Author Topic: DSR-250 IPSec XAuth PSK and Android/IOS  (Read 3716 times)

hanuszewski
DSR-250 IPSec XAuth PSK and Android/IOS
« on: October 19, 2016, 07:47:45 AM »

To clear my head from the other L2TP \ IPSec issue, I moved to attempt to update my personal DSR-250 to use IPSec XAuth PSK, that way I can test things using newer IOS / OSX devices.

DSR Firmware 2.11_WW.

My dsr is bridged with my own surfboard modem and set to a static IP, we'll say: 173.xxx.yyy.222

Here is a log of my attempt to connect: http://pastebin.com/hVcTctzj.
All went pretty good:
Code:
VPN        Information        [Wed Oct 19 13:38:20 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [NAT detected: Peer is behind a NAT device]
VPN        Information        [Wed Oct 19 13:38:20 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Sending Xauth request to 66.87.81.43[4526]]
VPN        Information        [Wed Oct 19 13:38:20 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [ISAKMP-SA established for 173.xxx.yyy.222[4500]-66.87.81.43[4526] with spi:58de8bad78431eca:07588b9d8b41a2ee]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received attribute type "ISAKMP_CFG_REPLY" from 66.87.81.43[4526]]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Login succeeded for user  "hanuszewski3"]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [XAuthUser hanuszewski3 Logged In from IP Address 66.87.81.43]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Received attribute type "ISAKMP_CFG_REQUEST" from 66.87.81.43[4526]]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [192.168.100.2 IP address is assigned to remote peer 66.87.81.43[4526]]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Responding to new phase 2 negotiation: 173.xxx.yyy.222[0]<=>66.87.81.43[0]]
VPN        Information        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [FOUND]

Then things started to look bad:
Code:
VPN        Error        [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
VPN        Information        [Wed Oct 19 13:38:22 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Responding to new phase 2 negotiation: 173.xxx.yyy.222[0]<=>66.87.81.43[0]]
VPN        Information        [Wed Oct 19 13:38:22 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [FOUND]
VPN        Error        [Wed Oct 19 13:38:22 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
VPN        Information        [Wed Oct 19 13:38:24 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Responding to new phase 2 negotiation: 173.xxx.yyy.222[0]<=>66.87.81.43[0]]
VPN        Information        [Wed Oct 19 13:38:24 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [FOUND]
VPN        Error        [Wed Oct 19 13:38:24 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
VPN        Information        [Wed Oct 19 13:38:27 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Responding to new phase 2 negotiation: 173.xxx.yyy.222[0]<=>66.87.81.43[0]]
VPN        Information        [Wed Oct 19 13:38:27 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [FOUND]
VPN        Error        [Wed Oct 19 13:38:27 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
VPN        Information        [Wed Oct 19 13:38:33 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Responding to new phase 2 negotiation: 173.xxx.yyy.222[0]<=>66.87.81.43[0]]
VPN        Information        [Wed Oct 19 13:38:33 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [FOUND]
VPN        Error        [Wed Oct 19 13:38:33 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]

I feel this has to just be a slightly off configuration issue.

Here are all the DSR-250 configuration details:

DSR Lan: 192.168.0.1, 255.255.255.0 with DHCP enabled
User group: myXAuth with just XAuth Enabled, set to network level
User: hanuszewski3 set to use myXAuth Group

Turned on L2TP server in NAT mode, IP range 192.168.1.50 - 192.168.1.65, Auth is local user database, all auth methods are supported, secret key is turned off, idle time is 1800 seconds.

IPSec Policy
Policy Name: IPSec Mobile
Policy Type: Auto
IP Protocol: IPv4
L2TP Mode: None
IPSec Mode: Tunnel mode
Local Gateway: dedicated wan
Remote Endpoint: FQDN
IP Address: 0.0.0.0 (Note: Changing this to another IP, 192.168.100.0, results in Error, could not find configuration for peers wan ip)
Enable Mode Config: on
NetBios: off
Rollover: off
Protocol: ESP
Enable DHCP: off
Local Start IP Address: 192.168.0.0
Local Subnet mask: 255.255.255.0
Remote IP: Any
keep alive: off


Phase 1
Exchange Mode: Aggressive
Direction\type: Responder
Nat traversal: on
Nat keep alive: 20
Local Identifier: Local Wan IP
Remote Identifier type: DER ASN1 DN
remote id: myVPN
Encryption Alg: 3DES, AES128 & 256
Auth Alg: MD5, SHA1, SHA2-256
Auth Method: pre-shared key
Pre-shared Key: some-really-long-key
DH group: 2
SA-lifetime: 28800
Dead Peer detection: off
Extend Auth: edge device
Auth Type: user database


Phase 2:

SA-lifetime: 3600 seconds
Encryption Alg: 3des, aes 128 & 256
Integrity Alg: MD5, SHA-1, SHA2-256
PFS key group: off



Tunnel Mode
Full Tunnel
Start IP: 192.168.100.1
End IP: 192.168.100.254
Primary DNS: 8.8.8.8
Secondary DNS: 8.8.4.4



Android Device: (pretty sure it's not this since connection was established)
Profile Name: IPSec XAuth
Type: IPSec Xauth PSK
Server: 173.xxx.yyy.222
IpSec Identifier: myVPN
IpSec Pre-shared_key: some-really-long-key
« Last Edit: October 19, 2016, 08:09:41 AM by hanuszewski »
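
Added example, not part of the original post and not D-Link tooling: a small Python check that reads DSR log lines like those above, confirms whether XAuth succeeded, and compares the traffic selectors in each "Failed to get IPsec SA configuration" error with the policy's Local Start IP / Subnet mask and the Mode Config pool. It assumes the left side of `a<->b` is the gateway-side selector and the right side the peer-side one; `diagnose` and its parameter names are made up for this example.

```python
import ipaddress
import re

# Constructed sample: three lines taken from the log excerpt in the post.
SAMPLE_LOG = '''\
VPN Information [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Information] [IPSEC] [Login succeeded for user  "hanuszewski3"]
VPN Error [Wed Oct 19 13:38:21 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
VPN Error [Wed Oct 19 13:38:22 2016(GMT)] [DSR-250] [2.11] [VPN] [Error] [IPSEC] [Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.100.2/32 from unknown address]
'''

# The message is the last bracketed field; it may itself contain "[port]".
MSG_RE = re.compile(r"\[(?:Information|Error)\] \[IPSEC\] \[(.*)\]\s*$")
SEL_RE = re.compile(r"Failed to get IPsec SA configuration for: ([\d./]+)<->([\d./]+)")


def diagnose(log_text, policy_local, pool_start, pool_end):
    """Summarise the XAuth result and the rejected phase 2 selectors in a DSR log."""
    local_net = ipaddress.ip_network(policy_local)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    xauth_ok = False
    counts = {}  # (gateway-side selector, peer-side selector) -> occurrences
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Login succeeded for user"):
            xauth_ok = True
        s = SEL_RE.search(msg)
        if s:
            key = (ipaddress.ip_network(s.group(1)), ipaddress.ip_network(s.group(2)))
            counts[key] = counts.get(key, 0) + 1
    failures = []
    for (local, remote), n in counts.items():
        failures.append({
            "proposed_local": str(local),
            "proposed_remote": str(remote),
            "count": n,
            # Assumption: a selector that differs from the policy is worth flagging.
            "local_matches_policy": local == local_net,
            "remote_in_pool": lo <= remote.network_address and remote.broadcast_address <= hi,
        })
    return {"xauth_ok": xauth_ok, "phase2_failures": failures}


if __name__ == "__main__":
    # Policy values as listed in the post: Local Start IP / Subnet mask, Start IP / End IP.
    print(diagnose(SAMPLE_LOG, "192.168.0.0/255.255.255.0", "192.168.100.1", "192.168.100.254"))
```

On the sample lines it reports that XAuth succeeded, that the peer-side selector 192.168.100.2/32 lies inside the configured pool, and that the gateway-side selector 0.0.0.0/0 is not the policy's 192.168.0.0/24 local network.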