Tunnel from HW Client 3002 to 3020

mtruetsch · ‎12-13-2004

It is not possible get the tunnel up and running between the VPN Concentrator 3020 and Hardware Client 3002. It seems to be a problem with the network extension mode.

Following is an extract from the Reporting:

53251 12/13/2004 16:45:39.530 SEV=4 IKE/49 RPT=2793 xx.xx.xx.xx

Group [VPN_yyy_yyy] User [yyy_yyy]

Security negotiation complete for User (yyy_yyy)

Responder, Inbound SPI = 0x1132a684, Outbound SPI = 0x4c889fd2

53254 12/13/2004 16:45:39.530 SEV=4 IKE/125 RPT=795 xx.xx.xx.xx

Group [VPN_yyy_yyy] User [yyy_yyy]

Failed to validate remote network for network extension mode

53256 12/13/2004 16:45:39.530 SEV=4 AUTH/60 RPT=795

Remote Network Address (10.67.234.0) does not matched

framed IP address (194.40.160.128)

53258 12/13/2004 16:45:39.530 SEV=4 IKEDBG/97 RPT=806 xx.xx.xx.xx

Group [VPN_yyy_yyy] User [yyy_yyy]

QM FSM error (P2 struct &0xb178854, mess id 0x85142b95)!

53260 12/13/2004 16:45:39.550 SEV=4 AUTH/28 RPT=795 xx.xx.xx.xx

User [yyy_yyy] Group [VPN_yyy_yyy] disconnected:

Session Type: IPSec

Duration: 0:00:02

Bytes xmt: 0

Bytes rcv: 0

Reason: User Requested

Thanks very much for your help.

Markus

gfullage · ‎12-13-2004

This usually occurs when you're doing Radius authentication on the 30xx for the 3002 user, and the Radius user profile is returning an IP address (Framed IP address) to the 3020. With the 3002 in NEM you can't have the Radius server return an IP address, so check the user profile on the Radius server and make sure it is not sending an IP address back in its return attributes.

To verify set up a test account on the Radius server without any attributes, just a username and password, then configure that username on the 3002 and see what happens.

mtruetsch · ‎12-14-2004

Thanks very much.

But we don't use RADIUS for authentication, instead we use internal Authentication on both sides.