Symantec VPN problem

GeSuN

Hi, I'm trying to configure a Symantec 100 to connect to a Symantec 200R, but I'm having the following problem (taken from the log file):

08/08/2003 11:45:34.21 session_name - Initiating IKE Main Mode
08/08/2003 11:45:34.21 session_name - STATE_MAIN_I1: initiate
08/08/2003 11:45:44.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:04.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:44.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:44.21 session_name - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
08/08/2003 11:46:44.21 session_name - !!!: starting keying attempt 3d of at most 3d
08/08/2003 11:46:44.21 session_name - Initiating IKE Main Mode

It keeps going and going like that, but doesn't seem to really connect.

I'm trying to connect with a dynamic key (that's the only thing I set up except the static IP and the DHCP settings).
Maybe I'm missing something somewhere... Can someone help me?


 

wlee

First thing is to check if you have the correct encryption type set on both sides. (E.g., are they BOTH set for ESP DES MD5, SA Lifetime 480, Data Volume Limit 0, Inactivity Timeout 0?)
What are you running on? DSL or cable? Try reducing the MTU on both boxes to 1472 or 1452. Do you have a static WAN IP or are you running dynamic on one or both? Also, make sure you have firmware v1.5T. Also, do not try to run a box<--->box VPN endpoint and Raptor Mobile Client concurrently on the same interface. This causes keying failures. Try to post a few more details of your setup. (BTW, I use 2 200R boxes.)
 

GeSuN

First thing is to check if you have the correct encryption type set on both sides. (E.g., are they BOTH set for ESP DES MD5, SA Lifetime 480, Data Volume Limit 0, Inactivity Timeout 0?)

Yep, they have the same settings on both sides.

What are you running on? DSL or cable? Try reducing the MTU on both boxes to 1472 or 1452. Do you have a static WAN IP or are you running dynamic on one or both?

We both have DSL internet access with static IPs, although my ISP is NATting my WAN IP (I have a WAN IP in the 10.180.x.x range which changes to something in the 142.x.x.x range outside my ISP) and the other one's is not.

Also, make sure you have firmware v1.5T.

Yep, flashed the firmware as soon as I got the new VPN. ;)

Also, do not try to run a box<--->box VPN endpoint and Raptor Mobile Client concurrently on the same interface.

No I'm not trying to do this. I'm just trying to set a Gateway-to-Gateway connection.

Try to post a few more details of your setup.

Well, actually, I did a quick search yesterday and saw that NAT and VPN don't get along very well... Could that be my problem?? If so, I'm not sure I'll be able to make it work, as it's my ISP that is NATting and not me...
 

wlee

Well I would say that ISP NAT is your prob. For it to work with a NAT WAN IP, your ISP would have to allow IPSEC pass-thru and/or forward all Port 500 traffic to you. The real solution here is to have them take you off NAT and give you a REAL unfiltered Global IP.
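
Added example, not part of the thread and not Symantec's code: a small Python triage of the log excerpt from the first post, reporting the IKE state in which each tunnel stalls and what to check on the gateways. The function name `triage` and the hint texts are assumptions based on general IKEv1 Main Mode behaviour.

```python
import re

# Log excerpt copied from the first post of the thread.
SAMPLE_LOG = """\
08/08/2003 11:45:34.21 session_name - Initiating IKE Main Mode
08/08/2003 11:45:34.21 session_name - STATE_MAIN_I1: initiate
08/08/2003 11:45:44.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:04.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:44.21 session_name - !!!: handling event EVENT_RETRANSMIT for 123.123.123.123 "session_name " #11
08/08/2003 11:46:44.21 session_name - !!!: max number of retransmissions (2) reached STATE_MAIN_I1
08/08/2003 11:46:44.21 session_name - !!!: starting keying attempt 3d of at most 3d
08/08/2003 11:46:44.21 session_name - Initiating IKE Main Mode
"""

# Assumption: hints follow general IKEv1 Main Mode behaviour, not vendor documentation.
HINTS = {
    "STATE_MAIN_I1": "no reply to the first Main Mode packet: check that UDP 500 "
                     "reaches the peer and that replies get back through NAT/filters",
    "STATE_MAIN_I3": "peer went silent after the identity/authentication message: "
                     "compare the shared key and peer identity on both gateways",
}
DEFAULT_HINT = "negotiation stalled mid-exchange: compare IKE settings on both gateways"

LINE = re.compile(r"^(\S+ \S+) (\S+) - (.*)$")   # timestamp, tunnel name, message
RETX = re.compile(r"EVENT_RETRANSMIT for (\S+)")
STALL = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")

def triage(log_text):
    """Summarise, per tunnel, where IKE negotiation stalls and what to check."""
    tunnels = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        _, name, msg = m.groups()
        t = tunnels.setdefault(name, {"attempts": 0, "retransmits": 0,
                                      "peer": None, "stalled_in": None, "hint": None})
        if "Initiating IKE Main Mode" in msg:
            t["attempts"] += 1
        elif (r := RETX.search(msg)):
            t["retransmits"] += 1
            t["peer"] = r.group(1)      # address the gateway keeps resending to
        elif (s := STALL.search(msg)):
            t["stalled_in"] = s.group(2)
            t["hint"] = HINTS.get(s.group(2), DEFAULT_HINT)
    return tunnels

if __name__ == "__main__":
    for name, t in triage(SAMPLE_LOG).items():
        print(name, t)
```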