
BEFSX41 & TheGreenBow VPN Problems

Discussion in 'Cisco/Linksys Wireless Routers' started by chrisrico, Oct 5, 2005.

  1. chrisrico

    chrisrico Network Guru Member

    I'm having some problems getting my VPN working with GreenBow and a BEFSX41. The network is simple. I've got a WRT54G connected to the BEFSX41 (which also has 2 PCs attached), which is connected to the cable modem. One of the PCs is my roommate's, and the other one is my file server. My main computer is my laptop, and I want to be able to access my server from anywhere that I have internet. Now, one thing I'm kind of curious about is, would I be able to tunnel to the router while I'm using my access point inside of the VPN?

    Other configuration information:
    BEFSX41
    Subnet: 192.168.2.0
    DDNS is set up
    Newest beta firmware (1.52.5_beta4)

    WRT54G
    Subnet: 192.168.1.0
    All passthroughs set up under the VPN tab
    Newest official Linksys firmware (4.20.7)

    This is the log of what I get when I click Open Tunnel in GreenBow. It seems to just transmit out once, but it never receives anything back.

    Short version:
    Code:
    224850 Default (SA Home-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID]
    Long version:
    Code:
    224933 Misc 95 conf_get_str: [Home-Home-P2]:ISAKMP-peer->Home-P1
    224933 SA   90 sa_find: no SA matched query
    224933 SA   90 sa_find: no SA matched query
    224935 SA   90 sa_find: no SA matched query
    224935 SA   90 sa_find: no SA matched query
    224935 Timr 10 timer_handle_expirations: event exchange_free_aux(00C9C300)
    224935 Exch 20 exchange_free_aux: freeing exchange 00C9C300
    224935 Mesg 20 message_free: freeing 00C9C458
    224935 Timr 10 timer_remove_event: removing event message_send_expire(00C9C458)
    224935 Trpt 95 transport_release: transport 00C9C2B8 had 1 references
    224935 Trpt 70 transport_release: freeing 00C9C2B8
    224935 SA   80 sa_release: SA 00C9C558 had 3 references
    224935 Exch 20 exchange_establish_finalize: finalizing exchange 00C9C300 with arg 00CAE6A0 (Home-Home-P2) & fail = 1
    224935 SA   90 sa_find: no SA matched query
    224935 SA   80 sa_release: SA 00C9C558 had 2 references
    224935 SA   70 sa_remove: SA 00C9C558 removed from SA list
    224935 SA   80 sa_release: SA 00C9C558 had 1 references
    224936 SA   60 sa_release: freeing SA 00C9C558
    224936 Misc 90 proto_free: freeing 00C35FA8
    224936 SA   90 sa_find: no SA matched query
    224936 Sdep 70 sysdep_connection_check: SA for Home-Home-P2 missing
    224936 Misc 95 conf_get_str: [Home-Home-P2]:Phase->2
    224936 Misc 95 conf_get_str: [Home-Home-P2]:ISAKMP-peer->Home-P1
    224936 SA   90 sa_find: no SA matched query
    224936 Misc 95 conf_get_str: [Home-P1]:Phase->1
    224936 Misc 95 conf_get_str: [Home-P1]:Phase->1
    224936 Misc 95 conf_get_str: [Home-P1]:Transport->udp
    224936 Misc 95 conf_get_str: configuration value not found [Home-P1]:Port
    224936 Misc 95 conf_get_str: [Home-P1]:Address->chrisrico.dyndns.org
    224936 Misc 95 conf_get_str: configuration value not found [Home-P1]:Local-address
    224936 Misc 95 conf_get_str: configuration value not found [General]:Listen-on
    224936 Trpt 70 transport_add: adding 00C9C2B8
    224936 Misc 95 conf_get_str: [Home-P1]:Configuration->Home-main-mode
    224936 Misc 95 conf_get_str: [Home-main-mode]:DOI->IPSEC
    224936 Misc 95 conf_get_str: [Home-main-mode]:EXCHANGE_TYPE->ID_PROT
    224936 Misc 95 conf_get_str: [General]:Exchange-max-time->5
    224936 Timr 10 timer_add_event: event exchange_free_aux(00C9C300) added last, expiration in 5s
    224936 Misc 95 conf_get_str: [Home-P1]:Configuration->Home-main-mode
    224936 Misc 95 conf_get_str: configuration value not found [Home-P1]:Xauth
    224936 Misc 95 conf_get_str: configuration value not found [Home-P1]:Flags
    224936 Cryp 60 hash_get: requested algorithm 1
    224936 Exch 10 exchange_establish_p1: 00C9C300 Home-P1 Home-main-mode policy initiator phase 1 doi 1 exchange 2 step 0
    224936 Exch 10 exchange_establish_p1: icookie 91ab21971b8a68f1 rcookie 0000000000000000
    224936 Exch 10 exchange_establish_p1: msgid 00000000 
    224936 Trpt 95 transport_reference: transport 00C9C2B8 now has 1 references
    224936 Mesg 90 message_alloc: allocated 00C9C458
    224936 SA   80 sa_reference: SA 00C9C558 now has 1 references
    224936 SA   70 sa_enter: SA 00C9C558 added to SA list
    224936 SA   80 sa_reference: SA 00C9C558 now has 2 references
    224936 SA   60 sa_create: sa 00C9C558 phase 1 added to exchange 00C9C300 (Home-P1)
    224936 SA   80 sa_reference: SA 00C9C558 now has 3 references
    224936 SA   90 sa_find: no SA matched query
    224936 Misc 95 conf_get_str: [Home-main-mode]:Transforms->3DES-SHA-GRP2
    224936 Misc 95 conf_get_str: [3DES-SHA-GRP2]:ENCRYPTION_ALGORITHM->3DES_CBC
    224936 Misc 95 conf_get_str: [3DES-SHA-GRP2]:HASH_ALGORITHM->SHA
    224936 Misc 95 conf_get_str: [3DES-SHA-GRP2]:AUTHENTICATION_METHOD->PRE_SHARED
    224936 Misc 95 conf_get_str: [3DES-SHA-GRP2]:GROUP_DESCRIPTION->MODP_1024
    224936 Misc 95 conf_get_str: [3DES-SHA-GRP2]:Life->LIFE_MAIN_MODE
    224936 Misc 95 conf_get_str: [LIFE_MAIN_MODE]:LIFE_TYPE->SECONDS
    224936 Misc 95 conf_get_str: [LIFE_MAIN_MODE]:LIFE_DURATION->1800,360:28800
    224936 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP2]:PRF
    224936 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA-GRP2 section
    224936 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP2]:KEY_LENGTH
    224936 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP2]:FIELD_SIZE
    224936 Misc 95 conf_get_str: configuration value not found [3DES-SHA-GRP2]:GROUP_ORDER
    224936 Cryp 60 hash_get: requested algorithm 1
    224936 Exch 90 exchange_validate: checking for required SA
    224936 Mesg 70 message_send: message 00C9C458
    224936 Mesg 70 ICOOKIE: 0x91ab21971b8a68
    224936 Mesg 70 RCOOKIE: 0x00000000000000
    224936 Mesg 70 NEXT_PAYLOAD: SA
    224936 Mesg 70 VERSION: 16
    224936 Mesg 70 EXCH_TYPE: ID_PROT
    224936 Mesg 70 FLAGS: [ ]
    224936 Mesg 70 MESSAGE_ID: 0x000000
    224936 Mesg 70 LENGTH: 140
    224936 Mesg 70 message_send: 91ab2197 1b8a68f1 00000000 00000000 01100200 00000000 0000008c 0d000034
    224936 Mesg 70 message_send: 00000001 00000001 00000028 01010001 00000020 00010000 80010005 80020002
    224936 Mesg 70 message_send: 80030001 80040002 800b0001 800c0708 0d000014 4485152d 18b6bbcd 0be8a846
    224936 Mesg 70 message_send: 9579ddcc 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 00000014 7d9419a6
    224936 Mesg 70 message_send: 5310ca6f 2c179d92 15529d56 
    224936 Default (SA Home-P1) SEND phase 1 Main Mode  [SA] [VID] [VID] [VID]
    224936 Exch 40 exchange_run: exchange 00C9C300 finished step 0, advancing...
    224936 Exch 90 exchange_lookup_by_name: Home-P1 == Home-P1 && 1 == 1?
    224936 Trpt 95 transport_reference: transport 00C9C2B8 now has 2 references
    224936 Trpt 95 transport_reference: transport 00C85FA0 now has 2 references
    224936 Trpt 95 transport_reference: transport 0099B830 now has 2 references
    224936 Misc 95 conf_get_str: [General]:retransmits->5
    224936 Trpt 30 transport_send_messages: message 00C9C458 scheduled for retransmission 1 in 7 secs
    224936 Timr 10 timer_add_event: event message_send_expire(00C9C458) added last, expiration in 7s
    224936 Trpt 95 transport_release: transport 00C9C2B8 had 2 references
    224936 Trpt 95 transport_release: transport 00C85FA0 had 2 references
    224936 Trpt 95 transport_release: transport 0099B830 had 2 references
    Settings:
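The `message_send:` hex lines in the log above are the complete phase 1 packet, so they can be decoded to see exactly what the client proposed. This is an added example, not part of the original post: it walks the ISAKMP payload chain (RFC 2408) and decodes the transform attributes (RFC 2409), assuming a single proposal with a single transform, and it assumes the vendor IDs are MD5 hashes of NAT-T draft names.

```python
import hashlib
import struct

# Bytes copied from the "message_send:" hex lines of the log posted above.
PACKET = bytes.fromhex("".join("""
91ab2197 1b8a68f1 00000000 00000000 01100200 00000000 0000008c 0d000034
00000001 00000001 00000028 01010001 00000020 00010000 80010005 80020002
80030001 80040002 800b0001 800c0708 0d000014 4485152d 18b6bbcd 0be8a846
9579ddcc 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 00000014 7d9419a6
5310ca6f 2c179d92 15529d56""".split()))

PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}  # RFC 2408
ATTRS = {  # RFC 2409 appendix A: attribute class -> (name, known values)
    1: ("encryption", {1: "DES_CBC", 5: "3DES_CBC"}), 2: ("hash", {1: "MD5", 2: "SHA"}),
    3: ("auth", {1: "PRE_SHARED", 3: "RSA_SIG"}), 4: ("group", {1: "MODP_768", 2: "MODP_1024"}),
    11: ("life_type", {1: "SECONDS", 2: "KILOBYTES"}), 12: ("life_duration", {})}
# Assumption: the client derives NAT-T vendor IDs as the MD5 of these draft names.
NATT = {hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-" + v).hexdigest():
        "NAT-T draft " + v.decode().strip() for v in (b"00", b"02\n", b"03")}

def walk_payloads(pkt):
    """Yield (type name, body) for each payload chained after the 28-byte header."""
    nxt, off = pkt[16], 28
    while nxt:
        following, _, plen = struct.unpack_from(">BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("payload length runs past the packet")
        yield PAYLOADS.get(nxt, str(nxt)), pkt[off + 4:off + plen]
        nxt, off = following, off + plen

def transform_attrs(sa_body):
    """Decode the first transform of the first proposal in an SA payload body."""
    t = 16 + sa_body[14]  # skip DOI, situation, proposal header and SPI
    end = t + struct.unpack_from(">H", sa_body, t + 2)[0]
    out, off = {}, t + 8
    while off < end:
        atype, val = struct.unpack_from(">HH", sa_body, off)
        off += 4
        if not atype & 0x8000:  # long form: val is the length of the value
            val, off = int.from_bytes(sa_body[off:off + val], "big"), off + val
        name, names = ATTRS.get(atype & 0x7FFF, (str(atype & 0x7FFF), {}))
        out[name] = names.get(val, val)
    return out

def summarize(pkt):
    chain = list(walk_payloads(pkt))
    return {"length": struct.unpack_from(">I", pkt, 24)[0], "rcookie": pkt[8:16].hex(),
            "payloads": [n for n, _ in chain], "proposal": transform_attrs(chain[0][1]),
            "vendor_ids": [NATT.get(b.hex(), b.hex()) for n, b in chain if n == "VID"]}
```

Calling `summarize(PACKET)` gives the same `[SA] [VID] [VID] [VID]` chain the log reports, a proposal matching the `3DES-SHA-GRP2` section, and an all-zero responder cookie, since no reply has been received yet.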
     
  2. chrisrico

    chrisrico Network Guru Member

    Come on... I couldn't have given more information about my problem... somebody help me out.
     
  3. coordes

    coordes Network Guru Member

    hi,
    I didn't have the answer, but I think I have some hints:

    at the phase 2 config:
    - your VPN Client Address should not be of one of your intranet-addresses because of routing problems
    - your Remote LAN Address is 192.168.2.1 with submask 255.255.255.0; this doesn't point at one or more subnet(s)!
    e.g.: I have 2 subnets behind the router (BEFSX41)
    a) 192.168.1.0 (the last 0 means the whole net)
    b) 192.168.2.0
    in order to reach both nets I have to put in 192.168.0.0 with the submask 255.255.0.0 (or 255.255.128.0)

    I hope this helps
     
  4. dgvandal

    dgvandal Network Guru Member

    >>> - your VPN Client Address should not be of one of your
    >>> intranet-addresses because of routing problems

    The statement above is incorrect. After the tunnel is brought up on the PC that's using the TheGreenBow VPN client software, you'll want to be able to talk to the other computers on the remote subnet (192.168.2.0/24). The way this is made possible is to assign an address on the same subnet. When the VPN Tunnel is up, your client should route all packets for the 192.168.2.0 subnet over the Tunnel. Unfortunately Windows does not show TheGreenBow routes in its routing table (netstat -rn), so it's hard to tell if it's working. However, once your tunnel is up you should be able to PING the BEFSX41 LAN interface 192.168.2.1.

    I actually have almost the EXACT same setup configured. The only difference I have is that I set the Phase 1 & Phase 2 Default Lifetime on the TheGreenBow client to 3600 secs. Then set the same on the BEFSX41.

    My Tunnel comes up. I can ping the BEFSX41 LAN Network address (192.168.2.1) when the Tunnel is up. I can even manage the BEFSX41 through the tunnel using http://192.168.2.1. My problem is connecting to OTHER hosts on the network. I have a PC with 192.168.2.4 and when I try to ping that address, I get no response. So I installed Ethereal on that computer in an attempt to figure out what's going on. Ethereal shows that when I ping from the PC using TheGreenBow VPN Client and the Tunnel is up, the ICMP requests do reach 192.168.2.4. That PC then ARPs back out for the VPN client at 192.168.1.100, but the ARP request does not make it back over the Tunnel to the VPN client. This makes me think that there is a problem with NAT-T translation on the BEFSX41.

    I have a question for chrisrico:

    Did you ever get this working???

    Does anyone know how to make sure NAT-T is enabled and running on the BEFSX41?

    The thread below suggests that the username and FQDN must be filled in the advanced field? Is this true? Where?

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=11646&p=50223
     
