L2TP over IPSec - route doesn't install on Windows clients

baskervi1
Follower

I configured an L2TP over IPSec VPN tunnel, and the clients connect OK. The clients do get an IP in the pool assigned for the L2TP/IPSec clients, but I don't get a route installed for the network internal to the Netgear firewall. I've attached the VPN logs. 11.11.11.27 replaces the public IP of the Netgear router, and 10.10.10.167 is the public IP on my end. I am behind a Cisco ASA firewall on my end, but I do have "inspect ipsec-pass-thru" configured. Does anyone know what I might try? Thanks

 

 

Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 11.11.11.27->10.10.10.10.167 with spi=2975843645(0xb15fc53d)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 10.10.10.10.167->11.11.11.27 with spi=183377399(0xaee1df7)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adjusting peer's encmode 4(4)->Transport(2)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=b15fc53d encmode=Transport reqid=4500:4500)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=b15fc53d spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=b15fc53d encmode=Transport reqid=4500:4500)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=b15fc53d spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=b15fc53d encmode=Transport reqid=4500:4500)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=b15fc53d spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adjusting peer's encmode 4(4)->Transport(2)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: No policy found, adjusting source address for generating the policy incase of NAT-T in Transport Mode: 10.10.10.10.167/32[1701] 11.11.11.27/32[1701] proto=udp dir=in
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: No policy found, generating the policy : 172.31.1.184/32[1701] 11.11.11.27/32[1701] proto=udp dir=in
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: anonymous
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 11.11.11.27[0]<=>10.10.10.10.167[0]
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 11.11.11.27[4500]-10.10.10.10.167[4500] with spi:634adf987c150368:32f400ccc5858420
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: KA list add: 11.11.11.27[4500]->10.10.10.10.167[4500]
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Floating ports for NAT-T with peer 10.10.10.10.167[4500]
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT detected: PEER
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT-D payload does not match for 10.10.10.10.167[500]
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 11.11.11.27[500]
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 19.
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 20.
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: For 10.10.10.10.167[500], Selected NAT-T version: RFC 3947
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID

Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: RFC 3947
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Beginning Identity Protection mode.
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received request for new phase 1 negotiation: 11.11.11.27[500]<=>10.10.10.10.167[500]
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Anonymous configuration selected for 10.10.10.10.167[500].
Wed May 17 22:33:18 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: KA remove: 11.11.11.27[4500]->10.10.10.10.167[4500]
Wed May 17 22:33:18 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: ISAKMP-SA deleted for 11.11.11.27[4500]-10.10.10.10.167[4500] with spi:6d8984d510d02846:fcb0f4a0862870d0
Wed May 17 22:33:17 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=6d8984d510d02846:fcb0f4a0862870d0.
Wed May 17 22:33:17 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=2327165153(0x8ab5b8e1).
Wed May 17 22:33:17 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed May 17 22:33:17 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Deleting generated policy for 10.10.10.10.167[0]
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 11.11.11.27->10.10.10.10.167 with spi=2327165153(0x8ab5b8e1)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 10.10.10.10.167->11.11.11.27 with spi=26325445(0x191b1c5)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adjusting peer's encmode 4(4)->Transport(2)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=8ab5b8e1 encmode=Transport reqid=4500:4500)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=8ab5b8e1 spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=8ab5b8e1 encmode=Transport reqid=4500:4500)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=8ab5b8e1 spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=8ab5b8e1 encmode=Transport reqid=4500:4500)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=8ab5b8e1 spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adjusting peer's encmode 4(4)->Transport(2)
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: No policy found, adjusting source address for generating the policy incase of NAT-T in Transport Mode: 10.10.10.10.167/32[1701] 11.11.11.27/32[1701] proto=udp dir=in
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: No policy found, generating the policy : 172.31.1.184/32[1701] 11.11.11.27/32[1701] proto=udp dir=in
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: anonymous
Wed May 17 22:29:32 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 11.11.11.27[0]<=>10.10.10.10.167[0]
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 11.11.11.27[4500]-10.10.10.10.167[4500] with spi:6d8984d510d02846:fcb0f4a0862870d0
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: KA list add: 11.11.11.27[4500]->10.10.10.10.167[4500]
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Floating ports for NAT-T with peer 10.10.10.10.167[4500]
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT detected: PEER
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT-D payload does not match for 10.10.10.10.167[500]
Wed May 17 22:29:31 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 11.11.11.27[500]
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 19.
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 20.
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: For 10.10.10.10.167[500], Selected NAT-T version: RFC 3947
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received unknown Vendor ID

Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: RFC 3947
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received Vendor ID: MS NT5 ISAKMPOAKLEY
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Beginning Identity Protection mode.
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Received request for new phase 1 negotiation: 11.11.11.27[500]<=>10.10.10.10.167[500]
Wed May 17 22:29:30 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Anonymous configuration selected for 10.10.10.10.167[500].
Wed May 17 22:29:19 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adding IKE configuration with identifier "ClientVPN"
Wed May 17 22:29:19 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: Adding IPSec configuration with identifier "ClientVPN-Policy"

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
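
Added example, not part of the original post: a small Python parser that condenses a log in this format into the Phase 2 proposal pairs that failed to match, the DH groups the firewall rejected, and the number of IPsec SAs established. It assumes the log is listed newest first, as the timestamps suggest, so each "Proposal:" header precedes its lines once the order is reversed; the names `summarize` and `SAMPLE` are made up for this example.

```python
import re
from collections import Counter

# Lines copied from the log above (newest first), trimmed to one mismatch cycle.
SAMPLE = """\
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Transport 11.11.11.27->10.10.10.10.167 with spi=2975843645(0xb15fc53d)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Phase 2 proposal by 10.10.10.10.167[0] did not match.
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=3DES encklen=0 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=00000000 spi_p=b15fc53d encmode=Transport reqid=4500:4500)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Local Proposal:
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: (proto_id=ESP spisize=4 spi=b15fc53d spi_p=00000000 encmode=Transport reqid=0:0)
Wed May 17 22:33:37 2017 (GMT +0000): [FVS318Gv2] [IKE] WARNING: Peer's Proposal:
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 19.
Wed May 17 22:33:36 2017 (GMT +0000): [FVS318Gv2] [IKE] ERROR: invalid DH group 20.
"""

LINE = re.compile(r"\[IKE\] (?P<level>\w+): (?P<msg>.*)$")
TRNS = re.compile(r"trns_id=(\S+) encklen=(\d+) authtype=([\w-]+)")
DHGRP = re.compile(r"invalid DH group (\d+)")

def summarize(log_text):
    """Return (mismatch counts, rejected DH groups, SAs established)."""
    msgs = [m.group("msg").strip()
            for m in map(LINE.search, log_text.splitlines()) if m]
    msgs.reverse()  # assumption: input is newest first; walk it oldest first
    mismatches, dh_groups, established = Counter(), set(), 0
    side, seen = None, {}
    for msg in msgs:
        if msg in ("Peer's Proposal:", "Local Proposal:"):
            side = "peer" if msg.startswith("Peer") else "local"
        elif side and (t := TRNS.search(msg)):
            # (cipher, key length, auth) listed under the current header
            seen[side] = (t.group(1), int(t.group(2)), t.group(3))
        elif "did not match" in msg:
            mismatches[(seen.get("peer"), seen.get("local"))] += 1
            side, seen = None, {}
        elif (g := DHGRP.search(msg)):
            dh_groups.add(int(g.group(1)))
        elif msg.startswith("IPsec-SA established"):
            established += 1
    return mismatches, sorted(dh_groups), established

if __name__ == "__main__":
    pairs, groups, sa_count = summarize(SAMPLE)
    for (peer, local), n in pairs.items():
        print(f"{n}x mismatch: peer={peer} local={local}")
    print("rejected DH groups:", groups, "| IPsec SAs established:", sa_count)
```

Comparing the mismatch count with the established-SA count shows whether a negotiation eventually completed after the rejected proposals.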