VMWARE image 1.2.3 connecting to a Symantec 320 appliance over IPSEC



  • I set up a new IPSEC connection last night.  I got the tunnel up but was not able to pass traffic.  I could see that the tunnel was up, and could ping from the firewall back to the other firewall.  I could not, however, get it to pass any traffic.

    site one (me)
    bridge connection

    site two (remote)
    DHCP

    Both sites are connected via CenturyLink.  They no longer support bridged mode.  I am grandfathered in, so that makes it a little hard because the second site is non-bridged.

    The WAN interface on the second connection is 192.168.2.x, the DSL modem has DHCP on it, and the external IP resides on it.  So from there I created my tunnel and up it came.  I just can't get traffic from one site to the other.  My goal is to pass ICMP and FTP only at this point, just to move files.  I will open the tunnel up more when I get the training done.

    This customer is a non-profit and I am working with them on backups and workstation support.

    here is a section of my logs:

    May 8 09:14:49 racoon: ERROR: couldn't find configuration.
    May 8 09:15:19 last message repeated 2 times
    May 8 09:17:24 last message repeated 5 times
    May 8 09:20:48 last message repeated 8 times
    May 8 09:20:50 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]
    May 8 09:20:58 racoon: ERROR: couldn't find configuration.
    May 8 09:21:18 racoon: ERROR: couldn't find configuration.
    May 8 09:21:20 racoon: [EPSI]: ERROR: 76.3.117.52 give up to get IPsec-SA due to time up to wait.
    May 8 09:21:58 racoon: ERROR: couldn't find configuration.
    May 8 09:22:28 last message repeated 2 times
    May 8 09:24:51 last message repeated 6 times
    May 8 09:27:11 last message repeated 6 times
    May 8 09:27:23 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]



  • This is from the customer side.  I can ping from my side to their side of the VPN tunnel.  But they can't come back across the tunnel to my network.  I am setting up a few services for them to access but only want them to get to those.  Any idea what type of rules I am missing to get this running?

    05/08/2010 23:54:35.24 Cartersweb - !!!: IPsec SA expired (superseded by #5)
    05/08/2010 23:52:53.24 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
    05/08/2010 23:52:52.94 Cartersweb - STATE_QUICK_I1: initiate
    05/08/2010 23:52:52.84 Cartersweb - Initiating Quick Mode
    05/08/2010 23:52:52.84 Cartersweb - !!!: replacing stale IPsec SA
    05/08/2010 18:26:47.99 Packet dropped because TCP flag combination 0x15 is invalid
    05/08/2010 18:26:38.19 Packet dropped because TCP flag combination 0x15 is invalid
    05/08/2010 15:54:32.84 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
    05/08/2010 15:54:32.59 Cartersweb - STATE_QUICK_I1: initiate
    05/08/2010 15:54:32.44 Cartersweb - Initiating Quick Mode
    05/08/2010 15:54:32.44 Cartersweb - Doing Quick Mode with xxx.xxx.xxx.xxx "Cartersweb"
    05/08/2010 15:54:32.44 Cartersweb - Sending ISAKMP OAK INFO (Notification IPSEC_INITIAL_CONTACT)
    05/08/2010 15:54:32.44 Cartersweb - STATE_MAIN_I4 ISAKMP SA established
    05/08/2010 15:54:32.39 Cartersweb - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
    05/08/2010 15:54:32.14 Cartersweb - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
    05/08/2010 15:54:31.94 Cartersweb - STATE_MAIN_I1: initiate
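    The two log excerpts above (racoon on the pfSense side in the first post, the remote appliance's ISAKMP states in the second) answer different questions: whether IKE phase 1 and phase 2 completed, not whether traffic is then allowed through. The script below is an added example, not part of either post and not pfSense or racoon code. It parses both formats, expands syslog's "last message repeated N times" lines, counts the negotiation events, and maps the result to a next thing to check. The sample lines are copied from the thread with addresses masked; the event labels and the suggested-next-step strings are this example's own reading of the messages.

```python
"""Summarize IKE state from the racoon and remote-appliance log excerpts.

Added example for the thread above; not pfSense/racoon code. Sample lines are
copied from the posts (addresses masked); labels and hints are interpretation.
"""
import re
from collections import Counter

# pfSense side (racoon via syslog), e.g.
#   "May 8 09:20:50 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: ..."
#   "May 8 09:15:19 last message repeated 2 times"
RACOON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?:racoon:\s(?:\[\w+\]:\s)?(?P<level>[A-Z]+):\s)?(?P<msg>.*)$"
)
# Remote appliance side, e.g.
#   "05/08/2010 23:52:53.24 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established"
REMOTE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}\.\d+)\s"
    r"(?:(?P<tunnel>\S+)\s-\s)?(?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

# (lower-case substring, event label); first match wins.
EVENT_PATTERNS = [
    ("couldn't find configuration", "config_lookup_failed"),
    ("initiate new phase 2", "p2_initiated"),
    ("give up to get ipsec-sa", "p2_timeout"),
    ("isakmp sa established", "p1_established"),
    ("ipsec sa established", "p2_established"),
    ("ipsec sa expired", "p2_expired"),
    ("packet dropped because tcp flag", "tcp_flags_drop"),
]


def classify(msg):
    low = msg.lower()
    for needle, label in EVENT_PATTERNS:
        if needle in low:
            return label
    return "other"


def parse(lines):
    """Return [(timestamp, message, event)], expanding 'repeated N times' lines."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RACOON_RE.match(line) or REMOTE_RE.match(line)
        if not m:
            continue  # neither format; skip
        msg = m.group("msg")
        rep = REPEAT_RE.search(msg)
        if rep and events:
            # syslog collapsed N further copies of the previous message
            _, prev_msg, prev_ev = events[-1]
            events.extend([(m.group("ts"), prev_msg, prev_ev)] * int(rep.group(1)))
            continue
        events.append((m.group("ts"), msg, classify(msg)))
    return events


def summarize(lines):
    counts = Counter(ev for _, _, ev in parse(lines))
    return {
        "phase1_up": counts["p1_established"] > 0,
        "phase2_up": counts["p2_established"] > 0,
        "phase2_timeouts": counts["p2_timeout"],
        "config_lookup_failures": counts["config_lookup_failed"],
        "counts": counts,
    }


def next_check(summary):
    """Suggested next step; interpretation only, see module docstring."""
    if summary["phase2_up"]:
        return ("IPsec SA established, so IKE is fine; if traffic still does not pass, "
                "check firewall rules on the IPsec interface and the Phase 2 networks")
    if summary["phase2_timeouts"]:
        return ("Phase 2 timed out: the peer never completed quick mode; compare "
                "Phase 2 proposals and local/remote networks on both sides")
    if summary["config_lookup_failures"]:
        return ("racoon found no remote configuration for the peer that contacted it; "
                "check the peer address/identifier as seen on this side")
    return "no IKE state events in this excerpt"


RACOON_SAMPLE = """May 8 09:14:49 racoon: ERROR: couldn't find configuration.
May 8 09:15:19 last message repeated 2 times
May 8 09:17:24 last message repeated 5 times
May 8 09:20:48 last message repeated 8 times
May 8 09:20:50 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]
May 8 09:20:58 racoon: ERROR: couldn't find configuration.
May 8 09:21:18 racoon: ERROR: couldn't find configuration.
May 8 09:21:20 racoon: [EPSI]: ERROR: 76.3.xxx.xxx give up to get IPsec-SA due to time up to wait.
May 8 09:21:58 racoon: ERROR: couldn't find configuration.
May 8 09:22:28 last message repeated 2 times
May 8 09:24:51 last message repeated 6 times
May 8 09:27:11 last message repeated 6 times
May 8 09:27:23 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx[0]<=>76.3.xxx.xxx[0]"""

REMOTE_SAMPLE = """05/08/2010 23:54:35.24 Cartersweb - !!!: IPsec SA expired (superseded by #5)
05/08/2010 23:52:53.24 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
05/08/2010 18:26:47.99 Packet dropped because TCP flag combination 0x15 is invalid
05/08/2010 18:26:38.19 Packet dropped because TCP flag combination 0x15 is invalid
05/08/2010 15:54:32.84 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
05/08/2010 15:54:32.44 Cartersweb - STATE_MAIN_I4 ISAKMP SA established
05/08/2010 15:54:31.94 Cartersweb - STATE_MAIN_I1: initiate"""

if __name__ == "__main__":
    for name, sample in (("racoon", RACOON_SAMPLE), ("remote", REMOTE_SAMPLE)):
        s = summarize(sample.splitlines())
        print(name, dict(s["counts"]), "->", next_check(s))
```

    Run as-is to see both verdicts. The remote excerpt is newest-first and the racoon one oldest-first, which is why the summary relies on counts rather than on the order of events; the "repeated N times" expansion matters because syslog hides most of the "couldn't find configuration" volume behind those lines.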


  • Rebel Alliance Developer Netgate

    Did you add firewall rules under Firewall > Rules on the IPsec tab to allow their traffic across the tunnel?



  • I have added a few and I could go to their router, but could not ping from their side to my side.  I am working with a major issue.  It looks like I lost my domain.  I am trying to get that fixed and then I can work on my rules.  I will get back with you when I get it straight.
    RC


Locked