This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site with Astaro 6.2 + Netgear FVS 338

Hello Community,

we recently exchanged the Netgear Router in our main office with an astaro 610 appliance. We have two small remote offices (Netgear FVS 338 / other Router) which are connected via vpn to our main office.
I don't seem to be able to set up the astaro box to enable those vpn-tunnels.
Any help would be greatly appreciated.

main office:
Astaro ASG 610 v6.2
ADSL 16Mbit/1Mbit
dyn. ip (dynds already set up)
192.168.1.0/24

office 1:
Netgear FVS 338
ADSL 6Mbit/0,5Mbit
dyn. ip (dynds already set up)
192.168.16.0/24

office 2:
ALLNET ALL1294VPN
ADSL 6Mbit/0,5Mbit
dyn. ip (dynds already set up)
192.168.0.0/24

All three offices were set up to maintain site-to-site vpn-tunnels utilising PSK.

In order to re-enable vpn, I added the two remote gateways as dns-hosts (on the "definitions"-page) as well as the remote networks.
I then added the preshared key as remote key.
I created a new vpn-policy according to the encryption settings of the remote gateways.
A new VPN-connection is created using my policy. local endpoint: astaro external interface, remote endpoint: remote gateway. vpn-declaration local / remote lan as defined earlier. the connection uses the previously entered psk.

As far as I know, this should do the trick. Still, my local vpn-log reads:

##############################################
000
000 "S_K-A-PTP-VPN_0": 192.168.1.0/24===80.135.28.24...84.144.95.19===192.168.16.0/24; unrouted; eroute owner: #0
000 "S_K-A-PTP-VPN_0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_K-A-PTP-VPN_0":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "S_K-A-PTP-VPN_0":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "S_K-A-PTP-VPN_0":   dpd: action:restart; delay:30; timeout:120;
000 "S_K-A-PTP-VPN_0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "S_K-A-PTP-VPN_0":   IKE algorithms wanted: 5_000-2-2, flags=-strict
000 "S_K-A-PTP-VPN_0":   IKE algorithms found:  5_192-2_160-2,
000 "S_K-A-PTP-VPN_0":   ESP algorithms wanted: 3_000-2, ; pfsgroup=2; flags=-strict
000 "S_K-A-PTP-VPN_0":   ESP algorithms loaded: 3_000-2, ; pfsgroup=2; flags=-strict
000
000 #1: "S_K-A-PTP-VPN_0":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 31s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "S_K-A-PTP-VPN_0" replacing #0
################################################

The remote log reads:

################################################
time="2006-08-29 14:37:01"   INFO :: Started phase-I negotiation
time="2006-08-29 14:37:01"   ID PAYLOAD :: Mismatching ID type (ID_IPV4_ADDR) and ID: 80.135.28.24 with the configured IKE policy
time="2006-08-29 14:37:01"   INFO :: Sending phase-I notify of type INVALID_ID_INFORMATION
time="2006-08-29 14:37:01"   INFO :: Phase-I negotiation failed
time="2006-08-29 14:37:01"   INFO :: Deleting the IsakmpSA
time="2006-08-29 14:38:11"   INFO :: Started phase-I negotiation
time="2006-08-29 14:38:12"   ID PAYLOAD :: Mismatching ID type (ID_IPV4_ADDR) and ID: 80.135.28.24 with the configured IKE policy
time="2006-08-29 14:38:12"   INFO :: Sending phase-I notify of type INVALID_ID_INFORMATION
time="2006-08-29 14:38:12"   INFO :: Phase-I negotiation failed
time="2006-08-29 14:38:12"   INFO :: Deleting the IsakmpSA
################################################

So obviously, the remote box wants a FQDN as identifier while the psk on the astaro box is connected to IPv4 as identifier (which I cannot change, there are no options).
As both sides use dynamic IPs, using IPs as identifiers is not an option.
Why can't I use my dyndns-hostnames as identifiers on the astaro box just like on the other gateways?

A second thing I noticed in the astaro logs is a ike-algorithm mismatch. does anyone know, which algorithms the numbers correspond to?

I would be very glad if someone could help me. I am really thinking about "downgrading" back to my old Netgear Router....

If I should post any other information, please let me know.

Thanks in advance,

DiePlage

This thread was automatically locked due to age.

0 DiePlage over 19 years ago

Well, it looks like I have to use X.509 certificates instead of PSK.

Now the identity type error has vanished as expected but I got a new problem.
The Netgear box refuses to connect with the response:
#####
CERT PAYLOAD :: No CRL available to verify the Revocation status of the Received certificate in IKE phase-1 msg
#####
It looks like strict CRL-policy is by default enabled on the Netgear Firewall and there is no way to turn it of. The ASG doesn't manage a CRL so I just don't see any way right now to make this connection work.

Of course any help is greatly apreciated...

DiePlage
Cancel
Vote Up 0 Vote Down

Cancel