RV220W - IPsec - No Tx packets from gateway

mikeatroundhere · ‎06-13-2012

I have tried to get devices to connect to my RV220W using IPsec for quite some time now. I have all the settings matched on the clients however will not see Tx traffic going from the gateway to the devices (including DNS lookups):

This is generally what I see under the IPsec connection status view on the RV220W 1.0.3.5:

Policy Name        Endpoint       Packets   KBytes        State Action
                                  Rx   Tx   Rx     Tx
192.168.0.113*     192.168.0.113 358 0    24.00 0.00   IPsec SA Established     (Tablet)
192.168.0.137*     192.168.0.137 358 0    24.00 0.00   IPsec SA Established     (Smartphone)

I have tried connecting now from many different locations but fail to see traffic make it back to my device when trying to access a resource on the 10.0.0.0 subnet. I have toggled many settings including PFS/DPD. The clients are matched up with the exact IKE/VPN policy options.

I have included all I can think of below and would appreciate any help:

Gateway logs for BlackBerry PlayBook OS 2.1 connection:
2012-06-12 23:29:37: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:29:37: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.113[500]
2012-06-12 23:29:37: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:37: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:29:37: [gateway][IKE] INFO: For 192.168.0.113[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.113[500]
2012-06-12 23:29:38: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.113[500] because it is only accepted after phase1.
2012-06-12 23:29:38: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:29:38: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.113[500] with spi:8252c2ebcdb0ce11:4cee64e0debe6f68
2012-06-12 23:29:38: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.113[0]
2012-06-12 23:29:38: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:29:38: [gateway][IKE] INFO: Re-using previously generated policy: 192.168.0.113/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.113-><WAN IP> with spi=240351098(0xe53777a)
2012-06-12 23:29:38: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.113 with spi=2475748592(0x9390ecf0)

Gateway logs for BlackBerry Smartphone OS 7.1 connection:
2012-06-12 23:30:17: [gateway][IKE] INFO: Remote configuration for identifier "<host.domain.tld>" found
2012-06-12 23:30:17: [gateway][IKE] INFO: Received request for new phase 1 negotiation: <WAN IP>[500]<=>192.168.0.137[500]
2012-06-12 23:30:17: [gateway][IKE] INFO: Beginning Aggressive mode.
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:17: [gateway][IKE] INFO: Received Vendor ID: DPD
2012-06-12 23:30:17: [gateway][IKE] INFO: For 192.168.0.137[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for <WAN IP>[500]
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT-D payload matches for 192.168.0.137[500]
2012-06-12 23:30:18: [gateway][IKE] WARNING: Ignore INITIAL-CONTACT notification from 192.168.0.137[500] because it is only accepted after phase1.
2012-06-12 23:30:18: [gateway][IKE] INFO: NAT not detected
2012-06-12 23:30:18: [gateway][IKE] INFO: ISAKMP-SA established for <WAN IP>[500]-192.168.0.137[500] with spi:2f948888fbe0dd0d:571b0688dfaad0c5
2012-06-12 23:30:18: [gateway][IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2012-06-12 23:30:18: [gateway][IKE] INFO: Responding to new phase 2 negotiation: <WAN IP>[0]<=>192.168.0.137[0]
2012-06-12 23:30:18: [gateway][IKE] INFO: Using IPsec SA configuration: anonymous
2012-06-12 23:30:18: [gateway][IKE] INFO: No policy found, generating the policy : 10.0.0.200/32[0] 10.0.0.0/24[0] proto=any dir=in
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel 192.168.0.137-><WAN IP> with spi=198507592(0xbd4fc48)
2012-06-12 23:30:18: [gateway][IKE] INFO: IPsec-SA established: ESP/Tunnel <WAN IP>->192.168.0.137 with spi=1946521442(0x74058f62)

IKE Policy:
Direction / Type:                    Responder
Exchange Mode:                       Aggressive
Local Identifier Type:               Local WAN (Internet) IP
Local Identifier:                    <WAN IP>
Remote Identifier                    Type: FQDN
Remote Identifier:                   <host.domain.tld>
IKE Encryption Algorithm:            AES-128
IKE Authentication Algorithm:        SHA-1
IKE Authentication Method:           Pre-Shared Key
IKE Pre-Shared Key:                  <PSK>
IKE Diffie-Hellman (DH) Group:       Group2 (1024 bit)
IKE SA-Lifetime:                     28800 Seconds
IKE Dead Peer Detection:             Checked
IKE Detection Period:                999
IKE Reconnect after Failure Count:   3
XAUTH Type:                          NONE

VPN Policy:
Policy Type:                         Auto Policy
Remote Endpoint:                     FQDN
                                     <host.domain.tld>
NETBIOS:                             Greyed/Unchecked
Local IP:                            Subnet
Local Start Address:                 10.0.0.0
Local Subnet Mask:                   255.255.255.0
Remote IP:                           Any
Split DNS:                           Unchecked
Auto Policy SA-Lifetime:             3600 Seconds
Auto Policy Encryption Algorithm:    AES-128
Auto Policy Integrity Algorithm:     SHA-1
PFS Key Group:                       Checked
                                     DH-Group2 (1024 bit)