VMWARE image 1.2.3 connecting to a Symantec 320 appliance over IPSEC
I set up a new IPSEC connection last night. I got the tunnel up but was not able to pas traffice. I coule see that the tunnel was up, and could ping from the firewall back to the other firewall. I could not however get it to pass any traffic.
site one (me)
site two (remote)
Both sites are connected via centurylink. They no longer support bridged mode. I am grandfathered in. so that makes it a little hard because my the second site is non-bridged.
The WAN interface on the second connection is 192.168.2.x, the dsl modem has DHCP on it, and the external ip resides on it. So from there I created my tunnel and upp it came. I just can't get traffice from one site to the other. my goal is to pass icmp,ftp only at this point just to move file .. I will open the tunnel up more whe I get the tranning done.
This ustomer is a non profit and I am working with them to on backups and workstation support.
here is a section of my logs:
May 8 09:14:49 racoon: ERROR: couldn't find configuration.
May 8 09:15:19 last message repeated 2 times
May 8 09:17:24 last message repeated 5 times
May 8 09:20:48 last message repeated 8 times
May 8 09:20:50 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx<=>76.3.xxx.xxx
May 8 09:20:58 racoon: ERROR: couldn't find configuration.
May 8 09:21:18 racoon: ERROR: couldn't find configuration.
May 8 09:21:20 racoon: [EPSI]: ERROR: 18.104.22.168 give up to get IPsec-SA due to time up to wait.
May 8 09:21:58 racoon: ERROR: couldn't find configuration.
May 8 09:22:28 last message repeated 2 times
May 8 09:24:51 last message repeated 6 times
May 8 09:27:11 last message repeated 6 times
May 8 09:27:23 racoon: [EPSI]: INFO: initiate new phase 2 negotiation: 63.162.xxx.xxx<=>76.3.xxx.xxx
This is from the customer side. I can ping from my side to their side of the vpn tunnel. But they can't come back accross the tunnel to my network. I am setting up a few services for them to access but only want them to get to those. Any idea what type of rules I am missing to get this running?
05/08/2010 23:54:35.24 Cartersweb - !!!: IPsec SA expired (superseded by #5)
05/08/2010 23:52:53.24 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
05/08/2010 23:52:52.94 Cartersweb - STATE_QUICK_I1: initiate
05/08/2010 23:52:52.84 Cartersweb - Initiating Quick Mode
05/08/2010 23:52:52.84 Cartersweb - !!!: replacing stale IPsec SA
05/08/2010 18:26:47.99 Packet dropped because TCP flag combination 0x15 is invalid
05/08/2010 18:26:38.19 Packet dropped because TCP flag combination 0x15 is invalid
05/08/2010 15:54:32.84 Cartersweb - STATE_QUICK_I2 sent QI2, IPsec SA established
05/08/2010 15:54:32.59 Cartersweb - STATE_QUICK_I1: initiate
05/08/2010 15:54:32.44 Cartersweb - Initiating Quick Mode
05/08/2010 15:54:32.44 Cartersweb - Doing Quick Mode with xxx.xxx.xxx.xxx "Cartersweb"
05/08/2010 15:54:32.44 Cartersweb - Sending ISAKMP OAK INFO (Notification IPSEC_INITIAL_CONTACT)
05/08/2010 15:54:32.44 Cartersweb - STATE_MAIN_I4 ISAKMP SA established
05/08/2010 15:54:32.39 Cartersweb - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
05/08/2010 15:54:32.14 Cartersweb - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
05/08/2010 15:54:31.94 Cartersweb - STATE_MAIN_I1: initiate
Did you add firewall rules under Firewall > Rules on the IPsec tab to allow their traffic across the tunnel?
I have added a few and I could go to their router, but could not ping from their side to my side. I working with a major issue. It looks like I lost my domain. I trying to get that fixed and then I can work on my rules. I get back up with you when I get it straight.