Solved

Can't get a VPN started on NETGEAR ProSafe VPN Firewall FVS338. Any idea why?

Posted on 2009-05-13
Last Modified: 2012-05-06
While trying to start a VPN between a NETGEAR ProSafe VPN Firewall FVS338 and a Windows XP VPN client, I get the following readout from the vpnlog file.

2009-05-13 13:42:17: INFO:  Configuration found for 83.183.180.27[500].
2009-05-13 13:42:17: INFO:  Received request for new phase 1 negotiation: 83.183.205.91[500]<=>83.183.180.27[500]
2009-05-13 13:42:17: INFO:  Beginning Identity Protection mode.
2009-05-13 13:42:17: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
2009-05-13 13:42:17: INFO:  Received unknown Vendor ID
2009-05-13 13:42:17: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009-05-13 13:42:17: INFO:  Received unknown Vendor ID
2009-05-13 13:42:18: INFO:  ISAKMP-SA established for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e
2009-05-13 13:42:18: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2009-05-13 13:42:18: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:18: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:19: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:19: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:21: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:21: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:25: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:25: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:33: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:33: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:49: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:49: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:43:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=2ff0dd8b0bee0b1c:a909cb6f2fc6598e.
2009-05-13 13:43:21: INFO:  ISAKMP-SA deleted for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e

Does anyone have any helpful suggestions on what may be wrong here and how to correct it?

Question by:helgevestin

12 Comments

Expert Comment

by:Qlemo
ID: 24375441
This looks like a L2TP/IPSec connection is initiated. Is that what you wanted?
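
The clue Qlemo is reading is the selector in the ERROR lines: 83.183.205.91/32[1701]<->83.183.180.27/32[1701]. UDP 1701 is the L2TP port, so the peer completed phase 1 and then asked for an IPsec SA protecting L2TP between the two hosts, and the gateway reported that it has no IPsec SA configuration for that selector. The Python below is an added example, not part of the original post or of NETGEAR's software: a small parser for racoon-style vpnlog lines that records how far a negotiation got and flags the L2TP selector. The sample log is copied from the question (the repeated retries are cut to three); the Diagnosis class and the verdict strings are my own naming.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# UDP port L2TP runs over; an L2TP/IPsec client asks for an IPsec SA that covers exactly this port
L2TP_PORT = 1701

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
VID_RE = re.compile(r"^Received Vendor ID: (?P<vid>.+)$")
PHASE1_RE = re.compile(r"^ISAKMP-SA established for .* with spi:(?P<spi>[0-9a-f:]+)$")
PHASE2_FAIL_RE = re.compile(
    r"^Failed to get IPsec SA configuration for: "
    r"(?P<src>[\d.]+)/(?P<spfx>\d+)\[(?P<sport>\d+)\]<->"
    r"(?P<dst>[\d.]+)/(?P<dpfx>\d+)\[(?P<dport>\d+)\]"
)
DELETED_RE = re.compile(r"^ISAKMP-SA deleted ")

# (src, src_port, dst, dst_port) exactly as written in the ERROR line; port 0 would mean "any"
Selector = Tuple[str, int, str, int]


@dataclass
class Diagnosis:
    phase1_established: bool = False
    phase1_spi: Optional[str] = None
    vendor_ids: List[str] = field(default_factory=list)
    phase2_failures: int = 0
    selectors: Set[Selector] = field(default_factory=set)
    isakmp_deleted: bool = False
    unparsed: int = 0

    def looks_like_l2tp(self) -> bool:
        """True when a failed phase 2 asked for UDP 1701 <-> UDP 1701, i.e. an L2TP/IPsec SA."""
        return any(sp == L2TP_PORT and dp == L2TP_PORT for _, sp, _, dp in self.selectors)

    def verdict(self) -> str:
        if not self.phase1_established:
            return "phase1-failed"                # look at PSK, DH group, phase 1 proposal
        if self.phase2_failures == 0:
            return "no-phase2-error-logged"       # nothing in this log to complain about
        if self.looks_like_l2tp():
            return "phase2-failed-l2tp-selector"  # peer is an L2TP client; no policy for port 1701
        return "phase2-failed-policy-mismatch"    # selectors or phase 2 parameters match no policy


def diagnose_vpnlog(text: str) -> Diagnosis:
    """Walk the log once and record the highest stage reached plus every failing phase 2 selector."""
    d = Diagnosis()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            d.unparsed += 1
            continue
        msg = m.group("msg")
        if (vid := VID_RE.match(msg)):
            d.vendor_ids.append(vid.group("vid"))
        elif (p1 := PHASE1_RE.match(msg)):
            d.phase1_established = True
            d.phase1_spi = p1.group("spi")
        elif (p2 := PHASE2_FAIL_RE.match(msg)):
            d.phase2_failures += 1
            d.selectors.add((p2.group("src"), int(p2.group("sport")),
                             p2.group("dst"), int(p2.group("dport"))))
        elif DELETED_RE.match(msg):
            d.isakmp_deleted = True
    return d


# Lines copied from the vpnlog in the question (shortened; the repeated retries are cut to three).
SAMPLE_LOG = """
2009-05-13 13:42:17: INFO:  Configuration found for 83.183.180.27[500].
2009-05-13 13:42:17: INFO:  Received request for new phase 1 negotiation: 83.183.205.91[500]<=>83.183.180.27[500]
2009-05-13 13:42:17: INFO:  Beginning Identity Protection mode.
2009-05-13 13:42:17: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
2009-05-13 13:42:17: INFO:  Received unknown Vendor ID
2009-05-13 13:42:17: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009-05-13 13:42:18: INFO:  ISAKMP-SA established for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e
2009-05-13 13:42:18: INFO:  Responding to new phase 2 negotiation: 83.183.205.91[0]<=>83.183.180.27[0]
2009-05-13 13:42:18: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:19: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:42:21: ERROR:  Failed to get IPsec SA configuration for: 83.183.205.91/32[1701]<->83.183.180.27/32[1701] from 83.183.180.27/32
2009-05-13 13:43:20: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=2ff0dd8b0bee0b1c:a909cb6f2fc6598e.
2009-05-13 13:43:21: INFO:  ISAKMP-SA deleted for 83.183.205.91[500]-83.183.180.27[500] with spi:2ff0dd8b0bee0b1c:a909cb6f2fc6598e
"""

if __name__ == "__main__":
    result = diagnose_vpnlog(SAMPLE_LOG)
    print(result.verdict(), result.phase2_failures, sorted(result.selectors))
```

Run against the sample it returns the verdict phase2-failed-l2tp-selector with three failures on the 1701<->1701 selector, which matches the reading above: the router is being asked for an L2TP/IPsec SA, not the plain IPsec tunnel its VPN policy describes.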

Author Comment

by:helgevestin
ID: 24385602
Ok - So I decided to install Netgear Prosafe VPN client software 10.3.5 and everything looks ok on the router http interface, as well as on the Netgear Prosafe VPN client monitoring window on the remote pc. There is definitely a vpn connection! There's just one catch - I can't get any data transfer through the vpn. The connection is there but I cannot see anything on any domain pc's (including the domain servers) connected to the router or on the remote pc. Common sense says it's probably the router but I can't see anything that seems misconfigured. Any suggestions?? (Could it be that another netgear software program is necessary here to get to pc's on both ends of the active vpn??)

Expert Comment

by:Qlemo
ID: 24386436
You need ProSafe on one side only.
Your VPN is not up. Period. It can't be, as the ISAKMP-SA is deleted, and that is because the IPsec SA could not be created.
Check that the encryption parameters for Phase 2 (IPsec) are correct on both sides. The above log does not show exactly what is exchanged, but there has to be a mismatch in encryption (3DES, AES, DES, ...), authentication (SHA-1, MD5), or PFS (Diffie-Hellman).

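
Qlemo's point that a phase 2 mismatch must exist even though this log never shows the proposals is easiest to see with a small model of how an IKEv1 responder picks one. The Python below is an added example, not the router's or the client's code: it treats each phase 2 proposal as the (encryption, authentication, PFS group) tuple Qlemo lists, lets the responder accept the first offered proposal it is also configured for, and, when nothing matches, reports attribute by attribute what was offered versus accepted. Lifetimes are left out of the model. The policies in it are constructed; none of the values come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Phase2Proposal:
    """One IPsec (phase 2) proposal reduced to the three parameters Qlemo lists."""
    encryption: str           # "des", "3des", "aes128", "aes256"
    auth: str                 # "hmac-md5", "hmac-sha1"
    pfs_group: Optional[int]  # DH group when PFS is enabled, None when PFS is off


def select_phase2(initiator: List[Phase2Proposal],
                  responder: List[Phase2Proposal]) -> Optional[Phase2Proposal]:
    """Simplified IKEv1 responder choice: take the initiator's proposals in the order offered
    and accept the first one that is also configured locally. All three attributes must agree
    inside the same proposal; agreeing on each attribute in different proposals is not enough."""
    configured = set(responder)
    for offered in initiator:
        if offered in configured:
            return offered
    return None


def explain_mismatch(initiator: List[Phase2Proposal],
                     responder: List[Phase2Proposal]) -> Dict[str, Dict[str, Set]]:
    """Per attribute: what the peer offered, what we accept, and the overlap. This is the table
    to fill in by hand when the log only says that no IPsec SA could be set up."""
    report: Dict[str, Dict[str, Set]] = {}
    for attr in ("encryption", "auth", "pfs_group"):
        offered = {getattr(p, attr) for p in initiator}
        accepted = {getattr(p, attr) for p in responder}
        report[attr] = {"offered": offered, "accepted": accepted, "common": offered & accepted}
    return report


def attribute_overlap_everywhere(report: Dict[str, Dict[str, Set]]) -> bool:
    """True when every attribute has some overlap; with select_phase2() returning None this
    is the classic 'each setting matches somewhere, but never in the same proposal' case."""
    return all(r["common"] for r in report.values())


# Constructed example policies (assumptions, not taken from the FVS338 or the client).
GATEWAY = [Phase2Proposal("aes128", "hmac-sha1", 2)]

# Client that will connect: its second proposal is an exact match.
CLIENT_OK = [Phase2Proposal("3des", "hmac-sha1", 2), Phase2Proposal("aes128", "hmac-sha1", 2)]

# Client that will not: every attribute overlaps somewhere, but no single proposal matches.
CLIENT_CROSSED = [Phase2Proposal("aes128", "hmac-md5", 2), Phase2Proposal("3des", "hmac-sha1", None)]


if __name__ == "__main__":
    print("ok client  ->", select_phase2(CLIENT_OK, GATEWAY))
    print("bad client ->", select_phase2(CLIENT_CROSSED, GATEWAY))
    for attr, r in explain_mismatch(CLIENT_CROSSED, GATEWAY).items():
        print(f"  {attr}: offered={r['offered']} accepted={r['accepted']} common={r['common']}")
```

The CLIENT_CROSSED case is the one that wastes the most time in practice: comparing the two configuration screens setting by setting shows nothing wrong, yet no proposal as a whole matches, so phase 2 fails and the ISAKMP-SA is eventually purged just as in the log above.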

Author Comment

by:helgevestin
ID: 24387865
I was sort of hoping you would not answer so fast! I forgot to mention that everything now looks ok in the vpn log. The vpn log looks fine now that I switched to Netgear Prosafe VPN client software 10.3.5 instead of the windows vpn software. The router now says that there is definitely a vpn connection and the vpn log now says that all keys including the ISAKMP-SA have been accepted. As a result, the vpn log now shows no errors (only a couple of warnings) and completes successfully with the ISAKMP-SA being successfully accepted. I also checked the firewall and its VPN1 service (configured for port 1723) is activated and its rules designate a throughput from 195.168.1.254 [1723] (the LAN port IP) to 83.183.205.91 (the router IP).

To make a long story short, it looks ok on the firewall I think. But even if the firewall was misconfigured, I believe I should still be able to at least detect something on the LAN network from the vpn client computer and vice versa. A firewall usually only blocks data exchange. You usually can still get something detected like another computer's name if it's somewhere on the LAN network. I can't get anything! Again, the Netgear Prosafe VPN client software 10.3.5 program says a vpn connection is fully established, and so does the Netgear router. Both state this plainly and everything looks fine on the router and the Netgear Prosafe VPN client software on the client pc.

It's just that I can't seem to get any data exchange. I can't see the vpn client pc on a network search from any domain pc (including the main server) and I can't see any domain pc from the vpn client pc either.
All this is why I think that a special program might be necessary to go further with regards to communicating between the domain pc's and the vpn client pc. A good vpn connection seems to be there, but I can't seem to send or receive anything through it. Again, what's your expert opinion on all this??

Author Comment

by:helgevestin
ID: 24387958
Oh! By the way, I made a small but important typo. The LAN server port IP, mentioned above as 195.168.1.254 [1723], is really 192.168.1.254 [1723]   --- It's just a careless typo!

Expert Comment

by:Qlemo
ID: 24389680
I see. But you're not right regarding firewall functions.
  1. Network browsing is an issue with VPN even if the VPN works. This is because of next point
  2. Name resolution is a big issue with VPN, both NetBIOS and DNS. Either you resolve your addresses locally, and can't use remote names; or remote, and all DNS is resolved by the office DNS which causes more traffic and some lags.
  3. Firewalls can block all or only some traffic. Only if you can reach a remote device by one means, you can tell the VPN is working and the firewall is passing some traffic
Now the usual question has to follow: you do not use the same network addresses at home and in the office? This will cause a lot of trouble. If so, change your home network!

If not, did you try a ping or tracert to the router's and/or a PC's address (not name, IP address)?
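
Qlemo's two questions (ping by IP address, and whether home and office use the same network addresses) go together, and a routing-table lookup shows why. The Python below is an added example, not anything from the thread or from NETGEAR: it models the remote PC's routing table (its home LAN, the office LAN route the VPN client installs, a default route) and an office PC's table (its LAN plus a default route to the FVS338), then does the longest-prefix match a host does. 192.168.1.254 is the gateway's LAN address from the thread; the /24 masks, the home LAN 192.168.2.0/24, the client address and the interface labels are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, outgoing interface or next-hop label), in the order the table lists them
Route = Tuple[ipaddress.IPv4Network, str]


def subnets_overlap(a: str, b: str) -> bool:
    """True when the two networks share any address (e.g. both are 192.168.1.0/24)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as a host's routing table does. On an equal-length tie the route
    listed first wins, standing in for the lower metric a directly connected route has."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def client_table(home_lan: str, office_lan: str) -> List[Route]:
    """Remote PC: its own LAN first, the office LAN the VPN client adds, then the default route."""
    return [
        (ipaddress.ip_network(home_lan), "home-lan"),
        (ipaddress.ip_network(office_lan), "vpn"),
        (ipaddress.ip_network("0.0.0.0/0"), "home-router"),
    ]


def office_pc_table(office_lan: str) -> List[Route]:
    """PC in the office: its LAN plus a default route pointing at the FVS338."""
    return [
        (ipaddress.ip_network(office_lan), "office-lan"),
        (ipaddress.ip_network("0.0.0.0/0"), "fvs338"),
    ]


def check_setup(home_lan: str, office_lan: str, office_host: str, client_addr: str) -> List[str]:
    """Problems the two tables reveal for IP traffic between the client and one office host."""
    problems = []
    if subnets_overlap(home_lan, office_lan):
        problems.append("home and office LANs overlap; renumber one of them")
    if next_hop(client_table(home_lan, office_lan), office_host) != "vpn":
        problems.append(f"client sends packets for {office_host} to its home LAN, not into the tunnel")
    if next_hop(office_pc_table(office_lan), client_addr) != "fvs338":
        problems.append(f"office PCs send replies for {client_addr} onto the office LAN, never to the gateway")
    return problems


if __name__ == "__main__":
    # Same 192.168.1.0/24 on both ends (assumed): every check fails.
    print(check_setup("192.168.1.0/24", "192.168.1.0/24", "192.168.1.254", "192.168.1.50"))
    # Home renumbered to 192.168.2.0/24 (assumed): traffic goes through the tunnel both ways.
    print(check_setup("192.168.2.0/24", "192.168.1.0/24", "192.168.1.254", "192.168.2.50"))
```

This is why the ping must be done by IP address and not by name: a ping to 192.168.1.254 that comes back proves the packet went through the tunnel and the gateway answered, whereas a name lookup failing tells you nothing about the tunnel. It is also why overlapping subnets break the connection even though every status screen says the tunnel is up: the packets never enter it.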

Author Comment

by:helgevestin
ID: 24398619
I followed your advice but still no luck. I tried monkeying with the dns settings to have them as you said was necessary here and still no luck. Everything looks very ok however. The vpn software says the connection is fine, the netgear router says the IPsec SA connection is fine and the vpn log says that everything's ok. Again, everything looks ok but the vpn software says that there's no secured data exchange between the router and the vpn client and no pc in the domain can see the vpn client on a network browse and vice versa. Any more suggestions??

Expert Comment

by:Qlemo
ID: 24401847
You haven't been responsive to my two questions:
* ping with IP address
* local and remote network addresses conflicts
These are important to know.

You will not see the client in your office network. Exception: If you set up a WINS server, the VPN client might (!) register with it, and be visible to others. But don't count on that.


Author Comment

by:helgevestin
ID: 24405073
You're absolutely right! I can easily ping the office network gateway (the IP of the vpn router) from the vpn client pc but not vice versa (nor ping from any office network pc to the vpn client, for that matter, of course). Can you give me (or direct me to) an explicitly detailed example of a proper and working configuration for an office network with a vpn router (hopefully involving a NETGEAR ProSafe VPN Firewall FVS338) and a remote vpn client (hopefully involving another NETGEAR ProSafe VPN Firewall FVS338 or 318, or involving the Netgear Prosafe VPN client software 10.3.5 installed on the remote pc).

Accepted Solution

by:helgevestin
ID: 24414341
I solved the problem. I got another Netgear ProSafe VPN router of the same model. It was easy as heck to get the vpn going then. You were right, but a second vpn router of the same type saved a lot of time configuring. In less than 30 mins I had a good vpn going and can see everything throughout the network on either side now. Thanks for your helpful advice! It helped point me in the right direction!

Expert Comment

by:Qlemo
ID: 24414394
Another NetGear - that is an option ... Great that you got it to work that simply.

Expert Comment

by:Qlemo
ID: 24431487
Either delete the question, or accept your answer and one or two of mine if you want to give points, please.