-24 15:07:51: INFO:  Configuration found for x.x.188.224.
2007-11-24 15:07:51: INFO:  Initiating new phase 1 negotiation: x.x.74.185[500]<=>x.x.188.224[500]
2007-11-24 15:07:51: INFO:  Beginning Identity Protection mode.
2007-11-24 15:08:22: ERROR:  Invalid SA protocol type: 0
2007-11-24 15:08:22: ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2007-11-24 15:08:51: ERROR:  Phase 1 negotiation failed due to time up for x.x.188.224[500]. 157f5d92b4e88b51:0000000000000000

The 3Com router at my friend's side does not seem to be logging anything at all during this (and it's set up to be logging everything).

This is the configuration on the 3Com router:
http://www.shadowheart.se/misc/vpn/3com-ipsec-config.GIF
http://www.shadowheart.se/misc/vpn/3com-vpn-tunnel-config.GIF

This is the configuration on the Netgear router:
http://www.shadowheart.se/misc/vpn/netgear-ike-policy.GIF
http://www.shadowheart.se/misc/vpn/netgear-vpn-policy.GIF

The Netgear does have far more settings than the 3Com...

Thanks in advance for any help!

RE: Help with gateway-to-gateway VPN tunnel

Sounds like they can't agree on the settings (SAs) or a firewall is blocking them from seeing the pre-shared keys. They are the same in both devices, right? They are using the same encryption, right? Same SAs?

Burt

RE: Help with gateway-to-gateway VPN tunnel

Don't know much about this, but I seem to remember that on some routers (Netgear, I think), if you are using 'Diffie-Hellman', then you should be using Aggressive mode rather than Main mode for the key exchange. Like I say, just a hunch.

JP

RE: Help with gateway-to-gateway VPN tunnel

(OP)
burtsbees: Yes, the pre-shared key is the same on both sides (I have double checked this). The encryptions should also match. You can look at the provided screenshots if you want.

piperent: Thanks for the tip, I'll try that.

Also, the routers ARE firewalls. Any firewall/router/gateway/whatever between mine and my friend's router belongs to an ISP and is outside of our control.

RE: Help with gateway-to-gateway VPN tunnel

I meant software firewalls. Looks like you have an ethernet handoff from the ISP?
The screenshots do not show your preshared keys (for obvious reasons), but if they match...
If it can't even get past IKE phase one, you may actually have better luck trying aggressive mode, which combines IKE phase 1 and 2. There are not enough viewable settings in those screenshots to see what exactly may be going on...do you have an option for D-H group 5?

Burt

RE: Help with gateway-to-gateway VPN tunnel

Also, you may want to try a protocol analyzer to see what is and is not getting through. If they each agree on encryption types and keys, then that's IKE 1 and 2...since it terminates before getting to IKE 2 (seemingly because one can't see the other's settings, which is why I suggested firewall), then try the same manufacturer for both ends.

Burt

RE: Help with gateway-to-gateway VPN tunnel

(OP)
"Looks like you have an ethernet handoff from the ISP?"

I'm sorry, but what do you mean by handoff?

My router is connected directly to the wall with an Ethernet cable, and the same goes for my friend's router. Both ISPs use DHCP (mine allows for a static IP for an extra small amount per month if you want it - but I haven't applied for that, yet anyway).

"There are not enough viewable settings in those screenshots to see what exactly may be going on...do you have an option for D-H group 5?"

Unfortunately, those are all the possible settings for VPN on the two routers. And yes, I can choose from D-H Group 1, 2 and 5 on both ends.

"Also, you may want to try a protocol analyzer to see what is and is not getting through"

How would I go about doing this? I assume you mean plugging in some kind of adapter between my router and the wall?

I haven't been able to test aggressive mode yet, but I will get back when I have.

RE: Help with gateway-to-gateway VPN tunnel

No---a protocol analyzer is software that captures all packets travelling in and out of the interface on your computer. Ethereal is a freeware one, so you can download it.
An ethernet handoff is a connection to the internet through some special equipment that terminates on your router so that you don't have to have any special interface (like T1, ATM, etc.). Is this ADSL then? If so, you may want to sell those things on eBay and get yourself a Cisco 837 for each of you. Of course, I am a Cisco man, so naturally I would suggest that...lol
I would also suggest trying Diffie-Hellman group 5 on both appliances, if aggressive mode does not take care of it.
One thing I forgot---some ISPs block VPN traffic, and come to think of it, that is a very likely scenario in this situation---the appliances can't negotiate on IKE phase one, so one can't read the other's settings---I would bet the ISP is blocking the IPSec traffic.

Burt
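The two log excerpts in the original post carry more diagnostic information than the thread draws out, and it bears on the firewall/ISP-blocking point raised just above. The Python script below is an added example, not from the thread or from either vendor: it parses the 3Com initiator lines and the Netgear responder lines as posted and reports two findings. First, the 3Com says it sent Main mode message 1 from UDP port 500, yet the Netgear logged the same attempt arriving from x.x.188.224[45290]; an IKE source port other than 500 (or 4500 for NAT-Traversal) means a device between the two gateways is translating ports, and the responder cannot match its tunnel policy to an endpoint it was not configured for, which is what "Could not find configuration" reports. Second, when the Netgear initiates, its phase 1 timeout line ends with an ISAKMP responder cookie of all zeros, meaning no reply was ever received; that fits the 3Com logging nothing and supports the suggestion that UDP 500 is dropped somewhere on the path. The log lines are copied from the posts above; the regular expressions are my assumptions about these two vendors' message formats and nothing else is inferred.

```python
import re

# Log excerpts copied from the thread. The 3Com is the initiator in the first attempt;
# the Netgear (racoon-style messages) is the responder there and initiates itself later.
# A number in [...] after an address is a UDP port.
INITIATOR_LOG = """\
Nov 24 14:58:49 localhost kernel: IKE: IKE --Start Phase 1 negotiation with peer x.x.74.185
Nov 24 14:58:49 localhost kernel: IKE: IKE -- My ID: IPV4_ADDR--x.x.188.224 PresharedKey:***
Nov 24 14:58:49 localhost kernel: IKE: IKE -- MainMode -- initiator sent out message1 to x.x.74.185, port 500->500.
Nov 24 14:58:29 localhost kernel: IKE: IKE --PHASE1_NEGOTIATION_ABORT -- peer x.x.74.185
"""

RESPONDER_LOG = """\
2007-11-24 14:58:48: ERROR:  Could not find configuration for x.x.188.224[45290]
2007-11-24 14:58:58: ERROR:  Could not find configuration for x.x.188.224[45290]
2007-11-24 15:07:51: INFO:  Initiating new phase 1 negotiation: x.x.74.185[500]<=>x.x.188.224[500]
2007-11-24 15:08:51: ERROR:  Phase 1 negotiation failed due to time up for x.x.188.224[500]. 157f5d92b4e88b51:0000000000000000
"""

IKE_PORTS = {500, 4500}  # ISAKMP, and IKE NAT-Traversal

# Patterns are assumptions fitted to the two message formats seen in the thread.
MYID_RE = re.compile(r"My ID: IPV4_ADDR--(?P<addr>[\w.]+)")
SENT_RE = re.compile(r"sent out message1 to (?P<peer>[\w.]+), port (?P<src>\d+)->(?P<dst>\d+)")
NOCONF_RE = re.compile(r"Could not find configuration for (?P<peer>[\w.]+)\[(?P<port>\d+)\]")
TIMEOUT_RE = re.compile(
    r"Phase 1 negotiation failed due to time up for (?P<peer>[\w.]+)\[(?P<port>\d+)\]\. "
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})")


def claimed_source_port(initiator_log):
    """(own address, UDP source port) the initiator says it used for Main mode message 1."""
    addr = port = None
    for line in initiator_log.splitlines():
        if m := MYID_RE.search(line):
            addr = m["addr"]
        if m := SENT_RE.search(line):
            port = int(m["src"])
    return addr, port


def seen_source_ports(responder_log):
    """Peer address -> set of UDP source ports the responder rejected with 'no configuration'."""
    seen = {}
    for line in responder_log.splitlines():
        if m := NOCONF_RE.search(line):
            seen.setdefault(m["peer"], set()).add(int(m["port"]))
    return seen


def unanswered_phase1(responder_log):
    """Peers whose phase 1 timed out with an all-zero responder cookie: no reply ever arrived."""
    peers = []
    for line in responder_log.splitlines():
        if (m := TIMEOUT_RE.search(line)) and set(m["rcookie"]) == {"0"}:
            peers.append(m["peer"])
    return peers


def diagnose(initiator_log, responder_log):
    """Correlate both sides and return a list of (code, peer, detail) findings."""
    findings = []
    initiator, claimed = claimed_source_port(initiator_log)
    for peer, ports in seen_source_ports(responder_log).items():
        for port in sorted(ports):
            if port not in IKE_PORTS:
                detail = f"IKE from {peer} arrived from UDP {port}"
                if peer == initiator and claimed in IKE_PORTS:
                    detail += f" although the initiator sent from UDP {claimed}"
                detail += (": a device in the path is rewriting the source port (NAT), "
                           "so the responder cannot match its tunnel policy")
                findings.append(("source_port_rewritten", peer, detail))
    for peer in unanswered_phase1(responder_log):
        findings.append(("phase1_unanswered", peer,
                         f"message 1 to {peer} never got a reply: UDP 500 is dropped before "
                         "it reaches that gateway, or the gateway is not listening on that address"))
    return findings


if __name__ == "__main__":
    for code, peer, detail in diagnose(INITIATOR_LOG, RESPONDER_LOG):
        print(f"{code:22} {peer:14} {detail}")
```

Run as-is it prints the two findings; paste other excerpts into the two string constants to check another pair of gateways. As a general point not taken from the thread: when the translating device cannot be removed, NAT-Traversal (encapsulating IKE and ESP in UDP 4500) is the standard remedy, provided both gateways support it.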

RE: Help with gateway-to-gateway VPN tunnel

One more thing---www.dyndns.org will help you (for free) to map your dynamic IP address, no matter what it is at any given time, to a static DNS name, so that you don't have to constantly change settings because of your IP address changing all the time. You can register up to 5 names with them for free!

Burt

RE: Help with gateway-to-gateway VPN tunnel

(OP)
I'm actually familiar with Ethereal (just not the term protocol analyzer), but well, how would it help me if the routers can't get the tunnel up in the first place? It's not like my personal computer is involved in the negotiation.

It's not ADSL - it's like I said, an Ethernet cable plugged directly into the wall. All apartments in this building are prepared with Ethernet wall plugs. No modems or other special equipment needed. It's fairly common here in Sweden, especially when building new apartments.

Thanks for the tip with DH group 5, I will try that. As for the ISP blocking VPN traffic, I'll look into that as well.
