Netgate Discussion Forum

    VMWARE image 1.2.3 connecting to a Symantec 320 appliance over IPSEC

      fastcon68

      I set up a new IPSEC connection last night.  I got the tunnel up but was not able to pass traffic.  I could see that the tunnel was up, and could ping from the firewall back to the other firewall.  I could not, however, get it to pass any traffic.

      site one (me)
      bridge connection

      site two (remote)
      DHCP

      Both sites are connected via CenturyLink.  They no longer support bridged mode.  I am grandfathered in, so that makes it a little hard because the second site is non-bridged.

      The WAN interface on the second connection is 192.168.2.x, the DSL modem has DHCP on it, and the external IP resides on it.  So from there I created my tunnel and up it came.  I just can't get traffic from one site to the other.  My goal is to pass ICMP and FTP only at this point, just to move files.  I will open the tunnel up more when I get the training done.

      This customer is a nonprofit and I am working with them on backups and workstation support.

      Here is a section of my logs:

      May 8 09:14:49 racoon: ERROR: couldn't find configuration.
      May 8 09:15:19 last message repeated 2 times
      May 8 09:17:24 last message repeated 5 times
      May 8 09:20:48 last message repeated 8 times
      May 8 09:20:50 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]
      May 8 09:20:58 racoon: ERROR: couldn't find configuration.
      May 8 09:21:18 racoon: ERROR: couldn't find configuration.
      May 8 09:21:20 racoon: [EPSI]: ERROR: 76.3.117.52 give up to get IPsec-SA due to time up to wait.
      May 8 09:21:58 racoon: ERROR: couldn't find configuration.
      May 8 09:22:28 last message repeated 2 times
      May 8 09:24:51 last message repeated 6 times
      May 8 09:27:11 last message repeated 6 times
      May 8 09:27:23 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]

        fastcon68

        This is from the customer side.  I can ping from my side to their side of the VPN tunnel.  But they can't come back across the tunnel to my network.  I am setting up a few services for them to access but only want them to get to those.  Any idea what type of rules I am missing to get this running?

        05/08/2010 23:54:35.24 Cartersweb - !!!: IPsec SA expired (superseded by #5)     
        05/08/2010 23:52:53.24 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established     
        05/08/2010 23:52:52.94 Cartersweb - STATE_QUICK_I1: initiate     
        05/08/2010 23:52:52.84 Cartersweb - Initiating Quick Mode     
        05/08/2010 23:52:52.84 Cartersweb - !!!: replacing stale IPsec SA     
        05/08/2010 18:26:47.99 Packet dropped because TCP flag combination 0x15 is invalid     
        05/08/2010 18:26:38.19 Packet dropped because TCP flag combination 0x15 is invalid     
        05/08/2010 15:54:32.84 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established     
        05/08/2010 15:54:32.59 Cartersweb - STATE_QUICK_I1: initiate     
        05/08/2010 15:54:32.44 Cartersweb - Initiating Quick Mode     
        05/08/2010 15:54:32.44 Cartersweb - Doing Quick Mode with xxx.xxx.xxx.xxx "Cartersweb"     
        05/08/2010 15:54:32.44 Cartersweb - Sending ISAKMP OAK INFO (Notification IPSEC_INITIAL_CONTACT)     
        05/08/2010 15:54:32.44 Cartersweb - STATE_MAIN_I4 ISAKMP SA established     
        05/08/2010 15:54:32.39 Cartersweb - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3     
        05/08/2010 15:54:32.14 Cartersweb - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2     
        05/08/2010 15:54:31.94 Cartersweb - STATE_MAIN_I1: initiate

          jimp Rebel Alliance Developer Netgate

          Did you add firewall rules under Firewall > Rules on the IPsec tab to allow their traffic across the tunnel?

            fastcon68

            I have added a few and I could go to their router, but could not ping from their side to my side.  I am working with a major issue.  It looks like I lost my domain.  I am trying to get that fixed and then I can work on my rules.  I will get back up with you when I get it straight.
            RC
