Solved

Need help setting up Netgear FVS318 VPN

Posted on 2006-11-19
3,487 Views
Last Modified: 2008-01-09
Ok... I'm completely confused.  I've followed Netgear's instructions to the letter.  I have both the Netgear FVS318 firewall and the Netgear VPN client.  No matter what I do, I cannot get it to connect.  I've rechecked the settings a dozen times and all I get is an "INVALID_ID_INFORMATION" error message.

Here are the logs from the firewall:

[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,KE,NONCE,ID
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
[2006-11-19 18:38:40]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-19 18:38:40]<POLICY: > PAYLOADS: NOTIFY

My Network Setup is as follows:

FVS318 <-> CABLE MODEM <-> INTERNET <-> CLIENT PC

Help me before I throw this thing off of a tall building!!!  :-)
0
Question by:ddurmon
10 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17976348
The Netgear client can be difficult, or at least frustrating, to set up if you are not familiar with it. The following sites may be of some help if you haven't seen them:

Netgear site outline:
http://kbserver.netgear.com/kb_web_files/n101436.asp

3rd party guide, specific to the FVS318:
http://www.vpncasestudy.com/casestudy/FVS318/v3/casestudy.html

Set of screen shots showing a typical client and router config I created for another Experts-Exchange question:
http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/
0
 

Author Comment

by:ddurmon
ID: 17981032
RobWill,

Thanks for the response.  I had previously tried the steps from the Netgear Knowledgebase with some confusion.  Apparently those instructions are for an older version of the firmware, as I couldn't follow them exactly because the menus didn't match.  I am running the latest version (v3_0_24 I think) of the firmware on the router.  I tried to downgrade to version 3_0_22, but the Netgear Knowledgebase instructions still didn't make sense.  I'll try the 2nd and 3rd links tonight and let you know the results.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17982241
Sounds good. Let us know how you make out. I know the Netgear instructions don't make a lot of sense, it's as if they only included 70% of the details.
--Rob
0
 

Author Comment

by:ddurmon
ID: 17984889
Ok... the last link (http://www3.ns.sympatico.ca/malagash/Downloads/Netgear%20Sample/) got me closer.  It is passing Phase 1 but dying on Phase 2.  Also, on the picture named "VPN Policy.jpg", the router forced me to put in the subnet address (which I used 255.255.255.0).

Here are the log files..

From the VPN Client:
11-20: 22:02:42.468
11-20: 22:02:42.468 My Connections\VPN - Initiating IKE Phase 1 (IP ADDR=X.X.X.X)
11-20: 22:02:42.578 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
11-20: 22:02:45.593 My Connections\VPN - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 3x)
11-20: 22:02:45.593 My Connections\VPN - Peer is NAT-T draft-01 capable
11-20: 22:02:45.593 My Connections\VPN - NAT is detected for Client
11-20: 22:02:45.750 My Connections\VPN - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
11-20: 22:02:45.750 My Connections\VPN - Established IKE SA
11-20: 22:02:45.750    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:45.750    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:45.937 My Connections\VPN - Initiating IKE Phase 2 with Client IDs (message id: 7AB39411)
11-20: 22:02:45.937   Initiator = IP ADDR=192.168.1.5, prot = 0 port = 0
11-20: 22:02:45.937   Responder = IP SUBNET/MASK=192.168.2.0/255.255.255.0, prot = 0 port = 0
11-20: 22:02:45.937 My Connections\VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
11-20: 22:02:46.000 My Connections\VPN - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
11-20: 22:02:46.000 My Connections\VPN - Discarding IPSec SA negotiation (message id: 7AB39411)
11-20: 22:02:46.000 My Connections\VPN - Discarding IKE SA negotiation
11-20: 22:02:46.000 My Connections\VPN - Deleting IKE SA (IP ADDR=X.X.X.X)
11-20: 22:02:46.000    MY COOKIE 68 60 3d 49 66 b6 47 a5
11-20: 22:02:46.000    HIS COOKIE 4 be 99 8f ec 34 98 32
11-20: 22:02:46.000 My Connections\VPN - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


From the router:
[2006-11-20 22:18:09][==== IKE PHASE 1(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-11-20 22:18:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NATD,NATD,NOTIFY
[2006-11-20 22:18:12]**** AGGR MODE COMPLETED ****
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-11-20 22:18:12]**** FOUND IDs,EXTRACT ID INFO ****
[2006-11-20 22:18:12]<Initiator IPADDR=192.168.1.5>
[2006-11-20 22:18:12]<Responder IPADDR=192.168.2.0 MASK=255.255.255.0>
[2006-11-20 22:18:12]No matching set of attributes found for the matching proposal
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2006-11-20 22:18:12]<POLICY: DDURMON> PAYLOADS: HASH,NOTIFY
[2006-11-20 22:18:12]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

Notes:
1) My network changed a little bit.  It looks like this:
192.168.2.0/255.25.255.0 NET <-> FVS318 <-> CABLE MODEM <-> INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)

I am sitting at a friend's house at the moment.  I don't think the network configuration has any effect on the connection because I can get to my firewall (but I could be wrong).  The 192.168.1.0 network is at my friend's house.  The 192.168.2.0 network is at my house.  The Y.Y.Y.Y is his IP address.  The X.X.X.X is the IP address of my cable modem.  My local IP on his network is 192.168.1.5.  Oh... and my firmware version is the latest version - v3.0_24
0
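The two router logs above fail at different points: the first is rejected during phase 1 with INVALID_ID_INFORMATION, the second completes phase 1 and is rejected in phase 2 with NO_PROPOSAL_CHOSEN. The following Python script is an added example (not from the original thread or from Netgear) that walks FVS318-style log lines, tracks which IKE phase is active, and pairs each NOTIFY with the setting a defender would check first; the hint table and the condensed sample log are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a condensed copy of the router log lines quoted above.
SAMPLE_LOG = """\
[2006-11-19 18:38:40][==== IKE PHASE 1(from X.X.X.X) START (responder) ====]
[2006-11-19 18:38:40]SENDING NOTIFY MSG:
[2006-11-19 18:38:40]INVALID_ID_INFORMATION
[2006-11-20 22:18:12][==== IKE PHASE 1 ESTABLISHED====]
[2006-11-20 22:18:12][==== IKE PHASE 2(from Y.Y.Y.Y) START (responder) ====]
[2006-11-20 22:18:12]ERROR# NO MATCHING IPSEC PROPOSAL
[2006-11-20 22:18:12]SENDING NOTIFY MSG:
[2006-11-20 22:18:12]NO_PROPOSAL_CHOSEN
"""

# Hypothetical (phase, notify) -> first thing to compare on both peers.
HINTS = {
    (1, "INVALID_ID_INFORMATION"): "Phase 1 identity mismatch: compare local/remote identifier type and value",
    (1, "NO_PROPOSAL_CHOSEN"): "Phase 1 proposal mismatch: compare encryption, hash, DH group, aggressive/main mode",
    (2, "NO_PROPOSAL_CHOSEN"): "Phase 2 proposal mismatch: compare ESP transform, PFS setting and subnet masks",
}

TS_RE = re.compile(r"^\[([^\]]+)\](.*)$")           # [timestamp]rest-of-line
PHASE_RE = re.compile(r"\[==== IKE PHASE (\d)\(from ([\w.]+)\) START")

def triage(log: str) -> List[Tuple[str, int, str, str]]:
    """Return (peer, phase, notify, hint) for every NOTIFY the responder sent."""
    findings = []
    phase, peer, expect_notify = 0, "?", False
    for raw in log.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        body = m.group(2).strip()
        pm = PHASE_RE.search(body)
        if pm:                                       # new phase started: remember it
            phase, peer = int(pm.group(1)), pm.group(2)
            continue
        if body == "SENDING NOTIFY MSG:":            # the notify name is on the next line
            expect_notify = True
            continue
        if expect_notify:
            expect_notify = False
            if body.isupper() and "_" in body:
                hint = HINTS.get((phase, body), "Unclassified notify; compare both peers' settings")
                findings.append((peer, phase, body, hint))
    return findings

if __name__ == "__main__":
    for peer, phase, notify, hint in triage(SAMPLE_LOG):
        print(f"{peer} phase {phase}: {notify} -> {hint}")
```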
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17985019
>>"the router forced me to put in the subnet address (which I used 255.255.255.0)"
If that is in the traffic locater/local or remote IP that is fine.

What is the "firewall" behind the FIOS router? VPNs don't like multiple NAT devices, as a rule.
Have you enabled IPSec pass-through on the FIOS router? May help.

Actually it looks like a mismatch in encryption protocol configuration. Verify encryption; DES, 3DES, SHA-1, MD5 as well as options like aggressive/main mode and PFS (Perfect Forward Secrecy) are the same at both ends.
0
 

Author Comment

by:ddurmon
ID: 18005588
Ok... I checked the encryption settings and aggressive/main mode and PFS.  All the options are identical, but still no luck.

I've got aggressive mode set on both sides, DES and MD% on both sides, and PFS is enabled on both sides.  What else can I check?
0
 

Author Comment

by:ddurmon
ID: 18005592
Grr...  MD% should read MD5.  (Got too happy with the shift key ;-)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 18007924
Above you show: "INTERNET <-> FIOS ROUTER <-> FIREWALL <->192.168.1.0/255.255.255.0 NET (CLIENT PC IS HERE)"
VPNs do not like to traverse multiple NAT (Network Address Translation) devices at a given site. A router is a NAT device as it translates your public IP to a private one. What is the "FIREWALL" above? If it is a NAT device it can block the security policy either through NAT or firewall rules.

I see no evidence of it, but make sure with the subnets/IPs you have chosen that you use a subnet mask of 255.255.255.0, not 255.255.0.0
0
 
LVL 7

Expert Comment

by:Yury Merezhkov
ID: 18199362
I had a similar problem. I couldn't connect my new FVS318 V3 (firmware 3_0_24) to FVS318 V2 (firmware 2.3). I found this link to be helpful:

http://kbserver.netgear.com/kb_web_files/n101479.asp

I don't know what my problem was, but I just followed the steps described in the article, and now it's all working fine.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 19718106
Thanks ddurmon.
Cheers !
--Rob
0
