lakeofafrica asked:

Netgear VPN Client to FVS318v3 issues

Hi All,

I have seen a number of posts similar to my problem but none have been able to help me and I am beginning to think this is a

Scenario
Have a client who has a FVS318v3 (latest firmware); they are trying to connect using the Netgear ProSafe client installed on a Windows 7 64-bit machine. To the best of my knowledge this is the network diagram:

VPN Client
|
ADSL Router
|
Internet
|
Public facing IP  (IP ADDR= fixed)
|
Netgear FVS318v3 -- Belkin Wireless (bridged mode) 172.30.1.
172.30.1.x
|
Internal network - 172.30.1.x

I have tried with the Netgear ProSafe client, and am now trying with the GreenBow client to establish a connection. I am getting close but falling over at the end. Below are the logs from the client and then the Netgear FVS.

GreenBow Client
2011-04-01  17:49:25 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
2011-04-01  17:49:28 Default (SA Gateway-P1) RECV phase 1 Aggressive Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [NAT_D] [VID]
2011-04-01  17:49:28 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode  [HASH] [NAT_D] [NAT_D]
2011-04-01  17:49:28 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-01  17:49:28 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:33 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default transport_send_messages: giving up on message 0193D3D0

Netgear FVS318v3

[2011-04-01 17:46:09][==== IKE PHASE 1(from x..x.x.x) START (responder) ====]
[2011-04-01 17:46:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,VID,KE,NONCE,ID
[2011-04-01 17:46:09]<LocalRID> Type=ID_FQDN,ID DATA=thegreenbow
[2011-04-01 17:46:09]<RemoteLID> Type=ID_FQDN,ID DATA=thegreenbow
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2011-04-01 17:46:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: HASH,NATD,NATD
[2011-04-01 17:46:12]**** AGGR MODE COMPLETED ****
[2011-04-01 17:46:12][==== IKE PHASE 1 ESTABLISHED====]
[2011-04-01 17:46:12][==== IKE PHASE 2(from x.x.x.x) START (responder) ====]
[2011-04-01 17:46:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2011-04-01 17:46:12]**** FOUND IDs,EXTRACT ID INFO ****
[2011-04-01 17:46:12]<Initiator IPADDR=0.0.0.0>
[2011-04-01 17:46:12]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>

I actually had this tunnel connected till the FVS device was rebooted (it was just not getting assigned an IP address) and now I receive the msg "giving up on message" from the client.

Anyone got ideas, pls throw them my way; anything from a new set of eyes might pick up what I am missing.
ASKER CERTIFIED SOLUTION
DarinTCH
This solution is only available to members.
Best results can be achieved with the NCP client: http://www.ncp-e.com. If you run into problems, you can contact NCP technical support and your problems will be resolved. This client rocks.
lakeofafrica (ASKER)

Thks DarinTCH, and have tried a number of different combinations as you suggested and as suggested via the troubleshooting guide without any success sadly.

All Virtual: I am just going to try the NCP client on a trial and let you know what happens.

cheers

Ok, I have gotten the tunnel open but now have another problem. The VPN has been established with the GreenBow client and the Netgear FVS318, but I can't see any IP addresses being assigned to my client. I can ping the Netgear and the server but no clients within the LAN.

I am thinking it's because the Netgear has not assigned me an IP address or that there is no routing information between the Netgear and the server. In any case I don't think Phase 2 is completing properly, although the Netgear is showing it's established the connection via its status.


netgear logs
[2011-04-12 09:47:15]**** FOUND IDs,EXTRACT ID INFO ****
[2011-04-12 09:47:15]<Initiator IPADDR=192.168.1.60>
[2011-04-12 09:47:15]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>
[2011-04-12 09:47:16]**** SENT OUT SECOND MESSAGE OF QUICK MODE ****
[2011-04-12 09:47:16]**** RECEIVED  THIRD MESSAGE OF QUICK MODE ****
[2011-04-12 09:47:16]<POLICY: work> PAYLOADS: HASH
[2011-04-12 09:47:18]**** QUICK MODE COMPLETED ****
[2011-04-12 09:47:18][==== IKE PHASE 2 ESTABLISHED====]
[2011-04-12 09:47:23]DISCARDING RETRANSMITTED PACKET...
[2011-04-12 09:47:28]DISCARDING RETRANSMITTED PACKET...
[2011-04-12 09:47:33]DISCARDING RETRANSMITTED PACKET...

Greenbow client log
2011-04-12  09:47:25 Default (SA vpn1_client-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
2011-04-12  09:47:29 Default (SA vpn1_client-P1) RECV phase 1 Aggressive Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [NAT_D] [VID]
2011-04-12  09:47:29 Default (SA vpn1_client-P1) SEND phase 1 Aggressive Mode  [HASH] [NAT_D] [NAT_D]
2011-04-12  09:47:29 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-12  09:47:29 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) RECV phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:37 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:42 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:47 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
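
As an added example (not part of the original thread or of either vendor's tooling), this Python script scans a GreenBow client log like the two posted above and reports which IKE message the client keeps retransmitting without a reply. The names `find_stalls`, `classify` and the three-send threshold are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Constructed sample: Quick Mode lines copied from the two GreenBow logs above.
SAMPLE = """\
2011-04-01  17:49:28 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:33 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:29 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) RECV phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:37 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:42 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:47 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
"""
LINE = re.compile(r"^(\S+)\s+(\S+) Default \(SA (\S+)\) (SEND|RECV) "
                  r"phase (\d) (.+?)\s+((?:\[\w+\] ?)+)$")
Stall = namedtuple("Stall", "sa message sends first last")

def classify(phase, mode, payloads):
    # Name the initiator's message from its payload list (IKEv1 Quick Mode).
    if phase == "2" and mode == "Quick Mode":
        if "[SA]" in payloads:
            return "Quick Mode message 1 (proposal + IDs)"
        if payloads == ["[HASH]"]:
            return "Quick Mode message 3 (final HASH)"
    return "phase %s %s" % (phase, mode)

def find_stalls(log_text, min_sends=3):
    """Return a Stall for each run of identical SENDs with no RECV in between."""
    runs, stalls = {}, []   # runs: SA name -> [key, sends, first, last]
    def flush(sa):
        key, sends, first, last = runs.pop(sa)
        if sends >= min_sends:
            stalls.append(Stall(sa, classify(*key), sends, first, last))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # not a SEND/RECV exchange line
        date, time, sa, direction, phase, mode, payloads = m.groups()
        key, stamp = (phase, mode, payloads.split()), date + " " + time
        if sa in runs and (direction == "RECV" or runs[sa][0] != key):
            flush(sa)   # the peer answered, or a different message went out
        if direction == "SEND":
            run = runs.setdefault(sa, [key, 0, stamp, stamp])
            run[1], run[3] = run[1] + 1, stamp
    for sa in list(runs):
        flush(sa)
    return stalls
```

On the sample, `find_stalls(SAMPLE)` reports Quick Mode message 1 sent three times in the 2011-04-01 log and the final `[HASH]` sent four times in the 2011-04-12 log, the latter lining up with the gateway's three `DISCARDING RETRANSMITTED PACKET` entries.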
SOLUTION
This solution is only available to members.
Used a combination of fixes to resolve this. DarinTCH's comments were helpful but not the complete answer.
That is what IKE config mode is for; it will distribute the subnets for the SAs. But I am not sure if Netgear can do this. Personally I would not use Netgear for VPN. Juniper is the best solution and they can do all this and more. As the old saying goes, you get what you pay for, and sometimes less.