06-13-2012 06:26 AM
I have tried to get devices to connect to my RV220W using IPsec for quite some time now. I have all the settings matched on the clients; however, I will not see Tx traffic going from the gateway to the devices (including DNS lookups):
This is generally what I see under the IPsec connection status view on the RV220W 1.0.3.5:
Policy Name      Endpoint       Packets (Rx / Tx)  KBytes (Rx / Tx)  State                  Action
192.168.0.113*   192.168.0.113  358 / 0            24.00 / 0.00      IPsec SA Established   (Tablet)
192.168.0.137*   192.168.0.137  358 / 0            24.00 / 0.00      IPsec SA Established   (Smartphone)
I have tried connecting now from many different locations but fail to see traffic make it back to my device when trying to access a resource on the 10.0.0.0 subnet. I have toggled many settings including PFS/DPD. The clients are matched up with the exact IKE/VPN policy options.
I have included all I can think of below and would appreciate any help:
Gateway logs for BlackBerry PlayBook OS 2.1 connection:
2012-06-12 23:29:37: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:29:37: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.113[500]
2012-06-12 23:29:37: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:29:37: [gateway][IKE] INFO: For 192.168.0.113[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.113[500]
2012-06-12 23:29:38: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.113[500] because it is only accepted after phase1.
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:29:38: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.113[500] with spi:8252c2ebcdb0ce11:4cee64e0debe6f68
2012-06-12 23:29:38: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.113[0]
2012-06-12 23:29:38: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:29:38: [gateway][IKE] INFO: Re-using previously generated policy: 192.168.0.113/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.113-><WAN IP> with spi=240351098(0xe53777a)
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.113 with spi=2475748592(0x9390ecf0)
Gateway logs for BlackBerry Smartphone OS 7.1 connection:
2012-06-12 23:30:17: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:30:17: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.137[500]
2012-06-12 23:30:17: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:30:17: [gateway][IKE] INFO: For 192.168.0.137[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.137[500]
2012-06-12 23:30:18: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.137[500] because it is only accepted after phase1.
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:30:18: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.137[500] with spi:2f948888fbe0dd0d:571b0688dfaad0c5
2012-06-12 23:30:18: [gateway][IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2012-06-12 23:30:18: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.137[0]
2012-06-12 23:30:18: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:30:18: [gateway][IKE] INFO: No policy found, generating the policy : 10.0.0.200/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.137-><WAN IP> with spi=198507592(0xbd4fc48)
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.137 with spi=1946521442(0x74058f62)
IKE Policy:
Direction / Type: Responder
Exchange Mode: Aggressive
Local Identifier Type: Local WAN (Internet) IP
Local Identifier: <WAN IP>
Remote Identifier Type: FQDN
Remote Identifier: <host.domain.tld>
IKE Encryption Algorithm: AES-128
IKE Authentication Algorithm: SHA-1
IKE Authentication Method: Pre-Shared Key
IKE Pre-Shared Key: <PSK>
IKE Diffie-Hellman (DH) Group: Group2 (1024 bit)
IKE SA-Lifetime: 28800 Seconds
IKE Dead Peer Detection: Checked
IKE Detection Period: 999
IKE Reconnect after Failure Count: 3
XAUTH Type: NONE
VPN Policy:
Policy Type: Auto Policy
Remote Endpoint: FQDN <host.domain.tld>
NETBIOS: Greyed/Unchecked
Local IP: Subnet
Local Start Address: 10.0.0.0
Local Subnet Mask: 255.255.255.0
Remote IP: Any
Split DNS: Unchecked
Auto Policy SA-Lifetime: 3600 Seconds
Auto Policy Encryption Algorithm: AES-128
Auto Policy Integrity Algorithm: SHA-1
PFS Key Group: Checked, DH-Group2 (1024 bit)
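The two symptoms visible in the post (Rx counters climbing while Tx stays at zero, and the smartphone's phase-2 policy being generated for 10.0.0.200/32, an address inside the gateway's own 10.0.0.0/24 LAN selector) can be pulled out of the gateway log and status table mechanically. The following triage script is an added example, not code from the original post or from Cisco; it assumes the log and table formats are exactly as quoted above and uses the post's own lines as constructed sample input.

```python
import re
import ipaddress

# Constructed sample: the two phase-2 policy lines and the two status rows
# quoted in the post, in the RV220W log/table format shown there.
SAMPLE_LOG = """\
2012-06-12 23:29:38: [gateway][IKE] INFO: Re-using previously generated policy: 192.168.0.113/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:30:18: [gateway][IKE] INFO: No policy found, generating the policy : 10.0.0.200/32[0] 10.0.0.0/24[0] proto=any dir=in
"""
SAMPLE_STATUS = """\
192.168.0.113* 192.168.0.113 358 0 24.00 0.00 IPsec SA Established (Tablet)
192.168.0.137* 192.168.0.137 358 0 24.00 0.00 IPsec SA Established (Smartphone)
"""

# "policy: A[0] B[0] proto=any dir=in" (note the optional space before the colon
# in the "generating the policy :" variant)
POLICY_RE = re.compile(r"policy ?: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(\w+)")
# name endpoint rx_pkts tx_pkts rx_kb tx_kb state...
STATUS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+[\d.]+\s+[\d.]+\s+(.*)$")

def parse_policies(log):
    """Return (remote_selector, local_selector, direction) per phase-2 policy line."""
    return [(ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)), m.group(3))
            for m in POLICY_RE.finditer(log)]

def parse_status(table):
    """Return (policy_name, rx_packets, tx_packets, state) per status row."""
    rows = []
    for line in table.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(3)), int(m.group(4)), m.group(5)))
    return rows

def triage(log, table, local_lan):
    """Flag established SAs that only receive, and remote selectors that overlap the LAN."""
    lan = ipaddress.ip_network(local_lan)
    findings = []
    for name, rx, tx, state in parse_status(table):
        if "Established" in state and rx > 0 and tx == 0:
            findings.append(("one-way", name))  # decrypting from the peer, nothing sent back
    for remote, _local, _direction in parse_policies(log):
        if remote.subnet_of(lan):
            # return traffic to an address inside the LAN range follows the LAN route,
            # so it may never be steered into the tunnel
            findings.append(("selector-overlap", str(remote)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, SAMPLE_STATUS, "10.0.0.0/24"):
        print(kind, detail)
```

Feed it the full log and status output from the gateway to see whether every client shows the same one-way pattern or only the ones whose generated selector falls inside the local subnet.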