mikelupo | 20 May 02:29 2010

Not passing SA traffic from VPN to Client.


Hi,

VPN = Netgear FVS318G. Shrew Client v 2.1.6 running on Windows XP SP3.
Does this log output scream anything that I've done incorrectly? This was previously working with no changes made to either client or VPN Router. I'm a bit baffled.

VPN Trace:
The SP tab looks good. The SA tab shows traffic from client to router but there's 0 bytes from Router to Client.
The IP address of the Remote LAN is 192.168.1.1/255.255.255.0. The Mode config DHCP range is in the 192.168.2.x subnet 255.255.255.0.
The Local LAN is 10.0.0.x/255.255.255.0 subnet.

The VPN log output:
                - Last output repeated 2 times -
2010 May 19 20:14:01 [FVS318g] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2010 May 19 20:14:01 [FVS318g] [IKE] Purged IPsec-SA with proto_id=ESP and spi=2557767751(0x98747047)._
2010 May 19 20:14:01 [FVS318g] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=4ffe558a9287ad0d:57a38005c87b2bca._
2010 May 19 20:14:02 [FVS318g] [IKE] ISAKMP-SA deleted for 66.30.154.165[4500]-98.216.225.129[4500] with spi:4ffe558a9287ad0d:57a38005c87b2bca_
2010 May 19 20:14:03 [FVS318g] [IKE] 192.168.2.50 IP address has been released by remote peer._
2010 May 19 20:14:08 [FVS318g] [IKE] Remote configuration for identifier "client.domain.com" found_
2010 May 19 20:14:08 [FVS318g] [IKE] Received request for new phase 1 negotiation: 66.30.154.165[500]<=>98.216.225.129[500]_
2010 May 19 20:14:08 [FVS318g] [IKE] Beginning Aggressive mode._
2010 May 19 20:14:08 [FVS318g] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2010 May 19 20:14:08 [FVS318g] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2010 May 19 20:14:08 [FVS318g] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2010 May 19 20:14:08 [FVS318g] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2010 May 19 20:14:08 [FVS318g] [IKE] Received Vendor ID: DPD_
2010 May 19 20:14:08 [FVS318g] [IKE] Received unknown Vendor ID_
                - Last output repeated 2 times -
2010 May 19 20:14:08 [FVS318g] [IKE] Received Vendor ID: CISCO-UNITY_
2010 May 19 20:14:08 [FVS318g] [IKE] For 98.216.225.129[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2010 May 19 20:14:09 [FVS318g] [IKE] Floating ports for NAT-T with peer 98.216.225.129[4500]_
2010 May 19 20:14:09 [FVS318g] [IKE] NAT-D payload does not match for 66.30.154.165[4500]_
2010 May 19 20:14:09 [FVS318g] [IKE] NAT-D payload does not match for 98.216.225.129[4500]_
2010 May 19 20:14:10 [FVS318g] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2010 May 19 20:14:10 [FVS318g] [IKE] Sending Xauth request to 98.216.225.129[4500]_
2010 May 19 20:14:10 [FVS318g] [IKE] ISAKMP-SA established for 66.30.154.165[4500]-98.216.225.129[4500] with spi:cdff094ce5ec83fd:b37ec0139449df85_
2010 May 19 20:14:10 [FVS318g] [IKE] purging spi=50156922._
2010 May 19 20:14:10 [FVS318g] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 98.216.225.129[4500]_
2010 May 19 20:14:10 [FVS318g] [IKE] Login succeeded for user "necb"_
2010 May 19 20:14:10 [FVS318g] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from 98.216.225.129[4500]_
2010 May 19 20:14:10 [FVS318g] [IKE] 192.168.2.50 IP address is assigned to remote peer 98.216.225.129[4500]_
2010 May 19 20:14:10 [FVS318g] [IKE] Ignored attribute 5_
2010 May 19 20:14:16 [FVS318g] [IKE] Responding to new phase 2 negotiation: 66.30.154.165[0]<=>98.216.225.129[0]_
2010 May 19 20:14:16 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.1.0/24<->192.168.2.0/24_
2010 May 19 20:14:17 [FVS318g] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2010 May 19 20:14:17 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 98.216.225.129->66.30.154.165 with spi=1265547(0x134f8b)_
2010 May 19 20:14:17 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 66.30.154.165->98.216.225.129 with spi=3340201975(0xc7176ff7)_
2010 May 19 20:14:25 [FVS318g] [IKE] Sending Informational Exchange: notify payload[10637]_

Thanks in advance,
Mike
_______________________________________________
vpn-help mailing list
vpn-help@...
http://lists.shrew.net/mailman/listinfo/vpn-help
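Added example, not code from the original post or from Shrew Soft: a small parser that walks the FVS318G [IKE] lines above, pulls out the phase 1, NAT-T, Xauth, mode-config and phase 2 facts, and runs the sanity checks a practitioner would do by hand (ISAKMP SA established, NAT-T selected when NAT was detected, the assigned client address falls inside the phase 2 selector, an ESP SA exists in each direction). The sample input is copied from the post and trimmed. Two assumptions: the router prints the phase 1 peers as local[port]<=>remote[port] with the gateway first, and the trailing `_` on every line is logging noise to be stripped.

```python
"""Summarise an IKEv1 negotiation from Netgear FVS318G (racoon-style) syslog.

Added example, not from the original post or from Shrew Soft. Assumes the
phase 1 line lists the gateway before the client and that a trailing '_'
on each line is log noise. SAMPLE_LOG is copied from the post, trimmed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \[(?P<host>[^\]]+)\] "
    r"\[(?P<sub>[^\]]+)\] (?P<msg>.*?)_*$"
)
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]")
ESP_RE = re.compile(r"ESP/\w+ ([\d.]+)->([\d.]+) with spi=\d+\((0x[0-9a-f]+)\)")

SAMPLE_LOG = """\
2010 May 19 20:14:08 [FVS318g] [IKE] Received request for new phase 1 negotiation: 66.30.154.165[500]<=>98.216.225.129[500]_
2010 May 19 20:14:08 [FVS318g] [IKE] Beginning Aggressive mode._
2010 May 19 20:14:08 [FVS318g] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2010 May 19 20:14:08 [FVS318g] [IKE] For 98.216.225.129[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2010 May 19 20:14:10 [FVS318g] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2010 May 19 20:14:10 [FVS318g] [IKE] ISAKMP-SA established for 66.30.154.165[4500]-98.216.225.129[4500] with spi:cdff094ce5ec83fd:b37ec0139449df85_
2010 May 19 20:14:10 [FVS318g] [IKE] Login succeeded for user "necb"_
2010 May 19 20:14:10 [FVS318g] [IKE] 192.168.2.50 IP address is assigned to remote peer 98.216.225.129[4500]_
                - Last output repeated 2 times -
2010 May 19 20:14:16 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.1.0/24<->192.168.2.0/24_
2010 May 19 20:14:17 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 98.216.225.129->66.30.154.165 with spi=1265547(0x134f8b)_
2010 May 19 20:14:17 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 66.30.154.165->98.216.225.129 with spi=3340201975(0xc7176ff7)_
"""


@dataclass
class IkeSummary:
    local_ip: Optional[str] = None        # gateway writing the log
    remote_ip: Optional[str] = None       # road-warrior client
    phase1_mode: Optional[str] = None
    nat_t_version: Optional[str] = None
    nat_detected: bool = False
    isakmp_spi: Optional[str] = None
    xauth_user: Optional[str] = None
    assigned_addr: Optional[str] = None   # mode-config virtual address
    selectors: Optional[Tuple[str, str]] = None  # (gateway net, client net)
    esp_sas: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, dst, spi)


def parse_ike_log(text: str) -> IkeSummary:
    s = IkeSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sub") != "IKE":
            continue  # drops '- Last output repeated -' and non-IKE lines
        msg = m.group("msg")
        if msg.startswith("Received request for new phase 1 negotiation:"):
            peers = PEER_RE.findall(msg)  # assumed order: local[port]<=>remote[port]
            if len(peers) == 2:
                s.local_ip, s.remote_ip = peers[0][0], peers[1][0]
        elif msg.startswith("Beginning ") and msg.endswith(" mode."):
            s.phase1_mode = msg[len("Beginning "):-len(" mode.")]
        elif "Selected NAT-T version:" in msg:
            s.nat_t_version = msg.split("Selected NAT-T version:", 1)[1].strip()
        elif msg.startswith("NAT detected"):
            s.nat_detected = True
        elif msg.startswith("ISAKMP-SA established"):
            s.isakmp_spi = msg.split("spi:", 1)[1]
        elif msg.startswith("Login succeeded for user"):
            s.xauth_user = msg.split('"')[1]
        elif "IP address is assigned to remote peer" in msg:
            s.assigned_addr = msg.split()[0]
        elif msg.startswith("Using IPsec SA configuration:"):
            gw_net, client_net = msg.split(":", 1)[1].strip().split("<->")
            s.selectors = (gw_net, client_net)
        elif msg.startswith("IPsec-SA established"):
            mm = ESP_RE.search(msg)
            if mm:
                s.esp_sas.append(mm.groups())
    return s


def check_summary(s: IkeSummary) -> List[str]:
    """Return findings; an empty list means the negotiation itself completed."""
    findings = []
    if s.isakmp_spi is None:
        findings.append("no ISAKMP-SA established")
    if s.nat_detected and s.nat_t_version is None:
        findings.append("NAT detected but no NAT-T version selected")
    if s.selectors and s.assigned_addr:
        client_net = ipaddress.ip_network(s.selectors[1])
        if ipaddress.ip_address(s.assigned_addr) not in client_net:
            findings.append(f"assigned {s.assigned_addr} outside phase-2 selector {client_net}")
    # an ESP SA whose destination is the gateway carries client->gateway traffic
    have = {("in" if dst == s.local_ip else "out") for _, dst, _ in s.esp_sas}
    if "in" not in have:
        findings.append("no inbound ESP SA (client->gateway)")
    if "out" not in have:
        findings.append("no outbound ESP SA (gateway->client)")
    return findings


if __name__ == "__main__":
    summary = parse_ike_log(SAMPLE_LOG)
    print(summary)
    print("findings:", check_summary(summary) or "none")
```

On the posted log every check passes: aggressive mode with Xauth, NAT-T draft-02 floated to UDP 4500, client given 192.168.2.50 inside the 192.168.2.0/24 selector, and an ESP SA in each direction. That is worth establishing before chasing anything else, because it means the "0 bytes from router to client" counter is a data-path problem that this IKE log cannot show; packets can be dropped or intercepted after the SA exists without the router ever logging it.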
kevin shrew-vpn | 20 May 03:34 2010

Re: Not passing SA traffic from VPN to Client.

On Wed, 19 May 2010 20:29:08 -0400
mikelupo@... wrote:

>  Hi,
> 
> VPN = Netgear FVS318G. Shrew Client v 2.1.6 running on Windows XP SP3.
> Does this log output scream anything that I've done incorrectly? This
> was previously working with no changes made to either client or VPN
> Router. I'm a bit baffled.
> 
> VPN Trace:
> The SP tab looks good. The SA tab shows traffic from client to router
> but there's 0 bytes from Router to Client. The IP address of the
> Remote LAN is 192.168.1.1/255.255.255.0. The Mode config DHCP range
> is in the 192.168.2.x subnet 255.255.255.0. The Local LAN is
> 10.0.0.x/255.255.255.0 subnet.
> 

This is a shot in the dark, but I saw something like that (bytes out,
but no bytes in) in a situation where the Shrew VPN was running in an
XP guest VMware VM (bridged networking) and the host OS (Vista) had
another VPN client installed. It seemed like the VPN shim for the host
OS was intercepting the IPsec packets destined for the guest OS. As
soon as I removed the VPN client from the host, Shrew started to work
in the guest.
