-
November 17th, 2009, 04:28 AM
#1
Senior Member
SnapGear SG300 Setup VPN to work with TheGreenBow Client
Hi
I have got this scenario: ADSL modem Netgear router, its LAN IP address is 192.168.1.1, and one of its LAN ports is connected to the WAN port of the SnapGear SG300 (192.168.1.2)
http://www.snapgear.com/index.cfm?skey=1556
LAN ip address for SnapGear SG300 is 192.168.0.1
I tried hard to find any online documentation; the only site that I found is below
http://quark.humbug.org.au/publicati.../msg00038.html
I did my best to configure IPSec for the SnapGear SG300 as below (I could not figure out where my mistake is):
1- Tunnel settings
http://img196.imageshack.us/i/tunnelsettings.jpg/
2- Local Endpoint settings
http://img269.imageshack.us/i/locale...tsettings.jpg/
3- Remote Endpoint Settings
http://img689.imageshack.us/i/remote...tsettings.jpg/
4- Phase 1 Settings
http://img691.imageshack.us/i/phase1settings.jpg/
5- Phase 2 Settings
http://img4.imageshack.us/i/phase2settings.jpg/
I used TheGreenBow VPN client utility; my configuration is as below:
1- Phase1advanced
http://img33.imageshack.us/i/phase1advanced.jpg/
2- Phase1 Authentication
http://img269.imageshack.us/i/phase1authentication.jpg/
3- Phase 2
http://img269.imageshack.us/i/phase2b.jpg/
By looking at those snapshots, I would appreciate any hint or tip on where I misconfigured.
Thanks
Last edited by zillah; November 17th, 2009 at 05:54 AM.
-
November 17th, 2009, 05:04 AM
#2
You haven't described what the actual problem is.... I assume the VPN tunnel is not connecting.
Is the modem or the snapgear doing the authentication with the ISP? Have you rebooted the snapgear after configuring?
I recall doing MANY VPN's with snapgear, and I never had a problem with them. Although for all PTPP tunnels we used the same model snapgear on each end.
What happens if you try to use an OS native VPN client? Windows built-in VPN client - does that work?
Ensure the tunnel password meets security criteria, and do you get any kind of error message? Also, increase the timeout value to 120 and check the snapgear logs. They will indicate how far the VPN gets before it drops out, and will indicate the problem.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
November 17th, 2009, 05:21 AM
#3
Senior Member
You haven't described what the actual problem is.... I assume the VPN tunnel is not connecting.
Sorry about that. Yes, the VPN tunnel is not connecting.
What happens if you try to use an OS native VPN client? Windows built-in VPN client - does that work?
Yes, like a charm. I did configure the Windows built-in VPN client on site, then I tried to configure IPsec for the SG300 remotely via the Windows built-in VPN client.
Is the modem or the snapgear doing the authentication with the ISP?
I did not get what you meant by that?
Have you rebooted the snapgear after configuring?
No, I have not.
Ensure the tunnel password meets security criteria,
I did not remember that I have used a password in my configuration; let me check that again.
Also, increase the timeout value to 120 and check the snapgear logs. They will indicate how far the VPN gets before it drops out, and will indicate the problem.
I will try to post the log.
I was not sure about the SG configuration. Did you check that? Did you find anything that might be wrong?
Thanks
-
November 17th, 2009, 06:19 AM
#4
There doesn't seem to be any kind of problem with the snapgear tunnel, as you said that it works perfectly with windows VPN client. (unless you meant the opposite).
From what I gather in your posts, the problem seems to be with TheGreenBow VPN client, and since you may not have a password on the IPSec account this could be the problem. Many VPN clients require a password to connect, and a blank or null password will not work.
Let me know how you go with the few tweaks and changes, and confirm that the VPN does work with Windows VPN client, as this will demonstrate the snapgear is configured correctly.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
November 17th, 2009, 08:02 AM
#5
Senior Member
There doesn't seem to be any kind of problem with the snapgear tunnel, as you said that it works perfectly with windows VPN client. (unless you meant the opposite).
Maybe I misunderstood from the first place. What I meant here is that I "configured and Enable Routing and Remote Access" on the Windows 2003 server which is sitting behind the SG300, then I enabled port forwarding (PPTP: 1723) on the SG300, and I configured an XP client to connect to the VPN server (Win2003). In that configuration I used the native Microsoft VPN.
When you asked me (What happens if you try to use an OS native VPN client? Windows built-in VPN client), I thought you meant using the native VPN for Microsoft, but you meant "Client" only.
VPN clients require a password to connect, and a blank or null password will not work.
I did not find such an option on SG300 as well
Let me know how you go with the few tweaks and changes,
Log for SG300
Nov 16 11:12:08 Pluto[1900]: packet from x.x.234.232:500: ignoring informational payload, type INVALID_ID_INFORMATION
Nov 16 11:12:08 Pluto[1900]: packet from x.x.234.232:500: Notification: Pid=1 SPIsz=16 Type=18 Val=\3635\235\020lt\337\356\204Vt8\373\214}\003\012
Log for TheGreenBow
20091117 175708 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
Last edited by zillah; November 17th, 2009 at 08:04 AM.
-
December 5th, 2009, 12:21 PM
#6
Senior Member
What I did: I configured the ADSL router in bridge mode (modem only), so now the WAN port of the SG300 has a public IP address x23.34x.6x.95 (unlike before)
I tried to follow the instructions in the link below (because I have got a similar scenario except for a different router: the document's router is an FVS318v3, mine is an SG300)
http://www.scribd.com/doc/3800513/Ne...-Configuration
The new snapshots for the snapgear are as below
1- Tunnel Settings
------------------
For the "Remote Address" textbox there are only three options (Static IP address, Dynamic IP address and DNS hostname address) and we have to choose one of these three only. I chose "Dynamic IP address".
http://img697.imageshack.us/i/tunnelsettings.jpg/
2- Local Endpoint Settings
----------------------------
http://img697.imageshack.us/i/localendpointsettings.jpg/
3- Remote Endpoint Settings
----------------------------
http://img248.imageshack.us/i/remoteenpointsettings.jpg/
4- Phase1 Settings
-------------------
http://img248.imageshack.us/i/phase1settings.jpg/
5- Phase2 Settings
---------------------
http://img682.imageshack.us/i/phase2settings.jpg/
6- Finish
----------
http://img249.imageshack.us/i/finishu.jpg/
I tried to match everything on "TheGreenBow = TGB" client to be the same as the router (SA, key, ID, etc.) but still the VPN does not get established, therefore I could not find useful information from the logs
Please see the snapshot for TheGreenBow VPN client on the laptop
http://img81.imageshack.us/i/panoramatgb.jpg/
Thanks
Last edited by zillah; December 5th, 2009 at 09:27 PM.
-
December 10th, 2009, 06:36 PM
#7
therefore I could not find useful information from the logs
Can you post the Snapgear logs? The information IS useful. If there is no relevant log information, then the connection is not being established at all, despite any other indications.
Check also that the "log settings" include the required scope.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
December 10th, 2009, 10:28 PM
#8
Senior Member
If there is no relevant log information, then the connection is not being established at all,
Yes, there is no relevant log information for the VPN connection.
Below is the only log that I can get from TheGreenBow VPN client
[VPNCONF] TGBIKESTART received
20091211 081638 Default (SA PHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
-
December 12th, 2009, 01:29 PM
#9
SEND phase 1 Aggressive Mode
It seems the application is sending the connection, but is not getting a reply. Considering that the snapgear is not showing any log information about an incoming connection, I would have to say (without inspecting the logs myself) that the VPN connection is not being established at all.
The application is not successfully contacting the snapgear, or the snapgear is not successfully accepting/recognising the incoming connection.
I think someone with some experience of TheGreenBow app will have an idea on what you can look for.
Tunnel Settings Screenshot - have you defined the 'default gateway' elsewhere in the router? Try adjusting the 'keying' to an alternate setting.
Local & Remote Endpoint Setting Screenshot - Try using an IP address instead of the snapgear hostname. Ensure the hostname is correct if you really don't want to use the IP addy (although I recommend using IP addressing only as it is one less potential problem). Internal and external IP respectively.
According to the logs, the VPN connection is not progressing any further than this.
Lastly, check the Snapgear capabilities as they may support PTPP VPN snapgear to snapgear only.
Hope this helps.
CTO
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
-
December 19th, 2009, 12:54 PM
#10
Senior Member
Hi CybertecOne
Just to update you, there is progress: the problem was with the Avira Firewall that was installed on the laptop (that has TheGreenBow VPN Client).
I did not know that the firewall was dropping the VPN connection.
When I disabled the Avira firewall, the VPN was able to complete PHASE 1 successfully.
But I am still trying to troubleshoot the error message in the phase 2 message: "Wrong Remote Address"
((20091218 171957 Default Reinitializing IKE daemon
20091218 171957 Default IKE daemon reinitialized
20091218 171957 Default message_recv: invalid cookie(s) 864269453a1ae12d fd688423071558ba
20091218 171957 Default dropped message from 134.256.66.195 due to notification type INVALID_COOKIE
20091218 171957 Default (SA <unknown>) SEND Informational [NOTIFY] with INVALID_COOKIE error
20091218 171958 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
20091218 171959 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20091218 171959 Default phase 1 done: initiator id thegreenbow, responder id 134.256.66.195
20091218 171959 Default (SA LMAPHASE1-LMAPHASE2-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV Informational [HASH] [NOTIFY] with INVALID_ID_INFORMATION error))
Thanks
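The replies in this thread ask for the logs because they show how far the IKE negotiation gets before it stops. As an added example (not code from the thread or from TheGreenBow), the Python below reads client log lines in the format posted in #8 and #10 and returns the furthest stage reached plus any notify errors; the function name `diagnose` and the stage labels are assumptions of this example.

```python
import re

# Client log lines taken from post #10 above (addresses as posted there).
SAMPLE_LOG = """\
20091218 171958 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID]
20091218 171959 Default (SA LMAPHASE1-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20091218 171959 Default phase 1 done: initiator id thegreenbow, responder id 134.256.66.195
20091218 171959 Default (SA LMAPHASE1-LMAPHASE2-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20091218 171959 Default (SA LMAPHASE1-P1) RECV Informational [HASH] [NOTIFY] with INVALID_ID_INFORMATION error
"""

# Format seen in the thread: "YYYYMMDD HHMMSS Default [(SA name) ]message"
LINE = re.compile(r"^\d{8} \d{6} Default (?:\(SA [^)]*\) )?(?P<msg>.*)$")
EXCHANGE = re.compile(r"^(SEND|RECV) (phase 1|phase 2|Informational)\b(.*)$")
NOTIFY = re.compile(r"with (\w+) error")

def diagnose(log_text):
    """Return (furthest stage reached, [(direction, notify type), ...])."""
    seen = {"phase 1": set(), "phase 2": set()}
    p1_done, notifies = False, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped IKE line, e.g. "[VPNCONF] ..."
        msg = m.group("msg")
        if msg.startswith("phase 1 done"):
            p1_done = True
            continue
        ex = EXCHANGE.match(msg)
        if not ex:
            continue
        direction, kind, rest = ex.groups()
        if kind == "Informational":
            n = NOTIFY.search(rest)
            if n:
                notifies.append((direction, n.group(1)))
        else:
            seen[kind].add(direction)
    checks = [  # ordered from furthest progress to none
        ("RECV" in seen["phase 2"], "phase 2 answered"),
        ("SEND" in seen["phase 2"], "phase 2 sent, no Quick Mode reply"),
        (p1_done, "phase 1 done, phase 2 not started"),
        ("RECV" in seen["phase 1"], "phase 1 answered, not completed"),
        ("SEND" in seen["phase 1"], "phase 1 sent, no reply"),  # as in post #8
        (True, "no IKE traffic logged"),
    ]
    return next(label for hit, label in checks if hit), notifies
```

For the post #10 log this reports phase 2 sent with a received INVALID_ID_INFORMATION notify, which in IKEv1 is the responder's notify for ID payloads it does not accept, so the phase 2 local and remote network settings on both ends are the values to compare.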