SnapGear SG300 Setup VPN to work with TheGreenBow Client

Thread: SnapGear SG300 Setup VPN to work with TheGreenBow Client

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    138

    SnapGear SG300 Setup VPN to work with TheGreenBow Client

    Hi

    I have got this scenario: an ADSL modem/Netgear router whose LAN IP address is 192.168.1.1, with one of its LAN ports connected to the WAN port of the SnapGear SG300 (192.168.1.2).

    http://www.snapgear.com/index.cfm?skey=1556

    LAN ip address for SnapGear SG300 is 192.168.0.1

    I tried hard to find any online documentation; the only site that I found is below:

    http://quark.humbug.org.au/publicati.../msg00038.html


    I did my best to configure IPsec for the SnapGear SG300 as below (I could not figure out where my mistake is):

    1- Tunnel settings
    http://img196.imageshack.us/i/tunnelsettings.jpg/


    2- Local Endpoint settings

    http://img269.imageshack.us/i/locale...tsettings.jpg/

    3- Remote Endpoint Settings
    http://img689.imageshack.us/i/remote...tsettings.jpg/


    4- Phase 1 Settings
    http://img691.imageshack.us/i/phase1settings.jpg/


    5- Phase 2 Settings
    http://img4.imageshack.us/i/phase2settings.jpg/



    I used TheGreenBow VPN client utility; my configuration is as below:

    1- Phase1advanced
    http://img33.imageshack.us/i/phase1advanced.jpg/


    2- Phase1 Authentication
    http://img269.imageshack.us/i/phase1authentication.jpg/


    3- Phase 2
    http://img269.imageshack.us/i/phase2b.jpg/


    By looking at those snapshots, I would appreciate any hint or tip on where I misconfigured.

    Thanks
    Last edited by zillah; November 17th, 2009 at 04:54 AM.

  2. #2
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    You haven't described what the actual problem is... I assume the VPN tunnel is not connecting.

    Is the modem or the snapgear doing the authentication with the ISP? Have you rebooted the snapgear after configuring?

    I recall doing MANY VPNs with snapgear, and I never had a problem with them. Although for all PPTP tunnels we used the same model snapgear on each end.

    What happens if you try to use an OS native VPN client? Windows built-in VPN client - does that work?

    Ensure the tunnel password meets security criteria, and do you get any kind of error message? Also, increase the timeout value to 120 and check the snapgear logs. They will indicate how far the VPN gets before it drops out, and will indicate the problem.


    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    You haven't described what the actual problem is... I assume the VPN tunnel is not connecting.
    Sorry about that. Yes, the VPN tunnel is not connecting.

    What happens if you try to use an OS native VPN client? Windows built-in VPN client - does that work?
    Yes, like a charm. I did configure the Windows built-in VPN client on site, then I tried to configure IPsec for the SG300 remotely via the Windows built-in VPN client.

    Is the modem or the snapgear doing the authentication with the ISP?
    I did not get what you meant by that.

    Have you rebooted the snapgear after configuring?
    No, I have not.

    Ensure the tunnel password meets security criteria,
    I do not remember having used a password in my configuration; let me check that again.

    Also, increase the timeout value to 120 and check the snapgear logs. They will indicate how far the VPN gets before it drops out, and will indicate the problem.
    I will try to post the log.


    I was not sure about the SG configuration. Did you check that? Did you find anything that might be wrong?

    Thanks

  4. #4
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    There doesn't seem to be any kind of problem with the snapgear tunnel, as you said that it works perfectly with the Windows VPN client (unless you meant the opposite).

    From what I gather in your posts, the problem seems to be with TheGreenBow VPN client, and since you may not have a password on the IPsec account this could be the problem. Many VPN clients require a password to connect, and a blank or null password will not work.

    Let me know how you go with the few tweaks and changes, and confirm that the VPN does work with Windows VPN client, as this will demonstrate the snapgear is configured correctly.


    CTO

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    There doesn't seem to be any kind of problem with the snapgear tunnel, as you said that it works perfectly with the Windows VPN client (unless you meant the opposite).
    Maybe I misunderstood in the first place. What I meant here is that I "configured and enabled Routing and Remote Access" on the Windows 2003 server which is sitting behind the SG300, then I enabled port forwarding (PPTP: 1723) on the SG300, and I configured an XP client to connect to the VPN server (Win2003). In that configuration I used the native Microsoft VPN.

    When you asked me ("What happens if you try to use an OS native VPN client? Windows built-in VPN client"), I thought you meant using the native Microsoft VPN, but you meant the "client" only.


    VPN clients require a password to connect, and a blank or null password will not work.
    I did not find such an option on the SG300 either.


    Let me know how you go with the few tweaks and changes,
    Log for SG300
    Nov 16 11:12:08 Pluto[1900]: packet from x.x.234.232:500: ignoring informational payload, type INVALID_ID_INFORMATION
    Nov 16 11:12:08 Pluto[1900]: packet from x.x.234.232:500: Notification: Pid=1 SPIsz=16 Type=18 Val=\3635\235\020lt\337\356\204Vt8\373\214}\003\012

    Log for TheGreenBow
    20091117 175708 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    Last edited by zillah; November 17th, 2009 at 07:04 AM.

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    What I did: I configured the ADSL router in bridge mode (modem only); now the WAN port of the SG300 has the public IP address x23.34x.6x.95 (unlike before).

    I tried to follow the instructions in the link below (because I have a similar scenario except for a different router: the document's router is an FVS318v3, mine is an SG300):

    http://www.scribd.com/doc/3800513/Ne...-Configuration

    The new snapshots for the SnapGear are below:

    1- Tunnel Settings
    ------------------
    For the "Remote Address" textbox there are only three options (Static IP address, Dynamic IP address and DNS hostname address), and we have to choose one of these three only. I chose "Dynamic IP address".

    http://img697.imageshack.us/i/tunnelsettings.jpg/



    2- Local Endpoint Settings
    ----------------------------
    http://img697.imageshack.us/i/localendpointsettings.jpg/



    3- Remote Endpoint Settings
    ----------------------------
    http://img248.imageshack.us/i/remoteenpointsettings.jpg/



    4- Phase1 Settings
    -------------------
    http://img248.imageshack.us/i/phase1settings.jpg/



    5- Phase2 Settings
    ---------------------
    http://img682.imageshack.us/i/phase2settings.jpg/



    6- Finish
    ----------
    http://img249.imageshack.us/i/finishu.jpg/



    I tried to match everything on "TheGreenBow = TGB" client to be the same as the router (SA, key, ID, etc.) but still the VPN does not get established; therefore I could not find useful information from the logs.

    Please see the snapshot for TheGreenBow VPN client on the laptop

    http://img81.imageshack.us/i/panoramatgb.jpg/


    Thanks
    Last edited by zillah; December 5th, 2009 at 08:27 PM.

  7. #7
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    therefore I could not find useful information from the logs
    Can you post the Snapgear logs? The information IS useful. If there is no relevant log information, then the connection is not being established at all, despite any other indications.

    Check also that the "log settings" include the required scope.

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    If there is no relevant log information, then the connection is not being established at all,
    Yes, there is no relevant log information for the VPN connection.

    Below is the only log that I can get from TheGreenBow VPN client:
    [VPNCONF] TGBIKESTART received
    20091211 081638 Default (SA PHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]

  9. #9
    Keeping The Balance CybertecOne's Avatar
    Join Date
    Aug 2004
    Location
    Australia
    Posts
    659
    SEND phase 1 Aggressive Mode
    It seems the application is sending the connection, but is not getting a reply. Considering that the snapgear is not showing any log information about an incoming connection, I would have to say (without inspecting the logs myself) that the VPN connection is not being established at all.

    The application is not successfully contacting the snapgear, or the snapgear is not successfully accepting/recognising the incoming connection.

    I think someone with some experience of TheGreenBow app will have an idea on what you can look for.

    Tunnel Settings Screenshot - have you defined the 'default gateway' elsewhere in the router? Try adjusting the 'keying' to an alternate setting.

    Local & Remote Endpoint Setting Screenshot - Try using an IP address instead of the snapgear hostname. Ensure the hostname is correct if you really don't want to use the IP addy (although I recommend using IP addressing only as it is one less potential problem). Internal and external IP respectively.

    According to the logs, the VPN connection is not progressing any further than this.

    Lastly, check the Snapgear capabilities as they may support PPTP VPN snapgear to snapgear only.

    Hope this helps.

    CTO

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    Hi CybertecOne

    Just to update you, there is progress: the problem was with the Avira Firewall that was installed on the laptop (that has TheGreenBow VPN Client).

    I did not know that the firewall was dropping the VPN connection.

    When I disabled the Avira firewall, the VPN was able to complete PHASE 1 successfully.

    But I am still trying to troubleshoot the error message in phase 2: "Wrong Remote Address"

    ((20091218 171957 Default Reinitializing IKE daemon
    20091218 171957 Default IKE daemon reinitialized
    20091218 171957 Default message_recv: invalid cookie(s) 864269453a1ae12d fd688423071558ba
    20091218 171957 Default dropped message from 134.256.66.195 due to notification type INVALID_COOKIE
    20091218 171957 Default (SA <unknown>) SEND Informational [NOTIFY] with INVALID_COOKIE error
    20091218 171958 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
    20091218 171959 Default (SA LMAPHASE1-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
    20091218 171959 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
    20091218 171959 Default phase 1 done: initiator id thegreenbow, responder id 134.256.66.195
    20091218 171959 Default (SA LMAPHASE1-LMAPHASE2-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
    20091218 171959 Default (SA LMAPHASE1-P1) RECV Informational [HASH] [NOTIFY] with INVALID_ID_INFORMATION error))
    Thanks
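
Added example (not part of the original thread, and not TheGreenBow or SnapGear code): a small Python triage script that reads client log lines in the format posted above and reports how far the IKEv1 negotiation got, which is the check the replies in this thread perform by eye. The function name `diagnose` and the stage labels are hypothetical, and the line format is assumed from the lines posted in the thread.

```python
import re

# TheGreenBow client log line: "YYYYMMDD HHMMSS Default <message>"
LINE = re.compile(r"^\(*\d{8} \d{6} Default (.*)$")
EXCHANGE = re.compile(r"\(SA \S+\) (SEND|RECV) (phase 1|phase 2|Informational)")
NOTIFY = re.compile(r"with (\w+) error")

def diagnose(log_text):
    """Return (stage, detail): how far the IKEv1 negotiation got."""
    p1_sent = p1_reply = p1_done = p2_sent = False
    peer_errors = []                      # notifications received from the gateway
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # e.g. "[VPNCONF] TGBIKESTART received"
        msg = m.group(1)
        p1_done |= msg.startswith("phase 1 done")
        ex = EXCHANGE.search(msg)
        if not ex:
            continue
        direction, kind = ex.groups()
        if kind == "phase 1":
            p1_sent |= direction == "SEND"
            p1_reply |= direction == "RECV"
        elif kind == "phase 2":
            p2_sent |= direction == "SEND"
        elif direction == "RECV" and NOTIFY.search(msg):
            peer_errors.append(NOTIFY.search(msg).group(1))
    if not p1_sent:
        return ("idle", "no phase 1 packet was sent")
    if not p1_reply:
        return ("phase1-no-reply", "check filtering of UDP 500 between client and gateway")
    if not p1_done:
        return ("phase1-failed", peer_errors[-1] if peer_errors else "no completion logged")
    if p2_sent and peer_errors:
        # Rejected Quick Mode [ID] payloads: compare phase 2 addresses/subnets on both ends
        return ("phase2-rejected", peer_errors[-1])
    return ("phase1-done", "phase 2 sent" if p2_sent else "phase 2 not started")

# Sample input: lines copied from the client logs posted in the thread (posts #8 and #10)
POST_8 = """[VPNCONF] TGBIKESTART received
20091211 081638 Default (SA PHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]"""
POST_10 = """((20091218 171957 Default Reinitializing IKE daemon
20091218 171958 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
20091218 171959 Default phase 1 done: initiator id thegreenbow, responder id 134.256.66.195
20091218 171959 Default (SA LMAPHASE1-LMAPHASE2-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV Informational [HASH] [NOTIFY] with INVALID_ID_INFORMATION error))"""
print(diagnose(POST_8), diagnose(POST_10))
```

The post #8 log stops at an unanswered phase 1 packet, which matches the local firewall drop found later; the post #10 log reaches phase 2 and is rejected there by the gateway.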
