Solved

Netgear FVX538 Client VPN cannot connect

Posted on 2006-11-17
Last Modified: 2011-09-28
After having followed the Netgear instructions to the letter, several times, I still cannot establish a client VPN connection using the Netgear VPN client to my FVX538.

The log for the client is like this:

11-17: 18:19:23.797 My Connections\office - Initiating IKE Phase 1 (IP ADDR=nnn.nnn.nnn.nnn)
11-17: 18:19:23.984 My Connections\office - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
11-17: 18:19:38.984 My Connections\office - message not received! Retransmitting!
11-17: 18:19:38.984 My Connections\office - SENDING>>>> ISAKMP OAK AG (Retransmission)
11-17: 18:19:53.984 My Connections\office - message not received! Retransmitting!
11-17: 18:19:53.984 My Connections\office - SENDING>>>> ISAKMP OAK AG (Retransmission)
11-17: 18:20:09.983 My Connections\office - message not received! Retransmitting!
11-17: 18:20:09.983 My Connections\office - SENDING>>>> ISAKMP OAK AG (Retransmission)
11-17: 18:20:24.983 My Connections\office - Exceeded 3 IKE SA negotiation attempts

and for the FVX538:

2006-11-17 18:19:22: ERROR:  Could not find configuration for nnn.nnn.nnn.nnn[500]
2006-11-17 18:19:37: ERROR:  Could not find configuration for nnn.nnn.nnn.nnn[500]
2006-11-17 18:19:52: ERROR:  Could not find configuration for nnn.nnn.nnn.nnn[500]
2006-11-17 18:20:08: ERROR:  Could not find configuration for nnn.nnn.nnn.nnn[500]


I have spotted several people across various fora on the net with the same problem. No-one has managed to solve it. Can you?!
Question by:sc0tty2h0tty
12 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17971386
The Netgear client can be difficult, or at least frustrating to set up, if you are not familiar with it. The following sites may be of some help if you haven't seen them:

Netgear site outline:
http://kbserver.netgear.com/kb_web_files/n101500.asp

3rd party guide specific to the FVX538. See "ProSafe VPN Client 10.3.5 using FVX538 (Dynamic IP and Static IP)" section 1/2 way down the page:
http://www.vpncasestudy.com/casestudy/FVX538/v1649/casestudy.html

Set of screen shots showing a typical client and router config I created for another Experts-Exchange question. Was for the FVS318, but VPN configuration is similar:
http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/
 

Author Comment

by:sc0tty2h0tty
ID: 18077969
The vpncasestudy.com guide is essentially the same setup as the Netgear reference one, giving the same error.

On the FVX, the VPN log reports "2006-12-05 16:36:02: ERROR:  Could not find configuration for <my ip address>[500]"

The connection monitor of the client, before it connects, displays this screen: http://www.futurevoiceanddata.co.uk/netgearnotworking.bmp
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18082656
The  "message not received! Retransmitting!" message indicates even initial handshaking is not taking place, at a very basic level. Something serious is incorrectly configured.

In the message "could not find configuration for nnn.nnn.nnn.nnn[500]", is nnn.nnn.nnn.nnn your actual public address, i.e. does it match the IP returned by  http://www.whatismyip.com  when connecting from the client site, indicating it at least received some form of connection?

Any chance the FVX538 is behind another NAT device such as a modem that is a combined router and modem?


 

Author Comment

by:sc0tty2h0tty
ID: 18083731
Yes, the public address shown at whatsmyip is identical to the entry in the FVX's VPN log in the "could not find configuration for nnn.nnn.nnn.nnn[500]" entry.

The FVX is connected into a Netgear DM111P ADSL ethernet modem, operating in bridged mode.

It would not matter that the client is behind NAT, would it? I am testing it with a 3G data card, and the ProSafe client reports its IP as being in the 10.nnn.nnn.nnn range with a subnet of 255.0.0.0.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18084397
Client "should" be fine behind a single NAT device; I was more concerned about the Netgear Router. It supports NAT-T, allowing the client to be behind a NAT router. You could try connecting it to the modem directly as a test, but it is doubtful that is the problem.

However, the VPN requires that the 2 sites, FVX and client site, be on different subnets. I know this is the VPN client, but if you are using a subnet mask of 255.0.0.0 at one or both sites, it means the entire 10.x.x.x subnet is part of the same network segment and will not work. If this is the case, try changing the client site to something like 192.168.x.x and test. Make sure through the whole VPN path, client to corporate site, there are no duplicate subnets.

Identical subnets will allow negotiations to start, but either not connect at all, or with some routers, allow connections, but no communication.
0
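The subnet check described in the reply above, as an added example that is not part of the original thread: it compares every pair of networks along a VPN path and lists the ones that overlap. The site names and the host address 10.20.30.40 are constructed; 10.101.101.0/24, the 255.0.0.0 and 255.255.255.255 masks and 195.1.150.0/24 are the values the asker gives elsewhere in the thread.

```python
import ipaddress


def net(addr, mask):
    # strict=False lets a host address plus mask stand for the network it
    # sits in, e.g. 10.20.30.40 with 255.0.0.0 becomes 10.0.0.0/8.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def overlaps(sites):
    """Return (name, name) pairs whose address ranges overlap."""
    names = sorted(sites)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]


# Address plan as reported in the thread (host address is a constructed sample).
SITES = {
    "fvx_lan": net("10.101.101.0", "255.255.255.0"),
    "client_3g": net("10.20.30.40", "255.0.0.0"),
    "client_nat": net("195.1.150.0", "255.255.255.0"),
}

# Same 3G address, but with the 255.255.255.255 mask the card reports later.
SITES_HOST_MASK = dict(SITES, client_3g=net("10.20.30.40", "255.255.255.255"))

if __name__ == "__main__":
    print(overlaps(SITES))            # the /8 swallows the FVX LAN
    print(overlaps(SITES_HOST_MASK))  # a /32 outside the LAN does not
```
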
 

Author Comment

by:sc0tty2h0tty
ID: 18085093
I tried setting the client to use the virtual adapter, setting the virtual adapter address to 192.168.222.1 to avoid conflicting with the router's 10.101.101.0/24 subnet, but I still get the same result. I cannot change the subnet that the client is on behind its NAT, since the NAT is done by the service provider. The 3G card is issued with a 10.nnn.nnn.nnn address when it connects, with the same IP address as the default gateway setting, and 255.255.255.255 as the subnet.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18085200
Sorry, changing the VPN adapter address will not resolve the issue.
This is a very common problem with VPNs. The subnets must be different. The problem usually occurs with people using default addresses such as 192.168.1.0/24.

Is it possible to test the client at a different site, to verify this is in fact the problem?
 

Author Comment

by:sc0tty2h0tty
ID: 18086861
Just tried connecting via a client behind NAT on a subnet of 195.1.150.0/24, got the same result as before:

12-06: 17:09:19.500 My Connections\fvad - Initiating IKE Phase 1 (IP ADDR=nnn.nnn.nnn.nnn)
12-06: 17:09:20.000 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
12-06: 17:09:35.062 My Connections\fvad - message not received! Retransmitting!
12-06: 17:09:35.062 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
12-06: 17:09:50.125 My Connections\fvad - message not received! Retransmitting!
12-06: 17:09:50.125 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
12-06: 17:10:05.156 My Connections\fvad - message not received! Retransmitting!
12-06: 17:10:05.156 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
12-06: 17:10:20.437 My Connections\fvad - Exceeded 3 IKE SA negotiation attempts


Whilst the FVX logged:

2006-12-06 17:07:31: ERROR:  Could not find configuration for nnn.nnn.nnn.nn[500]
2006-12-06 17:07:46: ERROR:  Could not find configuration for nnn.nnn.nnn.nn[500]
2006-12-06 17:08:01: ERROR:  Could not find configuration for nnn.nnn.nnn.nn[500]
2006-12-06 17:08:16: ERROR:  Could not find configuration for nnn.nnn.nnn.nn[500]

I have posted screenshots of my client and FVX setup details at http://support.futurevad.com/vpnhelp.html , are they all ok? If so, I'm thinking the problem must be to do with the DM111P setup?


0
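A way to read the two logs in the post above side by side, as an added example that is not part of the original thread: it pairs the client's IKE sends with the gateway's errors by their spacing, because the two device clocks disagree. The log lines are constructed samples modelled on the quoted ones, and 203.0.113.7 is a documentation address standing in for the redacted client IP.

```python
import re
from datetime import datetime

# Constructed sample logs modelled on the ones quoted above; 203.0.113.7 is a
# documentation address standing in for the redacted client IP.
CLIENT_LOG = r"""
12-06: 17:09:20.000 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
12-06: 17:09:35.062 My Connections\fvad - message not received! Retransmitting!
12-06: 17:09:35.062 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
12-06: 17:09:50.125 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
12-06: 17:10:05.156 My Connections\fvad - SENDING>>>> ISAKMP OAK AG (Retransmission)
"""
GATEWAY_LOG = """
2006-12-06 17:07:31: ERROR:  Could not find configuration for 203.0.113.7[500]
2006-12-06 17:07:46: ERROR:  Could not find configuration for 203.0.113.7[500]
2006-12-06 17:08:01: ERROR:  Could not find configuration for 203.0.113.7[500]
2006-12-06 17:08:16: ERROR:  Could not find configuration for 203.0.113.7[500]
"""

SEND = re.compile(r"\d\d-\d\d: (\d\d:\d\d:\d\d)\.\d+ .*SENDING>>>> ISAKMP OAK (\w+) \(")
MISS = re.compile(r"\S+ (\d\d:\d\d:\d\d): ERROR:\s+Could not find configuration for (\S+)\[(\d+)\]")

def _times(matches):
    return [datetime.strptime(m.group(1), "%H:%M:%S") for m in matches]

def _gaps(times):
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def triage(client_log, gateway_log, tolerance=2):
    """Correlate client IKE sends with gateway errors by spacing, not wall clock."""
    sends = [m for m in map(SEND.match, client_log.splitlines()) if m]
    misses = [m for m in map(MISS.match, gateway_log.splitlines()) if m]
    sent, seen = _times(sends), _times(misses)
    result = {"sent": len(sent), "seen": len(seen), "mode": None, "peer": None, "skew_s": None}
    if sends:  # "AG" in the client log is IKE aggressive mode; other tokens pass through
        result["mode"] = {"AG": "aggressive"}.get(sends[0].group(2), sends[0].group(2))
    if not sent:
        result["verdict"] = "no IKE attempt found in client log"
    elif not seen:
        result["verdict"] = "not delivered: gateway logged nothing, check the path to UDP 500"
    else:
        result["peer"] = f"{misses[0].group(2)}:{misses[0].group(3)}"
        result["skew_s"] = int((seen[0] - sent[0]).total_seconds())
        same = len(sent) == len(seen) and all(
            abs(a - b) <= tolerance for a, b in zip(_gaps(sent), _gaps(seen)))
        result["verdict"] = ("delivered: each send has a matching gateway error" if same
                             else "partially delivered: counts or spacing differ")
    return result
```

On the sample, four sends line up with four gateway errors at 15-second spacing despite a clock offset of about two minutes, so the packets are arriving and the gateway is the side reporting that it has no configuration for the peer.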
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18087015
I am out of the office right now, I will have a much closer look when I get back, but 3 notes:
1) I have had better luck using the e-mail address than FQDN. Email address does not have to be real, just use the same
2) Under direction/type change from responder to both
3) I have never had to do it, but on another post a user was instructed by Netgear to change Traffic selector/Remote from any to subnet, with an IP of 0.0.0.0 and subnet mask of 255.255.255.0. They said it required a subnet mask.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18166339
Sorry sc0tty2h0tty, somehow missed coming back to this thread. Any luck as of yet?
Might be worth, as a test, trying to set up the VPN treating it as if you have 2 static IPs, just using the current assigned DHCP address.
 

Accepted Solution

by:
sc0tty2h0tty earned 0 total points
ID: 18897461
Netgear Tech Supp have provided me with a working VPN profile file. Thanks to everyone else here who helped.
 
LVL 1

Expert Comment

by:dev-adam
ID: 23138828
sc0tty... could you provide the solution as I am having so much trouble getting this FVX538 to connect via VPN...