brianstorm
Aspirant

VPN Tunnel Connects but No Traffic Over LTE Connection

Hi,

I'm trying to connect a Windows Pro 7 laptop running ProSAFE VPN Client Professional to an FVS338. The FVS338 is behind a DG834 router and I can successfully connect if I take the laptop home and use my ADSL connection there, however I would like to be able to connect using a 3G/4G LTE router, for mobile connections. It seems that the same working configuration connects over LTE but there is no traffic, I can't ping, or access any devices behind the FVS338 (where I can from home).

I am reasonably stumped now. I have tried switching between 3G and 4G connection, which is on the giffgaff / O2 network in the UK. The connection does provide internet access and the router has VPN pass through enabled. The remote client is getting a mode config assigned IP address via both methods.

Below is the FVS338 router log which covers a successful connection over ADSL (dated May 4th) and the unsuccessful (although tunnel connected) connection from May 5th. Can anyone offer any advice on what I may try next?

  - Last output repeated twice -
2017 May 5 11:28:01 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:28:01 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2017 May 5 11:28:01 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:28:01 [FVS338] [IKE] Beginning Aggressive mode._
2017 May 5 11:28:01 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.0.75[500]<=>82.132.233.187[627]_
2017 May 5 11:28:01 [FVS338] [IKE] Remote configuration for identifier "fvs_remote.com" found_
2017 May 5 11:28:01 [FVS338] [IKE] 192.168.30.1 IP address has been released by remote peer._
2017 May 5 11:28:01 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-82.132.233.187[19603] with spi:c619a4cdd2e57491:fd11cdf233cfb7ee_
2017 May 5 11:28:00 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=c619a4cdd2e57491:fd11cdf233cfb7ee._
2017 May 5 11:27:48 [FVS338] [IKE] DPD R-U-THERE-ACK sent to "82.132.233.187[19603]"_
2017 May 5 11:27:48 [FVS338] [IKE] DPD R-U-THERE received from "82.132.233.187[19603]"_
2017 May 5 11:27:17 [FVS338] [IKE] DPD R-U-THERE-ACK sent to "82.132.233.187[19603]"_
2017 May 5 11:27:17 [FVS338] [IKE] DPD R-U-THERE received from "82.132.233.187[19603]"_
2017 May 5 11:26:49 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->19603]: ESP/Tunnel 192.168.0.75->82.132.233.187 with spi=2575272257(0x997f8941)_
2017 May 5 11:26:49 [FVS338] [IKE] IPsec-SA established[UDP encap 19603->4500]: ESP/Tunnel 82.132.233.187->192.168.0.75 with spi=36488848(0x22cc690)_
2017 May 5 11:26:48 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 5 11:26:47 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.1/32[0] 192.168.10.0/24[0] proto=any dir=in_
2017 May 5 11:26:47 [FVS338] [IKE] Using IPsec SA configuration: 192.168.10.1/24<->192.168.30.0/24_
2017 May 5 11:26:47 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.0.75[0]<=>82.132.233.187[0]_
2017 May 5 11:26:47 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2017 May 5 11:26:47 [FVS338] [IKE] ISAKMP-SA established for 192.168.0.75[4500]-82.132.233.187[19603] with spi:c619a4cdd2e57491:fd11cdf233cfb7ee_
2017 May 5 11:26:47 [FVS338] [IKE] 192.168.30.1 IP address is assigned to remote peer 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2017 May 5 11:26:47 [FVS338] [IKE] NAT-D payload does not match for 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] NAT-D payload does not match for 192.168.0.75[4500]_
2017 May 5 11:26:47 [FVS338] [IKE] Floating ports for NAT-T with peer 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] Setting DPD Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] For 82.132.233.187[627], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 5 11:26:46 [FVS338] [IKE] DPD is Enabled_
2017 May 5 11:26:46 [FVS338] [IKE] Received Vendor ID: DPD_
- Last output repeated twice -
2017 May 5 11:26:46 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2017 May 5 11:26:46 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] Beginning Aggressive mode._
2017 May 5 11:26:46 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.0.75[500]<=>82.132.233.187[627]_
2017 May 5 11:26:46 [FVS338] [IKE] Remote configuration for identifier "fvs_remote.com" found_
2017 May 5 11:05:57 [FVS338] [IKE] Could not find configuration for 71.6.167.142[500]_
2017 May 5 01:42:32 [FVS338] [IKE] Could not find configuration for 216.218.206.66[62517]_
2017 May 5 00:48:15 [FVS338] [IKE] 192.168.30.1 IP address has been released by remote peer._
2017 May 5 00:48:15 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-82.132.244.237[49809] with spi:03a55f0cdcead227:febb7dc817284e05_
2017 May 5 00:48:14 [FVS338] [IKE] Sending Informational Exchange: delete payload[]_
2017 May 5 00:48:14 [FVS338] [IKE] ISAKMP-SA expired 192.168.0.75[4500]-82.132.244.237[49809] spi:03a55f0cdcead227:febb7dc817284e05_

 

 


2017 May 4 18:57:37 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:54:22 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=43099881(0x291a6e9)_
2017 May 4 18:41:52 [FVS338] [IKE] 192.168.30.2 IP address has been released by remote peer._
2017 May 4 18:41:52 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:51 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=62bd7c46892d0fe9:e806e79130c7e000._
2017 May 4 18:41:51 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1865101597(0x6f2b311d)._
2017 May 4 18:41:51 [FVS338] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2017 May 4 18:41:51 [FVS338] [IKE] Deleting generated policy for 95.145.99.146[0]_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.0.75->95.145.99.146 with spi=1865101597(0x6f2b311d)_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:41:36 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 4 18:41:35 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.2/32[0] 192.168.10.0/24[0] proto=any dir=in_
2017 May 4 18:41:35 [FVS338] [IKE] Using IPsec SA configuration: 192.168.10.1/24<->192.168.30.0/24_
2017 May 4 18:41:35 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.0.75[0]<=>95.145.99.146[0]_
2017 May 4 18:41:35 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2017 May 4 18:41:35 [FVS338] [IKE] ISAKMP-SA established for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:35 [FVS338] [IKE] 192.168.30.2 IP address is assigned to remote peer 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2017 May 4 18:41:35 [FVS338] [IKE] NAT-D payload does not match for 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] NAT-D payload does not match for 192.168.0.75[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] Floating ports for NAT-T with peer 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] Setting DPD Vendor ID_
2017 May 4 18:41:34 [FVS338] [IKE] For 95.145.99.146[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 4 18:41:34 [FVS338] [IKE] DPD is Enabled_
2017 May 4 18:41:34 [FVS338] [IKE] Received Vendor ID: DPD_
- Last output repeated twice -

Thanks in advance!

Model: FVS338|Cable/DSL ProSafe VPN Firewall with 8-port switch with Dial Backup
Message 1 of 10
DaneA
NETGEAR Employee Retired

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

Hi brianstorm,

Welcome to the community! 🙂

Kindly answer the questions below:

a. As I understand your initial post, I assume that the FVS338 behind the DG834 is located somewhere (possibly at work) and you are able to establish a VPN connection just fine using your laptop with your ADSL connection at home, am I correct?

b. Since you mentioned that the FVS338 is behind the DG834, is the DG834 set as a modem-only device (configured as bridge mode) making the FVS338 the main router?

c. Is the internet service provider (ISP) on your 3G/4G LTE router the same as the ISP where the FVS338 is deployed?

d. Is the LAN subnet on the FVS338 different from the LAN subnet on the 3G/4G LTE router? For example: the LAN subnet on the FVS338 is 192.168.1.0 and the LAN subnet on the 3G/4G LTE router is 10.10.10.0.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 10
brianstorm
Aspirant

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

Hi,

Thanks for the response, I've added my answers below your questions...

a. As I understand your initial post, I assume that the FVS338 behind the DG834 is located somewhere (possibly at work) and you are able to establish a VPN connection just fine using your laptop with your ADSL connection at home, am I correct?

** Yes, the FVS338 is at work, and I was able to establish a VPN connection from my home over an ADSL connection

b. Since you mentioned that the FVS338 is behind the DG834, is the DG834 set as a modem-only device (configured as bridge mode) making the FVS338 the main router?

** The DG834 is our main office modem/router and I have set up the FVS338 behind it, with the WAN port connected to the DG834 system. I had to open an extra port on the DG834 to get the connection working, VPN traffic is passed on to the FVS338

c. Is the internet service provider (ISP) on your 3G/4G LTE router the same as the ISP where the FVS338 is deployed?

** The LTE, my home ADSL, and work ADSL all use different ISPs (giffgaff on O2, EE, and BT respectively)

d. Is the LAN subnet on the FVS338 different from the LAN subnet on the 3G/4G LTE router? For example: the LAN subnet on the FVS338 is 192.168.1.0 and the LAN subnet on the 3G/4G LTE router is 10.10.10.0.

** The DHCP LAN side of the LTE router is assigning addresses in the range 192.168.1.x

The FVS338 DHCP LAN addresses are in the range 192.168.10.x

The mode config setup of the FVS338 is assigning addresses 192.168.30.x and it appears that the laptop receives an address in this range when the VPN connects

Message 3 of 10
brianstorm
Aspirant

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

I've had a look at the log files comparing a successful connection, and an open VPN with no traffic, and it seems that this (marked with asterisks) is where the logs differ; the successful ADSL connection moves into a DPD _R-U-THERE series of acknowledgements

2017 May 4 18:54:22 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=43099881(0x291a6e9)_
2017 May 4 18:41:52 [FVS338] [IKE] 192.168.30.2 IP address has been released by remote peer._
2017 May 4 18:41:52 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:51 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=62bd7c46892d0fe9:e806e79130c7e000._
2017 May 4 18:41:51 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1865101597(0x6f2b311d)._
2017 May 4 18:41:51 [FVS338] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
**********2017 May 4 18:41:51 [FVS338] [IKE] Deleting generated policy for 95.145.99.146[0]_ **************************
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.0.75->95.145.99.146 with spi=1865101597(0x6f2b311d)_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:41:36 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 4 18:41:35 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.2/32[0] 192.168.10.0/24[0] proto=any dir=in_ 

Message 4 of 10
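
Added example (not part of any post in this thread): a short Python script that extracts, from FVS338 IKE log lines like those posted above, the UDP source port each remote peer was seen on before and after NAT-T port floating, so the ADSL and LTE sessions can be compared side by side. The sample lines are copied from the log in the first post; the names `peer_ports` and `rewritten_ports` are made up for this example.

```python
import re

# Lines copied from the FVS338 log posted in the thread (May 5 = LTE, May 4 = ADSL).
SAMPLE_LOG = """\
2017 May 5 11:26:47 [FVS338] [IKE] Floating ports for NAT-T with peer 82.132.233.187[19603]_
2017 May 5 11:26:46 [FVS338] [IKE] For 82.132.233.187[627], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 4 18:41:35 [FVS338] [IKE] Floating ports for NAT-T with peer 95.145.99.146[4500]_
2017 May 4 18:41:34 [FVS338] [IKE] For 95.145.99.146[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
"""

PEER = r"(?P<peer>\d+(?:\.\d+){3})\[(?P<port>\d+)\]"
PATTERNS = {
    # Source port of the peer's first IKE packet (500 if nothing rewrote it).
    "ike": re.compile(r"For " + PEER + r", Selected NAT-T version"),
    # Source port after both sides float to NAT-T (4500 if nothing rewrote it).
    "natt": re.compile(r"Floating ports for NAT-T with peer " + PEER),
}
STANDARD = {"ike": 500, "natt": 4500}


def peer_ports(log_text):
    """Map each remote peer IP to the UDP source ports the FVS338 logged for it."""
    peers = {}
    for line in log_text.splitlines():
        for phase, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                peers.setdefault(match["peer"], {})[phase] = int(match["port"])
    return peers


def rewritten_ports(ports):
    """Return the phases whose source port differs from the standard one,
    i.e. a NAT on the client's path translated the port, not just the address."""
    return sorted(p for p, port in ports.items() if port != STANDARD[p])


if __name__ == "__main__":
    for peer, ports in peer_ports(SAMPLE_LOG).items():
        print(peer, ports, "rewritten:", rewritten_ports(ports) or "none")
```

On the posted log this shows the LTE peer arriving from ports 627 and 19603 while the ADSL peer keeps 500 and 4500, which is a difference between the two paths worth checking alongside the policy lines compared above.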
DaneA
NETGEAR Employee Retired

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

@brianstorm,

Based on your answers, the problem is isolated because the client-to-box VPN works fine between the FVS338 located at work and your laptop when you are using the ADSL connection at your home. It seemed that the problem is in the LTE connection.

Kindly try the steps below:

a. On the ProSAFE VPN Client Professional installed on your laptop, kindly set the VPN Client address to a different IP range such as 172.16.1.2. Refer to the image below as reference:

b. Check if you will be able to establish the VPN tunnel between the FVS338 at work and your laptop using the LTE connection.

Regards,

DaneA

NETGEAR Community Team

Message 5 of 10
brianstorm
Aspirant

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

Hi DaneA,

Did you get a chance to read my responses? I'm still stuck on this and any help would be much appreciated...

Thanks in advance

Message 6 of 10
DaneA
NETGEAR Employee Retired

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

@brianstorm,

I just want to follow up on this. Were you able to try my suggestion about setting the VPN Client address to a different IP range on the ProSAFE VPN Client Professional software installed on your laptop? If yes, what is the result?

Regards,

DaneA

NETGEAR Community Team

Message 7 of 10
brianstorm
Aspirant

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

Hi,

Thanks for the suggestion, I have had a chance to try that change and unfortunately it still doesn't work...

I had to take the VPN client off "mode config" to set the IP and I then also tried turning off mode config on the FVS338....

This method doesn't establish the tunnel successfully...

Any other suggestions?

Thanks again in advance

Message 8 of 10
DaneA
NETGEAR Employee Retired

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

@brianstorm

The problem is isolated because the client-to-box VPN works fine between the FVS338 located at work and your laptop when you are using the ADSL connection at your home. Thus, it seemed that the problem is within the giffgaff LTE connection. I did some research online and found some forum links from the giffgaff community.

I know the forum links below are not exactly the same or similar to your concern. However, kindly access and read each forum link below then try the steps indicated and it might help:

Are GiffGaff blocking my VPN connection?

Bypass giffgaff image compression on Windows PC (VPN)

Regards,

DaneA

NETGEAR Community Team

Message 9 of 10
DaneA
NETGEAR Employee Retired

Re: VPN Tunnel Connects but No Traffic Over LTE Connection

@brianstorm

I just want to follow up on this. Were you able to read and try the steps indicated in the forum links I've shared with you from the giffgaff community? If yes, what are your observations?

Regards,

DaneA

NETGEAR Community Team

Message 10 of 10