Solved

Need help setting up Netgear FVS318 VPN

Posted on 2006-11-19
3,511 Views
Last Modified: 2008-01-09
Ok... I'm completely confused. I've followed Netgear's instructions to the letter. I have both the Netgear FVS318 firewall and the Netgear VPN client. No matter what I do, I cannot get it to connect. I've rechecked the settings a dozen times and all I get is an "INVALID_ID_INFORMATION" error message.

Here are the logs from the firewall:

[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
[2006-11-19 18:38:40]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: NOTIFY

My Network Setup is as follows:

FVS318 <-> CABLE MODEM <-> INTERNET <-> CLIENT PC

Help me before I throw this thing off of a tall building!!!  :-)
Question by:ddurmon
10 Comments
Expert Comment

by:Rob Williams
ID: 17976348
The Netgear client can be difficult, or at least frustrating, to set up if you are not familiar with it. The following sites may be of some help if you haven't seen them:

Netgear site outline:
http://kbserver.netgear.com/kb_web_files/n101436.asp

3rd party guide, specific to the FVS318:
http://www.vpncasestudy.com/casestudy/FVS318/v3/casestudy.html

Set of screen shots showing a typical client and router config I created for another Experts-Exchange question:
http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/

Author Comment

by:ddurmon
ID: 17981032
RobWill,

Thanks for the response. I had previously tried the steps from the Netgear Knowledgebase with some confusion. Apparently those instructions are for an older version of the firmware, as I couldn't follow them exactly because the menus didn't match. I am running the latest version (v3_0_24 I think) of the firmware on the router. I tried to downgrade to version 3_0_22, but the Netgear Knowledgebase instructions still didn't make sense. I'll try the second and third links tonight and let you know the results.
Expert Comment

by:Rob Williams
ID: 17982241
Sounds good. Let us know how you make out. I know the Netgear instructions don't make a lot of sense, it's as if they only included 70% of the details.
--Rob

Author Comment

by:ddurmon
ID: 17984889
Ok... the last link (http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/) got me closer. It is passing Phase 1 but dying on Phase 2. Also, on the picture named "VPN Policy.jpg", the router forced me to put in the subnet address (for which I used 255.255.255.0).

Here are the log files..

From the VPN Client:
11-20: 22:02:42.468
11-20: 22:02:42.468 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:42.578 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
11-20: 22:02:45.593 My Connections\VPN - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 3x)
11-20: 22:02:45.593 My Connections\VPN - Peer is NAT-T draft-01 capable
11-20: 22:02:45.593 My Connections\VPN - NAT is detected for Client
11-20: 22:02:45.750 My Connections\VPN - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
11-20: 22:02:45.750 My Connections\VPN - Established IKE SA
11-20: 22:02:45.750    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:45.750    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:45.937 My Connections\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:45.937   Initiator = IP ADDR=192.168.1.5, prot = 0 port = 0
11-20: 22:02:45.937   Responder = IP SUBNET/MASK=192.168.2.0/255.255.255.0, prot = 0 port = 0
11-20: 22:02:45.937 My Connections\VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
11-20: 22:02:46.000 My Connections\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
11-20: 22:02:46.000 My Connections\VPN - Discarding IPSec SA negotiation (message id: 7AB39411)
11-20: 22:02:46.000 My Connections\VPN - Discarding IKE SA negotiation
11-20: 22:02:46.000 My Connections\VPN - Deleting IKE SA (IP ADDR=X.X.X.X)
11-20: 22:02:46.000    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:46.000    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:46.000 My Connections\VPN - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


From the router:
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-11-20 22:18:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NATD,NATD,NOTIFY
[2006-11-20 22:18:12]**** AGGR MODE COMPLETED ****
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-11-20 22:18:12]**** FOUND IDs,EXTRACT ID INFO ****
[2006-11-20 22:18:12]<Initiator IPADDR=192.168.1.5>
[2006-11-20 22:18:12]<Responder IPADDR=192.168.2.0 MASK=255.255.255.0>
[2006-11-20 22:18:12]No matching set of attributes found for the matching proposal
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

Notes:
1) My network changed a little bit.  It looks like this:
192.168.2.0/255.255.255.0 NET <-> FVS318 <-> CABLE MODEM <-> INTERNET <-> FIOS ROUTER <-> FIREWALL <-> 192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)

I am sitting at a friend's house at the moment. I don't think the network configuration has any effect on the connection because I can get to my firewall (but I could be wrong). The 192.168.1.0 network is at my friend's house. The 192.168.2.0 network is at my house. The Y.Y.Y.Y is his IP address. The X.X.X.X is the IP address of my cable modem. My local IP on his network is 192.168.1.5. Oh... and my firmware version is the latest version, v3.0_24.
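Added example, not part of the original thread: a small triage script that reads the two log formats shown above (the FVS318 router log and the Netgear client log) and reports which IKEv1 phase failed, which NOTIFY the responder sent, and whether the router ever selected a policy (the empty "<POLICY: >" in the first log versus "<POLICY: DDURMON>" in the second). The hints it attaches to each notify are general IKEv1 troubleshooting heuristics I've assumed, not a statement of what was wrong with this particular router; the sample logs are trimmed copies of the lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Samples trimmed from the logs posted in this thread (constructed test input).
ROUTER_LOG_PHASE1_FAIL = """\
[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
"""

ROUTER_LOG_PHASE2_FAIL = """\
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
"""

CLIENT_LOG = """\
11-20: 22:02:42.468 My Connections\\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:45.593 My Connections\\VPN - NAT is detected for Client
11-20: 22:02:45.750 My Connections\\VPN - Established IKE SA
11-20: 22:02:45.937 My Connections\\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:46.000 My Connections\\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
"""

# Assumed first things to check per IKEv1 notify. General heuristics, not a
# diagnosis of this specific FVS318 setup.
NOTIFY_HINTS = {
    "INVALID_ID_INFORMATION": (
        "identity/selector mismatch: in Phase 1 the peer's ID payload (type and value) "
        "matched no policy; in Phase 2 the local/remote traffic selectors do not mirror"),
    "NO_PROPOSAL_CHOSEN": (
        "proposal mismatch at the phase where it was sent: compare encryption, "
        "hash/integrity, PFS on/off and its DH group, ESP vs AH, tunnel vs transport"),
}

PHASE_RE = re.compile(r"IKE PHASE (\d)", re.IGNORECASE)          # both log formats
ESTABLISHED_RE = re.compile(r"PHASE 1 ESTABLISHED|Established IKE SA")
POLICY_RE = re.compile(r"<POLICY: ([^>]*)>")                      # FVS318 only
NOTIFY_RE = re.compile(r"\b(" + "|".join(NOTIFY_HINTS) + r")\b")


@dataclass
class Triage:
    phase1_established: bool = False
    phase2_started: bool = False
    policies_matched: Set[str] = field(default_factory=set)
    notifies: List[Tuple[int, str]] = field(default_factory=list)  # (phase, notify)

    @property
    def failed_phase(self) -> Optional[int]:
        return self.notifies[0][0] if self.notifies else None

    def diagnosis(self) -> str:
        if not self.notifies:
            return "no failure notify seen (phase 1 established: %s, phase 2 started: %s)" % (
                self.phase1_established, self.phase2_started)
        phase, notify = self.notifies[0]
        text = f"Phase {phase} failed with {notify}: {NOTIFY_HINTS[notify]}"
        if phase == 1 and not self.policies_matched:
            text += " (responder logged an empty <POLICY: >, i.e. it selected no policy for this peer)"
        if phase == 2 and self.phase1_established:
            text = "Phase 1 completed, so the IKE proposal and pre-shared key are agreed; " + text
        return text


def triage(log_text: str) -> Triage:
    """Walk the log once, tracking the current phase so each notify is attributed to it."""
    result = Triage()
    phase = 0
    for line in log_text.splitlines():
        m = PHASE_RE.search(line)
        if m:
            phase = int(m.group(1))
            if phase == 2:
                result.phase2_started = True
        if ESTABLISHED_RE.search(line):
            result.phase1_established = True
        m = POLICY_RE.search(line)
        if m and m.group(1).strip():
            result.policies_matched.add(m.group(1).strip())
        m = NOTIFY_RE.search(line)
        if m:
            result.notifies.append((phase, m.group(1)))
    return result


if __name__ == "__main__":
    for name, log in [("router, first attempt", ROUTER_LOG_PHASE1_FAIL),
                      ("router, second attempt", ROUTER_LOG_PHASE2_FAIL),
                      ("client", CLIENT_LOG)]:
        print(f"{name}: {triage(log).diagnosis()}")
```

Running it on the three samples attributes the first router log to Phase 1 (no policy selected), and both the second router log and the client log to Phase 2 with NO_PROPOSAL_CHOSEN after a completed Phase 1, which is the point at which checking the IPsec (Phase 2) attributes rather than the IKE settings pays off.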
Expert Comment

by:Rob Williams
ID: 17985019
>>"the router forced me to put in the subnet address (which I used 255.255.255.0)"
If that is in the traffic locator/local or remote IP, that is fine.

What is the "firewall" behind the FIOS router? VPNs don't like multiple NAT devices, as a rule.
Have you enabled IPSec pass-through on the FIOS router? May help.

Actually, it looks like a mismatch in encryption protocol configuration. Verify encryption (DES, 3DES, SHA-1, MD5) as well as options like aggressive/main mode and PFS (Perfect Forward Secrecy) are the same at both ends.
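Added example, not part of the original thread: a responder-side model of the IKEv1 Quick Mode decision that produces the two notifies seen in this thread. It mirrors the check order an FVS318-style responder applies: first the Phase 2 IDs (the local/remote address or subnet on each side, which must be exact mirror images in IKEv1, there is no IKEv2-style narrowing), then the proposal attributes. The sample values are hypothetical: DES/MD5 with PFS on both ends, as the poster describes, but with different PFS Diffie-Hellman groups assumed on the two sides to show how "everything matches" in the GUI can still produce NO_PROPOSAL_CHOSEN. It is not a claim about what was actually misconfigured here.

```python
import ipaddress
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Phase2Proposal:
    """One IPsec (Quick Mode) proposal as an administrator configures it."""
    protocol: str              # "ESP" or "AH"
    encryption: str            # "DES", "3DES", ...
    integrity: str             # "MD5", "SHA-1"
    pfs_group: Optional[int]   # Diffie-Hellman group when PFS is on, None when PFS is off
    mode: str = "tunnel"       # "tunnel" or "transport"


@dataclass(frozen=True)
class Selector:
    """Phase 2 traffic selector (the Quick Mode IDs) as seen from one side."""
    local: str    # address (/32) or subnet in CIDR form
    remote: str


def selectors_mirror(initiator: Selector, responder: Selector) -> bool:
    """IKEv1 has no narrowing: initiator local must equal responder remote and vice versa."""
    net = ipaddress.ip_network
    return (net(initiator.local) == net(responder.remote)
            and net(initiator.remote) == net(responder.local))


def attribute_diffs(proposal: Phase2Proposal, policy: Phase2Proposal) -> List[str]:
    """Name every attribute on which the offered proposal and the local policy disagree."""
    return [
        f"{f.name}: initiator {getattr(proposal, f.name)!r} vs responder {getattr(policy, f.name)!r}"
        for f in fields(Phase2Proposal)
        if getattr(proposal, f.name) != getattr(policy, f.name)
    ]


def quick_mode(initiator_sel: Selector, initiator_proposals: List[Phase2Proposal],
               responder_sel: Selector, responder_policies: List[Phase2Proposal]
               ) -> Tuple[str, Union[Phase2Proposal, List[str]]]:
    """Responder's answer to the first Quick Mode message.

    Returns ("OK", chosen_proposal), or (notify_name, reasons) where notify_name is
    the IKEv1 notify the responder would send back in an informational exchange.
    """
    # IDs are checked first: a selector mismatch is reported as INVALID_ID_INFORMATION
    # before any proposal attribute is compared.
    if not selectors_mirror(initiator_sel, responder_sel):
        return "INVALID_ID_INFORMATION", [
            f"initiator IDs {initiator_sel.local} -> {initiator_sel.remote} do not mirror "
            f"responder policy {responder_sel.local} -> {responder_sel.remote}"]
    reasons: List[str] = []
    for proposal in initiator_proposals:
        for policy in responder_policies:
            diffs = attribute_diffs(proposal, policy)
            if not diffs:
                return "OK", proposal
            reasons.append("; ".join(diffs))
    return "NO_PROPOSAL_CHOSEN", reasons


# Hypothetical configuration (constructed, not taken from the thread's settings).
# Selectors mirror the IDs in the posted logs: client host 192.168.1.5, LAN 192.168.2.0/24.
CLIENT_SEL = Selector(local="192.168.1.5/32", remote="192.168.2.0/24")
ROUTER_SEL = Selector(local="192.168.2.0/24", remote="192.168.1.5/32")
CLIENT_PROPOSAL = Phase2Proposal("ESP", "DES", "MD5", pfs_group=2)
ROUTER_POLICY_G1 = Phase2Proposal("ESP", "DES", "MD5", pfs_group=1)   # same cipher/hash, other DH group
ROUTER_POLICY_G2 = Phase2Proposal("ESP", "DES", "MD5", pfs_group=2)

if __name__ == "__main__":
    print(quick_mode(CLIENT_SEL, [CLIENT_PROPOSAL], ROUTER_SEL, [ROUTER_POLICY_G1]))
    print(quick_mode(CLIENT_SEL, [CLIENT_PROPOSAL], ROUTER_SEL, [ROUTER_POLICY_G1, ROUTER_POLICY_G2]))
    print(quick_mode(CLIENT_SEL, [CLIENT_PROPOSAL],
                     Selector(local="192.168.2.0/24", remote="192.168.1.0/24"), [ROUTER_POLICY_G2]))
```

The third call shows the selector case: if the router's remote endpoint were the friend's whole 192.168.1.0/24 rather than the single client host 192.168.1.5, the IDs would not mirror and the responder would answer with INVALID_ID_INFORMATION in Phase 2 even with a perfect proposal match. The returned reason strings are what you would compare against the GUI on both ends, one attribute at a time.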

Author Comment

by:ddurmon
ID: 18005588
Ok... I checked the encryption settings, aggressive/main mode and PFS. All the options are identical, but still no luck.

I've got aggressive mode set on both sides, DES and MD% on both sides, and PFS is enabled on both sides.  What else can I check?

Author Comment

by:ddurmon
ID: 18005592
Grr...  MD% should read MD5.  (Got too happy with the shift key ;-)
Accepted Solution

by:Rob Williams (earned 2000 total points)
ID: 18007924
Above you show: "INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)"
VPNs do not like to traverse multiple NAT (Network Address Translation) devices at a given site. A router is a NAT device, as it translates your public IP to a private one. What is the "FIREWALL" above? If it is a NAT device it can block the security policy either through NAT or firewall rules.

I see no evidence of it, but make sure that with the subnets/IPs you have chosen you use a subnet mask of 255.255.255.0, not 255.255.0.0.
Expert Comment

by:Yury Merezhkov
ID: 18199362
I had a similar problem. I couldn't connect my new FVS318 V3 (firmware 3_0_24) to FVS318 V2 (firmware 2.3). I found this link to be helpful:

http://kbserver.netgear.com/kb_web_files/n101479.asp

I don't know what my problem was, but I just followed the steps described in the article, and now it's all working fine.
Expert Comment

by:Rob Williams
ID: 19718106
Thanks ddurmon.
Cheers !
--Rob
Question has a verified solution.