• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4453

Can't get a VPN started on NETGEAR ProSafe VPN Firewall FVS338. Any idea why?

While trying to start a VPN between a NETGEAR ProSafe VPN Firewall FVS338 and a Windows XP VPN client, I get the following readout from the vpnlog file.

2009-05-13 13:42:17: INFO:  Configuration found for 83.183.180.27[500].
2009-05-13 13:42:17: INFO:  Received request for new phase 1 negotiation: 83.183.205.91[500]<=>83.183.180.27[500]
2009-05-13 13:42:17: INFO:  Beginning Identity Protection mode.
2009-05-13 13:42:17: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
2009-05-13 13:42:17: INFO:  Received unknown Vendor ID
2009-05-13 13:42:17: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009-05-13 13:42:17: INFO:  Received unknown Vendor ID
2009-05-13 13:42:18: INFO:  ISAKMP-SA established for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e
2009-05-13 13:42:18: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2009-05-13 13:42:18: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:18: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:19: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:19: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:21: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:21: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:25: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:25: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:33: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:33: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:49: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:49: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:43:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=2ff0dd8b0bee0b1c:a909cb6f2fc6598e.
2009-05-13 13:43:21: INFO:  ISAKMP-SA deleted for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e

Does anyone have any helpful suggestions on what may be wrong here and how to correct it?

Asked by: helgevestin

1 Solution
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This looks like a L2TP/IPSec connection is initiated. Is that what you wanted?

helgevestin (Author) commented:
Ok - So I decided to install Netgear Prosafe VPN client software 10.3.5 and everything looks ok on the router http interface, as well as on the Netgear Prosafe VPN client monitoring window on the remote PC. There is definitely a VPN connection! There's just one catch - I can't get any data transfer through the VPN. The connection is there but I cannot see anything on any domain PCs (including the domain servers) connected to the router or on the remote PC. Common sense says it's probably the router but I can't see anything that seems misconfigured. Any suggestions?? (Could it be that another Netgear software program is necessary here to get to PCs on both ends of the active VPN??)

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
You need ProSafe on only one side.
Your VPN is not up. Point. It can't be, as the ISAKMP-SA is deleted, and that is because the IPSec SA could not be created.
Check that the encryption parameters for Phase 2 (IPSec) are correct on both sides. The above log does not show exactly what is exchanged, but there has to be a mismatch in encryption (3DES, AES, DES, ...), authentication (SHA-1, MD5), or PFS (Diffie-Hellman).

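As an added illustration (not code from the thread, from NETGEAR, or from the racoon project), here is a small Python parser for vpnlog lines in the format quoted in the question. It pulls out the facts Qlemo reads off the log by eye: whether Phase 1 completed, how many Phase 2 negotiations failed, whether the failed selectors carry UDP 1701 (the L2TP port, which is why the first reply says an L2TP/IPsec connection is being initiated), and whether the ISAKMP-SA was later purged. The embedded sample log is constructed: it mirrors the message shapes above but uses documentation addresses and placeholder SPIs rather than the original values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample in the shape of the vpnlog lines quoted in the question.
# Addresses and SPIs are documentation placeholders, not the originals.
SAMPLE_LOG = """\
2009-05-13 13:42:17: INFO:  Received request for new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.7[500]
2009-05-13 13:42:17: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
2009-05-13 13:42:17: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009-05-13 13:42:18: INFO:  ISAKMP-SA established for 192.0.2.1[500]-198.51.100.7[500] with spi:0011223344556677:8899aabbccddeeff
2009-05-13 13:42:18: INFO:  Responding to new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.7[0]
2009-05-13 13:42:18: ERROR:  Failed to get IPsec SA configuration for: 192.0.2.1/32[1701]<->198.51.100.7/32[1701] from 198.51.100.7/32
2009-05-13 13:42:19: INFO:  Responding to new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.7[0]
2009-05-13 13:42:19: ERROR:  Failed to get IPsec SA configuration for: 192.0.2.1/32[1701]<->198.51.100.7/32[1701] from 198.51.100.7/32
2009-05-13 13:43:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=0011223344556677:8899aabbccddeeff.
"""

# One regex per message shape that appears in the quoted log.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
PHASE1_OK_RE = re.compile(r"ISAKMP-SA established for .* with spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
PHASE2_FAIL_RE = re.compile(r"Failed to get IPsec SA configuration for: (?P<sel>\S+) from (?P<peer>\S+)")
PURGED_RE = re.compile(r"Purged ISAKMP-SA .* spi=(?P<spi>[0-9a-f]+:[0-9a-f]+)")
VENDOR_RE = re.compile(r"Received Vendor ID: (?P<vid>.+)$")
PORT_RE = re.compile(r"\[(\d+)\]")

L2TP_PORT = 1701  # UDP port in the selectors when the peer wants L2TP over IPsec


@dataclass
class IkeSummary:
    vendor_ids: List[str] = field(default_factory=list)
    phase1_spi: Optional[str] = None
    phase2_failures: int = 0
    failed_selectors: List[str] = field(default_factory=list)
    requested_ports: Set[int] = field(default_factory=set)
    isakmp_purged: bool = False

    @property
    def phase1_established(self) -> bool:
        return self.phase1_spi is not None

    def diagnosis(self) -> str:
        """Plain-language reading of the negotiation, following the accepted answer's logic."""
        if not self.phase1_established:
            return "Phase 1 (ISAKMP) never completed; check pre-shared key, IDs and the Phase 1 proposal."
        if self.phase2_failures == 0:
            return "Phase 1 and Phase 2 completed; the tunnel should be up."
        parts = [f"Phase 1 completed but Phase 2 failed {self.phase2_failures} time(s): "
                 "no IPsec SA was built, so no traffic is protected."]
        if L2TP_PORT in self.requested_ports:
            parts.append("The peer proposed selectors on UDP 1701 (L2TP) and the gateway has no "
                         "matching IPsec policy; this is the pattern of an L2TP/IPsec client "
                         "talking to a plain IPsec policy.")
        if self.isakmp_purged:
            parts.append("The ISAKMP-SA was then purged, so the connection is fully down.")
        return " ".join(parts)


def summarize_vpnlog(text: str) -> IkeSummary:
    """Walk the log once and collect the facts diagnosis() needs."""
    s = IkeSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate blank or non-log lines
        msg = m.group("msg")
        if v := VENDOR_RE.search(msg):
            s.vendor_ids.append(v.group("vid").strip())
        elif p1 := PHASE1_OK_RE.search(msg):
            s.phase1_spi = p1.group("spi")
        elif p2 := PHASE2_FAIL_RE.search(msg):
            s.phase2_failures += 1
            s.failed_selectors.append(p2.group("sel"))
            # Ports appear as [NNNN] inside the traffic selector.
            s.requested_ports.update(int(p) for p in PORT_RE.findall(p2.group("sel")))
        elif pu := PURGED_RE.search(msg):
            # Only count the purge if it removes the SA we saw established.
            s.isakmp_purged = s.isakmp_purged or pu.group("spi") == s.phase1_spi
    return s


if __name__ == "__main__":
    print(summarize_vpnlog(SAMPLE_LOG).diagnosis())
```

Run against the real vpnlog export, the same summary separates "Phase 1 is fine, Phase 2 has no policy" from "the pre-shared key or Phase 1 proposal is wrong", which is the distinction the later comments in this thread turn on.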

helgevestin (Author) commented:
I was sort of hoping you would not answer so fast! I forgot to mention that everything now looks ok in the VPN log. The VPN log looks fine now that I switched to Netgear Prosafe VPN client software 10.3.5 instead of the Windows VPN software. The router now says that there is definitely a VPN connection and the VPN log now says that all keys including the ISAKMP-SA have been accepted. As a result, the VPN log now shows no errors (only a couple of warnings) and completes successfully with the ISAKMP-SA being successfully accepted. I also checked the firewall and its VPN1 service (configured for port 1723) is activated and its rules designate a throughput from 195.168.1.254 [1723] (the LAN port IP) to 83.183.205.91 (the router IP).

To make a long story short, it looks ok on the firewall I think. But even if the firewall was misconfigured, I believe I should still be able to at least detect something on the LAN network from the VPN client computer and vice versa. A firewall usually only blocks data exchange. You usually can still get something detected like another computer's name if it's somewhere on the LAN network. I can't get anything! Again, the Netgear Prosafe VPN client software 10.3.5 program says a VPN connection is fully established, and so does the Netgear router. Both state this plainly and everything looks fine on the router and the Netgear Prosafe VPN client software on the client PC.

It's just that I can't seem to get any data exchange. I can't see the VPN client PC on a network search from any domain PC (including the main server) and I can't see any domain PC from the VPN client PC either.
All this is why I think that a special program might be necessary to go further with regards to communicating between the domain PCs and the VPN client PC. A good VPN connection seems to be there, but I can't seem to send or receive anything through it. Again, what's your expert opinion on all this??

helgevestin (Author) commented:
Oh! By the way, I made a small but important typo. The LAN server port IP, mentioned above as 195.168.1.254 [1723], is really 192.168.1.254 [1723]   --- It's just a careless typo!

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
I see. But you're not right regarding firewall functions.
  1. Network browsing is an issue with VPN even if the VPN works. This is because of the next point.
  2. Name resolution is a big issue with VPN, both NetBIOS and DNS. Either you resolve your addresses locally, and can't use remote names; or remotely, and all DNS is resolved by the office DNS, which causes more traffic and some lag.
  3. Firewalls can block all or only some traffic. Only if you can reach a remote device by one means can you tell the VPN is working and the firewall is passing some traffic.
Now the usual question has to follow: You do not use the same network addresses at home and in the office? This will cause a lot of trouble. If so, change your home network!

If not, did you try a ping or tracert to the router's and/or a PC's address (not name, IP address)?
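Qlemo's question about identical address ranges at both ends can be checked mechanically before touching the router. The following Python is an added example, not from the thread or from NETGEAR: it uses the office LAN 192.168.1.0/24 that the thread mentions (192.168.1.254 is the LAN port), while the home LAN prefix and the renumbering candidates are assumptions chosen for illustration. The finding texts describe why an overlap breaks a remote-access tunnel: the client's own LAN route is more specific than (or equal to) the tunnel policy, so packets for office hosts stay on the home LAN.

```python
import ipaddress
from typing import Iterable, List


def address_plan_findings(office_lan: str, home_lan: str,
                          office_hosts: Iterable[str] = ()) -> List[str]:
    """Check a remote-access VPN address plan for the overlap problem raised in the thread.

    office_lan, home_lan: CIDR prefixes of the two LANs joined by the tunnel.
    office_hosts: office addresses the VPN client is expected to reach.
    Returns a list of findings; an empty list means the plan is clean.
    """
    office = ipaddress.ip_network(office_lan, strict=False)
    home = ipaddress.ip_network(home_lan, strict=False)
    findings: List[str] = []

    if office.overlaps(home):
        findings.append(
            f"CONFLICT: home LAN {home} overlaps office LAN {office}; the client "
            "cannot tell local hosts from office hosts and sends office traffic "
            "onto its own LAN instead of into the tunnel.")

    for host in office_hosts:
        ip = ipaddress.ip_address(host)
        if ip not in office:
            findings.append(f"WARN: {ip} is outside office LAN {office}; "
                            "an IPsec policy for that LAN will not carry traffic to it.")
        elif ip in home:
            findings.append(f"AMBIGUOUS: {ip} also falls inside home LAN {home}; "
                            "the client resolves it with local ARP and the packet never enters the tunnel.")
    return findings


def suggest_renumbering(office_lan: str, candidates: Iterable[str]) -> str:
    """Return the first candidate home prefix that does not overlap the office LAN."""
    office = ipaddress.ip_network(office_lan, strict=False)
    for cand in candidates:
        if not ipaddress.ip_network(cand, strict=False).overlaps(office):
            return cand
    raise ValueError("no non-overlapping candidate prefix")


if __name__ == "__main__":
    # Office LAN from the thread; the home LAN is an assumed value for the demo.
    OFFICE = "192.168.1.0/24"
    HOME = "192.168.1.0/24"          # assumption: a typical consumer-router default
    for line in address_plan_findings(OFFICE, HOME, ["192.168.1.254"]):
        print(line)
    print("suggested home prefix:", suggest_renumbering(OFFICE, ["192.168.1.0/24", "192.168.37.0/24"]))
```

If the check reports CONFLICT, the ping-by-IP test Qlemo asks for will fail for exactly the reason he describes, and no amount of DNS or firewall tuning will help until one side is renumbered.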

helgevestin (Author) commented:
I followed your advice but still no luck. I tried monkeying with the DNS settings to have them as you said was necessary here and still no luck. Everything looks very ok however. The VPN software says the connection is fine, the Netgear router says the IPsec SA connection is fine and the VPN log says that everything's ok. Again, everything looks ok but the VPN software says that there's no secured data exchange between the router and the VPN client and no PC in the domain can see the VPN client on a network browse and vice versa. Any more suggestions??

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
You haven't been responsive to my two questions:
* ping with IP address
* local and remote network address conflicts
These are important to know.

You will not see the client in your office network. Exception: If you set up a WINS server, the VPN client might (!) register with it, and be visible to others. But don't count on that.


helgevestin (Author) commented:
You're absolutely right! I can easily ping the office network gateway (the IP of the VPN router) from the VPN client PC but not vice versa (nor ping from any office network PC to the VPN client for that matter, of course). Can you give me (or direct me to) an explicitly detailed example of a proper and working configuration for an office network with a VPN router (hopefully involving a NETGEAR ProSafe VPN Firewall FVS338) and a remote VPN client (hopefully involving another NETGEAR ProSafe VPN Firewall FVS338 or 318, or involving the Netgear Prosafe VPN client software 10.3.5 installed on the remote PC).

helgevestin (Author) commented:
I solved the problem. I got another Netgear Prosafe VPN router of the same model. It was easy as heck to get the VPN going then. You were right, but a second VPN router of the same type saved a lot of time configuring. In less than 30 minutes I had a good VPN going and can see everything throughout the network on either side now. Thanks for your helpful advice! It helped point me in the right direction!

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Another NetGear - that is an option ... Great that you got it to work that simple.

Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Either delete the question, or accept your answer and one or two of mine if you want to give points, please.