Author Topic: Need help to configure IPsec Tunnel Lan to Lan using DFL-800  (Read 9534 times)

Pedro Marques

  • Level 1 Member
  • *
  • Posts: 5

I have already tried to configure the LAN-to-LAN IPsec tunnel, but it's not working and I don't have any clue where the problem is.
Can someone help me with this configuration?

I have the following configuration:
Local (DFL-800)
lan-ip: 100.0.0.252
lan-net: 100.0.0.0/24
wan2-ip: fixed IP (public internet)

Remote (Cisco xxx)
remote-net: 10.0.15.0/20
remote-host: 10.0.15.99
remote-gw: 213.30.4.50 (Public IP)

Information from the remote member connection
My network must be NATed to 192.168.35.0/24 to reach the remote-host
Digital Certificate: None
Certificate Transmission: Identity certificate only
PreShared key: "1234567890"
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5


Thanks in advance for helping me!!!
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #1 on: May 27, 2010, 07:17:18 PM »

What do you see in the logs? In Status > IPsec?
Logged
BR, Alexandr Danilov

Pedro Marques

  • Level 1 Member
  • *
  • Posts: 5
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #2 on: May 28, 2010, 04:10:47 AM »

I don't see any information in the logs for this connection.

It seems that the configuration is not working.

Can you help with the configuration steps for this connection?
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #3 on: May 28, 2010, 01:45:04 PM »

http://www.dlink.com/support/faq/default.aspx?question=DFL-800
Logged
BR, Alexandr Danilov

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #4 on: May 30, 2010, 09:08:57 AM »

Using SSH, the command "ikesnoop -on -verbose" gives you good information about IKE problems.
Logged

Pedro Marques

  • Level 1 Member
  • *
  • Posts: 5
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #5 on: May 31, 2010, 02:06:10 AM »

I have the following information with "ikesnoop -on -verbose":

2010-05-31 10:04:30: IkeSnoop: Sending IKE packet to 213.30.4.50:4500
Exchange type  : Quick mode
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
Message ID     : 0x72dc8b3e
Packet length  : 284 bytes
# payloads     : 5
Payloads:
  HASH (Hash)
    Payload data length : 16 bytes
  SA (Security Association)
    Payload data length : 180 bytes
    DOI : 1 (IPsec DOI)
      Proposal 1/1
        Protocol 1/1
          Protocol ID                : ESP
          SPI Size                   : 4
            SPI Value                : 0xd9e14b63
          Transform 1/6
            Transform ID             : Rijndael (aes)
            Key length               : 128
            Authentication algorithm : HMAC-MD5
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
          Transform 2/6
            Transform ID             : Rijndael (aes)
            Key length               : 128
            Authentication algorithm : HMAC-SHA-1
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
          Transform 3/6
            Transform ID             : 3DES
            Authentication algorithm : HMAC-MD5
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
          Transform 4/6
            Transform ID             : 3DES
            Authentication algorithm : HMAC-SHA-1
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
          Transform 5/6
            Transform ID             : Blowfish
            Key length               : 128
            Authentication algorithm : HMAC-MD5
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
          Transform 6/6
            Transform ID             : Blowfish
            Key length               : 128
            Authentication algorithm : HMAC-SHA-1
            SA life type             : Seconds
            SA life duration         : 3600
            Encapsulation mode       : UDP Tunnel
  NONCE (Nonce)
    Payload data length : 16 bytes
  ID (Identification)
    Payload data length : 12 bytes
    ID : ipv4_subnet(any:0,[0..7]=100.0.0.0/24)
  ID (Identification)
    Payload data length : 12 bytes
    ID : ipv4_subnet(any:0,[0..7]=10.0.0.0/20)

2010-05-31 10:04:30: IkeSnoop: Received IKE packet from 213.30.4.50:4500
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
Message ID     : 0x75c20886
Packet length  : 84 bytes
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 16 bytes
  N (Notification)
    Payload data length : 32 bytes
    Protocol ID  : ISAKMP
    Notification : Responder lifetime

2010-05-31 10:04:30: IkeSnoop: Received IKE packet from 213.30.4.50:4500
Exchange type  : Informational
ISAKMP Version : 1.0
Flags          : E (encryption)
Cookies        : 0x703b3556a5a8f86c -> 0x3d34a9b55dca2de6
Message ID     : 0xf1fb25a1
Packet length  : 76 bytes
# payloads     : 2
Payloads:
  HASH (Hash)
    Payload data length : 16 bytes
  D (Delete)
    Payload data length : 24 bytes
    Protocol ID : ISAKMP
    Delete SPIs : 0x703b3556a5a8f86c3d34a9b55dca2de6
Logged

chechito

  • Level 3 Member
  • ***
  • Posts: 193
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #6 on: May 31, 2010, 07:49:10 PM »

What do you see in the logs? In Status > IPsec?

X 2

Try disabling the keep-alive option and try one ping to some IP address (it can be a nonexistent one) on the remote LAN to force the tunnel to try establishment, and check the logs.

I suggest you create a more specific set of IKE and IPsec algorithms according to the config you choose on the Cisco router to narrow the negotiation, for example a set using only 3DES/SHA1 or AES/MD5, and check the logs on the Cisco router and discuss it (on Cisco forums) to progress with troubleshooting the problem.
Logged
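
An added example, not part of any post in this thread: a small Python check that parses the Quick mode offer from the ikesnoop trace in reply #5 and compares it with the peer's requirements from the first post, which also shows what narrowing the proposal set (reply #6) would change. It assumes the peer expects the NATed network 192.168.35.0/24 as the local selector and that the first ID payload of a sent packet is the local side; the function names and the POLICY dictionary are hypothetical.

```python
import ipaddress
import re

# Excerpt of the Quick mode packet from the trace above, trimmed to two transforms.
SAMPLE = """\
Exchange type  : Quick mode
          Transform 1/6
            Transform ID             : Rijndael (aes)
            Key length               : 128
            Authentication algorithm : HMAC-MD5
          Transform 3/6
            Transform ID             : 3DES
            Authentication algorithm : HMAC-MD5
    ID : ipv4_subnet(any:0,[0..7]=100.0.0.0/24)
    ID : ipv4_subnet(any:0,[0..7]=10.0.0.0/20)
"""

# Peer policy as listed in the first post (local net must appear NATed).
POLICY = {"cipher": "3DES", "auth": "HMAC-MD5",
          "local": "192.168.35.0/24", "remote": "10.0.15.0/20"}

def parse_quick_mode(text):
    """Return (transforms, selectors) offered in an ikesnoop Quick mode dump."""
    transforms, selectors = [], []
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Transform ID":
            transforms.append({"cipher": value, "auth": None})
        elif key == "Authentication algorithm" and transforms:
            transforms[-1]["auth"] = value
        elif key == "ID":
            match = re.search(r"=([\d.]+/\d+)\)", value)
            if match:  # strict=False normalises host bits, e.g. 10.0.15.0/20
                selectors.append(ipaddress.ip_network(match.group(1), strict=False))
    return transforms, selectors

def check_offer(transforms, selectors, policy):
    """Compare the offer with the peer policy; return a list of findings."""
    findings = []
    cipher, auth = policy["cipher"], policy["auth"]
    offered = [(t["cipher"], t["auth"]) for t in transforms]
    if (cipher, auth) not in offered:
        findings.append(f"no transform matches {cipher}/{auth}")
    elif len(offered) > 1:
        findings.append(f"{len(offered)} transforms offered; narrow the set to {cipher}/{auth}")
    # Assumption: in a packet we send, the first ID is the local selector.
    for side, net in zip(("local", "remote"), selectors):
        expected = ipaddress.ip_network(policy[side], strict=False)
        if net != expected:
            findings.append(f"{side} selector {net}, peer expects {expected}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_offer(*parse_quick_mode(SAMPLE), POLICY)))
```
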

Pedro Marques

  • Level 1 Member
  • *
  • Posts: 5
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #7 on: June 01, 2010, 12:58:58 AM »

Thanks very much for your help
I already have the tunnel communicating with the other end.

I had to create an IP alias to mask my local net.
I don't like the solution very much. It's not the cleanest solution.

Does someone have another way to do it???

Thanks
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #8 on: June 01, 2010, 11:10:31 AM »

One more time please

1) Do you have problems with setting up the IPsec tunnel?

OR

2) Do you need to mask your network by some other IP?
Logged
BR, Alexandr Danilov

Pedro Marques

  • Level 1 Member
  • *
  • Posts: 5
Re: Need help to configure IPsec Tunnel Lan to Lan using DFL-800
« Reply #9 on: June 01, 2010, 11:17:28 AM »

I need to mask my internal network (100.0.0.0/24) by another IP (192.168.35.0/24) for the IPsec Tunnel


Logged