Making a tunnel with Shrew software vpn issues with router

  • #1

    Hello, someone from work recommended I purchase an ASUS RT-AC68U because it is a great router. I don't understand 40% of the stuff it can do. I am a bit of a noob when it comes to networks and I have a problem with it. I can't connect to my work VPN using my router. If I plug the cable into my PC it works just fine. When I try it with the internet connected to the router, it does not work at all. It just times out. The guys at my workplace showed me the firewall report that said something along the lines of the router trying to aggressively connect and the connection being closed as a result of this. I know I have to have IPSEC enabled so I did that and it still doesn't work. I can't post any screens of the firewall report but I can help with anything on my local machine.

    Any help would be appreciated, and please consider that I am a noob at this and might require further assistance in applying a fix.

    With respect,

    Nylas

  • #2
    config loaded for site 'LAN_auth4.vpn'
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    negotiation timout occurred
    tunnel disabled
    detached from key daemon

    This is the error.

    I have Windows 10, and I don't have a "Microsoft Virtual WiFi Miniport Adapter" enabled.



    • #3
      Hello Nylas

      Could you attempt to clarify a couple of points.

      1) You said that if you have the cable plugged in it works but it does not work with the internet connected. By internet, did you mean wifi or an ISP air card? Can you explain this further?

      2) You mention that the firewall report shows the router connecting. From your description it sounds like you are using a mobile client on your PC, not a site to site VPN configured through your router. So my question is, have you made any changes on your router in an attempt to "fix" your VPN.

      In regards to the aggressive connection being seen on the firewall report, there are two methods for negotiating the VPN: main mode and aggressive mode. It is common for VPN clients to use aggressive mode and hardware appliances to use main mode, but this is not always the case. I've seen the opposite in both instances and this should not be a problem unless there is a mismatch between you and the firewall.

      It looks like you found the VPN trace utility which can be a great tool to troubleshoot VPN issues. Within the tool click on the File menu and select options. Here you can set the log output to "debug" which will give you more information on the failure. Please keep in mind that if you decide to post the log output, you should not include identifiable information like IP addresses.



      • #4
        To clarify 1. - If the internet cable is inserted into the router and I attempt to make the tunnel using the VPN program "VPN Access Manager (Shrew Soft)", it times out. If I plug the internet cable into my personal computer and set up a PPPoE connection using the credentials my ISP gave me, it works fine.

        2. - I switched IPSEC from off to on. I also disabled NAT Acceleration, whatever that is.



        • #5
          This is the complete log. Apparently it dies at phase 1 for some reason... I just love my router... It must be a setting on it blocking something, otherwise why would it work with the cable plugged directly into my PC?

          16/05/13 09:01:26 ## : IKE Daemon, ver 2.2.2
          16/05/13 09:01:26 ## : Copyright 2013 Shrew Soft Inc.
          16/05/13 09:01:26 ## : This product linked OpenSSL 1.0.1c 10 May 2012
          16/05/13 09:01:26 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
          16/05/13 09:01:26 ii : rebuilding vnet device list ...
          16/05/13 09:01:26 ii : device ROOT\VNET\0000 disabled
          16/05/13 09:01:26 ii : network process thread begin ...
          16/05/13 09:01:26 ii : pfkey process thread begin ...
          16/05/13 09:01:26 ii : ipc server process thread begin ...
          16/05/13 09:01:42 ii : ipc client process thread begin ...
          16/05/13 09:01:42 <A : peer config add message
          16/05/13 09:01:42 <A : proposal config message
          16/05/13 09:01:42 <A : proposal config message
          16/05/13 09:01:42 <A : client config message
          16/05/13 09:01:42 <A : xauth username message
          16/05/13 09:01:42 <A : xauth password message
          16/05/13 09:01:42 <A : local id 'vpnclient_ph1bis' message
          16/05/13 09:01:42 <A : remote id 'gw_shrew_bis' message
          16/05/13 09:01:42 <A : preshared key message
          16/05/13 09:01:42 <A : remote resource message
          16/05/13 09:01:42 <A : peer tunnel enable message
          16/05/13 09:01:42 DB : peer added ( obj count = 1 )
          16/05/13 09:01:42 ii : local address MY IP selected for peer
          16/05/13 09:01:42 DB : tunnel added ( obj count = 1 )
          16/05/13 09:01:42 DB : new phase1 ( ISAKMP initiator )
          16/05/13 09:01:42 DB : exchange type is aggressive
          16/05/13 09:01:42 DB : MY IP <-> WORK IP I THINK
          16/05/13 09:01:42 DB : A key for cookies methinks
          16/05/13 09:01:42 DB : phase1 added ( obj count = 1 )
          16/05/13 09:01:42 >> : security association payload
          16/05/13 09:01:42 >> : - proposal #1 payload
          16/05/13 09:01:42 >> : -- transform #1 payload
          16/05/13 09:01:42 >> : key exchange payload
          16/05/13 09:01:42 >> : nonce payload
          16/05/13 09:01:42 >> : identification payload
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports XAUTH
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports nat-t ( draft v00 )
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports nat-t ( draft v01 )
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports nat-t ( draft v02 )
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports nat-t ( draft v03 )
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports nat-t ( rfc )
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local supports FRAGMENTATION
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local is SHREW SOFT compatible
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local is NETSCREEN compatible
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local is SIDEWINDER compatible
          16/05/13 09:01:42 >> : vendor id payload
          16/05/13 09:01:42 ii : local is CISCO UNITY compatible
          16/05/13 09:01:42 >= : cookies A key for cookies methinks
          16/05/13 09:01:42 >= : message 00000000
          16/05/13 09:01:42 -> : send IKE packet MY IP -> WORK IP ( 516 bytes )
          16/05/13 09:01:42 DB : phase1 resend event scheduled ( ref count = 2 )
          16/05/13 09:01:47 -> : resend 1 phase1 packet(s) [0/2] MY IP -> WORK IP
          16/05/13 09:01:52 -> : resend 1 phase1 packet(s) [1/2] MY IP -> WORK IP
          16/05/13 09:01:57 -> : resend 1 phase1 packet(s) [2/2] MY IP -> WORK IP
          16/05/13 09:02:02 ii : resend limit exceeded for phase1 exchange
          16/05/13 09:02:02 ii : phase1 removal before expire time
          16/05/13 09:02:02 DB : phase1 deleted ( obj count = 0 )
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : policy not found
          16/05/13 09:02:02 DB : removing tunnel config references
          16/05/13 09:02:02 DB : removing tunnel phase2 references
          16/05/13 09:02:02 DB : removing tunnel phase1 references
          16/05/13 09:02:02 DB : tunnel deleted ( obj count = 0 )
          16/05/13 09:02:02 DB : removing all peer tunnel references
          16/05/13 09:02:02 DB : peer deleted ( obj count = 0 )
          16/05/13 09:02:02 ii : ipc client process thread exit ...
          My ip is shown as a local IP if that matters.

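The log above has one diagnostic signature worth recognising: every packet line is outbound ("->"), the same phase-1 packet is resent three times, and the exchange is torn down on "resend limit exceeded" without a single inbound line. The following analyzer, an added example that is not part of the thread or of the Shrew Soft client, classifies a Shrew iked.log on exactly that basis. Its sample log is constructed from the lines posted above with placeholder addresses (a private RFC 1918 address for the client, an RFC 5737 documentation address for the gateway), and the "<-" inbound tag is assumed from the client's logging convention.

```python
"""Classify the phase-1 outcome recorded in a Shrew Soft iked.log.

Added example, not part of the original thread or of the Shrew Soft client.
Line format is modelled on the log posted in the thread
("yy/mm/dd hh:mm:ss TAG : text"); addresses are placeholders, not real hosts.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed to the lines the diagnosis needs.
SAMPLE_LOG = """\
16/05/13 09:01:42 DB : new phase1 ( ISAKMP initiator )
16/05/13 09:01:42 DB : exchange type is aggressive
16/05/13 09:01:42 ii : local supports nat-t ( rfc )
16/05/13 09:01:42 -> : send IKE packet 192.168.1.10 -> 198.51.100.1 ( 516 bytes )
16/05/13 09:01:42 DB : phase1 resend event scheduled ( ref count = 2 )
16/05/13 09:01:47 -> : resend 1 phase1 packet(s) [0/2] 192.168.1.10 -> 198.51.100.1
16/05/13 09:01:52 -> : resend 1 phase1 packet(s) [1/2] 192.168.1.10 -> 198.51.100.1
16/05/13 09:01:57 -> : resend 1 phase1 packet(s) [2/2] 192.168.1.10 -> 198.51.100.1
16/05/13 09:02:02 ii : resend limit exceeded for phase1 exchange
16/05/13 09:02:02 ii : phase1 removal before expire time
"""

# date time TAG : text   (TAG is two characters: ii, DB, ->, <-, >>, ...)
LINE_RE = re.compile(r"^\S+ \S+ (?P<tag>\S{2}) : (?P<text>.*)$")


@dataclass
class Phase1Report:
    exchange: str = "unknown"   # main / aggressive, as logged by the client
    sent: int = 0               # initial IKE packets sent by the client
    resends: int = 0            # retransmissions of the same phase-1 packet
    received: int = 0           # IKE packets received from the gateway
    nat_t_offered: bool = False # client advertised a NAT-T vendor ID
    resend_limit_hit: bool = False
    verdict: str = ""


def analyze(log_text: str) -> Phase1Report:
    """Walk the log once, count traffic in each direction, then classify the outcome."""
    rpt = Phase1Report()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, text = m.group("tag"), m.group("text")
        if text.startswith("exchange type is "):
            rpt.exchange = text.split()[-1]
        elif tag == "->" and text.startswith("send IKE packet"):
            rpt.sent += 1
        elif tag == "->" and text.startswith("resend"):
            rpt.resends += 1
        elif tag == "<-":  # assumed: the client tags inbound packets this way
            rpt.received += 1
        elif "local supports nat-t" in text:
            rpt.nat_t_offered = True
        elif "resend limit exceeded" in text:
            rpt.resend_limit_hit = True

    if rpt.resend_limit_hit and rpt.received == 0:
        rpt.verdict = (
            f"no reply: {rpt.sent + rpt.resends} {rpt.exchange}-mode packet(s) went out and "
            "nothing came back on UDP/500, so the gateway never saw the request or its reply "
            "was dropped on the way back; check the path (router, ISP) before touching proposals"
        )
    elif rpt.resend_limit_hit:
        rpt.verdict = "stalled after a reply: the gateway answered, so look at proposal, ID or PSK mismatch"
    elif rpt.received:
        rpt.verdict = "phase 1 exchanged packets in both directions"
    else:
        rpt.verdict = "inconclusive: no phase-1 outcome recorded"
    return rpt


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"exchange={r.exchange} sent={r.sent} resends={r.resends} received={r.received}")
    print(r.verdict)
```

The point of separating "no reply at all" from "stalled after a reply" is that they call for different next steps: the first is a path problem (something between the client and the gateway is eating UDP/500 or the return traffic), the second is a configuration mismatch that the gateway's own debug log will name.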


          • #6
            Since you have a working Mobile client as seen when you connect directly into your modem, the issue should not be within the client itself.

            First thing, disable any IPSec options you configured on the router. Multiple IPSec connections from the same location can conflict with each other if not configured correctly.
            In regards to NAT acceleration, this seems to be a feature to help with fast ISP connections over 100Mbps. For this issue, I doubt this setting matters.

            Once the above has been done, I would connect the router to the modem and power cycle both systems, if this has not been done already. I would like to focus on your router. While connected to your router are you able to connect to the internet? Did you configure your PPPoE credentials into your router?



            • #7
              Ok, I disabled the IPSEC passthrough as instructed. And yes, the internet works fine and I have created the PPPoE connection.
              http://s32.postimg.org/cotz08rb5/nat_thing.jpg



              • #8
                After writing this response I will apologize because it's a bit lengthy.
                -------------------------------------------------------------
                Short and to the point version (tl;dr):
                Open your Shrew Soft Access Manager and modify your VPN profile. Go to the "Client" tab and check the NAT Traversal setting; this should be set to enabled.
                -------------------------------------------------------------

                Long version :
                How odd, I was under the impression that the IPSec option had something to do with the router itself making the IPSec connection. Now that I see what it is, it looks like it's meant for ESP support.

                Open your Shrew Soft Access Manager and modify your VPN profile. Go to the "Client" tab and check the NAT Traversal setting; this should be set to enabled.

                During IPSec negotiation, the client/firewall should notice that you are behind a NAT device (your router) and automatically switch to NAT Traversal, which encapsulates the ESP packet. So truthfully, if the negotiation is being done properly, you shouldn't need "IPSec passthrough". I wish I knew more about what exactly Asus does to the packet when IPSec passthrough is enabled. Without more information, I would recommend leaving it off. IPSec works well enough on its own and shouldn't need any help. (This is assuming both ends are configured correctly.)

                If I were to make a guess to the cause of your problem, it would be NAT-T not being negotiated correctly. I would recommend asking your firewall admin to force NAT-T for Mobile client connections.

                Your firewall admin should also be able to look at the VPN Preferences section on the firewall and set logging to debug. This should give them more info on exactly where the failure is occurring from the firewall's point of view. This is assuming that they are on the latest 6.2 version.

                Hopefully this helps. Let me know how it goes.

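The NAT-T mechanism the previous post describes has two concrete parts, and both can be shown in a few lines. The block below is an added example, not code from the thread, from Shrew Soft or from the router vendor. It assumes SHA-1 was negotiated as the phase-1 hash, uses random 8-byte ISAKMP cookies, and uses placeholder addresses: the client at 192.168.1.10 behind a router that masquerades it as 203.0.113.7, and a gateway at 198.51.100.1. NAT discovery follows RFC 3947 (each side hashes cookies plus the address and port it believes it is using; the peer re-hashes what actually arrived in the IP/UDP headers, and a mismatch proves a NAT rewrote the packet). The port float and UDP/4500 framing follow RFC 3948 (IKE is prefixed with a four-zero-byte non-ESP marker, ESP rides with its non-zero SPI in front, and a single 0xFF byte keeps the NAT mapping alive).

```python
"""IKEv1 NAT discovery and UDP/4500 framing (RFC 3947 / RFC 3948).

Added example, not part of the original thread, the Shrew Soft client or the router.
Assumptions: SHA-1 is the negotiated phase-1 hash; cookies are random 8-byte values;
all addresses are placeholders (client 192.168.1.10 masqueraded as 203.0.113.7,
gateway 198.51.100.1).
"""
import hashlib
import os
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # marks IKE rather than ESP inside UDP/4500 (RFC 3948 s.2.2)
NAT_KEEPALIVE = b"\xff"               # one-byte datagram that holds the NAT mapping open (RFC 3948 s.2.3)


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 s.3.2."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def nat_discovery(cky_i: bytes, cky_r: bytes,
                  client_ip: str, client_port: int, seen_src_ip: str, seen_src_port: int,
                  gw_ip: str, gw_port: int, seen_dst_ip: str, seen_dst_port: int) -> dict:
    """Compare what each side hashed about itself with what the peer observed on the wire.

    client_*  : address/port the client believes it sends from (hashed into its NAT-D)
    seen_src_*: source address/port the gateway actually received the packet from
    gw_*      : address/port the gateway believes it listens on
    seen_dst_*: destination the client actually addressed (unchanged if no NAT on that side)
    """
    client_behind_nat = (nat_d(cky_i, cky_r, client_ip, client_port)
                         != nat_d(cky_i, cky_r, seen_src_ip, seen_src_port))
    gateway_behind_nat = (nat_d(cky_i, cky_r, gw_ip, gw_port)
                          != nat_d(cky_i, cky_r, seen_dst_ip, seen_dst_port))
    nat_present = client_behind_nat or gateway_behind_nat
    return {
        "client_behind_nat": client_behind_nat,
        "gateway_behind_nat": gateway_behind_nat,
        # once a NAT is detected both sides float IKE to UDP/4500 and UDP-encapsulate ESP
        "ike_port": 4500 if nat_present else 500,
        "esp_in_udp": nat_present,
    }


def frame_on_4500(payload: bytes, kind: str) -> bytes:
    """Build the UDP/4500 datagram body for an IKE message, an ESP packet or a keepalive."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "esp":
        if payload[:4] == NON_ESP_MARKER:
            raise ValueError("SPI 0 is reserved: it would be mistaken for the non-ESP marker")
        return payload  # ESP begins with its non-zero SPI, so it needs no marker
    if kind == "keepalive":
        return NAT_KEEPALIVE
    raise ValueError(f"unknown kind {kind!r}")


def classify_4500(datagram: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way a receiver does."""
    if datagram == NAT_KEEPALIVE:
        return "keepalive"
    if datagram[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def demo() -> dict:
    """Client behind a masquerading router; gateway directly on a public address."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    result = nat_discovery(cky_i, cky_r,
                           "192.168.1.10", 500, "203.0.113.7", 500,   # client side, as seen by gateway
                           "198.51.100.1", 500, "198.51.100.1", 500)  # gateway side, unchanged
    result["ike_kind"] = classify_4500(frame_on_4500(b"\x01" * 28, "ike"))
    result["esp_kind"] = classify_4500(frame_on_4500(b"\x00\x00\x10\x01" + b"\x02" * 16, "esp"))
    result["keepalive_kind"] = classify_4500(frame_on_4500(b"", "keepalive"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practical consequences follow from the mechanism. First, NAT-D payloads only travel in the second and third aggressive-mode messages, so the gateway has to have answered the first packet before NAT detection can happen at all; in the log posted earlier in the thread nothing ever came back, which is upstream of anything the NAT Traversal setting controls. Second, once the float happens, both UDP/500 and UDP/4500 must reach the gateway and their replies must map back through the router, so a capture on the router's WAN side showing which of the two ports carries traffic is the quickest way to see where the exchange stops.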


                • #9
                  Hello, I will talk with them monday. The setting you are referring to was already enabled.
