Set up Netgear FVS318v3 VPN Client Connection to Netgear Prosafe VPN Client

runningmanms3 used Ask the Experts™
I have used every single bit of information on the web to try and make this seemingly simple connection, but between conflicting information and not actually explaining a lot of the settings, I have been unable to successfully create a VPN connection.

Some details.  My VPN router is the FVS318v3.  Its IP address is  It automatically assigns all computers on the network an IP address.  The WAN IP of the router isn't static, as a cable modem is connected to it.  We use as our dynamic dns name.  The only ports that are currently specifically open on the router are for FTP, which is currently used to make a simple FTP server, and it works.

I have attached pictures of all pertinent menus for the VPN and IKE policies, both overview and details, and also a walkthrough of all the screens within my VPN client program.  I will be extremely diligent and quick with follow up information if necessary. Currently, I believe my largest confusion is with what IPs need to be referenced with the connection.  We also do not use any type of domain name on our network, it's just simple workgroups.  Thank you for your help.
Top Expert 2007
On router for Local fully qualified domain name specify

On client under Remote Party Identity and Addressing, select domain name and specify as value; then gateway IP and specify the internal IP of Netgear router.

Under My identity; select Email address as ID type, specify employee [or user as configured on router] click Pre-shared key and specify the password as configured on router.

If you still cannot establish VPN, please post some sanitized logs from router/client which would help with troubleshooting.

Thank you.


I have attached both the code from the log viewer on my newly failed attempt to connect, and all of the original pictures that were edited since you last helped me. If I did not include a picture, the settings present in the old pictures did not change.
I was not sure on your first comment, "On router for Local fully qualified domain name specify"  what you wanted me to do.  Would you like me to change a setting on the VPN router, because I didn't do that.
I had already entered in my pre-shared key in the correct place, so that's not the failure.
In the email space, I entered "employee" since that is the remote ID I specified on my router.  Is that still correct? There is also a local ID which is netgear.  I'm not terribly sure on what the need for those two IDs is.
This wouldn't be hindered because I'm doing this already within the network I'm on, would it?  Do I have to find an outside network to test this on?
Also, on my last picture from my first post, I have seen places change the retransmit interval and enable other logs and things in that menu.  Anything in there I should be worried about?
Thanks again for all your help.
This is the code from the router.
[2009-04-08 14:43:39][==== IKE PHASE 1(from START (responder) ====]
[2009-04-08 14:43:39]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:43:39]SENDING NOTIFY MSG:
[2009-04-08 14:43:39]INVALID_ID_INFORMATION
[2009-04-08 14:43:39]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: NOTIFY
[2009-04-08 14:45:25][==== IKE PHASE 1(from START (responder) ====]
[2009-04-08 14:45:25]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:45:25]SENDING NOTIFY MSG:
[2009-04-08 14:45:25]INVALID_ID_INFORMATION
[2009-04-08 14:45:25]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: NOTIFY
This is the code from the client side.
  4-08: 14:43:22.578 Filter table loaded.
 4-08: 14:43:36.625
 4-08: 14:43:36.718 My Connections\Employee - Initiating IKE Phase 1 (IP ADDR=
 4-08: 14:43:36.953 My Connections\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:43:36.968 My Connections\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
 4-08: 14:43:36.968 My Connections\Employee - Discarding SA negotiation
 4-08: 14:44:25.296 Filter table loaded.
 4-08: 14:44:25.296 My Connections\Employee - Filter record 1 updated.
 4-08: 14:44:37.359 Filter table loaded.
 4-08: 14:44:37.359 My Connections\Employee - Filter record 1 updated.
 4-08: 14:44:48.593 Filter table loaded.
 4-08: 14:45:18.765 Filter table loaded.
 4-08: 14:45:18.765 My Connections\Employee - Filter record 1 updated.
 4-08: 14:45:23.640
 4-08: 14:45:23.640 My Connections\Employee - Initiating IKE Phase 1 (IP ADDR=
 4-08: 14:45:23.734 My Connections\Employee - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 4-08: 14:45:23.750 My Connections\Employee - RECEIVED<<< ISAKMP OAK INFO (NOTIFY:INVALID_ID_INFO)
 4-08: 14:45:23.750 My Connections\Employee - Discarding SA negotiation

Top Expert 2007
Phase I is not going through; by router settings I meant:
Under ike-policy-detail.jpg, under Local you have mentioned netgear; instead mention the dynDNS name.

Yes, for testing VPN client must be coming in from a different internet connection, not from behind the router.

This should take care of things.

Thank you.
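An added example, not part of the original thread: a small Python parser for the router log format posted above. It groups the lines into IKE negotiations and pulls out the notify the router sent, so repeated identity rejections stand out. The function names are made up for this illustration.

```python
import re

# Router IKE log exactly as posted in the thread above.
ROUTER_LOG = """\
[2009-04-08 14:43:39][==== IKE PHASE 1(from START (responder) ====]
[2009-04-08 14:43:39]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:43:39]SENDING NOTIFY MSG:
[2009-04-08 14:43:39]INVALID_ID_INFORMATION
[2009-04-08 14:43:39]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:43:39]<POLICY: > PAYLOADS: NOTIFY
[2009-04-08 14:45:25][==== IKE PHASE 1(from START (responder) ====]
[2009-04-08 14:45:25]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2009-04-08 14:45:25]SENDING NOTIFY MSG:
[2009-04-08 14:45:25]INVALID_ID_INFORMATION
[2009-04-08 14:45:25]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-04-08 14:45:25]<POLICY: > PAYLOADS: NOTIFY
"""

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\](.*)$")
PHASE = re.compile(r"IKE PHASE (\d)\(from \w+ \((\w+)\)")
POLICY = re.compile(r"<POLICY: (.*?)>")

def parse_negotiations(text):
    """Group log lines into negotiations, one per 'IKE PHASE' banner."""
    negs, want_notify = [], False
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts, msg = m.groups()
        banner, pol = PHASE.search(msg), POLICY.search(msg)
        if banner:
            negs.append({"start": ts, "phase": int(banner.group(1)),
                         "role": banner.group(2), "aggressive": False,
                         "notify": None, "policy": None})
        elif not negs:
            continue  # lines before the first banner belong to nothing
        elif want_notify:
            negs[-1]["notify"] = msg.strip()
        elif "AGGR MODE" in msg:
            negs[-1]["aggressive"] = True
        elif pol:
            negs[-1]["policy"] = pol.group(1).strip()
        # the notify name is logged on the line after this marker
        want_notify = msg.startswith("SENDING NOTIFY MSG")
    return negs

def id_rejections(negs):
    """Phase 1 attempts the router refused over the peer's identity."""
    return [n for n in negs
            if n["phase"] == 1 and n["notify"] == "INVALID_ID_INFORMATION"]
```

On the posted log this returns both attempts, each rejected at the first aggressive-mode message with the policy field empty in the log line.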


I tried today to connect to my network from an outside connection, and it did not work.  I am wondering now if my router is the offending agent in all this.  I downloaded a trial version of TheGreenBow since the Netgear client I have been referencing doesn't work with Vista.  From my outside connection, I was able to connect to thegreenbow test vpn flawlessly, but now when I am inside my network, I don't even think VPN pass through is set up.  I tried to open the correct ports, but then the router tells me that IKE policies are using those ports and if I change them, I will affect my ability to use VPN tunneling.  I'm about ready to give up on this problem and accept it can't be done.

Not to discount anything posted earlier, there is great advice in there, but...
I install a lot of Netgear routers, and I have to say the Netgear branded VPN client is crap.  Use the Shrew client @ and follow the steps at  This tutorial is for the FVX538 or FVS338 but it should be pretty easy to match up with the 318.


I will definitely take a look at that Shrew client.  I have been looking for a good, free VPN client and this just may fit the bill.  Any ideas on why the router is not seemingly responding to outside clients?  Also, should I start a new thread about the inability to do a VPN passthrough on my current router?

I would guess the lack of router response is because of the Firewall setup and that you are using Dynamic DNS.  Make sure that TCP & UDP 500 are open and pointed to your gateway ( and log into and check what the host table shows your IP to be, then go to and verify it's the same.  If not, there's your problem.  If so, could be a thousand different things, but I'd start with services and rules.  
If you want, set the router password and your DynDNS account info to something other than what you use now, save the config and email it to me, then set the password back.  I have a 318 sitting around that I can throw the config on and do some testing.  Might take me a couple of days to get to it (depending on what tomorrow is like) but if you don't get it running soon I'd be glad to.


I checked my DynDNS login and IPs and that all checks out.  I have been able to use that for an FTP server on my network, which you'll be able to see in my attached Router Rule screenshot.  The problem is I am unable to open those two TCP and UDP ports on 500 because it says it interferes with an IKE policy in place.  Should I still force that to open and "break" the supposed IKE policy that is already running?  I'm going to attempt to use the Shrew Client now, and maybe that will fix this.  Any insight on my rules configuration would be amazing though.  Thanks again for all the help.
Hmmm. On a 338 or a 538 I would begin by opening TCP & UDP 500 and then create the VPN Tunnels.  But a 318 is using different software, so I cannot say for sure.  I would delete the IKE & VPN Policies, create the rule, then recreate the VPN & IKE Policies.  
Also you may want to disable the default 'Block Always' rule and see if the VPN works.  That will at least isolate if it's a firewall or other issue.
I would advise you to continue with the Shrew VPN Client, it is way better and at the very least it's just as secure.  
You can email me the config and I will roll it out in the lab and get it operational, then send it back to you.  Just make sure you NEVER send anyone your passwords or static IPs as they can be used to break into your network.
...I feel a bit obligated to say this as well.  Netgear makes some great products, but I wouldn't use the 318 for anything more than a few PCs on a small network and I would never use it as the VPN endpoint.  It's kinda slow, not very many patches and the backplane is tiny.  An FVS338 is fairly inexpensive and does a great job.  Not that I'm saying throw the 318 away, just next time go for the 338 or 538 if you want dual wan ports with roll-over or protocol binding.  If you want any advice on future purchases, let me know and I will outline what I use regularly for my customers.


Thank you for all of your insight.  Everyone helped a lot in diagnosing the problems we have.  In the end, I believe it comes down to the router itself and its inability to do what it advertises.  I have played with enough things like this in my day, and after all of this, it just comes down to a poorly implemented hardware router.  Thank you for both configuration help and, in the end, the knowledge that can only come with experience, and that is that some things just aren't designed well and will never do what you want.  I have decided to purchase an FVS338 and I will reference this along with the many other tutorials that exist for this router as opposed to the 318.  Thanks again. This was extremely helpful.


I just want to say thanks for the help.  I left a comment with the final resolution, and it really came down a lot to understanding this router just will not function the way I want it.
