Author Topic: IPSec VPN to SnapGear 300  (Read 10832 times)

bdotson
IPSec VPN to SnapGear 300
« on: April 05, 2010, 04:56:02 PM »

I'm trying to set up a site-to-site IPSec VPN tunnel from a DIR-330 to a Secure Computing (now McAfee) SnapGear 300.  The DIR-330 is at a branch office, and the SnapGear is at the main office.  I see a session on the DIR-330 on port 500 from the SnapGear, but the SnapGear simply sits in "Negotiating Phase 1" and never gets beyond that point.  There's no VPN session indicated on the DIR-330. 

I can't figure out what might be wrong with the configuration -- everything seems to match on both ends, but I can't get the tunnel going.  We have other IPSec VPN tunnels working with the SnapGear, so it's not like the SnapGear can't do this. 

Any help is appreciated. 

Fatman
Re: IPSec VPN to SnapGear 300
« Reply #1 on: April 06, 2010, 08:08:26 AM »

How about your IPsec settings for both sides so we can take a look-see?
non progredi est regredi

bdotson
Re: IPSec VPN to SnapGear 300
« Reply #2 on: April 06, 2010, 08:55:41 AM »

Oops, I should have anticipated that.

Here's the configuration on the SnapGear:

Tunnel Name: merriam     
Enable this tunnel: [checked]   
Local Interface: default gateway interface (the outside IP)   
Keying: Aggressive Mode
Local address: static IP address
Remote address: DNS hostname address [this is a DSL connection using DLink DDNS]
Initiate Tunnel Negotiation: [checked]     
Optional Endpoint ID: [blank]   
IP Payload Compression: [not checked]   
Dead Peer Detection: [not checked]
Initiate Phase 1 & 2 rekeying: [checked]
The remote party's DNS hostname: simplemoveskc.dlinkddns.com
Required Endpoint ID: merriam@simplemovesstl.com
Key lifetime (sec): 28800
Rekey margin (sec): 600
Rekey fuzz (%): 100
Preshared Secret: [secret, but the same on both ends]      
Phase 1 Proposal: 3DES-MD5-Diffie-Hellman Group 2 (1024 bit)
Local Network: Network of LAN Port [192.168.207.0/24]
Remote Network:    192.168.0.0/24
Key Lifetime (sec): 3600
Phase 2 Proposal: 3DES-MD5
Perfect Forward Secrecy: [unchecked]

On the DIR-330, I have the following:

Enable: [checked]
Name:  merriam
Local Net /Mask: 192.168.0.0/24
Remote IP:    Site to Site  74.223.104.146
Remote Local LAN Net /Mask: 192.168.207.0/24
Authentication:  Pre-shared Key [same as above]
Local ID : Custom string:  merriam@simplemovesstl.com
Remote ID :  Default
Phase 1 :
Aggressive mode [checked]
NAT-T Enable: [not checked]     
Keep Alive / DPD: none   
DH Group :   2 - modp 1024   
IKE Proposal List :   
  Cipher         Hash
#1:  3DES      MD5
#2:  3DES      MD5
#3:  3DES      MD5
#4:  3DES      MD5
IKE Lifetime :   28800  Seconds 
Phase 2:
PFS Enable:  [unchecked]
PFS DH Group: 2 - modp 1024-bit  [this is grayed out]
IPSec Proposal List:
  Cipher         Hash
#1:  3DES      MD5
#2:  3DES      MD5
#3:  3DES      MD5
#4:  3DES      MD5
IPSec lifetime: 3600 seconds

I know IPSec is difficult, but this has been a complete nightmare.  Seems like if everything is the same on both ends, it should just work.  But maybe I'm just a dreamer. 

Grateful for your help,

Bill

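The two configurations above, transcribed into a small consistency checker that is an added example (not code from D-Link, McAfee or the poster), confirm that every negotiable parameter lines up between the peers; the checker also lists the settings a current deployment would not keep. The IpsecSite model, the field names and the function names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Set, Tuple

# Model and field names are this example's own; values are transcribed from the two posts above.
@dataclass
class IpsecSite:
    name: str
    aggressive: bool
    local_net: str
    remote_net: str
    local_id: Optional[str]          # None = default, i.e. the device's own address
    expected_peer_id: Optional[str]  # None = default, i.e. the peer's address
    dh_group: int
    ike_proposals: Set[Tuple[str, str]]  # {(cipher, hash)} offered for Phase 1
    esp_proposals: Set[Tuple[str, str]]  # {(cipher, hash)} offered for Phase 2
    pfs: bool

SNAPGEAR = IpsecSite("SnapGear 300", True, "192.168.207.0/24", "192.168.0.0/24",
                     None, "merriam@simplemovesstl.com", 2,
                     {("3des", "md5")}, {("3des", "md5")}, False)
DIR330 = IpsecSite("DIR-330", True, "192.168.0.0/24", "192.168.207.0/24",
                   "merriam@simplemovesstl.com", None, 2,
                   {("3des", "md5")}, {("3des", "md5")}, False)

def check_pair(a, b):
    """Return the mismatches that would stop these peers agreeing (empty = consistent)."""
    problems = []
    for attr in ("aggressive", "dh_group", "pfs"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs: {getattr(a, attr)} vs {getattr(b, attr)}")
    for phase, attr in (("Phase 1", "ike_proposals"), ("Phase 2", "esp_proposals")):
        if not getattr(a, attr) & getattr(b, attr):
            problems.append(f"no common {phase} proposal")
    for x, y in ((a, b), (b, a)):
        # x's remote network must be y's local network, and x must expect the ID y sends
        if ip_network(x.remote_net) != ip_network(y.local_net):
            problems.append(f"{x.name} remote net {x.remote_net} != {y.name} local net {y.local_net}")
        if x.expected_peer_id != y.local_id:
            problems.append(f"{x.name} expects peer ID {x.expected_peer_id!r} but {y.name} sends {y.local_id!r}")
    return problems

def legacy_warnings(site):
    """Settings that match fine but that a current deployment should not keep."""
    warn = []
    if site.aggressive:
        warn.append("aggressive mode with a PSK lets a passive observer attack the PSK offline")
    if site.dh_group <= 2 or any(c == "3des" or h == "md5" for c, h in site.ike_proposals | site.esp_proposals):
        warn.append("DH group 2, 3DES and MD5 are below current minimums; prefer group 14+, AES and SHA-2")
    return warn
```

An empty list from check_pair means the parameters themselves are not the problem, which is the poster's point; the mismatch cases are what to look at after any later change to either side.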

Fatman
Re: IPSec VPN to SnapGear 300
« Reply #3 on: April 06, 2010, 10:34:49 AM »

Does the tunnel work if you use default IPsec IDs instead of manual DNS IPsec IDs?
non progredi est regredi

bdotson
Re: IPSec VPN to SnapGear 300
« Reply #4 on: April 06, 2010, 10:43:22 AM »

The SnapGear requires a remote endpoint ID except when the remote address is a static IP.  Still, I just tried that setting on the DIR-330, and I get the same result -- Negotiating Phase 1 forever. 

Fatman
Re: IPSec VPN to SnapGear 300
« Reply #5 on: April 06, 2010, 10:45:04 AM »

Is this the only install you have using a non-static IP?

Your ID should be different on each side.
non progredi est regredi

bdotson
Re: IPSec VPN to SnapGear 300
« Reply #6 on: April 06, 2010, 12:25:06 PM »

Yes, unfortunately, this is the only install with a non-static IP.  The other tunnels have static IPs.  I thought the DDNS setup is supposed to get around non-static IPs.   

The ID on the SnapGear side is the remote ID.  That matches the Local ID on the DIR-330.  Isn't that correct?  The local ID on the SnapGear is optional, I guess since it has a static IP. 


Fatman
Re: IPSec VPN to SnapGear 300
« Reply #7 on: April 06, 2010, 01:00:08 PM »

Specify both IDs on both sides.
non progredi est regredi

bdotson
Re: IPSec VPN to SnapGear 300
« Reply #8 on: April 06, 2010, 02:17:02 PM »

That doesn't seem to make a difference. 

bdotson
Re: IPSec VPN to SnapGear 300
« Reply #9 on: April 06, 2010, 03:04:06 PM »

Additional info:  I finally was able to reach a human at SnapGear support, and they pointed me to this line in the system log:

ERROR: asynchronous network error report on eth1 for message to 68.93.177.139 port 500, complainant 68.93.177.139: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Seems that the DIR-330 is refusing the connection as not authenticated.   How do I fix that?  Do I need to add stl@simplemovesstl.com as a user on the DIR-330?
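A parser for that log line, added here as an example and not taken from the thread or from either product, pulls out the ICMP type and code, which is the part that says what actually happened. Type 3 code 3 is "port unreachable", here reported by the peer's own address: the IKE packet to UDP/500 was rejected by the remote stack before any proposal, PSK or user was checked, and the "(not authenticated)" tag describes the ICMP message itself (anyone on the path can send one), not an IKE authentication result. The second sample line and the function names are constructed for the example.

```python
import re

# Constructed sample input: the line quoted above, plus a variant attributed to a router in
# the path so the classifier shows both cases.
LOG_LINES = [
    "ERROR: asynchronous network error report on eth1 for message to 68.93.177.139 "
    "port 500, complainant 68.93.177.139: Connection refused "
    "[errno 111, origin ICMP type 3 code 3 (not authenticated)]",
    "ERROR: asynchronous network error report on eth1 for message to 68.93.177.139 "
    "port 500, complainant 10.0.0.1: No route to host "
    "[errno 113, origin ICMP type 3 code 13 (not authenticated)]",
]

# ICMP destination-unreachable codes (RFC 792 / RFC 1812) that this example maps.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 9: "net administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

PATTERN = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) for message to "
    r"(?P<peer>[\d.]+) port (?P<port>\d+), complainant (?P<complainant>[\d.]+): "
    r"(?P<text>.+?) \[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)")

def parse(line):
    """Extract the fields of a pluto-style network error line; None if it is not one."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {"iface": m["iface"], "peer": m["peer"], "port": int(m["port"]),
            "complainant": m["complainant"], "text": m["text"], "errno": int(m["errno"]),
            "icmp_type": int(m["type"]), "icmp_code": int(m["code"])}

def diagnose(rec):
    """Explain what the ICMP report means for IKE. The '(not authenticated)' tag in the
    log refers to the ICMP message, which is unauthenticated by nature, not to IKE."""
    if rec["icmp_type"] != 3:
        return f"ICMP type {rec['icmp_type']}: not a destination-unreachable report"
    reason = UNREACH_CODES.get(rec["icmp_code"], f"code {rec['icmp_code']}")
    who = ("the peer itself" if rec["complainant"] == rec["peer"]
           else f"intermediate host {rec['complainant']}")
    if rec["icmp_code"] == 3 and who == "the peer itself":
        return (f"{reason} from {who}: nothing accepted IKE on UDP/{rec['port']} at "
                f"{rec['peer']}, so Phase 1 never started (IKE not listening on that "
                "interface, or a reject rule on the device); no proposal or PSK was checked")
    return f"{reason} from {who}: packets to UDP/{rec['port']} are being rejected in the path"
```

Adding a user on the responder would not change a port-unreachable report; the thing to check is whether IKE is enabled on the interface the packets arrive on and whether a firewall rule there rejects UDP/500 rather than passing it.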