Unable to connect IPSec-over-UDP (over TCP works) to VPN3000

mmelbourne · ‎09-11-2002

I am currently unable to connect to our VPN Conc (3.6.1) using IPSec over UDP (although IPSec over TCP works). No configuration changes have occurred since I last connected successfully. The event log shows:

307 09/11/2002 20:49:00.570 SEV=4 IPSEC/7 RPT=42

IPSec ESP Tunnel Inb: invalid direction in security association

308 09/11/2002 20:49:01.570 SEV=4 IPSEC/7 RPT=43

IPSec ESP Tunnel Inb: invalid direction in security association

309 09/11/2002 20:49:09.130 SEV=4 IKEDBG/0 RPT=6

QM FSM error (P2 struct &0x3fec2f4, mess id 0xa25204a2)!

310 09/11/2002 20:49:09.130 SEV=4 IKEDBG/65 RPT=8 80.195.147.83

Group [test] User [matt.melbourne]

IKE QM Responder FSM error history (struct &0x3fec2f4)

<state>, <event>:

QM_DONE, EV_ERROR

QM_WAIT_MSG3, EV_TIMEOUT

QM_WAIT_MSG3, NullEvent

QM_SND_MSG2, EV_SND_MSG

315 09/11/2002 20:49:09.140 SEV=4 IKEDBG/0 RPT=7

QM FSM error (P2 struct &0x3fecda8, mess id 0x9fe32987)!

316 09/11/2002 20:49:09.140 SEV=4 IKEDBG/65 RPT=9 80.195.147.83

Group [test] User [matt.melbourne]

IKE QM Responder FSM error history (struct &0x3fecda8)

<state>, <event>:

QM_DONE, EV_ERROR

QM_WAIT_MSG3, EV_TIMEOUT

QM_WAIT_MSG3, NullEvent

QM_SND_MSG2, EV_SND_MSG

What could be wrong? The VPN Client is 3.6.1.

john.gudmann · ‎09-18-2002

He I had a similar problem. Please check that your still have marked “Mode Configuration” in IPSec and “Allow IPSec over UDP” -> in Client Config

mmelbourne · ‎09-18-2002

Thanks for the suggestion, but after some extensive debugging it turned out to be a transient problem with the ISP. The UDP packets were reaching the Concentrator from the client, but were being blocked (somewhere in the ISPs network) on the way back. I even temporarily hooked up the Public interface to another ISP (through an ISDN router with static NAT translations for UDP 500 and UDP 10000 traffic) and successfully made an IPSec-over-UDP connection.