Solved

VPN Phase 2 fails - Netgear Prosafe client with Netgear FVS-318 VPN Firewall

Posted on 2004-04-01
Last Modified: 2007-12-19
I am trying to get my VPN Connection into my office from my home computer.  

Home PC is running XP with Prosafe VPN client.  Home is connected to the Internet via a shared Cable modem connection. Office is connected to the Internet via Sprint DSL connection.  I have three FVS-318 VPN Firewalls, each with their own static WAN IP address.

I have been over the configurations several times and cannot seem to find the problem.  The symptoms are:

- Successful Phase 1 completion
- Unsuccessful Phase 2 completion.

Log from the VPN Client Software:

My Connections\FVS318 - Initiating IKE Phase 1 (IP ADDR=XXX.XXX.XXX.XXX) (changed for security)
My Connections\FVS318 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
My Connections\FVS318 - RECEIVED<<< ISAKMP OAK MM (SA)
My Connections\FVS318 - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 3x)
My Connections\FVS318 - RECEIVED<<< ISAKMP OAK MM (KE, NON)
My Connections\FVS318 - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
My Connections\FVS318 - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
My Connections\FVS318 - Established IKE SA
  MY COOKIE f2 8b eb 4c 14 b4 b7 61
  HIS COOKIE d2 6e 47 59 7c de 67 61
My Connections\FVS318 - Initiating IKE Phase 2 with Client IDs (message id: 7FCED417)
 Initiator = IP ADDR=192.168.1.100, prot = 0 port = 0
 Responder = IP RANGE TO/FROM=192.168.0.20/192.168.0.100, prot = 0 port = 0
My Connections\FVS318 - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)

From the Firewall:

FVS318 IKE:[VPN Client_tmp22] RX << QM_I1 : XXX.XXX.XXX.XXX (changed for security)
FVS318 IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.0.20/192.168.0.100-65.40.146.34=====192.168.1.100

I am pretty new to VPN, but I do not understand why the Firewall has no connection to the client IP, if it has already exchanged the key in Phase 1.

Any help is appreciated!
Question by:dlafever
7 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10738475
Hi dlafever,


It appears you have to configure your VPN/Firewall server to accept incoming calls from clients.
Here are some guides that may help out:
http://www.netgear.com/pdf_docs/FVS318_FAQ.pdf
http://kbserver.netgear.com/kb_web_files/n100757.asp

 

Author Comment

by:dlafever
ID: 10738882
what90,

Thanks for the reply.  I have indeed set up a VPN connection on my FVS-318 using the instructions I found here:

ftp://downloads.netgear.com/files/vpn_client2fvs.pdf



 
LVL 11

Expert Comment

by:ewtaylor
ID: 10742556
2 things I would check are to make sure the 2 networks are not using the same IP addressing scheme, and to see if the client has some UDP encapsulation or another form of NAT traversal.

 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 10783313
I found the Netgear manual to be complete utter crud.......

Safenet (who makes Softremote - repackaged as Netgear) produces a much better document for connecting to that router.

http://support.safenet-inc.com/technotes/SR__NetGear_FVS318v1.4.pdf
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10809369
Glad it worked. :)
 

Author Comment

by:dlafever
ID: 10809375
OK, points go to diggisaur, thanks much for your reply.  I am now able to VPN into two of the three routers I have.  The third is still a puzzle to me, but I will research further before posting another question.

To ewtaylor, your thoughts are appreciated as well, I had checked this prior to posting however.

Off to the net...

Regards,

-Dennis
 

Author Comment

by:dlafever
ID: 10809398
OK, so I am an idiot, posting no helpful information for anyone else to find!  :((

The trick for me was in the remote client's My Identity section.  The Netgear manual is miserable about describing this area, they just give ONE example of how to use it and unfortunately it did not apply to me.  This router is not associated with an internal or external domain, so I had to make one up and put it in this field.  Then I had to fabricate a remote IP address to use and enter it here as well as on the router VPN config screen.  After that, VPN Nirvana was achieved.

Again, thanks for the replies!  And Diggisaur, thanks for the HELPFUL manual.

-Dennis
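
A small triage script for logs like the ones in the question, added here as an example and not posted by anyone in the thread: it reports how far the IKE negotiation got and which Phase 2 client IDs the client proposed, which are the values to compare against the VPN policy configured on the router. The log text is constructed from the question's log with a documentation address and a placeholder for the firewall's selectors; the function and field names are hypothetical.

```python
import re

# Constructed sample modelled on the client log in the question (peer is a documentation IP).
CLIENT_LOG = """\
My Connections\\FVS318 - Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
My Connections\\FVS318 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
My Connections\\FVS318 - RECEIVED<<< ISAKMP OAK MM (SA)
My Connections\\FVS318 - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 3x)
My Connections\\FVS318 - RECEIVED<<< ISAKMP OAK MM (KE, NON)
My Connections\\FVS318 - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
My Connections\\FVS318 - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
My Connections\\FVS318 - Established IKE SA
My Connections\\FVS318 - Initiating IKE Phase 2 with Client IDs (message id: 7FCED417)
 Initiator = IP ADDR=192.168.1.100, prot = 0 port = 0
 Responder = IP RANGE TO/FROM=192.168.0.20/192.168.0.100, prot = 0 port = 0
My Connections\\FVS318 - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
"""
# Constructed: only the fixed wording of the firewall message is matched, not the selectors.
FIREWALL_LOG = ("FVS318 IPsec:cannot respond to IPsec SA request because no "
                "connection is known for <selectors>\n")

MSG = re.compile(r"(SENDING>>>>|RECEIVED<<<) ISAKMP OAK (MM|QM)")
ID_LINE = re.compile(r"^\s*(Initiator|Responder) = (.+?), prot = (\d+) port = (\d+)", re.M)

def triage(client_log, firewall_log=""):
    """Report how far IKE negotiation got and which Phase 2 IDs were proposed."""
    counts = {}
    for direction, exchange in MSG.findall(client_log):
        key = ("sent" if direction.startswith("SENDING") else "recv", exchange)
        counts[key] = counts.get(key, 0) + 1
    qm_sent = counts.get(("sent", "QM"), 0)
    qm_recv = counts.get(("recv", "QM"), 0)
    if "Established IKE SA" not in client_log:
        verdict = "phase1_incomplete"      # Main Mode never finished
    elif qm_sent and not qm_recv:
        verdict = "phase2_unanswered"      # Quick Mode sent, responder stayed silent
    elif qm_recv:
        verdict = "phase2_answered"
    else:
        verdict = "phase2_not_started"
    ids = {role: {"id": ident, "prot": int(prot), "port": int(port)}
           for role, ident, prot, port in ID_LINE.findall(client_log)}
    return {"verdict": verdict, "proposed_ids": ids,
            "responder_no_known_connection": "no connection is known for" in firewall_log}
```
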