VPN with IPSec

[mpeniche]

I'm trying to do a VPN connection between 2 Quadros which both of them are behind a ADSL device. The remote Quadro is set as a Roadwarrior.


When I use the Local subnet <> Remote Subnet option, the connection is successful and any device in the local subnet can reach any other in the remote subnet except for the Quadros.


When I select in addition the Quadro<>Remote Subnet for the local Quadro, and Local subnet<>Remote Gateway for the remote Quadro, I get an error and the connection is not possible.


Do you have any suggestions? Thanks

[mpeniche]

These are the message I receive from the local Quadro:


"top_4-BOTH_SUBNET"[1] 189.141.159.233 #22: responding to Main Mode from unknown peer 189.141.159.233
"top_4-BOTH_SUBNET"[1] 189.141.159.233 #22: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00: both are NATed
"top_4-BOTH_SUBNET"[1] 189.141.159.233 #22: Warning: peer is NATed but source port is still udp/500. Ipsec-passthrough NAT device suspected -- NAT-T may not work.
"top_4-BOTH_SUBNET"[1] 189.141.159.233 #22: WARNING: compute_dh_shared(): for OAKLEY_GROUP_MODP1024 took 449376 usec
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: deleting connection "top_4-BOTH_SUBNET" instance with peer 189.141.159.233
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sent MR3, ISAKMP SA established
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: cannot respond to IPsec SA request because no connection is known for 172.30.0.0/16===172.16.0.5...189.141.159.233[192.168.1.28]===172.31.0.0/16
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_ID_INFORMATION to 189.141.159.233:500
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: cannot respond to IPsec SA request because no connection is known for 189.144.52.238/32===172.16.0.5...189.141.159.233[192.168.1.28]===172.31.0.0/16
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_ID_INFORMATION to 189.141.159.233:500
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1ba26fa2 (perhaps this is a duplicated packet)
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_MESSAGE_ID to 189.141.159.233:500
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb62b2260 (perhaps this is a duplicated packet)
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_MESSAGE_ID to 189.141.159.233:500
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1ba26fa2 (perhaps this is a duplicated packet)
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_MESSAGE_ID to 189.141.159.233:500
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb62b2260 (perhaps this is a duplicated packet)
"top_4-DESTINATION_SUBNET"[1] 189.141.159.233 #22: sending encrypted notification INVALID_MESSAGE_ID to 189.141.159.233:500
"top_4-BOTH_SUBNET": terminating SAs using this connection



ThanksEdited by: mpeniche

[ArsenD]

If both your devices are NAT-ed, then you normally cannot have a VPN connection where any of the VPN gateways is involved. So, the subnet to subnet connection you successfully created is probably the maximum you can get.