NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
VPN tp client light connetion failure SRX5308
Having trouble making a VPN client light connection. I've followed the online help pages and still no luck. Below is the log from the VPN Box.
ERROR: Failed to get proposal for responder.
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] ERROR: failed to create saprop.
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] ERROR: Not supported nested SA. Peer IP 96.28.160.58[0] does not match SA End Point
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 192.168.1.0/24<->0.0.0.0/0 from remote.com
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: 96.28.171.108[0]<=>74.138.151.101[0]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: ISAKMP-SA established for 96.28.171.108[4500]-74.138.151.101[4500] with spi:e51002cf0b131909:9cef731829ed2e1a
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: NAT-D payload does not match for 74.138.151.101[4500]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: NAT-D payload does not match for 96.28.171.108[4500]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: For 74.138.151.101[500], Selected NAT-T version: RFC 3947Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Floating ports for NAT-T with peer 74.138.151.101[4500]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Beginning Aggressive mode.
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 96.28.171.108[500]<=>74.138.151.101[500]
Wed Jan 31 09:49:54 2018 (GMT -0500): [SRX5308] [IKE] INFO: Remote configuration for identifier "remote.com" found
4 Replies
Hi dewdiehl,
I suggest you to delete the existing IKE and VPN policies in the SRX5308. Then, read the following articles below and use it as your guide in setting up client-to-box IPSec VPN:
ProSAFE VPN Client: Client to Box Configuration
Configure IPSec VPN Tunnels With the Wizard - read pages 8-15
Notes:
a. Make sure that the local IP address of the PC (where the VPN Client Lite software is installed) is on a different LAN subnet than what is indicated on the LAN subnet of SRX5308. For example, if the existing LAN subnet of the SRX5308 is on 192.168.1.x network, then the LAN IP address of the PC where you are using the VPN Client Lite software should be on a different LAN subnet such 10.10.10.x or 192.168.9.x network. As reference, check the image below:
b. You might need to disable the anti-virus or software firewall installed on the PC where the ProSAFE VPN Client Lite software is installed.
Regards,
DaneA
NETGEAR Community Team
I just want to follow-up on this. Were you able to try my suggestions and follow the notes? If yes, what is the result?
If ever your concern has been addressed or resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!
Regards,
DaneA
NETGEAR Community Team
Hello. Yes I was able to get it working. Found that one of my other VPN connections was using the same ip address as the new connection I was trying to set up. Once I changed the DHCP scheme on the new connection all worked great.
Thanks again.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
