Hi,
I have an issue establishing an IPSec VPN gateway-to-gateway tunnel to a Symantec SGS360. I have tried several hardware appliances (Netgear, FritzBox) but to no avail. This leads me to the question - does anyone know whether an SGS can only establish gateway-to-gateway tunnels to other Symantec products? Is it somehow "incompatible" with standard IPSec?
More detailed information: I used to have another Symantec SGS 360 on my end and it worked well, but it got wrecked when moving so I had to replace it. As Symantec is not producing the SGS 360 any more, I first decided to go for a Netgear product behind a DSL router doing NAT; as this didn't work, I blamed the whole NAT thing and replaced the combo with a FritzBox which has a DSL modem and IPSec functionality built-in. On the Symantec side, the SGS is establishing the DSL connection, so there is no NAT taking place anywhere; however both connections have dynamic IP addresses and publish their IP addresses using a dynamic DNS service.
I tried using both main and aggressive mode and tried different encryption methods, but no matter what I do, the connection is not established - the log of the Symantec always only shows:
Mima - !!!: Verarbeitung des Ereignisses EVENT_RETRANSMIT für 87.154.118.14 "Mima" #0
Mima - STATE_MAIN_I1: initiieren
Mima - IKE-Hauptmodus wird initiiert

which translates to:

Mima - !!!: Handling event EVENT_RETRANSMIT for 87.154.118.14 "Mima" #0
Mima - STATE_MAIN_I1: initiate
Mima - IKE main mode is initiated

(Mima is the name of the connection, 87.154.118.14 is the dynamic IP address of the FritzBox at that time)
I am half-guessing when it comes to the configuration file of the FritzBox. It is actually a text file and is uploaded to the FritzBox as a whole. Here's the content:

/*
 * C:\Users\mycfg.cfg
 * Mon Jun 07 19:00:18 2010
 */
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "mysymantec.sytes.net";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0;
        remote_virtualip = 0.0.0.0;
        remotehostname = "mysymantec.sytes.net";
        localid {
            key_id = "MyFritzBoxID";
        }
        remoteid {
            key_id = "MySymantecID";
        }
        mode = phase1_mode_idp;
        phase1ss = "alt/aes/sha";
        keytype = connkeytype_pre_shared;
        key = "VerySecretSharedKey";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 10.0.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 10.0.0.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-aes-sha/ah-none/comp-all/pfs";
        accesslist = "permit ip any 10.0.0.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
On the Symantec box, the settings correspond as far as I can see:

VPN preset:
    Encryption method: ESP AES SHA1
    Lifetime: 480
    Max. amount of data: 2100000
    Timeout when inactive: 0
    PFS: 1
    DH group: Active

VPN tunnel configuration:
    Preset as above
    Main mode
    Local gateway:
        ID type: Unique name (DN)
        ID: MySymantecID
        NetBIOS Broadcast: Activated
        Global tunnel: Deactivated
    Remote gateway:
        Gateway address: myfritz.dyndns.org
        ID type: Unique name (DN)
        ID: MyFritzBoxID
        Shared Key: VerySecretSharedKey
        Remote subnet ID: 10.0.1.0
        Mask: 255.255.255.0
The Symantec only allows IP address or Unique name (DN) as ID type, no FQDN or User_FQDN. However, the Symantec also allows configuring a "static tunnel" which, as far as I have read, does not do the whole IKE key exchange; but I am unsure how I could possibly configure that in the FritzBox configuration file.
I'm really thankful for any hints on how to get this running... cheers!
Roland
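An added example, not part of Roland's post and not code from AVM or Symantec: a small parser for the brace-structured vpncfg text format as it appears in the post (including the quoted-printable "=3D" that mail transport leaves in it), followed by a cross-check of the FritzBox connection against the Symantec-side values the post lists. The Symantec-side dictionary is constructed from the post's description; the mapping of the aggressive-mode keyword is an assumption taken from AVM's documented naming and is labelled as such in the code. The check flags hard mismatches (mirrored IDs, mirrored subnets, proposal, PFS, access list) and one design note about IKEv1 main mode with a pre-shared key and non-IP identities.

```python
import re

# Constructed from the post: the FritzBox configuration exactly as quoted,
# quoted-printable "=3D" included, so the parser has to cope with it.
FRITZBOX_CFG = r'''
/* * C:\Users\mycfg.cfg * Mon Jun 07 19:00:18 2010 */
vpncfg {
  connections {
    enabled =3D yes; conn_type =3D conntype_lan; name =3D "mysymantec.sytes.net";
    always_renew =3D no; reject_not_encrypted =3D no; dont_filter_netbios =3D yes;
    localip =3D 0.0.0.0; local_virtualip =3D 0.0.0.0;
    remoteip =3D 0.0.0.0; remote_virtualip =3D 0.0.0.0;
    remotehostname =3D "mysymantec.sytes.net";
    localid { key_id =3D "MyFritzBoxID"; }
    remoteid { key_id =3D "MySymantecID"; }
    mode =3D phase1_mode_idp; phase1ss =3D "alt/aes/sha";
    keytype =3D connkeytype_pre_shared; key =3D "VerySecretSharedKey";
    cert_do_server_auth =3D no; use_nat_t =3D yes; use_xauth =3D no; use_cfgmode =3D no;
    phase2localid { ipnet { ipaddr =3D 10.0.1.0; mask =3D 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr =3D 10.0.0.0; mask =3D 255.255.255.0; } }
    phase2ss =3D "esp-aes-sha/ah-none/comp-all/pfs";
    accesslist =3D "permit ip any 10.0.0.0 255.255.255.0";
  }
  ike_forward_rules =3D "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
'''

# Constructed from the post's description of the Symantec SGS tunnel.
SYMANTEC_SIDE = {
    "mode": "main",
    "local_id": "MySymantecID",
    "remote_id": "MyFritzBoxID",
    "shared_key": "VerySecretSharedKey",
    "remote_subnet": ("10.0.1.0", "255.255.255.0"),
    "esp": ("aes", "sha"),
    "pfs": True,
}


def parse_vpncfg(text):
    """Parse the vpncfg format into nested dicts. Scalars stay strings;
    a comma-separated value list (ike_forward_rules) becomes a list."""
    text = text.replace("=3D", "=")                   # undo quoted-printable damage
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* ... */ header
    text = re.sub(r"//[^\n]*", " ", text)              # drop // EOF style comments
    tokens = re.findall(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+', text)
    pos = 0

    def value(tok):
        return tok[1:-1] if tok.startswith('"') else tok

    def block():
        nonlocal pos
        result = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            if tokens[pos] == "{":                     # nested block: name { ... }
                pos += 1
                result[name] = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"unterminated block {name!r}")
                pos += 1
            elif tokens[pos] == "=":                   # assignment: name = v[, v...];
                pos += 1
                values = [value(tokens[pos])]
                pos += 1
                while tokens[pos] == ",":
                    values.append(value(tokens[pos + 1]))
                    pos += 2
                if tokens[pos] != ";":
                    raise ValueError(f"missing ';' after {name!r}")
                pos += 1
                result[name] = values[0] if len(values) == 1 else values
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {name!r}")
        return result

    return block()


def cross_check(cfg, peer):
    """Compare the FritzBox connection with the peer's settings. Returns a list
    of (level, message): 'mismatch' for inconsistencies, 'note' for design points."""
    conn = cfg["vpncfg"]["connections"]
    findings = []

    def expect(label, got, want):
        if got != want:
            findings.append(("mismatch", f"{label}: FritzBox has {got!r}, peer expects {want!r}"))

    # phase1_mode_idp is the keyword from the post; the aggressive-mode keyword
    # is an assumption based on AVM's documented naming.
    mode = {"phase1_mode_idp": "main", "phase1_mode_aggressive": "aggressive"}.get(conn["mode"], conn["mode"])
    expect("IKE phase 1 mode", mode, peer["mode"])
    # Identities and traffic selectors are mirrored between the two ends.
    expect("local ID (peer's remote ID)", conn["localid"]["key_id"], peer["remote_id"])
    expect("remote ID (peer's local ID)", conn["remoteid"]["key_id"], peer["local_id"])
    expect("pre-shared key", conn["key"], peer["shared_key"])
    local_net = conn["phase2localid"]["ipnet"]
    expect("phase 2 local subnet (peer's remote subnet)",
           (local_net["ipaddr"], local_net["mask"]), peer["remote_subnet"])
    # phase2ss looks like "esp-aes-sha/ah-none/comp-all/pfs".
    parts = conn["phase2ss"].split("/")
    expect("ESP proposal", tuple(parts[0].split("-")[1:]), peer["esp"])
    expect("PFS", "pfs" in parts, peer["pfs"])
    # The access list destination should be the phase 2 remote selector.
    remote_net = conn["phase2remoteid"]["ipnet"]
    m = re.match(r"permit ip \S+ (\S+) (\S+)", conn["accesslist"])
    if m:
        expect("accesslist destination vs phase2remoteid",
               (m.group(1), m.group(2)), (remote_net["ipaddr"], remote_net["mask"]))
    # In IKEv1 main mode the ID payloads are sent encrypted in messages 5/6, so a
    # responder using a pre-shared key must pick the PSK by the initiator's source
    # address before it ever sees a key_id. With dynamic addresses on both ends
    # this needs a PSK not bound to an address, or aggressive mode.
    if mode == "main" and conn["keytype"] == "connkeytype_pre_shared" and "key_id" in conn["localid"]:
        findings.append(("note", "main mode + PSK + key_id identities: the responder must select "
                                 "the PSK by peer IP; verify it can do so for a dynamic address"))
    return findings


if __name__ == "__main__":
    for level, message in cross_check(parse_vpncfg(FRITZBOX_CFG), SYMANTEC_SIDE):
        print(f"[{level}] {message}")
```

For the values in the post the check reports no mismatches and only the main-mode note, which is consistent with the log: an initiator stuck at STATE_MAIN_I1 retransmitting is getting no answer at all, so the parameters that are compared here have not even been negotiated yet; the check is most useful for catching mirrored-ID or mirrored-subnet slips once the first IKE exchange does get a reply.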