Solved

Set up Netgear FVS318v3 VPN Client Connection to Netgear Prosafe VPN Client

Posted on 2009-04-07
Last Modified: 2012-05-06
I have used every single bit of information on the web to try and make this seemingly simple connection, but between conflicting information and not actually explaining a lot of the settings, I have been unable to successfully create a VPN connection.

Some details.  My VPN router is the FVS318v3.  Its IP address is 192.168.15.1.  It automatically assigns all computers on the network an IP address.  The WAN IP of the router isn't static, as a cable modem is connected to it.  We use creativethermalsolutions.dyndns.org as our dynamic DNS name.  The only ports that are currently specifically open on the router are for FTP, which is currently used to make a simple FTP server, and it works.

I have attached pictures of all pertinent menus for the VPN and IKE policies, both overview and details, and also a walkthrough of all the screens within my VPN client program.  I will be extremely diligent and quick with follow up information if necessary. Currently, I believe my largest confusion is with what IPs need to be referenced with the connection.  We also do not use any type of domain name on our network, it's just simple workgroups.  Thank you for your help.
ike-policies.jpg
ike-policy-detail.jpg
vpn-policies.jpg
vpn-policy-detail.jpg
client-1.JPG
client-2.JPG
client-3.JPG
client-4.JPG
client-5.JPG
client-6.JPG
Question by:runningmanms3
11 Comments
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 200 total points
ID: 24097861
On router for Local fully qualified domain name specify creativethermalsolutions.dyndns.org.

On client under Remote Party Identity and Addressing, select domain name and specify creativethermalsolutions.dyndns.org as value; then gateway IP and specify the internal IP of Netgear router.

Under My Identity, select Email address as ID type, specify employee [or user as configured on router], click Pre-shared key and specify the password as configured on router.

If you still cannot establish VPN, please post some sanitized logs from router/client which would help with troubleshooting.

Thank you.
 

Author Comment

by:runningmanms3
ID: 24101097
I have attached both the code from the log viewer on my newly failed attempt to connect, and all of the original pictures that were edited since you last helped me. If I did not include a picture, the settings present in the old pictures did not change.
I was not sure on your first comment, "On router for Local fully qualified domain name specify creativethermalsolutions.dyndns.org", what you wanted me to do.  Would you like me to change a setting on the VPN router? Because I didn't do that.
I had already entered in my pre-shared key in the correct place, so that's not the failure.
In the email space, I entered "employee" since that is the remote ID I specified on my router.  Is that still correct? There is also a local ID which is netgear.  I'm not terribly sure what the need for those two IDs is.
This wouldn't be hindered because I'm doing this already within the network I'm on, would it?  Do I have to find an outside network to test this on?
Also, on my last picture from my first post, I have seen places change the retransmit interval and enable other logs and things in that menu.  Anything in there I should be worried about?
Thanks again for all your help.
 
This is the code from the router.
[2009-04-08 14:43:39][==== IKE PHASE 1(from 192.168.15.100) START (responder) ====]
[2009-04-08 14:43:39]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2009-04-08 14:43:39]SENDING NOTIFY MSG:
[2009-04-08 14:43:39]INVALID_ID_INFORMATION
[2009-04-08 14:43:39]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: NOTIFY
[2009-04-08 14:45:25][==== IKE PHASE 1(from 192.168.15.100) START (responder) ====]
[2009-04-08 14:45:25]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2009-04-08 14:45:25]SENDING NOTIFY MSG:
[2009-04-08 14:45:25]INVALID_ID_INFORMATION
[2009-04-08 14:45:25]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: NOTIFY
 
This is the code from the client side.
  4-08: 14:43:22.578 Filter table loaded.
 4-08: 14:43:36.625
 4-08: 14:43:36.718 My Connections\Employee - Initiating IKE Phase 1 (IP ADDR=192.168.15.1)
 4-08: 14:43:36.953 My Connections\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:43:36.968 My Connections\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
 4-08: 14:43:36.968 My Connections\Employee - Discarding SA negotiation
 4-08: 14:44:25.296 Filter table loaded.
 4-08: 14:44:25.296 My Connections\Employee - Filter record 1 updated.
 4-08: 14:44:37.359 Filter table loaded.
 4-08: 14:44:37.359 My Connections\Employee - Filter record 1 updated.
 4-08: 14:44:48.593 Filter table loaded.
 4-08: 14:45:18.765 Filter table loaded.
 4-08: 14:45:18.765 My Connections\Employee - Filter record 1 updated.
 4-08: 14:45:23.640
 4-08: 14:45:23.640 My Connections\Employee - Initiating IKE Phase 1 (IP ADDR=192.168.15.1)
 4-08: 14:45:23.734 My Connections\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:45:23.750 My Connections\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
 4-08: 14:45:23.750 My Connections\Employee - Discarding SA negotiation


client-1.JPG
client-2.JPG
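The two log excerpts in this post tell the same story from both ends: the client opens IKE Phase 1 in aggressive mode, and the router answers with an INVALID_ID_INFORMATION notify, which in ISAKMP means the identity payload the initiator sent was not accepted, so Phase 1 never gets as far as the pre-shared key check. The following script is an added example, not code from the thread or from Netgear; it parses the router and client log formats quoted above (the sample input is those lines, copied in and lightly abridged), pairs up each attempt, and tags what a defender would look at first. The LAN prefix `192.168.15.` and the tag names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the router and client lines quoted in this thread (client log abridged).
ROUTER_LOG = """\
[2009-04-08 14:43:39][==== IKE PHASE 1(from 192.168.15.100) START (responder) ====]
[2009-04-08 14:43:39]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2009-04-08 14:43:39]SENDING NOTIFY MSG:
[2009-04-08 14:43:39]INVALID_ID_INFORMATION
[2009-04-08 14:43:39]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: NOTIFY
[2009-04-08 14:45:25][==== IKE PHASE 1(from 192.168.15.100) START (responder) ====]
[2009-04-08 14:45:25]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2009-04-08 14:45:25]SENDING NOTIFY MSG:
[2009-04-08 14:45:25]INVALID_ID_INFORMATION
[2009-04-08 14:45:25]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: NOTIFY
"""
CLIENT_LOG = """\
 4-08: 14:43:36.718 My Connections\\Employee - Initiating IKE Phase 1 (IP ADDR=192.168.15.1)
 4-08: 14:43:36.953 My Connections\\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:43:36.968 My Connections\\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
 4-08: 14:45:23.640 My Connections\\Employee - Initiating IKE Phase 1 (IP ADDR=192.168.15.1)
 4-08: 14:45:23.734 My Connections\\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:45:23.750 My Connections\\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
"""

ROUTER_START = re.compile(r"^\[(?P<ts>[^\]]+)\]\[==== IKE PHASE 1\(from (?P<peer>[\d.]+)\) "
                          r"START \((?P<role>\w+)\) ====\]$")
ROUTER_MODE = re.compile(r"RECEIVED\s+FIRST MESSAGE OF (?P<mode>\w+) MODE")
CLIENT_INIT = re.compile(r"^\s*(?P<ts>\d+-\d+: [\d:.]+) (?P<conn>.+?) - Initiating IKE Phase 1 "
                         r"\(IP ADDR=(?P<gw>[\d.]+)\)")
CLIENT_NOTIFY = re.compile(r"RECEIVED<<< ISAKMP OAK INFO \(NOTIFY:(?P<notify>[A-Z_]+)\)")


@dataclass
class Attempt:
    started: str
    peer: str          # router view: client source IP; client view: gateway IP dialled
    role: str = ""     # router only, e.g. "responder"
    mode: str = ""     # router only, "AGGR" or "MAIN"
    notify: str = ""   # error notify exchanged; empty when Phase 1 was not rejected


def parse_router_log(text):
    """One Attempt per '==== IKE PHASE 1 ... START' block in the FVS318 log."""
    attempts, expect_notify = [], False
    for line in text.splitlines():
        if m := ROUTER_START.match(line):
            attempts.append(Attempt(m["ts"], m["peer"], m["role"]))
            expect_notify = False
            continue
        if not attempts or "]" not in line:
            continue
        body = line.split("]", 1)[1].strip()   # drop the [timestamp] prefix
        if mm := ROUTER_MODE.search(body):
            attempts[-1].mode = mm["mode"]
        elif body == "SENDING NOTIFY MSG:":
            expect_notify = True               # the notify type is on the next line
        elif expect_notify:
            attempts[-1].notify = body
            expect_notify = False
    return attempts


def parse_client_log(text):
    """One Attempt per 'Initiating IKE Phase 1' line in the ProSafe client log."""
    attempts = []
    for line in text.splitlines():
        if m := CLIENT_INIT.match(line):
            attempts.append(Attempt(m["ts"], m["gw"]))
        elif (m := CLIENT_NOTIFY.search(line)) and attempts:
            attempts[-1].notify = m["notify"]
    return attempts


EXPLANATION = {  # tag names are this example's own
    "id_mismatch": "router sent INVALID_ID_INFORMATION: the ID type and value the client offers must equal the IKE policy's remote identity on the router",
    "aggressive_mode": "Phase 1 runs in aggressive mode, so the peer identity travels unencrypted; prefer main mode where both ends support it",
    "lan_side_test": "the client connected from the router's own LAN; a real test comes from an outside network",
}


def diagnose(router_attempts, client_attempts, lan_prefix="192.168.15."):
    """Pair the router's and client's view of each Phase 1 attempt and tag the findings."""
    report = {"attempts": len(router_attempts), "rejected": 0, "consistent": True, "problems": set()}
    for r, c in zip(router_attempts, client_attempts):
        if r.notify:
            report["rejected"] += 1
        # the client abbreviates the notify name (INVALID_ID_INFO vs INVALID_ID_INFORMATION)
        if c.notify and not r.notify.startswith(c.notify):
            report["consistent"] = False
        if r.notify == "INVALID_ID_INFORMATION":
            report["problems"].add("id_mismatch")
        if r.mode == "AGGR":
            report["problems"].add("aggressive_mode")
        if r.peer.startswith(lan_prefix):
            report["problems"].add("lan_side_test")
    return report


if __name__ == "__main__":
    rep = diagnose(parse_router_log(ROUTER_LOG), parse_client_log(CLIENT_LOG))
    print(f"{rep['rejected']}/{rep['attempts']} Phase 1 attempts rejected")
    for tag in sorted(rep["problems"]):
        print(f"- {EXPLANATION[tag]}")
```

Run on the excerpt it reports both attempts rejected with an ID mismatch, notes that the exchange is aggressive mode, and flags that the client came from the LAN side, which is the same conclusion the replies below reach by hand: nothing about the pre-shared key is being tested yet, because the router refuses the identity before it gets that far.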
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 200 total points
ID: 24105471
Phase I is not going through; by router settings I meant:
Under ike-policy-detail.jpg, under Local you have mentioned netgear; instead mention the dynDNS name.

Yes, for testing VPN client must be coming in from a different internet connection, not from behind the router.

This should take care of things.

Thank you.
 

Author Comment

by:runningmanms3
ID: 24111628
I tried today to connect to my network from an outside connection, and it did not work.  I am wondering now if my router is the offending agent in all this.  I downloaded a trial version of TheGreenBow since the Netgear client I have been referencing doesn't work with Vista.  From my outside connection, I was able to connect to thegreenbow test vpn flawlessly, but now when I am inside my network, I don't even think VPN pass through is set up.  I tried to open the correct ports, but then the router tells me that IKE policies are using those ports and if I change them, I will affect my ability to use VPN tunneling.  I'm about ready to give up on this problem and accept it can't be done.
 
LVL 4

Expert Comment

by:mycroftx
ID: 24113108
Not to discount anything posted earlier, there is great advice in there, but...
I install a lot of Netgear routers, and I have to say the Netgear branded VPN client is crap.  Use the Shrew client @ http://www.shrew.net/download and follow the steps at http://www.shrew.net/support/wiki/HowtoNetgear.  This tutorial is for the FVX538 or FVS338 but it should be pretty easy to match up with the 318.
 

Author Comment

by:runningmanms3
ID: 24113129
I will definitely take a look at that Shrew client.  I have been looking for a good, free VPN client and this just may fit the bill.  Any ideas on why the router is not seemingly responding to outside clients?  Also, should I start a new thread about the inability to do a VPN passthrough on my current router?
 
LVL 4

Expert Comment

by:mycroftx
ID: 24113160
I would guess the lack of router response is because of the firewall setup and that you are using Dynamic DNS.  Make sure that TCP & UDP 500 are open and pointed to your gateway (192.168.15.1) and log into DynDNS.org and check what the host table shows your IP to be, then go to ipchicken.com and verify it's the same.  If not, there's your problem.  If so, could be a thousand different things, but I'd start with services and rules.
If you want, set the router password and your DynDNS account info to something other than what you use now, save the config and email it to me, then set the password back.  I have a 318 sitting around that I can throw the config on and do some testing.  Might take me a couple of days to get to it (depending on what tomorrow is like) but if you don't get it running soon I'd be glad to.
 

Author Comment

by:runningmanms3
ID: 24119158
I checked my DynDNS login and IPs and that all checks out.  I have been able to use that for an FTP server on my network, which you'll be able to see in my attached Router Rule screenshot.  The problem is I am unable to open those two TCP and UDP ports on 500 because it says it interferes with an IKE policy in place.  Should I still force that to open and "break" the supposed IKE policy that is already running?  I'm going to attempt to use the Shrew Client now, and maybe that will fix this.  Any insight on my rules configuration would be amazing though.  Thanks again for all the help.
rules.JPG
failed-rule.JPG
 
LVL 4

Accepted Solution

by:mycroftx
mycroftx earned 200 total points
ID: 24119810
Hmmm. On a 338 or a 538 I would begin by opening TCP & UDP 500 and then create the VPN tunnels.  But a 318 is using different software, so I cannot say for sure.  I would delete the IKE & VPN Policies, create the rule, then recreate the VPN & IKE Policies.
Also you may want to disable the default 'Block Always' rule and see if the VPN works.  That will at least isolate if it's a firewall or other issue.
I would advise you to continue with the Shrew VPN Client, it is way better and at the very least it's just as secure.
You can email me the config and I will roll it out in the lab and get it operational, then send it back to you.  Just make sure you NEVER send anyone your passwords or static IPs as they can be used to break into your network.
...I feel a bit obligated to say this as well.  Netgear makes some great products, but I wouldn't use the 318 for anything more than a few PCs on a small network and I would never use it as the VPN endpoint.  It's kinda slow, not very many patches and the backplane is tiny.  An FVS338 is fairly inexpensive and does a great job.  Not that I'm saying throw the 318 away, just next time go for the 338 or 538 if you want dual WAN ports with roll-over or protocol binding.  If you want any advice on future purchases, let me know and I will outline what I use regularly for my customers.
http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS338.aspx
http://www.amazon.com/Netgear-FVS338-ProSafe-VPN-Firewall/dp/B0006OCZGW
 

Author Comment

by:runningmanms3
ID: 24126689
Thank you for all of your insight.  Everyone helped a lot in diagnosing the problems we have.  In the end, I believe it comes down to the router itself and its inability to do what it advertises.  I have played with enough things like this in my day, and after all of this, it just comes down to a poorly implemented hardware router.  Thank you for both configuration help and, in the end, the knowledge that can only come with experience, and that is that some things just aren't designed well and will never do what you want.  I have decided to purchase an FVS338 and I will reference this along with the many other tutorials that exist for this router as opposed to the 318.  Thanks again. This was extremely helpful.
 

Author Closing Comment

by:runningmanms3
ID: 31567775
I just want to say thanks for the help.  I left a comment with the final resolution, and it really came down a lot to understanding this router just will not function the way I want it.
