
Site to Site IPSEC VPN through 2wire BT router

watcher60
Member

Hi all,

Not sure if anyone can help. My setup is a 2wire ADSL router (BT issue) with a NetScreen firewall behind it. I have the NetScreen set to pick up its IP from the 2wire ADSL router via DHCP, and it gets assigned the WAN IP the router picks up. I have the NetScreen set as the DMZplus host with all applications etc. allowed to it. I'm trying to set up an IPsec VPN from the NetScreen to one of our other office sites.

 

While I can get this to work for short periods (i.e. an hour or so), it does fail. Looking in the system log, what appears to be happening is that the 2wire router is VPN capable and is taking over the IKE port, which then causes the VPN from the NetScreen to fail. In the log entries below I've changed the IP addresses so that 1.1.1.1 is the external IP I'm getting on the BT router and being used by the NetScreen, and 2.2.2.2 is the remote site:

 

When it is working I see this in the system log on the BT 2wire ADSL router:

 

INF 2011-08-08T15:03:36+01:00 stream: sock_osr_bind: T_ERROR_ACK, TLI_error 23 UNIX_error 0
 
ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1[500]): Address already in use
 
INF 2011-08-08T15:03:37+01:00 iked: [INFO]: main.c:652:<unknown>(): starting iked for racoon2 repository
 
INF 2011-08-08T15:03:37+01:00 stream: sock_rput_pcproto: T_ERROR_ACK for type 1, TLI error 23, UNIX error 0
 
INF 2011-08-08T15:03:37+01:00 stream: sock_osr_bind: T_ERROR_ACK, TLI_error 23 UNIX_error 0
 
ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1 [500]): Address already in use

 

As I think you can see, it's complaining it can't use the external IP for IKE (as I presume it's being used for mapping to the NetScreen).

 

However, when the VPN fails I see the following messages in the 2wire system log, which seem to indicate it's taken over IKE on the external IP and is dropping the connections as it's not configured to set up a VPN to the remote host:

 

ERR 2011-08-08T13:42:46+01:00 iked: [PROTO_ERR]: ikev1.c:1031:<unknown>(): couldn't find configuration for remote 2.2.2.2[500] (local 1.1.1.1[500])
 
ERR 2011-08-08T13:42:50+01:00 iked: [INTERNAL_ERR]: cfsetup.c:3824: macro extension failed: IPSEC_DATA%peers_ip
 

Ideally it sounds as if I need to turn off the IKE daemon on the 2wire router, but I cannot see any way to achieve this. Does anyone have any tips etc. on how to overcome this?

 

thanks

Matt
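
Added example, not part of the original post: a small Python classifier for the 2wire `iked` log lines quoted above, following the poster's reading that a failed bind on UDP 500 coincides with a working tunnel and a "couldn't find configuration" error means the router's own `iked` handled the peer's IKE traffic. The state names and the sample log (assembled from the lines in the post) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the log lines quoted in the post (addresses already anonymised there).
SAMPLE_LOG = """\
ERR 2011-08-08T13:42:46+01:00 iked: [PROTO_ERR]: ikev1.c:1031:<unknown>(): couldn't find configuration for remote 2.2.2.2[500] (local 1.1.1.1[500])
ERR 2011-08-08T13:42:50+01:00 iked: [INTERNAL_ERR]: cfsetup.c:3824: macro extension failed: IPSEC_DATA%peers_ip
INF 2011-08-08T15:03:36+01:00 stream: sock_osr_bind: T_ERROR_ACK, TLI_error 23 UNIX_error 0
ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1[500]): Address already in use
INF 2011-08-08T15:03:37+01:00 iked: [INFO]: main.c:652:<unknown>(): starting iked for racoon2 repository
ERR 2011-08-08T15:03:37+01:00 iked: [INTERNAL_ERR]: isakmp.c:547:<unknown>(): bind(1.1.1.1 [500]): Address already in use
"""

# Severity, ISO timestamp, process name, message.
LINE = re.compile(r"^(?P<sev>[A-Z]{3}) (?P<ts>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
# iked could not bind UDP 500 (poster's reading: seen while the tunnel works).
BIND_FAIL = re.compile(r"bind\([\d.]+ ?\[500\]\): Address already in use")
# iked received IKE from a peer it has no config for (seen when the tunnel drops).
NO_CONFIG = re.compile(r"couldn't find configuration for remote (?P<remote>[\d.]+)\[500\] "
                       r"\(local (?P<local>[\d.]+)\[500\]\)")

def classify(log_text):
    """Return time-ordered (timestamp, state, peer) tuples for relevant iked lines."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proc"] != "iked":
            continue  # only the router's IKE daemon is of interest
        ts = datetime.fromisoformat(m["ts"])
        if BIND_FAIL.search(m["msg"]):
            events.append((ts, "passthrough", None))
        elif (n := NO_CONFIG.search(m["msg"])):
            events.append((ts, "router_owns_ike", n["remote"]))
    return sorted(events, key=lambda e: e[0])

def intercepted_peers(events):
    """Peers whose IKE packets reached the router's iked rather than the firewall."""
    return sorted({peer for _, state, peer in events if state == "router_owns_ike"})

if __name__ == "__main__":
    for ts, state, peer in classify(SAMPLE_LOG):
        print(ts.isoformat(), state, peer or "")
```

Run against a longer export of the router's system log, the timestamps of `router_owns_ike` events can be lined up with the firewall's own tunnel-down events to test the hypothesis.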

 

 

3 REPLIES

markp
Grand Guru

Hi watcher60,

 

What firmware is your business hub running? If it is running the .48 firmware, this might need to be updated to the .49 firmware; you will need to contact the helpdesk to get this done. Here are the helpdesk contact options.

 

 

 

Regards

 

Markp

watcher60
Member

Don't believe I'm even on .48:

 

 

Model:2701HGV-C
Hardware Version:2701-100630-008
Firmware Version:6.3.9.41-plus.tm

If I'm reading the above correctly

 

Thanks!

markp
Grand Guru

Hi watcher60,

 

The firmware versions .48 and .49 relate to the 2700HGV, not the 2701HGV-C router. The 2701HGV-C will not need a firmware update. I would recommend contacting the helpdesk on the following contact options.

 

 

Regards

 

Markp