DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Aggressive Mode VPN from Checkpoint to Vigor 3300V+ problems

19 Sep 2012 15:22 #1 by modainpelle
Hello,

I am trying to set up an incoming LAN - LAN IPSec VPN profile on a Vigor 3300V+ for a supplier that requires a VPN connection for support purposes. They are using a Nokia IP390 running Checkpoint R75.10.

We are having to use Aggressive Mode with PFS as the connection is an EFM line, with a router supplied by the ISP between the Vigor and the Internet.

We are having problems getting the VPN to connect. When my contact at the other end tries he gets 'No response from peer'. I get the following entries in the VPN syslog (doctored to remove IP Addresses for security reasons):

receive ISAKMP packet: src:{xxx.xxx.xxx.xxx}, dst:{nnn.nnn.nnn.nnn}, MsgID:{0x00000000}, Ci:{E8 2B C2 E4 2C 4B 94 84}, Cr:{00 00 00 00 00 00 00 00}
ignoring Vendor ID payload [f4ed19e0c114eb51...]
{36_RP}:receive AggrI1
Aggressive mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
no suitable connection for peer 'xxx.xxx.xxx.xxx'
initial Aggressive Mode packet claiming to be from @xxx.xxx.xxx.xxx on xxx.xxx.xxx.xxx but no connection has been authorized

This suggests to me that the problem is with the Peer ID provided by Checkpoint not matching the one set on the Vigor.

My contact tells me that there is no setting for Peer ID in Checkpoint, but it is mandatory for Aggressive Mode on the Vigor. So I asked him to try connecting and had a look in the log to see if I could figure out what I should use as the Peer ID from details of the failed connection. I tried the following entries, all with no success:

xxx.xxx.xxx.xxx (i.e. the source IP as shown above)
@xxx.xxx.xxx.xxx
ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'

I have managed to successfully set up an Aggressive Mode IPSec tunnel from a Vigor 2800 at a remote location to the 3300V+ here using all the same settings, but this router allows you to specify a Peer ID, which again points to the Peer ID being the problem.

Can anyone tell me what the Peer ID should be? Is this the cause of the problem or is there some other issue?

Any advice would be gratefully received.

Regards,

Matt Pemberton.


19 Sep 2012 15:59 #2 by nealuk
Hello, could you confirm what the WAN IP details are shown on the Vigor on the EFM line?

I realise you've xxx'ed out all the IPs, but I'm trying to see which IPs are internal 192.168.n.n and which are external 78.56.34.12 etc. Could you mask a little less please?

Thanks and regards, Neal


20 Sep 2012 09:49 #3 by modainpelle
Hi Neal,

Thanks for replying. The log entries with the IP addresses partially restored are below. 178.239.102.nnn is the WAN IP of the EFM line connected to the Vigor here. 212.62.7.xxx is the IP address of the Checkpoint at the other end.

receive ISAKMP packet: src:{212.62.7.xxx}, dst:{178.239.102.nnn}, MsgID:{0x00000000}, Ci:{E8 2B C2 E4 2C 4B 94 84}, Cr:{00 00 00 00 00 00 00 00}
ignoring Vendor ID payload [f4ed19e0c114eb51...]
{36_RP}:receive AggrI1
Aggressive mode peer ID is ID_IPV4_ADDR: '212.62.7.xxx'
no suitable connection for peer '212.62.7.xxx'
initial Aggressive Mode packet claiming to be from @212.62.7.xxx on 212.62.7.xxx but no connection has been authorized

The Peer IDs I tried were:

212.62.7.xxx
@212.62.7.xxx
ID_IPV4_ADDR: '212.62.7.xxx'

Thanks.

Regards,

Matt.

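Added example (editor's, not code from the thread or from DrayTek): a small checker that reads the Vigor syslog lines quoted above, pulls out the identity type and value the Checkpoint actually announces, and compares that with the Peer ID strings a responder profile might be configured with. It assumes the pluto-style ID notation the log format resembles (a dotted quad is ID_IPV4_ADDR, "@host" is ID_FQDN, "user@host" is ID_USER_FQDN); RFC 5737 documentation addresses stand in for the masked 212.62.7.xxx and 178.239.102.nnn values.

```python
import re

# Constructed sample of the Vigor 3300V+ VPN syslog lines quoted in the thread.
# 198.51.100.7 stands in for the masked Checkpoint address, 192.0.2.1 for the
# masked Vigor WAN address.
SAMPLE_LOG = """\
receive ISAKMP packet: src:{198.51.100.7}, dst:{192.0.2.1}, MsgID:{0x00000000}, Ci:{E8 2B C2 E4 2C 4B 94 84}, Cr:{00 00 00 00 00 00 00 00}
ignoring Vendor ID payload [f4ed19e0c114eb51...]
{36_RP}:receive AggrI1
Aggressive mode peer ID is ID_IPV4_ADDR: '198.51.100.7'
no suitable connection for peer '198.51.100.7'
initial Aggressive Mode packet claiming to be from @198.51.100.7 on 198.51.100.7 but no connection has been authorized
"""

PEER_ID_RE = re.compile(r"Aggressive mode peer ID is (ID_[A-Z0-9_]+): '([^']*)'")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def offered_peer_id(log_text):
    """Return (id_type, value) announced by the initiator in AggrI1, or None."""
    for line in log_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None

def classify_peer_id(text):
    """Map a configured Peer ID string to the IKEv1 ID type it would be read
    as under pluto-style notation (an assumption, not confirmed by the thread):
    dotted quad -> ID_IPV4_ADDR, '@host' -> ID_FQDN, 'user@host' -> ID_USER_FQDN.
    Anything else (e.g. a pasted log fragment) is not a usable identity."""
    if IPV4_RE.match(text):
        return "ID_IPV4_ADDR", text
    if text.startswith("@") and len(text) > 1:
        return "ID_FQDN", text[1:]
    if "@" in text:
        return "ID_USER_FQDN", text
    return None

def matching_candidates(log_text, candidates):
    """Return the candidates that agree with the identity the peer sent.
    Both the ID type and the value must match; a responder checks exactly
    that before it will select a LAN-to-LAN profile for the initiator."""
    offered = offered_peer_id(log_text)
    if offered is None:
        return []
    return [c for c in candidates if classify_peer_id(c) == offered]

# The three Peer ID strings tried in the thread, with the same address substitution.
TRIED = ["198.51.100.7", "@198.51.100.7", "ID_IPV4_ADDR: '198.51.100.7'"]
```

Run against the quoted lines, only the bare address agrees with the announced identity in both type and value; the "@" form is read as a different ID type and the pasted log fragment is not an identity at all.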

20 Sep 2012 20:40 #4 by nealuk
If the Vigor is seeing 178.239.102.nnn as its WAN IP address then I don't think that it is required to use aggressive mode and Peer IDs.

Regards, Neal


21 Sep 2012 10:30 #5 by modainpelle
We started out using Main Mode, but we couldn't get it to work. So I tried setting up a connection from a Vigor 2800 at a remote location as a test. This didn't work either, so after a bit of hunting around on the board here I found this post:

http://www.forum.draytek.co.uk/viewtopic.php?f=8&t=17084&p=71686&hilit=3300V#p71686

Not exactly the same situation but it gave me the idea to try Aggressive Mode and PFS, and when I did this on my test connection it started working. So that's why we are using Aggressive Mode. The ISP's router has an adjacent IP address in the same subnet if that gives you any clues as to why this is necessary.

The only thing I can think of is that I have set a different Peer ID to what Checkpoint is sending, but the supplier says he has no setting for a Peer ID and none of the ones I tried to derive from the log files worked.

Thanks.

Regards,

Matt.


02 Oct 2012 13:07 #6 by modainpelle
(bump)

Nobody got any idea what the Peer ID should be then? :(

Is it called something different in Checkpoint?

Regards,

Matt.
