Site to Site IPSEC VPN through 2wire BT router

watcher60 — Mon, 08 Aug 2011 14:44:54 GMT

Hi all,

not sure if anyone can help. My set up is a 2wire ADSL router (bt issue) with a netscreen firewall behind it. I have the netscreen set to pick up its IP from the 2wire adsl router via DHCP. and it gets assigned the WAN IP the router picks up. I have the Netscreen set as the DMZplus host with all applications etc allowed to it. I'm trying to set up a IPsec vpn from the netscreen to one of our other office sites.

While I can get this to work for short periods (i.e hour or so) it does fail. Looking in the system log what appears to be happening is the 2wire router is VPN capable and is taking over the IKE port which then causes the VPN from the netscreen to fail. In the log entries below I've changed the IP address so that 1.1.1.1 is the external IP I'm getting on the BT router and being used by the netscreen and 2.2.2.2 is the remote site:

When it is working I see this in the system log on the BT 2wire adsl router:

INF 2011-08-08T15:03:36+01:00 stream: sock_osr_bind: T_ERROR_ACK, TLI_error 23 UNIX_error 0

ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1[500]): Address already in use

INF 2011-08-08T15:03:37+01:00 iked: [INFO]: main.c:652:<unknown>(): starting iked for racoon2 repository

INF 2011-08-08T15:03:37+01:00 stream: sock_rput_pcproto: T_ERROR_ACK for type 1, TLI error 23, UNIX error 0

INF 2011-08-08T15:03:37+01:00 stream: sock_osr_bind: T_ERROR_ACK, TLI_error 23 UNIX_error 0

ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1 [500]): Address already in use

As I think you can see its complaining it can't use the external IP for IKE (as I presume its being used for mapping to the netscreen)

However when the VPN fails I see the following msg in the 2wire system log that seems to indiciate its taken over the IKE on the external IP and is dropping the connections as its not configured to setup a VPN to the remote host:

ERR 2011-08-08T13:42:46+01:00 iked: [PROTO_ERR]: ikev1.c:1031:<unknown>(): couldn't find configuration for remote 2.2.2.2[500] (local 1.1.1.1[500])

ERR 2011-08-08T13:42:50+01:00 iked: [INTERNAL_ERR]: cfsetup.c:3824: macro extension failed: IPSEC_DATA%peers_ip

Ideally it sounds as if I need to turn off the IKE deamon on the 2wore router but I cannot see anyway to achieve this. Does anyone have any tips etc on how to overcome this?

thanks

Matt

Re: Site to Site IPSEC VPN through 2wire BT router

markp — Mon, 08 Aug 2011 14:54:24 GMT

Hi watcher60,

What firmware if your business hub running? If it is running the .48 firmware as this might need to be updated to the .49 firmware youou will need to contact the helpdesk to get this done. Hare are the helpdesk contact options.

Regards

Markp

Re: Site to Site IPSEC VPN through 2wire BT router

watcher60 — Mon, 08 Aug 2011 14:58:54 GMT

Don't believe I'm even on .48:

Model:	2701HGV-C
Hardware Version:	2701-100630-008
Firmware Version:	6.3.9.41-plus.tm

If I'm reeading the above correctly

Thanks!

Re: Site to Site IPSEC VPN through 2wire BT router

markp — Mon, 08 Aug 2011 15:07:27 GMT

Hi watcher60,

The firmware verion .48 and .49 relates to the 2700HGV not the 2701HGV-C router. The 2701HGV-C will not need a firmware update. I would recommend contacting the helpdesk on the following contact options.

Regards

Markp

topic Re: Site to Site IPSEC VPN through 2wire BT router in Archive

Site to Site IPSEC VPN through 2wire BT router

Re: Site to Site IPSEC VPN through 2wire BT router

Re: Site to Site IPSEC VPN through 2wire BT router

Re: Site to Site IPSEC VPN through 2wire BT router