Need help setting up Netgear FVS318 VPN

Ok... I'm completely confused.  I've followed Netgear's instructions to the letter.  I have both the Netgear FVS318 firewall and the Netgear VPN client.  No matter what I do, I cannot get it to connect.  I've rechecked the settings a dozen times and all I get is a "INVALID_ID_INFORMATION" error message.

Here are the logs from the firewall:

[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
[2006-11-19 18:38:40]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: NOTIFY

My Network Setup is as follows:

FVS318 <-> CABLE MODEM <-> INTERNET <-> CLIENT PC

Help me before I throw this thing off of a tall building!!!  :-)
ddurmonAsked:
Rob Williams (Connect With a Mentor) Commented:
Above you show: "INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)"
VPNs do not like to traverse multiple NAT (Network Address Translation) devices at a given site. A router is a NAT device as it translates your public IP to a private. What is the "FIREWALL" above? If it is a NAT device it can block the security policy either through NAT or firewall rules.

I see no evidence of it, but make sure with the subnets/IPs you have chosen that you use a subnet mask of 255.255.255.0, not 255.255.0.0.
0
 
Rob WilliamsCommented:
The Netgear client can be difficult, or at least frustrating, to set up if you are not familiar with it. The following sites may be of some help if you haven't seen them:

Netgear site outline:
http://kbserver.netgear.com/kb_web_files/n101436.asp

3rd party guide, specific to the FVS318:
http://www.vpncasestudy.com/casestudy/FVS318/v3/casestudy.html

Set of screen shots showing a typical client and router config I created for another Experts-Exchange question:
http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/
0
 
ddurmon (Author) Commented:
RobWill,

Thanks for the response.  I had previously tried the steps from the Netgear Knowledgebase with some confusion.  Apparently those instructions are for an older version of the firmware, as I couldn't follow them exactly because the menus didn't match.  I am running the latest version (v3_0_24 I think) of the firmware on the router.  I tried to downgrade to version 3_0_22, but the Netgear Knowledgebase instructions still didn't make sense.  I'll try the 2nd and third links tonight and let you know the results.
0
 
Rob WilliamsCommented:
Sounds good. Let us know how you make out. I know the Netgear instructions don't make a lot of sense, it's as if they only included 70% of the details.
--Rob
0
 
ddurmon (Author) Commented:
Ok... the last link (http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/) got me closer.  It is passing Phase 1 but dying on Phase 2.  Also, on the picture named "VPN Policy.jpg", the router forced me to put in the subnet address (which I used 255.255.255.0).

Here are the log files..

From the VPN Client:
11-20: 22:02:42.468
11-20: 22:02:42.468 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:42.578 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
11-20: 22:02:45.593 My Connections\VPN - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 3x)
11-20: 22:02:45.593 My Connections\VPN - Peer is NAT-T draft-01 capable
11-20: 22:02:45.593 My Connections\VPN - NAT is detected for Client
11-20: 22:02:45.750 My Connections\VPN - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
11-20: 22:02:45.750 My Connections\VPN - Established IKE SA
11-20: 22:02:45.750    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:45.750    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:45.937 My Connections\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:45.937   Initiator = IP ADDR=192.168.1.5, prot = 0 port = 0
11-20: 22:02:45.937   Responder = IP SUBNET/MASK=192.168.2.0/255.255.255.0, prot = 0 port = 0
11-20: 22:02:45.937 My Connections\VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
11-20: 22:02:46.000 My Connections\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
11-20: 22:02:46.000 My Connections\VPN - Discarding IPSec SA negotiation (message id: 7AB39411)
11-20: 22:02:46.000 My Connections\VPN - Discarding IKE SA negotiation
11-20: 22:02:46.000 My Connections\VPN - Deleting IKE SA (IP ADDR=X.X.X.X)
11-20: 22:02:46.000    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:46.000    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:46.000 My Connections\VPN - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


From the router:
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-11-20 22:18:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NATD,NATD,NOTIFY
[2006-11-20 22:18:12]**** AGGR MODE COMPLETED ****
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-11-20 22:18:12]**** FOUND IDs,EXTRACT ID INFO ****
[2006-11-20 22:18:12]<Initiator IPADDR=192.168.1.5>
[2006-11-20 22:18:12]<Responder IPADDR=192.168.2.0 MASK=255.255.255.0>
[2006-11-20 22:18:12]No matching set of attributes found for the matching proposal
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

Notes:
1) My network changed a little bit.  It looks like this:
192.168.2.0/255.25.255.0 NET <-> FVS318 <-> CABLE MODEM <-> INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)

I am sitting at a friend's house at the moment.  I don't think the network configuration has any effect on the connection because I can get to my firewall (but I could be wrong).  The 192.168.1.0 network is at my friend's house.  The 192.168.2.0 network is at my house.  The Y.Y.Y.Y is his IP address.  The X.X.X.X is the IP address of my cable modem.  My local IP on his network is 192.168.1.5.  Oh... and my firmware version is the latest version - v3.0_24
0
 
Rob WilliamsCommented:
>>"the router forced me to put in the subnet address (which I used 255.255.255.0)"
If that is in the traffic locater/local or remote IP that is fine.

What is the "firewall" behind the FIOS router? VPNs don't like multiple NAT devices, as a rule.
Have you enabled IPSec pass-through on the FIOS router? May help.

Actually it looks like a mismatch in encryption protocol configuration. Verify that the encryption and hash settings (DES, 3DES, SHA-1, MD5), as well as options like aggressive/main mode and PFS (Perfect Forward Secrecy), are the same at both ends.
0
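The two failures in this thread show up as different IKEv1 notify messages in the FVS318 log: INVALID_ID_INFORMATION during Phase 1 (the first post) and NO_PROPOSAL_CHOSEN during Phase 2 quick mode (the second set of logs, where the router already accepted the 192.168.1.5 / 192.168.2.0/24 identities and then reported "NO MATCHING IPSEC PROPOSAL"). The script below is an added example, not code from the thread or from Netgear: it pulls the last phase and notify name out of a router log excerpt and maps it to the checklist Rob gives (identities for Phase 1, encryption/hash/mode/PFS for Phase 2), then diffs two proposal records field by field. The log excerpts are constructed from the lines quoted above; the `Proposal` fields and the `dh_group` value are assumptions, since the thread only names DES, 3DES, MD5, SHA-1, aggressive/main mode and PFS.

```python
import re
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple

# Constructed excerpts modelled on the FVS318 log lines quoted in the thread.
ROUTER_LOG_PHASE2_FAIL = """\
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
"""

ROUTER_LOG_PHASE1_FAIL = """\
[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
"""

PHASE_RE = re.compile(r"IKE PHASE (\d)")
# A notify name stands alone after the timestamp on the line following "SENDING NOTIFY MSG:".
NOTIFY_RE = re.compile(r"^\[[^\]]+\]([A-Z_]+)$")

# Which part of the configuration to compare first for each notify the thread shows.
HINTS = {
    "INVALID_ID_INFORMATION": "Phase 1 identities (local/remote ID type and value) differ between the peers",
    "NO_PROPOSAL_CHOSEN": "no common Phase 2 proposal: compare encryption, hash, mode and PFS on both ends",
}


def diagnose(log: str) -> Tuple[Optional[int], Optional[str], str]:
    """Return (last phase seen, notify name sent, hint) for a router log excerpt."""
    phase = None
    notify = None
    expect_notify = False
    for line in log.splitlines():
        m = PHASE_RE.search(line)
        if m:
            phase = int(m.group(1))
        if "SENDING NOTIFY MSG" in line:
            expect_notify = True
            continue
        if expect_notify:
            m = NOTIFY_RE.match(line)
            if m:
                notify = m.group(1)
            expect_notify = False
    if notify is None:
        return phase, None, "no notify sent; this peer did not reject the negotiation"
    return phase, notify, HINTS.get(notify, "unrecognised notify; check the vendor documentation")


@dataclass(frozen=True)
class Proposal:
    """Assumed field set for one end's IKE/IPsec policy (not the FVS318's own schema)."""
    mode: str         # "aggressive" or "main"
    encryption: str   # "DES" or "3DES"
    hash: str         # "MD5" or "SHA-1"
    pfs: bool         # Perfect Forward Secrecy on for Phase 2
    dh_group: int     # DH group used when PFS is on (assumed field)


def mismatches(router: Proposal, client: Proposal) -> List[str]:
    """Field-by-field comparison; an empty list means both ends agree."""
    out = []
    for f in fields(Proposal):
        a, b = getattr(router, f.name), getattr(client, f.name)
        if a != b:
            out.append(f"{f.name}: router={a!r} client={b!r}")
    return out


if __name__ == "__main__":
    for name, log in (("first post", ROUTER_LOG_PHASE1_FAIL), ("second post", ROUTER_LOG_PHASE2_FAIL)):
        phase, notify, hint = diagnose(log)
        print(f"{name}: failed in phase {phase} with {notify}: {hint}")
    # Settings as ddurmon describes them, with a deliberately different client hash to show the diff.
    router = Proposal("aggressive", "DES", "MD5", True, 2)
    client = Proposal("aggressive", "DES", "SHA-1", True, 2)
    print(mismatches(router, client))
```

Running it against the thread's two log excerpts reports phase 1 / INVALID_ID_INFORMATION for the first post and phase 2 / NO_PROPOSAL_CHOSEN for the second, which is the distinction Rob draws when he moves from the NAT and ID questions to the encryption checklist. The comparison only catches settings you have recorded in the `Proposal`; a field the router negotiates that is not in the record (which is what ddurmon ran into after confirming the visible settings matched) will not show up here.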
 
ddurmon (Author) Commented:
Ok... I checked the encryption settings and aggressive/main mode and PFS.  All the options are identical, but still no luck.

I've got aggressive mode set on both sides, DES and MD% on both sides, and PFS is enabled on both sides.  What else can I check?
0
 
ddurmon (Author) Commented:
Grr...  MD% should read MD5.  (Got too happy with the shift key ;-)
0
 
Yury Merezhkov (Development Team Lead) Commented:
I had a similar problem. I couldn't connect my new FVS318 V3 (firmware 3_0_24) to FVS318 V2 (firmware 2.3). I found this link to be helpful:

http://kbserver.netgear.com/kb_web_files/n101479.asp

I don't know what my problem was, but I just followed the steps described in the article, and now it's all working fine.
0
 
Rob WilliamsCommented:
Thanks ddurmon.
Cheers !
--Rob
0
Question has a verified solution.