Hi, I am attempting to connect an OpenSUSE 42.1 client to my SRX5308.
Followed the instructions here: https://www.shrew.net/support/Howto_Netgear with the following exceptions:

NAS:
  Mode config:
    IP Pool Address range: 192.168.128.1 - 192.168.128.16
    Local IP Address: 192.168.0.0/255.255.252.0
  IKE Policy:
    XAuth Authentication Type: Radius - PAP

Shrew:
  Policy: include 192.168.0.0/255.255.252.0

When I attempt to connect, the VPN client states that the tunnel established, however, the NAS states that the IPSec SA is NOT established.

Assuming:
  remote.client.com = FQDN of remote client
  USER = user id of XAuth authenticating user
  XXX.XXX.XXX.XXX = external address of remote client
  YYY.YYY.YYY.YYY = external IP address of SRX5308

The logs from the NAS are as follows (first entry at bottom):

Fri Mar 17 14:41:38 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address has been released by remote peer.
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged Out from IP Address XXX.XXX.XXX.XXX
Fri Mar 17 14:41:36 2017 (GMT -0400): [SRX5308] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=8ae7e3cde8560bbb:bb87af718d22be29.
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28680
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28677
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Cannot open "/etc/motd"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] ERROR: Ignored attribute 28674
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] WARNING: Ignored attribute 5
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: XAuthUser USER Logged In from IP Address XXX.XXX.XXX.XXX
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login succeeded for user "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Contacting RADIUS for authenticating user "USER" using PAP
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[34224] with spi:8ae7e3cde8560bbb:bb87af718d22be29
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Sending Xauth request to XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: NAT-D payload does not match for YYY.YYY.YYY.YYY[4500]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: For XXX.XXX.XXX.XXX[63293], Selected NAT-T version: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Floating ports for NAT-T with peer XXX.XXX.XXX.XXX[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[63293]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Remote configuration for identifier "remote.client.com" found

Additionally, the routing table on the client contains an entry for the external IP address of the NAS (which I was not expecting) but contains no entry for 192.168.0.0/22.

Any help would be greatly appreciated.

--
/jona.
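
Added example, not part of the original post: a small triage script for router logs in the format quoted above, which list the newest entry first. It reports which negotiation stages were logged and how long the ISAKMP-SA lived; the sample lines and addresses are constructed, and the phase 2 marker string "IPsec-SA established" is an assumption (racoon's wording), since no such line appears in the post.

```python
import re
from datetime import datetime

# Constructed sample in the SRX5308 log format, newest entry first.
SAMPLE = """\
Fri Mar 17 14:41:37 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA deleted for 198.51.100.7[4500]-203.0.113.9[34224] with spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: 192.168.128.1 IP address is assigned to remote peer 203.0.113.9[34224]
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Login succeeded for user "USER"
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: ISAKMP-SA established for 198.51.100.7[4500]-203.0.113.9[34224] with spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
Fri Mar 17 14:40:46 2017 (GMT -0400): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
"""

# Stage markers in negotiation order. The first three strings appear in the
# quoted log; the phase 2 string is an assumption (not present in the post).
STAGES = [
    ("phase1", "ISAKMP-SA established"),
    ("xauth", "Login succeeded for user"),
    ("mode_config", "IP address is assigned to remote peer"),
    ("phase2", "IPsec-SA established"),
]

LINE_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
    r"\[[^\]]+\] \[IKE\] (\w+): (.*)$"
)

def parse(text):
    """Return (timestamp, level, message) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # wrapped continuation lines do not match and are skipped
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append((ts, m.group(2), m.group(3)))
    # Many entries share one second, so reverse file order instead of sorting.
    return entries[::-1]

def triage(text):
    """Summarise which IKE stages were logged and the ISAKMP-SA lifetime."""
    entries = parse(text)
    first_seen = {}
    for ts, _level, msg in entries:
        for name, marker in STAGES:
            if marker in msg:
                first_seen.setdefault(name, ts)
    deleted = next((ts for ts, _l, m in entries if "ISAKMP-SA deleted" in m), None)
    lifetime = None
    if deleted and "phase1" in first_seen:
        lifetime = (deleted - first_seen["phase1"]).total_seconds()
    return {
        "reached": [n for n, _ in STAGES if n in first_seen],
        "missing": [n for n, _ in STAGES if n not in first_seen],
        "phase1_lifetime_s": lifetime,
    }
```
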
