D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls
Topic started by: Pedro Marques on May 27, 2010, 10:36:10 AM

- 
I have already tried to configure the LAN-to-LAN IPsec tunnel, but it's not working and I don't have any clue where the problem is.
 Can someone help me with this configuration?
 
 I have the following configuration:
 Local  (DFL-800)
 lan-ip: 100.0.0.252
 lan-net: 100.0.0.0/24
 wan2-ip: fixed IP (public internet)
 
 Remote (Cisco xxx)
 remote-net: 10.0.15.0/20
 remote-host: 10.0.15.99
 remote-gw: 213.30.4.50 (Public IP)
 
 Information from the remote member connection
 My network must be NATed to 192.168.35.0/24 to reach the remote-host
 Digital Certificate: None
 Certificate Transmission: Identity certificate only
 PreShared key: "1234567890"
 Authentication: ESP/MD5/HMAC-128
 Encryption: 3DES-168
 IKE Proposal: IKE-3DES-MD5
 
 
 Thanks in advance for helping me!!!
 
- 
What do you see in the logs? In Status > IPsec?
			
- 
I don't see any information in the logs for this connection.
 
 It seems that the configuration is not working.
 
 Can you help with the configuration steps for this connection?
- 
http://www.dlink.com/support/faq/default.aspx?question=DFL-800
- 
Using SSH, the command "ikesnoop -on -verbose" gives you good information about IKE problems.
- 
I have the following information with "ikesnoop -on -verbose":
 
 
 
 2010-05-31 10:04:30: IkeSnoop: Sending IKE packet to 213.30.4.50:4500
 Exchange type  : Quick mode
 ISAKMP Version : 1.0
 Flags          : E (encryption)
 Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
 Message ID     : 0x72dc8b3e
 Packet length  : 284 bytes
 # payloads     : 5
 Payloads:
 HASH (Hash)
 Payload data length : 16 bytes
 SA (Security Association)
 Payload data length : 180 bytes
 DOI : 1 (IPsec DOI)
 Proposal 1/1
 Protocol 1/1
 Protocol ID                : ESP
 SPI Size                   : 4
 SPI Value                : 0xd9e14b63
 Transform 1/6
 Transform ID             : Rijndael (aes)
 Key length               : 128
 Authentication algorithm : HMAC-MD5
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 Transform 2/6
 Transform ID             : Rijndael (aes)
 Key length               : 128
 Authentication algorithm : HMAC-SHA-1
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 Transform 3/6
 Transform ID             : 3DES
 Authentication algorithm : HMAC-MD5
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 Transform 4/6
 Transform ID             : 3DES
 Authentication algorithm : HMAC-SHA-1
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 Transform 5/6
 Transform ID             : Blowfish
 Key length               : 128
 Authentication algorithm : HMAC-MD5
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 Transform 6/6
 Transform ID             : Blowfish
 Key length               : 128
 Authentication algorithm : HMAC-SHA-1
 SA life type             : Seconds
 SA life duration         : 3600
 Encapsulation mode       : UDP Tunnel
 NONCE (Nonce)
 Payload data length : 16 bytes
 ID (Identification)
 Payload data length : 12 bytes
 ID : ipv4_subnet(any:0,[0..7]=100.0.0.0/24)
 ID (Identification)
 Payload data length : 12 bytes
 ID : ipv4_subnet(any:0,[0..7]=10.0.0.0/20)
 
 2010-05-31 10:04:30: IkeSnoop: Received IKE packet from 213.30.4.50:4500
 Exchange type  : Informational
 ISAKMP Version : 1.0
 Flags          : E (encryption)
 Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
 Message ID     : 0x75c20886
 Packet length  : 84 bytes
 # payloads     : 2
 Payloads:
 HASH (Hash)
 Payload data length : 16 bytes
 N (Notification)
 Payload data length : 32 bytes
 Protocol ID  : ISAKMP
 Notification : Responder lifetime
 
 2010-05-31 10:04:30: IkeSnoop: Received IKE packet from 213.30.4.50:4500
 Exchange type  : Informational
 ISAKMP Version : 1.0
 Flags          : E (encryption)
 Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
 Message ID     : 0xf1fb25a1
 Packet length  : 76 bytes
 # payloads     : 2
 Payloads:
 HASH (Hash)
 Payload data length : 16 bytes
 D (Delete)
 Payload data length : 24 bytes
 Protocol ID : ISAKMP
 Delete SPIs : 0x703b3556a5a8f86c3d34a9b55dca2de6
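As an added example (my own code, not from the thread, D-Link or Cisco), the Python below parses the Quick Mode packet above and compares it with the requirements the remote side stated in the first post. It shows that a 3DES/MD5 transform is offered, but the local ID sent is 100.0.0.0/24 rather than the 192.168.35.0/24 the peer expects, and that the remote-net 10.0.15.0/20 normalises to the 10.0.0.0/20 that actually appears in the ID payload; function names and the trimmed excerpt are mine.

```python
import ipaddress
import re

# Excerpt of the Quick Mode packet posted above (trimmed to 2 of its 6 transforms).
IKESNOOP = """\
Transform 1/6
Transform ID             : Rijndael (aes)
Authentication algorithm : HMAC-MD5
Transform 3/6
Transform ID             : 3DES
Authentication algorithm : HMAC-MD5
ID (Identification)
ID : ipv4_subnet(any:0,[0..7]=100.0.0.0/24)
ID (Identification)
ID : ipv4_subnet(any:0,[0..7]=10.0.0.0/20)
"""

def parse_quick_mode(text):
    """Return (transforms, ids): (cipher, auth) tuples in offered order, and the two
    ipv4_subnet traffic selectors (initiator's network first, then responder's)."""
    transforms, ids, cur = [], [], None
    for line in text.splitlines():
        key, _, val = (p.strip() for p in line.partition(":"))
        if key.startswith("Transform ") and not val:  # "Transform 3/6" opens a new entry
            cur = {}
            transforms.append(cur)
        elif key == "Transform ID":  # "Rijndael (aes)" -> "aes", "3DES" -> "3des"
            cur["cipher"] = "aes" if "aes" in val.lower() else val.lower()
        elif key == "Authentication algorithm":  # "HMAC-SHA-1" -> "sha1"
            cur["auth"] = val.lower().replace("hmac-", "").replace("-", "")
        elif key == "ID":
            net = re.search(r"=(\d+\.\d+\.\d+\.\d+/\d+)\)", val).group(1)
            ids.append(ipaddress.ip_network(net, strict=False))
    return [(t["cipher"], t["auth"]) for t in transforms], ids

def check_proposal(text, peer_cipher, peer_auth, local_net_expected, remote_net):
    """Compare the proposal with what the peer says it accepts; strict=False turns
    10.0.15.0/20 into the 10.0.0.0/20 the DFL-800 really sent. Empty list = match."""
    transforms, ids = parse_quick_mode(text)
    want_local = ipaddress.ip_network(local_net_expected, strict=False)
    want_remote = ipaddress.ip_network(remote_net, strict=False)
    findings = []
    if (peer_cipher, peer_auth) not in transforms:
        findings.append(f"no transform offers {peer_cipher}/{peer_auth}")
    if ids[0] != want_local:  # the NAT the peer requires is missing from the selector
        findings.append(f"local ID {ids[0]} but peer requires {want_local}")
    if ids[1] != want_remote:
        findings.append(f"remote ID {ids[1]} but peer network is {want_remote}")
    return findings
```

Run with the values from the first post, `check_proposal(IKESNOOP, "3des", "md5", "192.168.35.0/24", "10.0.15.0/20")` returns a single finding about the local ID, which is exactly what the IP alias / NAT fix later in the thread addresses.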
- 
What do you see in the logs? In Status > IPsec?
 
 
 X 2
 
 Try disabling the keep-alive option and try one ping to some IP address (it can be a nonexistent one) on the remote LAN to force the tunnel to attempt establishment, and check the logs.
 
 I suggest you create a more specific set of IKE and IPsec algorithms according to the config you chose on the Cisco router to narrow the negotiation, for example a set using only 3DES/SHA1 or AES/MD5, and check the logs on the Cisco router and discuss them (on the Cisco forums) to progress on the troubleshooting of the problem.
- 
Thanks very much for your help.
 I already have the tunnel communicating with the other end.
 
 I had to create an IP alias to mask my local net.
 I don't like the solution very much. It's not the cleanest solution.
 
 Does someone have another way to do it???
 
 Thanks
- 
One more time, please:
 
 1) Do you have problems with setting up the IPsec tunnel?
 
 OR
 
 2) Do you need to mask your network by some other IP?
- 
I need to mask my internal network (100.0.0.0/24) by another IP range (192.168.35.0/24) for the IPsec tunnel.