Author Topic: DFL-210 IPSec LAN-to-LAN tunnel not working (other end is a Cisco) - me = lost  (Read 10101 times)

techie007

  • Level 1 Member
  • *
  • Posts: 4

Hey all,

I've been tasked with hooking up a VPN tunnel via this DFL-210 to a 3rd party (who's using Cisco equipment).  I'm pretty sure I've got this all set up right based on the D-link FAQs and the info provided by the 3rd party, but it's not working and I'm at a loss looking at the logs.

Here's the log entries (latest on top):
2010-06-04 11:59:27 Info IPSEC 1803021 ipsec_sa_statistics
done=173 success=0 failed=173 

2010-06-04 11:59:27 Warning IPSEC 1800109 ike_quickmode_failed
local_ip=10.235.X.X remote_ip=208.51.X.X cookies=b5c76a3c1d0268c27b34bac2f6812c3e reason="No proposal chosen" 

2010-06-04 11:59:27 Warning IPSEC 1803020 ipsec_sa_failed no_ipsec_sa
statusmsg="No proposal chosen" 

2010-06-04 11:59:27 Info IPSEC 1800102 ipsec_event
message=" Remote Proxy ID 150.2.0.0/16 any" 

2010-06-04 11:59:27 Info IPSEC 1800102 ipsec_event
message=" Local Proxy ID 192.168.0.0/24 any" 

2010-06-04 11:59:27 Info IPSEC 1802703 ike_sa_negotiation_completed ike_sa_completed
local_peer="10.235.X.X ID 10.235.X.X" remote_peer="208.51.X.X ID 208.51.X.X" initiator_spi="b5c76a3c 1d0268c2" responder_spi="7b34bac2 f6812c3e" int_severity=6 

2010-06-04 11:59:27 Info IPSEC 1800102 ipsec_event
message="IPsec SA [Initiator] negotiation failed:" 

So I'm not sure what to make of this, could this be caused by a mismatch in the tunnel settings someplace?

Another potential suspect is the fact that this D-link is behind another router (d-link->secure network router->Internet) that is provided by the government to keep their network secured between sites.

They (the government) tell me they've opened all I need in their router to get this IPSec tunnel in place; and based on the other things they claimed to have done (opened HTTP, HTTPS ports, and allow PPTP in and out) I have to trust they did it right, since all of that other stuff works as expected.

Could this problem (according to the above logs) be caused by them not properly passing the IPSec stuff?

Also, this is being done via a PSK, which they (the 3rd party VPN techs) provided in "passphrase" form -- would a 'passphrase' created by a Cisco box be directly compatible with the PSK Passphrase field in the D-link?

Again, I'm at a loss, so any ideas are appreciated. :)

Thanks in advance.
« Last Edit: June 04, 2010, 09:44:06 AM by techie007 »

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675

It could certainly be caused by a mismatch of settings.

Having NAT in front of your device is not the way I would choose to run things; that is a very strong candidate for your problem.

PSKs are fine regardless of vendor, as long as they are an ASCII PSK and not a hex PSK (which would also work, but you would have to enter it differently).
non progredi est regredi

techie007

  • Level 1 Member
  • *
  • Posts: 4

Thanks for the response Fatman.

Having NAT in front of my device is not my choice, as it's government issued (it's a medical situation, the route between me and the Internet is to keep inter-hospital/clinic traffic). I'm not convinced I'm actually "NAT'ed" behind that router, and (unfortunately) getting info about its setup is like pulling teeth.

I'm a long time tech but with little to no IPSec tunnel experience, so I'm not sure on certain terminology, like "proposal".

To me it looks like the tunnel is connecting, but then the interface between them fails; I'm not sure if it's an authentication failure, or encryption failure, or something else?

I guess what I should ask is, WTH are these logs even telling me? :) 

Currently, I'm not sure where to begin looking to track down the cause?

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675

Well unless you are connected to some greater network that uses that "unrouteable" network, you are most certainly being NAT'ed.

As for what the log is saying, not terribly much, almost any misconfiguration would produce similar logs.
non progredi est regredi
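Reading those entries mechanically, as an added example that is not from any poster here: it parses the DFL-210 log format shown in the first post (a header line followed by a key=value line) over a constructed sample copied from that post, and classifies the failure. An IKE SA that completes and is then followed by a quick mode failure with "No proposal chosen" means Phase 1, PSK included, succeeded and the disagreement is in the Phase 2 proposal or the proxy IDs, which is where to compare settings with the Cisco side.

```python
import re

# Constructed sample: the DFL-210 entries from the first post, newest first,
# with the addresses masked exactly as the poster masked them.
SAMPLE_LOG = """\
2010-06-04 11:59:27 Warning IPSEC 1800109 ike_quickmode_failed
local_ip=10.235.X.X remote_ip=208.51.X.X cookies=b5c76a3c1d0268c27b34bac2f6812c3e reason="No proposal chosen"
2010-06-04 11:59:27 Warning IPSEC 1803020 ipsec_sa_failed no_ipsec_sa
statusmsg="No proposal chosen"
2010-06-04 11:59:27 Info IPSEC 1800102 ipsec_event
message=" Remote Proxy ID 150.2.0.0/16 any"
2010-06-04 11:59:27 Info IPSEC 1800102 ipsec_event
message=" Local Proxy ID 192.168.0.0/24 any"
2010-06-04 11:59:27 Info IPSEC 1802703 ike_sa_negotiation_completed ike_sa_completed
local_peer="10.235.X.X ID 10.235.X.X" remote_peer="208.51.X.X ID 208.51.X.X" int_severity=6
"""

HEADER = re.compile(r"^\S+ \S+ \w+ IPSEC (\d+) (\w+)")   # date time severity IPSEC id event
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value or key="quoted value"


def parse_entries(text):
    """Pair every header line with the key=value line that follows it."""
    entries, lines = [], [l for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue  # parameter line; already attached to the header above it
        params = {}
        if i + 1 < len(lines) and not HEADER.match(lines[i + 1]):
            params = {k: v.strip('"').strip() for k, v in KV.findall(lines[i + 1])}
        entries.append({"id": m.group(1), "event": m.group(2), "params": params})
    return entries


def diagnose(entries):
    """Report which IKE phase failed, why, and the traffic selectors each side offered."""
    events = {e["event"] for e in entries}
    phase1_ok = "ike_sa_negotiation_completed" in events
    qm = next((e for e in entries if e["event"] == "ike_quickmode_failed"), None)
    proxy = {}
    for e in entries:
        m = re.match(r"(Local|Remote) Proxy ID (\S+) (\S+)", e["params"].get("message", ""))
        if m:
            proxy[m.group(1).lower()] = (m.group(2), m.group(3))
    # IKE SA completed => Phase 1 (and therefore the PSK) matched. A quick mode
    # failure after that is a Phase 2 mismatch: ESP transform, PFS group,
    # lifetime, or proxy IDs (the Cisco crypto ACL) that disagree.
    stage = "phase2" if phase1_ok and qm else ("phase1" if not phase1_ok else "ok")
    return {"stage": stage, "reason": qm["params"].get("reason") if qm else None,
            "local_proxy": proxy.get("local"), "remote_proxy": proxy.get("remote")}
```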

techie007

  • Level 1 Member
  • *
  • Posts: 4


Any suggestions on how I can determine which part of the connection/authentication/encryption is failing?

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov

Enable NAT-T, try to set ID type = IP and value = your external address.
Check logs on other (Cisco) side.
BR, Alexandr Danilov

techie007

  • Level 1 Member
  • *
  • Posts: 4

Enable NAT-T, try to set ID type = IP and value = your external address.
Check logs on other (Cisco) side.

Hmm I think I did what you suggested:

In the IPSec tunnel, under the IKE settings I set NAT Traversal to "On if supported" (it WAS set to On if supported and NATed).

Under the Authentication tab (still in the tunnel settings) I changed "Local ID Type" to IP and put my Internet IP address in for the "Local ID Value" - this WAS set to just Auto/blank.

Is that what you were suggesting I do, or did I misunderstand (which wouldn't be a big surprise ;) )?

I applied it and the tunnel still fails, with the exact same messages in the log. :( 

I can't check the Cisco side easily, since I don't work for that company. :)  But I'm currently waiting to hear back from them with any ideas/info from their end.