(Sorry for the failed posting)


Hi,

I have been trying to set up a BM 3.8 VPN for two weeks.

Our configuration is as follows (sorry for my poor English):

Private net now with 4 Netware-Servers. One of them is an existing NW6.0 / BM 3.7 Server (BORDER1). This machine makes our connection to the internet (default gateway, HTTP-Proxy, no VPN).

The newest machine is a Netware 6.5 / BM 3.8 Server (BORDER2). We would like to use it for our WLAN-Clients. I have only installed VPN. All patches as recommended by Craig Johnson.

Private Net: 10.191.32.0/20

PUBLIC Board BORDER2: 172.16.0.211/21

VPTUNNEL at BORDER2: 192.168.254.254/24

VPN-Address Pool at BORDER2: 1.0.0.0/8


Our test client is attached directly to the Public-Interface of BORDER2. IP is 172.16.0.2.

When I try to do a connection, everything looks fine (the first three points in VPN Client are done quickly), but I'm not able to ping anything in the private net.

I have placed two static routes at our default gateway BORDER1: one route for 172.16.0.0/21, another one for 1.0.0.0/8. Nothing helped.

When I also install Novell Client 4.91 at the client, I get a timeout at the Netware login. It is not possible to see/browse the tree.

It seems that the VPTUNNEL logical interface is not used at all. There are no transmitted or received packets. Also, the VPN client statistics show that no encrypted packets have been sent or received.

Default traffic rule is set to 'bypass tunnel'.
Auth rule for all users is NMAS.

On the other hand, the Log File (CSAUDIT/Audit Trail, see below) says the connection is okay!


Does anyone have any suggestions?

regards

Erhard Gruber (Austria)



; -----------------------------------------------------------

Log file:


05/11/2005 05:53:24 PM IKE ESP-SA is deleted mySPI=5AFCB5F5
peerSPI=9E97D503 dst :172.16.0.2
05/11/2005 05:53:24 PM IKE PFS NOT ENABLED - DELETING ALL IPSEC SA
05/11/2005 05:53:24 PM VPN Control Client Admin.HTL_NT removed from IPSEC.
05/11/2005 05:53:22 PM IKE Received isakmp sa delete msg from 172.16.0.2
COOKIES are [F875E9FE06436A60 - 725188F97C58A755]
05/11/2005 05:38:24 PM IKE ESP SA was created successfully with 172.16.0.2
05/11/2005 05:38:24 PM IKE Sending proxy id :Type 4 0.0.0.0/0.0.0.0
05/11/2005 05:38:24 PM IKE Sending proxy id: Type 1 172.16.0.2
05/11/2005 05:38:24 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
05/11/2005 05:38:24 PM IKE Received proxy id ID_IPV4_ADDR 172.16.0.2
05/11/2005 05:38:24 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 7200
My lifetime is: 7200
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP -
transform mismatch mine : esp des his : esp null dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP -
transform mismatch mine : esp des his : esp rc5 dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP -
transform mismatch mine : esp des his : esp 3des dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP - esp
desHASH Algorithm mismatch mine : SHA his : MD5 dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 7200
My lifetime is: 1000
05/11/2005 05:38:24 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
05/11/2005 05:38:24 PM IKE Received proxy id ID_IPV4_ADDR 172.16.0.2
05/11/2005 05:38:24 PM IKE IKE SA was created successfully with
172.16.0.2, encr = 3DES, SA lifetime = 28800 sec
05/11/2005 05:38:24 PM IKE Final IKE SA (phase 1) lifetime is 28800 secs
05/11/2005 05:38:24 PM IKE Nmas user check authentication and traffic rule
05/11/2005 05:38:24 PM IKE Recieved INITIAL_CONTACT notify from
172.16.0.2 deleting all old sa's to 172.16.0.2
05/11/2005 05:38:24 PM IKE Received notify message of type IPSEC_CONTACT
: 24578 from 172.16.0.2
05/11/2005 05:38:24 PM IKE Received MM ID type: 1 protocol : 0 portnum:
0 length 8
05/11/2005 05:38:24 PM VPN Control Client Admin.HTL_NT added to IPSEC.
05/11/2005 05:38:24 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800
My lifetime is: 28800
05/11/2005 05:38:24 PM IKE Negotiating for an NMAS user 172.16.0.2
05/11/2005 05:38:24 PM AUTH Gateway Connection closed for the VPN client
at address 172.16.0.2.
05/11/2005 05:38:24 PM AUTH Gateway VPN client NMAS user Admin.HTL_NT at
address 172.16.0.2 has been authenticated.
05/11/2005 05:38:24 PM VPN Control VPN Client licenses have been acquired.
05/11/2005 05:38:24 PM AUTH Gateway Process NMAS request: NMAS
authentication successful.
05/11/2005 05:38:22 PM AUTH Gateway A connection was opened for a VPN
client at address 172.16.0.2.
05/11/2005 05:38:22 PM AUTH Gateway Connection closed for the VPN client
at address 172.16.0.2.
05/11/2005 05:38:22 PM AUTH Gateway A connection was opened for a VPN
client at address 172.16.0.2.
05/11/2005 05:33:04 PM VPN Control Send update cfg to 2 for type of mask
= 31, typeofcfg = 1
05/11/2005 05:33:04 PM VPN Control Send update cfg to 1 for type of mask
= 7, typeofcfg = 1
05/11/2005 05:33:04 PM VPN Control VPNGetRootCert: Read trusted root
certs from TRC - BORDER2.HTL_NT
05/11/2005 05:33:04 PM VPN Control The configured server certificate is
ServerCert - BORDER2.HTL_NT
05/11/2005 05:33:04 PM VPN Control The trusted root container of this
VPN server is TRC - BORDER2.HTL_NT
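
Added example, not part of the original post: a short Python sketch that re-joins the hard-wrapped audit entries, puts them in chronological order (the log above is newest-first) and lists the Quick Mode proposals the server rejected next to the SAs that were finally created. The function names and regular expressions are assumptions based only on the log lines shown above; the sample is an excerpt of that log.

```python
import re

# Excerpt of the audit log above (newest entry first, hard-wrapped as posted).
SAMPLE = """\
05/11/2005 05:38:24 PM IKE ESP SA was created successfully with 172.16.0.2
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP -
transform mismatch mine : esp des his : esp 3des dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE Proposal Mismatch - Quick Mode : ESP - esp
desHASH Algorithm mismatch mine : SHA his : MD5 dst: 172.16.0.2 src:
172.16.0.211 cookies my-his :725188F97C58A755 - F875E9FE06436A60
05/11/2005 05:38:24 PM IKE IKE SA was created successfully with
172.16.0.2, encr = 3DES, SA lifetime = 28800 sec
05/11/2005 05:38:24 PM AUTH Gateway VPN client NMAS user Admin.HTL_NT at
address 172.16.0.2 has been authenticated.
"""

# Assumed entry layout: timestamp, module name, free-text message.
STAMP = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) "
                   r"(IKE|VPN Control|AUTH Gateway) (.*)$")
MISMATCH = re.compile(r"mismatch mine : (.+?) his : (.+?) dst:")
SA_OK = re.compile(r"^(IKE|ESP) SA was created successfully with ([\d.]+\d)")

def entries(text):
    """Re-join wrapped lines; return (timestamp, module, message), oldest first."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append(list(m.groups()))
        elif out and line.strip():          # continuation of a wrapped entry
            out[-1][2] = out[-1][2].rstrip() + " " + line.strip()
    return [tuple(e) for e in reversed(out)]

def summarize(text):
    """Collect rejected proposals (mine, his) and the SAs that were created."""
    result = {"rejected": [], "sa": {}}
    for _ts, module, msg in entries(text):
        if module != "IKE":
            continue
        m = MISMATCH.search(msg)
        if m:
            result["rejected"].append((m.group(1), m.group(2)))
        m = SA_OK.match(msg)
        if m:
            result["sa"][m.group(1)] = m.group(2)   # SA type -> peer address
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this excerpt the summary reports both an IKE SA and an ESP SA for 172.16.0.2, with the individual proposal mismatches logged before the ESP SA was created.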