3550 VPN Port Forwarding problems!

Forum for general questions about VPN

Moderator: Lancom-Systems moderators

westnettelecom
Posts: 6
Registered: 08 Dec 2007, 22:53

3550 VPN Port Forwarding problems!

Post by westnettelecom »

Hi,

I've got a problem with the LANCOM 3550 router.
I'm Dutch and my German is not very good, so I will use English.

I've got 3 x 3550 routers.

One of them is the main router.
This one is connected to a DSL line.
The router LAN range I use = 192.168.1.0/255.255.255.0

The other 2 routers are both UMTS routers and they connect
via a VPN connection with the main router.
The LAN range on the first UMTS router = 192.168.3.0/255.255.255.0
I've got an IP camera located @ 192.168.3.50

Now the VPN connection works: if I'm on the 192.168.1.x range I can access the 192.168.3.x range perfectly. But if I want to forward a port from the WAN of the main router to the 192.168.3.x network in the VPN network it doesn't work; I get this error on the main router via LANmonitor:

No Proposal Matched (Initiator, IPSEC) 0x3102

And on the other side (UMTS router) I get the error:

No Rule Matched IDS - unknown connection or incorrect ID (e.g. IP Network definition) (Responder, IPSec) 0x3201

I've searched everywhere to find a solution, but without any luck.

Hope someone can help me here.
westnettelecom
Posts: 6
Registered: 08 Dec 2007, 22:53

Post by westnettelecom »

[IP-Router] 1900/01/01 00:04:02,290
IP-Router Rx (intern, RtgTag: 0):
DstIP: 80.xxx.133.46, SrcIP: 77.61.xxx.75, Len: 716, DSCP: CS0/BE (0), ECT: 0, CE: 0
Prot.: UDP (17), DstPort: 58868, SrcPort: 4500
Route: WAN Tx (WAN)

[VPN-Status] 1900/01/01 00:04:02,340
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer DRIP2


[VPN-Status] 1900/01/01 00:04:02,340
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for DRIP2 (80.xxx.133.46)

[IP-Router] 1900/01/01 00:04:13,340
IP-Router Rx (intern, RtgTag: 0):
DstIP: 80.xxx.133.46, SrcIP: 77.61.xxx.75, Len: 716, DSCP: CS0/BE (0), ECT: 0, CE: 0
Prot.: UDP (17), DstPort: 58868, SrcPort: 4500
Route: WAN Tx (WAN)

[IP-masquerading] 1900/01/01 00:04:24,120
Open: TCP 80.xxx.133.46, 61593 => 58835

[IP-Router] 1900/01/01 00:04:2
IP-Router Rx (WAN, RtgTag: 0):
DstIP: 192.168.3.50, SrcIP: 80.xxx.133.46, Len: 48, DSCP: CS0/BE (0), ECT: 0, CE: 0
Prot.: TCP (6), DstPort: 80, SrcPort: 61593, Flags: S
Route: WAN Tx (DRIP2)

[IP-Router] 1900/01/01 00:04:24,130
IP-Router Rx (intern, RtgTag: 0):
DstIP: 80.xxx.133.46, SrcIP: 77.61.xxx.75, Len: 716, DSCP: CS0/BE (0), ECT: 0, CE: 0
Prot.: UDP (17), DstPort: 58868, SrcPort: 4500
Route: WAN Tx (WAN)

[IP-Router] 1900/01/01 00:04:26,930
IP-Router Rx (WAN, RtgTag: 0):
DstIP: 192.168.3.50, SrcIP: 80.xxx.133.46, Len: 48, DSCP: CS0/BE (0), ECT: 0, CE: 0
Prot.: TCP (6), DstPort: 80, SrcPort: 61593, Flags: S
Route: WAN Tx (DRIP2)

[VPN-Status] 1900/01/01 00:04:28,110
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer DRIP2


[VPN-Status] 1900/01/01 00:04:28,110
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for DRIP2 (80.xxx.133.46)

[VPN-Status] 1900/01/01 00:04:28,300
IKE info: NOTIFY received of type NO_PROPOSAL_CHOSEN for peer DRIP2


[VPN-Status] 1900/01/01 00:04:2
VPN: Error: IPSEC-I-No-proposal-matched (0x3102) for DRIP2 (80.xxx.133.46)

[VPN-Status] 1900/01/01 00:04:28,680
VPN: poll timeout for DRIP2 (80.xxx.133.46)
remote site answered during intervall
send poll frame to 192.168.3.254

[IP-Router] 1900/01/01 00:04:28,680
IP-Router Rx (intern, RtgTag: 0):
DstIP: 192.168.3.254, SrcIP: 192.168.1.254, Len: 84, DSCP: AF11 (10), ECT: 0, CE: 0
Prot.: ICMP (1), echo request, id: 0x0018, seq: 0x0000
Route: WAN Tx (DRIP2)

[VPN-Status] 1900/01/01 00:04:28,770
VPN: Poll reply from DRIP2 (80.xxx.133.46)
maxtek
Posts: 82
Registered: 15 Aug 2005, 23:42
Location: Essen

Post by maxtek »

Hi

I don't know about the APNs of the Dutch 3G providers, but in Germany they are restrictive and NAT all traffic. Often they also block IPsec.
Hence, only the UMTS routers can be the initiator of a VPN connection, most reliably in aggressive mode.

Does the VPN connection work without the port forwarding in place?
westnettelecom
Posts: 6
Registered: 08 Dec 2007, 22:53

Post by westnettelecom »

maxtek wrote: Hi

I don't know about the APNs of the Dutch 3G providers, but in Germany they are restrictive and NAT all traffic. Often they also block IPsec.
Hence, only the UMTS routers can be the initiator of a VPN connection, most reliably in aggressive mode.

Does the VPN connection work without the port forwarding in place?

The UMTS routers are located in Germany with T-Mobile,
but the VPN connection works perfectly, and on the LAN I can access all UMTS routers / IP cameras via VPN.

So this works:

192.168.1.40 (my laptop) < VPN > 192.168.3.50

But if I want a port translation from the WAN of the main router to one of the UMTS routers via VPN, it doesn't work.

So > 77.xx.xx.75:6000 > 192.168.1.254 < VPN > 192.168.3.50:80

I think it's a routing problem, because if I create a temporary TCP/HTTP tunnel it works. But then I'm restricted to 1 IP address on which I made the HTTP tunnel, and that is not what I want.
maxtek
Posts: 82
Registered: 15 Aug 2005, 23:42
Location: Essen

Post by maxtek »

Oh I see.

So it works fine with the temporary tunnel feature but not with the permanent port forwarding feature. Can you do an IP-Router trace on the UMTS router end of the VPN to see how far the packets are forwarded?
westnettelecom
Posts: 6
Registered: 08 Dec 2007, 22:53

Post by westnettelecom »

IP-Router Rx (intern, RtgTag: 0):
DstIP: 77.61.209.75, SrcIP: 192.168.1.73, Len: 124, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 4500, SrcPort: 4500
Route: WAN Tx (INTERNET)

[VPN-Status] 1900/01/01 00:44:45,470
IKE info: Phase-2 failed for peer HOEVELAKEN: no rule matches the phase-2 ids 0.0.0.0/0.0.0.0 <-> 192.168.10.0/255.255.255.0
IKE log: 004445 Default message_negotiate_sa: no compatible proposal found
IKE log: 004445 Default dropped message from 77.61.209.75 port 4500 due to notification type NO_PROPOSAL_CHOSEN
IKE info: dropped message from peer HOEVELAKEN 77.61.209.75 port 4500 due to notification type NO_PROPOSAL_CHOSEN


[VPN-Status] 1900/01/01 00:44:45,480
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for HOEVELAKEN (77.61.209.75)

[IP-Router] 1900/01/01 00:44:45,480
IP-Router Rx (intern, RtgTag: 0):
DstIP: 77.61.209.75, SrcIP: 192.168.1.73, Len: 92, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 4500, SrcPort: 4500
Route: WAN Tx (INTERNET)

-----------------------

It also gives me this:

[IP-Router] 1900/01/01 00:48:18,470
IP-Router Rx (INTERNET, RtgTag: 0):
DstIP: 239.255.255.250, SrcIP: 192.168.1.200, Len: 374, DSCP/TOS: 0x00
Prot.: UDP (17), DstPort: 1900, SrcPort: 8008
Network unreachable (no route) => Discard

I can't really test it now with UMTS because UMTS is not available in this region; therefore I'm now using it on my own DSL line temporarily, but with the same problems.

And if I look at this:
IKE info: Phase-2 failed for peer HOEVELAKEN: no rule matches the phase-2 ids 0.0.0.0/0.0.0.0 <-> 192.168.10.0/255.255.255.0

I think that may be the problem.
backslash
Moderator
Posts: 7129
Registered: 08 Nov 2004, 21:26
Location: Aachen

Post by backslash »

Hi westnettelecom,

your problem is that you only use the automatically created VPN rules. With these rules only the traffic between the 192.168.1.x and 192.168.3.x networks is allowed. If you want to access your camera from the internet you need rules that allow traffic between your camera and the internet (192.168.3.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0). For this the default route at the camera's router must point to the VPN tunnel, and the main router needs an extra firewall rule:

Code:

[x] This rule is used to create VPN-Rules

Actions:     Immediatel Transfer
Source:      all stations
Destination: Network 192.168.3.0/255.255.255.0
Service:     all services/protocols
The problem is that if the default route points to the VPN tunnel, you have something like a hen and egg problem: you also need a default route to reach the main router via the internet...

For this you set the routing tag of the router's existing default route to 1, and you set the VPN connection's routing tag (VPN -> General -> Connection list -> VPN-Connection -> Routing tag) to 1, too.

regards
Backslash
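As an added illustration of backslash's diagnosis (this is example code written for this page, not code from the thread, from LANCOM or from LCOS), the Python script below parses constructed trace lines in the format westnettelecom posted, extracts the phase-2 IDs the peer proposed, and checks them against a rule set: with only the automatically created LAN-to-LAN rule nothing matches (the 0x3201 "No rule matched IDs" case), while the rule that a tunnel-bound default route implies does match. A second part models routing tags to show why the default route's tag and the VPN connection's tag both have to be 1. The peer name, the addresses, the order of the IDs in the trace line (remote first, local second), and the route entries are assumptions.

```python
import ipaddress
import re

# Constructed sample trace lines, modelled on the LCOS "VPN-Status" trace quoted
# in the thread. The peer name and addresses are placeholders; 192.168.3.0/24 is
# the camera LAN from the thread.
SAMPLE_TRACE = """\
[VPN-Status] 1900/01/01 00:44:45,470
IKE info: Phase-2 failed for peer HOEVELAKEN: no rule matches the phase-2 ids 0.0.0.0/0.0.0.0 <-> 192.168.3.0/255.255.255.0
[VPN-Status] 1900/01/01 00:44:45,480
VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for HOEVELAKEN (77.61.209.75)
"""

# Assumption: the responder prints the initiator's ID first, its own ID second.
PHASE2_RE = re.compile(
    r"Phase-2 failed for peer (?P<peer>\S+): no rule matches the phase-2 ids "
    r"(?P<remote>\S+) <-> (?P<local>\S+)"
)


def lcos_net(text):
    """Parse LCOS dotted-mask notation ('192.168.3.0/255.255.255.0') or CIDR."""
    return ipaddress.ip_network(text, strict=False)


def parse_phase2_failures(trace):
    """Return (peer, remote_net, local_net) for every 'no rule matches' line."""
    found = []
    for line in trace.splitlines():
        m = PHASE2_RE.search(line)
        if m:
            found.append((m["peer"], lcos_net(m["remote"]), lcos_net(m["local"])))
    return found


def find_matching_rule(rules, remote_net, local_net):
    """A VPN rule (local, remote) accepts a proposal when both proposed IDs lie
    inside the rule's networks. Returns the first matching rule, or None."""
    for rule_local, rule_remote in rules:
        if local_net.subnet_of(rule_local) and remote_net.subnet_of(rule_remote):
            return (rule_local, rule_remote)
    return None


def diagnose(trace, rules):
    """Pair each failed phase-2 negotiation with the rule that would accept it."""
    return [(peer, find_matching_rule(rules, remote, local))
            for peer, remote, local in parse_phase2_failures(trace)]


# Rule set on the camera's router as the thread starts: only the automatically
# created LAN-to-LAN rule, so a proposal carrying 0.0.0.0/0 cannot match.
AUTO_RULES = [(lcos_net("192.168.3.0/24"), lcos_net("192.168.1.0/24"))]
# Rule implied once the camera router's default route points into the tunnel.
DEFAULT_ROUTE_RULE = (lcos_net("192.168.3.0/24"), lcos_net("0.0.0.0/0"))

# Routing tags, the second half of the fix (assumed model). A route is
# (network, next hop, tag); a lookup only considers routes whose tag equals
# the packet's tag.
ROUTES_BEFORE = [(lcos_net("0.0.0.0/0"), "VPN-TUNNEL", 0)]
ROUTES_AFTER = [
    (lcos_net("0.0.0.0/0"), "VPN-TUNNEL", 0),  # LAN traffic (tag 0) into the tunnel
    (lcos_net("0.0.0.0/0"), "INTERNET", 1),    # the tunnel's own IKE/ESP (tag 1) to the WAN
]


def lookup(routes, dst, tag):
    """Longest-prefix match restricted to routes carrying the packet's tag."""
    best = None
    for net, hop, rtag in routes:
        if rtag == tag and ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best[1] if best else None


if __name__ == "__main__":
    for peer, rule in diagnose(SAMPLE_TRACE, AUTO_RULES):
        print(f"{peer}: automatic rules only -> {rule}")
    for peer, rule in diagnose(SAMPLE_TRACE, AUTO_RULES + [DEFAULT_ROUTE_RULE]):
        print(f"{peer}: with default-route rule -> {rule}")
    # Without tags the router would send its own IKE traffic into the tunnel
    # it is still trying to build; with tag 1 that traffic leaves via the WAN.
    print("before:", lookup(ROUTES_BEFORE, "77.61.209.75", 0))
    print("after: ", lookup(ROUTES_AFTER, "77.61.209.75", 1))
```

The rule check deliberately tests subnet containment rather than equality, because the initiator's "all stations" side arrives as 0.0.0.0/0 and only a rule that is at least as wide on that side can accept it; the tagged lookup makes the hen-and-egg dependency visible, since with a single untagged default route the peer address itself resolves to the tunnel.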
westnettelecom
Posts: 6
Registered: 08 Dec 2007, 22:53

Post by westnettelecom »

OK, now it works; I worked it out with the LANCOM support desk.

Now I've got another question:

How do I delete the converter firmware from the router after upgrading to a new firmware?
LoUiS
Site Admin
Posts: 5052
Registered: 07 Nov 2004, 18:29
Location: Aix la Chapelle

Post by LoUiS »

Hi,
How do I delete the converter firmware from the router after upgrading to a new firmware?
It is not possible to erase the MiniFirmware. Once it is installed in flash memory, it will remain there.
This should not be any problem, because newer LCOS versions are too big to fit twice into the flash memory of a LANCOM 3550. So you will need to use the MiniFirmware anyway to get newer LCOS versions running.


Ciao
LoUiS
Dr.House wrote: Dr. House: You are healed. Get up and walk.
Patient: Are you insane?
Dr. House: In the Bible people simply say "Yes, Lord" and then break into praise.