Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 879 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't connect with Safenet Softremote to ASL

DaFunkyFreak
I'm having a serious Problem in getting my vpn client safenet softremote connected to my ASL.

The logfile of my client gives me the following information.

11-15: 02:57:13.134  
11-15: 02:57:13.585 My Connections\Madnet VPN - Initiating IKE Phase 1 (IP ADDR=10.1.0.1)
11-15: 02:57:13.585 My Connections\Madnet VPN - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
11-15: 02:57:13.615 My Connections\Madnet VPN - RECEIVED>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
11-15: 02:57:14.226 My Connections\Madnet VPN - RECEIVED>>> ISAKMP OAK MM *(ID, CERT, CERT_REQ 2x, SIG, NOTIFY:STATUS_INITIAL_CONTACT)
11-15: 02:57:14.957 My Connections\Madnet VPN - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
11-15: 02:57:15.878 My Connections\Madnet VPN - RECEIVED


This thread was automatically locked due to age.
Parents
  • 0
    HI
    I`m not sure but I`think the Safenet can`t connect trough a NAT connection! 
    What does the ASL log says?
  • 0 in reply to frank75
    Hi there!

    Of course it works, Safenet Softremote support NAT-T. But i haven´t got it running using Certificates, due lack of the ID Type for Remote_Party_and_adressing.
    Here is a piece of log from a PSK Connection to ASL5:

    11-17: 21:07:58.327  
    11-17: 21:07:58.327 My Connections\dacat - Attempting to resolve Hostname (dacat.dyndns.org)
    11-17: 21:07:58.499 My Connections\dacat - Initiating IKE Phase 1 (Hostname=dacat.dyndns.org) (IP ADDR=217.80.57.108)
    11-17: 21:07:58.514 My Connections\dacat - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
    11-17: 21:07:58.655 My Connections\dacat - RECEIVED>>> ISAKMP OAK MM (KE, NON, NAT-D 2x, VID 3x)
    11-17: 21:07:58.905 My Connections\dacat - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
    11-17: 21:07:59.124 My Connections\dacat - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
    11-17: 21:07:59.530 My Connections\dacat - RECEIVED>>> ISAKMP OAK QM *(HASH)
    11-17: 21:07:59.545 My Connections\dacat - Loading IPSec SA (Message ID = DAB5BC1A OUTBOUND SPI = F7ACD142 INBOUND SPI = BF6DBF4)
    11-17: 21:07:59.545  

    This works fine via a broadbandrouiter forwarding ESP+ISAKMP-Traffic. But i got a problem from the same destination to another ASL5 Box:

    11-17: 21:09:47.014 My Connections\VPN-xxxxx - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
    11-17: 21:09:47.092 My Connections\VPN-xxxxx- Peer port change: 4500->500
    11-17: 21:09:47.092 My Connections\VPN-xxxxx - RECEIVED
  • 0 in reply to passi
    Is there a Safenet config option to prevent from changing the ports?

    -> Peer port change: 4500->500

    As far as I know Astaro uses udp/4500 only for IPSec data transfer and udp/500 for IKE (Phase one) only.

    Greetings
    cyclops
  • 0 in reply to cyclops
    No, there is no option to turn NAT-T off in SoftRemote. Strange thing is that the client can connect the first ASL5 Box but the second fails. Possible that the second ASL5 Box uses NAT on his side...

    Ihmo is the udp/4500 the NAT-T thingy if ESP is not availible, right?

    cu

    passi
Reply
  • 0 in reply to cyclops
    No, there is no option to turn NAT-T off in SoftRemote. Strange thing is that the client can connect the first ASL5 Box but the second fails. Possible that the second ASL5 Box uses NAT on his side...

    Ihmo is the udp/4500 the NAT-T thingy if ESP is not availible, right?

    cu

    passi
Children
No Data
Cookie Information Banner