D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-330 => Topic started by: bdotson on April 05, 2010, 04:56:02 PM
-
I'm trying to set up a site-to-site IPSec VPN tunnel from a DIR-330 to a Secure Computing (now McAfee) SnapGear 300. The DIR-330 is at a branch office, and the SnapGear is at the main office. I see a session on the DIR-330 on port 500 from the SnapGear, but the SnapGear simply sits in "Negotiating Phase 1" and never gets beyond that point. There's no VPN session indicated on the DIR-330.
I can't figure out what might be wrong with the configuration -- everything seems to match on both ends, but I can't get the tunnel going. We have other IPSec VPN tunnels working with the SnapGear, so it's not like the SnapGear can't do this.
Any help is appreciated.
-
How about your IPsec settings for both sides so we can take a look-see?
-
Oops, I should have anticipated that.
Here's the configuration on the SnapGear:
Tunnel Name: merriam
Enable this tunnel: [checked]
Local Interface: default gateway interface (the outside IP)
Keying: Aggressive Mode
Local address: static IP address
Remote address: DNS hostname address [this is a DSL connection using DLink DDNS]
Initiate Tunnel Negotiation: [checked]
Optional Endpoint ID: [blank]
IP Payload Compression: [not checked]
Dead Peer Detection: [not checked]
Initiate Phase 1 & 2 rekeying: [checked]
The remote party's DNS hostname: simplemoveskc.dlinkddns.com
Required Endpoint ID: merriam@simplemovesstl.com
Key lifetime (sec): 28800
Rekey margin (sec): 600
Rekey fuzz (%): 100
Preshared Secret: [secret, but the same on both ends]
Phase 1 Proposal: 3DES-MD5-Diffie-Hellman Group 2 (1024 bit)
Local Network: Network of LAN Port [192.168.207.0/24]
Remote Network: 192.168.0.0/24
Key Lifetime (sec): 3600
Phase 2 Proposal: 3DES-MD5
Perfect Forward Secrecy: [unchecked]
On the DIR-330, I have the following:
Enable: [checked]
Name: merriam
Local Net /Mask: 192.168.0.0/24
Remote IP: Site to Site 74.223.104.146
Remote Local LAN Net /Mask: 192.168.207.0/24
Authentication: Pre-shared Key [same as above]
Local ID : Custom string: merriam@simplemovesstl.com
Remote ID : Default
Phase 1 :
Aggressive mode [checked]
NAT-T Enable: [not checked]
Keep Alive / DPD: none
DH Group : 2 - modp 1024
IKE Proposal List (Cipher / Hash):
#1: 3DES / MD5
#2: 3DES / MD5
#3: 3DES / MD5
#4: 3DES / MD5
IKE Lifetime : 28800 Seconds
Phase 2:
PFS Enable: [unchecked]
PFS DH Group: 2 - modp 1024-bit [this is grayed out]
IPSec Proposal List (Cipher / Hash):
#1: 3DES / MD5
#2: 3DES / MD5
#3: 3DES / MD5
#4: 3DES / MD5
IPSec lifetime: 3600 seconds
I know IPSec is difficult, but this has been a complete nightmare. Seems like if everything is the same on both ends, it should just work. But maybe I'm just a dreamer.
Grateful for your help,
Bill
-
Does the tunnel work if you use default IPsec IDs instead of manual DNS IPsec IDs?
-
The SnapGear requires a remote endpoint ID except when the remote address is a static IP. Still, I just tried that setting on the DIR-330, and I get the same result -- Negotiating Phase 1 forever.
-
Is this the only install you have using a non-static IP?
Your ID should be different on each side.
-
Yes, unfortunately, this is the only install with a non-static IP. The other tunnels have static IPs. I thought the DDNS setup is supposed to get around non-static IPs.
The ID on the SnapGear side is the remote ID. That matches the Local ID on the DIR-330. Isn't that correct? The local ID on the SnapGear is optional, I guess since it has a static IP.
-
Specify both IDs on both sides.
-
That doesn't seem to make a difference.
-
Additional info: I finally was able to reach a human at SnapGear support, and they pointed me to this line in the system log:
ERROR: asynchronous network error report on eth1 for message to 68.93.177.139 port 500, complainant 68.93.177.139: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Seems that the DIR-330 is refusing the connection as not authenticated. How do I fix that? Do I need to add stl@simplemovesstl.com as a user on the DIR-330?
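Added example, not from the thread or from either vendor: a small Python cross-check of the two configurations posted above, applying the mirroring rules the replies rely on (proposals and lifetimes identical on both ends; networks and IKE identities swapped between the two ends, so each side's Local ID is the other side's Remote ID). The field names, the `check_pair` function and the treatment of the DIR-330's "Default" Remote ID as unset are my assumptions.

```python
from ipaddress import ip_network

# Values transcribed from the two configs in the thread; "Default" on the
# DIR-330 Remote ID is treated here as unset (an assumption).
SNAPGEAR = {
    "mode": "aggressive", "local_net": "192.168.207.0/24", "remote_net": "192.168.0.0/24",
    "local_id": "", "remote_id": "merriam@simplemovesstl.com",
    "p1": ("3DES", "MD5", 2), "p1_lifetime": 28800,
    "p2": ("3DES", "MD5"), "p2_lifetime": 3600, "pfs": False,
}
DIR330 = {
    "mode": "aggressive", "local_net": "192.168.0.0/24", "remote_net": "192.168.207.0/24",
    "local_id": "merriam@simplemovesstl.com", "remote_id": "",
    "p1": ("3DES", "MD5", 2), "p1_lifetime": 28800,
    "p2": ("3DES", "MD5"), "p2_lifetime": 3600, "pfs": False,
}


def check_pair(a, b):
    """Return a list of human-readable mismatches between peers a and b."""
    problems = []
    # Parameters that must be identical on both ends for Phase 1 / Phase 2 to agree.
    for key in ("mode", "p1", "p1_lifetime", "p2", "p2_lifetime", "pfs"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    # Traffic selectors must mirror: local on one side equals remote on the other.
    for mine, theirs in (("local_net", "remote_net"), ("remote_net", "local_net")):
        if ip_network(a[mine]) != ip_network(b[theirs]):
            problems.append(f"{mine} on A ({a[mine]}) != {theirs} on B ({b[theirs]})")
    # IKE identities mirror the same way; with aggressive mode and a dynamic
    # address the responder matches the PSK by this ID, so both must be explicit.
    for mine, theirs in (("local_id", "remote_id"), ("remote_id", "local_id")):
        if not a[mine] or not b[theirs]:
            problems.append(f"{mine} on A / {theirs} on B: one side is unset, set both explicitly")
        elif a[mine] != b[theirs]:
            problems.append(f"{mine} on A ({a[mine]}) != {theirs} on B ({b[theirs]})")
    return problems


if __name__ == "__main__":
    for line in check_pair(SNAPGEAR, DIR330):
        print(line)
```

Run against the posted values, the only finding is the unset ID pair (SnapGear Local ID / DIR-330 Remote ID), which is the gap the "specify both IDs on both sides" reply points at.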