Solved

Need help setting up Netgear FVS318 VPN

Posted on 2006-11-19
3,361 Views
Last Modified: 2008-01-09
Ok... I'm completely confused.  I've followed Netgear's instructions to the letter.  I have both the Netgear FVS318 firewall and the Netgear VPN client.  No matter what I do, I cannot get it to connect.  I've rechecked the settings a dozen times and all I get is an "INVALID_ID_INFORMATION" error message.

Here are the logs from the firewall:

[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
[2006-11-19 18:38:40]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: NOTIFY

My Network Setup is as follows:

FVS318 <-> CABLE MODEM <-> INTERNET <-> CLIENT PC

Help me before I throw this thing off of a tall building!!!  :-)
0
Question by:ddurmon
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
The Netgear client can be difficult, or at least frustrating, to set up if you are not familiar with it. The following sites may be of some help if you haven't seen them:

Netgear site outline:
http://kbserver.netgear.com/kb_web_files/n101436.asp

3rd party guide, specific to the FVS318:
http://www.vpncasestudy.com/casestudy/FVS318/v3/casestudy.html

Set of screen shots showing a typical client and router config I created for another Experts-Exchange question:
http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/
0
 

Author Comment

by:ddurmon
RobWill,

Thanks for the response.  I had previously tried the steps from the Netgear Knowledgebase with some confusion.  Apparently those instructions are for an older version of the firmware, as I couldn't follow them exactly because the menus didn't match.  I am running the latest version (v3_0_24 I think) of the firmware on the router.  I tried to downgrade to version 3_0_22, but the Netgear Knowledgebase instructions still didn't make sense.  I'll try the second and third links tonight and let you know the results.
0
 
LVL 77

Expert Comment

by:Rob Williams
Sounds good. Let us know how you make out. I know the Netgear instructions don't make a lot of sense; it's as if they only included 70% of the details.
--Rob
0
 

Author Comment

by:ddurmon
Ok... the last link (http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/) got me closer.  It is passing Phase 1 but dying on Phase 2.  Also, on the picture named "VPN Policy.jpg", the router forced me to put in the subnet address (for which I used 255.255.255.0).

Here are the log files..

From the VPN Client:
11-20: 22:02:42.468
11-20: 22:02:42.468 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:42.578 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
11-20: 22:02:45.593 My Connections\VPN - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 3x)
11-20: 22:02:45.593 My Connections\VPN - Peer is NAT-T draft-01 capable
11-20: 22:02:45.593 My Connections\VPN - NAT is detected for Client
11-20: 22:02:45.750 My Connections\VPN - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
11-20: 22:02:45.750 My Connections\VPN - Established IKE SA
11-20: 22:02:45.750    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:45.750    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:45.937 My Connections\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:45.937   Initiator = IP ADDR=192.168.1.5, prot = 0 port = 0
11-20: 22:02:45.937   Responder = IP SUBNET/MASK=192.168.2.0/255.255.255.0, prot = 0 port = 0
11-20: 22:02:45.937 My Connections\VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
11-20: 22:02:46.000 My Connections\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
11-20: 22:02:46.000 My Connections\VPN - Discarding IPSec SA negotiation (message id: 7AB39411)
11-20: 22:02:46.000 My Connections\VPN - Discarding IKE SA negotiation
11-20: 22:02:46.000 My Connections\VPN - Deleting IKE SA (IP ADDR=X.X.X.X)
11-20: 22:02:46.000    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:46.000    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:46.000 My Connections\VPN - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


From the router:
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-11-20 22:18:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NATD,NATD,NOTIFY
[2006-11-20 22:18:12]**** AGGR MODE COMPLETED ****
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-11-20 22:18:12]**** FOUND IDs,EXTRACT ID INFO ****
[2006-11-20 22:18:12]<Initiator IPADDR=192.168.1.5>
[2006-11-20 22:18:12]<Responder IPADDR=192.168.2.0 MASK=255.255.255.0>
[2006-11-20 22:18:12]No matching set of attributes found for the matching proposal
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

Notes:
1) My network changed a little bit.  It looks like this:
192.168.2.0/255.25.255.0 NET <-> FVS318 <-> CABLE MODEM <-> INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)

I am sitting at a friend's house at the moment.  I don't think the network configuration has any effect on the connection because I can get to my firewall (but I could be wrong).  The 192.168.1.0 network is at my friend's house.  The 192.168.2.0 network is at my house.  The Y.Y.Y.Y is his IP address.  The X.X.X.X is the IP address of my cable modem.  My local IP on his network is 192.168.1.5.  Oh... and my firmware version is the latest version - v3.0_24
0
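The two router excerpts in this thread show the same tunnel failing at different points: the first attempt is rejected in phase 1 with INVALID_ID_INFORMATION, the second completes aggressive mode and dies in quick mode with NO_PROPOSAL_CHOSEN. The Python script below is an added example (not code from this thread, from Netgear, or from the VPN client) that parses either side's log format, reports the phase reached and the NOTIFY that ended the attempt, and extracts the quick-mode traffic selectors. The hint text per NOTIFY is this example's own summary of common IKEv1 causes, not vendor documentation, and the embedded sample lines are abbreviated copies of the logs posted above.

```python
"""IKEv1 log triage for a Netgear FVS318 and the Netgear ProSafe VPN client.

Added example, not code from the thread or from Netgear.  Parses the
router's "[timestamp]message" lines or the client's "MM-DD: HH:MM:SS.mmm msg"
lines, records how far the negotiation got, which NOTIFY ended it and the
quick-mode selectors, and maps the NOTIFY to the settings worth comparing.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

ROUTER_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\](?P<msg>.*)$")
CLIENT_LINE = re.compile(r"^(?P<ts>\d\d-\d\d: \d\d:\d\d:\d\d\.\d+)\s*(?P<msg>.*)$")
RECEIVED_NOTIFY = re.compile(r"NOTIFY:(?P<name>[A-Z_]+)")
ROUTER_SELECTOR = re.compile(
    r"<(?P<role>Initiator|Responder) IPADDR=(?P<ip>[\d.]+)(?: MASK=(?P<mask>[\d.]+))?>")
CLIENT_SELECTOR = re.compile(
    r"(?P<role>Initiator|Responder) = IP "
    r"(?:ADDR=(?P<ip>[\d.]+)|SUBNET/MASK=(?P<net>[\d.]+)/(?P<mask>[\d.]+))")

# This example's own summary of common IKEv1 causes, not vendor text.
NOTIFY_HINTS = {
    "INVALID_ID_INFORMATION": "phase 1 rejected the peer identity: compare the "
        "local/remote identifier type and value (and the pre-shared key) on both ends",
    "NO_PROPOSAL_CHOSEN": "phase 2 found no acceptable proposal: compare ESP "
        "encryption (DES/3DES), ESP authentication (MD5/SHA-1), PFS and its DH "
        "group, and the local/remote subnet and mask on both ends",
}


@dataclass
class Triage:
    source: str                        # "router" or "client"
    phase_reached: int = 0             # 1 or 2 once a phase start was seen
    phase1_established: bool = False
    notify: Optional[str] = None       # NOTIFY that ended the negotiation
    selectors: Dict[str, str] = field(default_factory=dict)  # role -> host or net/mask

    @property
    def hint(self) -> str:
        if self.notify is None:
            return "no NOTIFY seen; check that UDP 500/4500 reach the gateway"
        return NOTIFY_HINTS.get(self.notify, f"unrecognised NOTIFY {self.notify}")


def triage(log_text: str) -> Triage:
    """Classify one negotiation attempt from either side's log."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    source = "router" if lines and ROUTER_LINE.match(lines[0]) else "client"
    pattern = ROUTER_LINE if source == "router" else CLIENT_LINE
    result = Triage(source=source)
    next_line_is_notify = False
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if next_line_is_notify:
            # The FVS318 prints the NOTIFY name on the line after "SENDING NOTIFY MSG:"
            result.notify = msg
            next_line_is_notify = False
            continue
        if ("PHASE 1" in msg and "START" in msg) or "Initiating IKE Phase 1" in msg:
            result.phase_reached = max(result.phase_reached, 1)
        elif "PHASE 1 ESTABLISHED" in msg or "Established IKE SA" in msg:
            result.phase1_established = True
        elif ("PHASE 2" in msg and "START" in msg) or "Initiating IKE Phase 2" in msg:
            result.phase_reached = max(result.phase_reached, 2)
        elif msg.startswith("SENDING NOTIFY MSG"):
            next_line_is_notify = True
        elif "RECEIVED" in msg:
            nm = RECEIVED_NOTIFY.search(msg)   # client side: the NOTIFY arrives inline
            if nm and not nm.group("name").startswith("STATUS_"):
                result.notify = nm.group("name")
        sel = ROUTER_SELECTOR.search(msg) or CLIENT_SELECTOR.search(msg)
        if sel:
            g = sel.groupdict()
            addr = g.get("ip") or g.get("net")
            result.selectors[g["role"]] = f"{addr}/{g['mask']}" if g.get("mask") else addr
    return result


# Sample input: abbreviated lines copied from the thread's own logs.
ROUTER_FIRST_ATTEMPT = """\
[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
"""
ROUTER_SECOND_ATTEMPT = """\
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]<Initiator IPADDR=192.168.1.5>
[2006-11-20 22:18:12]<Responder IPADDR=192.168.2.0 MASK=255.255.255.0>
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
"""
CLIENT_SECOND_ATTEMPT = """\
11-20: 22:02:42.468 My Connections\\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:45.750 My Connections\\VPN - Established IKE SA
11-20: 22:02:45.937 My Connections\\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:45.937   Initiator = IP ADDR=192.168.1.5, prot = 0 port = 0
11-20: 22:02:45.937   Responder = IP SUBNET/MASK=192.168.2.0/255.255.255.0, prot = 0 port = 0
11-20: 22:02:46.000 My Connections\\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
"""

if __name__ == "__main__":
    for name, log in [("router #1", ROUTER_FIRST_ATTEMPT), ("router #2", ROUTER_SECOND_ATTEMPT),
                      ("client #2", CLIENT_SECOND_ATTEMPT)]:
        t = triage(log)
        print(f"{name}: phase {t.phase_reached}, phase1_up={t.phase1_established}, "
              f"notify={t.notify}, selectors={t.selectors}\n  -> {t.hint}")
```

Running it against the three excerpts shows the progression the thread describes: the first attempt never gets past phase 1, while both sides of the second attempt agree that phase 1 is up and that quick mode was refused with identical selectors (192.168.1.5 and 192.168.2.0/255.255.255.0), which is why the search then moves to the ESP transform, PFS and NAT path rather than the identifiers.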
 
LVL 77

Expert Comment

by:Rob Williams
>>"the router forced me to put in the subnet address (which I used 255.255.255.0)"
If that is in the traffic locator/local or remote IP, that is fine.

What is the "firewall" behind the FIOS router? VPNs don't like multiple NAT devices, as a rule.
Have you enabled IPSec pass-through on the FIOS router? It may help.

Actually, it looks like a mismatch in encryption protocol configuration. Verify that encryption (DES, 3DES, SHA-1, MD5) as well as options like aggressive/main mode and PFS (Perfect Forward Secrecy) are the same at both ends.
0
 

Author Comment

by:ddurmon
Ok... I checked the encryption settings, aggressive/main mode and PFS.  All the options are identical, but still no luck.

I've got aggressive mode set on both sides, DES and MD% on both sides, and PFS is enabled on both sides.  What else can I check?
0
 

Author Comment

by:ddurmon
Grr...  MD% should read MD5.  (Got too happy with the shift key ;-)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Above you show: "INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)"
VPNs do not like to traverse multiple NAT (Network Address Translation) devices at a given site. A router is a NAT device, as it translates your public IP to a private one. What is the "FIREWALL" above? If it is a NAT device, it can block the security policy either through NAT or firewall rules.

I see no evidence of it, but make sure that with the subnets/IPs you have chosen you use a subnet mask of 255.255.255.0, not 255.255.0.0.
0
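To make the "verify everything matches at both ends" advice mechanical, here is an added example in Python (not the thread's or Netgear's code). It models each peer's settings as a dict with this example's own key names (exchange mode, IKE and ESP algorithms, DH group, PFS, identifiers, traffic selectors, and a NAT hop count; the identifier values and DH groups are constructed, not taken from the thread), reports settings that must be identical but differ, reports selectors and identifiers that must mirror the other side but do not (a 255.255.0.0 mask on one side is caught this way, because the normalised networks no longer agree), and warns about the double-NAT situation discussed above.

```python
"""Side-by-side IPsec policy check for a VPN client and a gateway.

Added example, not the thread's or Netgear's code.  The dict keys are this
example's own names, not FVS318 menu labels; the sample values are
constructed to mirror the thread (DES/MD5, aggressive mode, PFS on, client
host 192.168.1.5 behind two NATs, gateway LAN 192.168.2.0).
"""
import ipaddress
from typing import Dict, List, Optional

# Settings that must be identical on both peers.
SHARED_KEYS = ["exchange_mode", "ike_encryption", "ike_hash", "ike_dh_group",
               "esp_encryption", "esp_auth", "pfs", "pfs_dh_group"]

# client key -> gateway key that must hold the same value, seen from the other side
MIRRORED_KEYS = {"local_id": "remote_id", "remote_id": "local_id",
                 "local_network": "remote_network", "remote_network": "local_network"}


def normalize_network(spec: Optional[str]) -> Optional[str]:
    """'192.168.2.0/255.255.255.0' -> '192.168.2.0/24'; a bare host -> '/32'."""
    if spec is None:
        return None
    return str(ipaddress.ip_network(spec, strict=False))


def compare_policies(client: Dict, gateway: Dict) -> List[str]:
    """Return one human-readable line per mismatch; empty list means the policies agree."""
    problems = []
    for key in SHARED_KEYS:
        if client.get(key) != gateway.get(key):
            problems.append(f"{key}: client={client.get(key)!r}, gateway={gateway.get(key)!r}")
    for ckey, gkey in MIRRORED_KEYS.items():
        cval, gval = client.get(ckey), gateway.get(gkey)
        if ckey.endswith("_network"):
            cval, gval = normalize_network(cval), normalize_network(gval)
        if cval != gval:
            problems.append(f"client {ckey}={cval!r} does not mirror gateway {gkey}={gval!r}")
    return problems


def environment_warnings(client: Dict) -> List[str]:
    """Non-policy conditions that commonly break IPsec even when the policies match."""
    warnings = []
    if client.get("nat_hops", 0) > 1:
        warnings.append(f"client sits behind {client['nat_hops']} NAT devices; "
                        "IPsec often fails across multiple NATs, check pass-through on each")
    return warnings


# Constructed sample policies (identifiers and DH groups are assumptions).
CLIENT_POLICY = {
    "exchange_mode": "aggressive", "ike_encryption": "DES", "ike_hash": "MD5", "ike_dh_group": 2,
    "esp_encryption": "DES", "esp_auth": "MD5", "pfs": True, "pfs_dh_group": 2,
    "local_id": "client.example", "remote_id": "fvs318.example",
    "local_network": "192.168.1.5", "remote_network": "192.168.2.0/255.255.255.0",
    "nat_hops": 2,   # FIOS router plus a second NAT firewall in front of the client
}
GATEWAY_POLICY = {
    "exchange_mode": "aggressive", "ike_encryption": "DES", "ike_hash": "MD5", "ike_dh_group": 2,
    "esp_encryption": "DES", "esp_auth": "SHA-1",          # differs from the client
    "pfs": True, "pfs_dh_group": 2,
    "local_id": "fvs318.example", "remote_id": "client.example",
    "local_network": "192.168.2.0/255.255.0.0",           # wrong mask, as warned above
    "remote_network": "192.168.1.5",
}

if __name__ == "__main__":
    for line in compare_policies(CLIENT_POLICY, GATEWAY_POLICY) + environment_warnings(CLIENT_POLICY):
        print("-", line)
```

With the constructed input the check reports exactly two policy mismatches (the ESP authentication algorithm and the gateway's local network, which normalises to 192.168.0.0/16 instead of 192.168.2.0/24) plus the double-NAT warning; correcting the two gateway values makes `compare_policies` return an empty list. Comparing normalised networks rather than raw strings is what lets the check catch the mask problem even when the address part is typed identically on both sides.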
 
LVL 7

Expert Comment

by:RealSnaD
I had a similar problem. I couldn't connect my new FVS318 V3 (firmware 3_0_24) to FVS318 V2 (firmware 2.3). I found this link to be helpful:

http://kbserver.netgear.com/kb_web_files/n101479.asp

I don't know what my problem was, but I just followed the steps described in the article, and now it's all working fine.
0
 
LVL 77

Expert Comment

by:Rob Williams
Thanks ddurmon.
Cheers !
--Rob
0
