Netgear VPN Client to FVS318v3 issues

Hi All,

I have seen a number of posts similar to my problem but none have been able to help me and I am beginning to think this is a

Scenario
Have a client who has an FVS318v3 (latest firmware); they are trying to connect using the Netgear ProSafe client installed on a Windows 7 64-bit machine. To the best of my knowledge this is the network diagram:

VPN Client
|
ADSL Router
|
Internet
|
Public facing IP  (IP ADDR= fixed)
|
Netgear FVS318v3 -- Belkin Wireless (bridged mode) 172.30.1.
172.30.1.x
|
Internal network - 172.30.1.x

I have tried with the Netgear ProSafe client, and am now trying with the GreenBow client to establish a connection. I am getting close but falling over at the end. Below are the logs from the client and then the Netgear FVS:

GreenBow Client
2011-04-01  17:49:25 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
2011-04-01  17:49:28 Default (SA Gateway-P1) RECV phase 1 Aggressive Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [NAT_D] [VID]
2011-04-01  17:49:28 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode  [HASH] [NAT_D] [NAT_D]
2011-04-01  17:49:28 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-01  17:49:28 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:33 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default transport_send_messages: giving up on message 0193D3D0

Netgear FVS318v3

[2011-04-01 17:46:09][==== IKE PHASE 1(from x..x.x.x) START (responder) ====]
[2011-04-01 17:46:09]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:09]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,VID,KE,NONCE,ID
[2011-04-01 17:46:09]<LocalRID> Type=ID_FQDN,ID DATA=thegreenbow
[2011-04-01 17:46:09]<RemoteLID> Type=ID_FQDN,ID DATA=thegreenbow
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2011-04-01 17:46:12]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:12]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: HASH,NATD,NATD
[2011-04-01 17:46:12]**** AGGR MODE COMPLETED ****
[2011-04-01 17:46:12][==== IKE PHASE 1 ESTABLISHED====]
[2011-04-01 17:46:12][==== IKE PHASE 2(from x.x.x.x) START (responder) ====]
[2011-04-01 17:46:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2011-04-01 17:46:12]<POLICY: vpn1_client> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2011-04-01 17:46:12]**** FOUND IDs,EXTRACT ID INFO ****
[2011-04-01 17:46:12]<Initiator IPADDR=0.0.0.0>
[2011-04-01 17:46:12]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>

I actually had this tunnel connected till the FVS device was rebooted (it was just not getting assigned an IP address) and now I receive the msg "giving up on message" from the client.

Anyone got ideas? Please throw them my way; a new set of eyes might pick up what I am missing.
lakeofafrica asked:
DarinTCH (Senior CyberSecurity Engineer) commented:
It seems your phase 2 of DH is not being received.

Saw this elsewhere; might help:

 
Hi,

If phase 2 Diffie-Hellman group is correctly configured
at both ends then your router is discarding the VPN client
phase 2 first message because you misconfigured phase 2
networking options.

Check that the client's 'Remote LAN address'/'Subnet Mask' are
identical to Netgear's 'Local LAN start IP address'/'Local
LAN IP subnet mask'. Set 'VPN client address' to 0.0.0.0,
set 'tunnel can access' to 'a single remote address' and
reset other subfields.




Allvirtual commented:
Best results can be achieved with the NCP client: http://www.ncp-e.com. If you run into problems you contact NCP technical support and your problems will be resolved. This client rocks.
DarinTCH (Senior CyberSecurity Engineer) commented:
lakeofafrica (Author) commented:
Thanks DarinTCH; I have tried a number of different combinations as you suggested and as suggested via the troubleshooting guide, without any success sadly.

Allvirtual: I am just going to try the NCP client on a trial and let you know what happens.

cheers

lakeofafrica (Author) commented:
OK, I have gotten the tunnel open but now have another problem. The VPN has been established with the GreenBow client and the Netgear FVS318, but I can't see any IP addresses being assigned to my client. I can ping the Netgear and the server but no clients within the LAN.

I am thinking it's because the Netgear has not assigned me an IP address, or that there is no routing information between the Netgear and the server. In any case I don't think Phase 2 is completing properly, although the Netgear is showing it's established the connection via its status.


Netgear logs
[2011-04-12 09:47:15]**** FOUND IDs,EXTRACT ID INFO ****
[2011-04-12 09:47:15]<Initiator IPADDR=192.168.1.60>
[2011-04-12 09:47:15]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>
[2011-04-12 09:47:16]**** SENT OUT SECOND MESSAGE OF QUICK MODE ****
[2011-04-12 09:47:16]**** RECEIVED  THIRD MESSAGE OF QUICK MODE ****
[2011-04-12 09:47:16]<POLICY: work> PAYLOADS: HASH
[2011-04-12 09:47:18]**** QUICK MODE COMPLETED ****
[2011-04-12 09:47:18][==== IKE PHASE 2 ESTABLISHED====]
[2011-04-12 09:47:23]DISCARDING RETRANSMITTED PACKET...
[2011-04-12 09:47:28]DISCARDING RETRANSMITTED PACKET...
[2011-04-12 09:47:33]DISCARDING RETRANSMITTED PACKET...

GreenBow client log
2011-04-12  09:47:25 Default (SA vpn1_client-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
2011-04-12  09:47:29 Default (SA vpn1_client-P1) RECV phase 1 Aggressive Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [NAT_D] [VID]
2011-04-12  09:47:29 Default (SA vpn1_client-P1) SEND phase 1 Aggressive Mode  [HASH] [NAT_D] [NAT_D]
2011-04-12  09:47:29 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-12  09:47:29 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) RECV phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:37 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:42 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:47 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]

[Screenshot: Netgear VPN Status]
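The two log pairs in this thread show two different phase 2 outcomes: on 1 April the client retransmits Quick Mode message 1 three times, the gateway logs the IDs it extracted from it and never answers, and the client gives up; on 12 April the gateway reaches "IKE PHASE 2 ESTABLISHED" and then discards the client's retransmissions, so IKE itself is complete. As an added example (not code from the thread, from Netgear or from TheGreenBow), the Python below parses excerpts of both GreenBow and FVS318v3 logs as they were posted and classifies where the exchange stalled. The line formats are taken from the posted logs; the classification rules are my own reading of them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Excerpts of the log pairs posted in this thread: 1 April (phase 2 never
# answered) and 12 April (phase 2 established, client keeps resending).
CLIENT_APR01 = """\
2011-04-01  17:49:28 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-01  17:49:28 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:33 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default (SA Gateway-Tunnel-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-01  17:49:38 Default transport_send_messages: giving up on message 0193D3D0
"""
GATEWAY_APR01 = """\
[2011-04-01 17:46:12][==== IKE PHASE 1 ESTABLISHED====]
[2011-04-01 17:46:12]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2011-04-01 17:46:12]<Initiator IPADDR=0.0.0.0>
[2011-04-01 17:46:12]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>
"""
CLIENT_APR12 = """\
2011-04-12  09:47:29 Default phase 1 done: initiator id thegreenbow, responder id netgear
2011-04-12  09:47:29 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) RECV phase 2 Quick Mode  [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [ID]
2011-04-12  09:47:30 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:37 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
2011-04-12  09:47:42 Default (SA vpn1_client-Tunnel1-P2) SEND phase 2 Quick Mode  [HASH]
"""
GATEWAY_APR12 = """\
[2011-04-12 09:47:15]**** FOUND IDs,EXTRACT ID INFO ****
[2011-04-12 09:47:15]<Initiator IPADDR=192.168.1.60>
[2011-04-12 09:47:15]<Responder IPADDR=172.30.1.0 MASK=255.255.255.0>
[2011-04-12 09:47:18][==== IKE PHASE 2 ESTABLISHED====]
[2011-04-12 09:47:23]DISCARDING RETRANSMITTED PACKET...
[2011-04-12 09:47:28]DISCARDING RETRANSMITTED PACKET...
"""

@dataclass
class ClientState:
    phase1_done: bool = False
    qm_sent: Dict[str, int] = field(default_factory=dict)  # payload list -> times SENT
    qm_recv: int = 0                                       # Quick Mode messages received
    gave_up: bool = False

@dataclass
class GatewayState:
    phase2_established: bool = False
    initiator_id: Optional[str] = None   # network the client proposed in its QM ID payload
    responder_id: Optional[str] = None   # LAN the gateway answers for
    discarded_retransmits: int = 0

QM_RE = re.compile(r"\) (SEND|RECV) phase 2 Quick Mode\s+(\[.*\])")
ID_RE = re.compile(r"<(Initiator|Responder) IPADDR=([\d.]+)(?: MASK=([\d.]+))?>")

def parse_client_log(text: str) -> ClientState:
    st = ClientState()
    for line in text.splitlines():
        if "phase 1 done" in line:
            st.phase1_done = True
        elif "giving up on message" in line:
            st.gave_up = True
        m = QM_RE.search(line)
        if m and m.group(1) == "SEND":
            st.qm_sent[m.group(2)] = st.qm_sent.get(m.group(2), 0) + 1
        elif m:
            st.qm_recv += 1
    return st

def parse_gateway_log(text: str) -> GatewayState:
    st = GatewayState()
    for line in text.splitlines():
        if "IKE PHASE 2 ESTABLISHED" in line:
            st.phase2_established = True
        elif "DISCARDING RETRANSMITTED PACKET" in line:
            st.discarded_retransmits += 1
        m = ID_RE.search(line)
        if m:
            who, ip, mask = m.groups()
            value = f"{ip}/{mask}" if mask else ip
            setattr(st, "initiator_id" if who == "Initiator" else "responder_id", value)
    return st

def diagnose(c: ClientState, g: GatewayState) -> str:
    """Classify where the IKE exchange stalled, using both sides' logs."""
    if not c.phase1_done:
        return "phase1-failed"
    if c.qm_recv == 0:
        sends = sum(c.qm_sent.values())
        if g.responder_id is not None:  # gateway parsed QM1's IDs but stayed silent
            return (f"phase2-unanswered: QM1 sent {sends}x; gateway saw IDs "
                    f"{g.initiator_id} -> {g.responder_id} and never replied; "
                    "compare phase 2 proposal and network settings on both ends")
        return f"phase2-unreachable: QM1 sent {sends}x and never logged by the gateway"
    if g.phase2_established:
        return (f"phase2-established: gateway discarded {g.discarded_retransmits} "
                "retransmitted packet(s); IKE is complete, so look at routing, not IKE")
    return "phase2-incomplete"

if __name__ == "__main__":
    print(diagnose(parse_client_log(CLIENT_APR01), parse_gateway_log(GATEWAY_APR01)))
    print(diagnose(parse_client_log(CLIENT_APR12), parse_gateway_log(GATEWAY_APR12)))
```

The split between "unanswered" and "unreachable" is the useful one for a responder: if the gateway logged the Quick Mode IDs, packets are arriving and the mismatch is in phase 2 configuration (the check DarinTCH quotes above); if it logged nothing, look at UDP 500/4500 and NAT traversal first. The clocks on the two devices in this thread also differ by about three minutes, so the script matches on sequence rather than on timestamps.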
lakeofafrica (Author) commented:
Resolved this issue, turned out they had an additional gateway that some clients were using instead of the Netgear.

Nothing can be done on the Netgear to do this, so I'm going to need to set up additional routes on the local clients that need to be accessed remotely, or set up a group policy to roll out an additional route to all clients.

The syntax for adding the route is found here:

http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

Remote PCs should have either a statically assigned IP or a DHCP-assigned IP from the VPN router.

If it is in a separate subnet, you can add a default route for the subnet.

If it is in the same subnet as your LAN, then you're going to have to add a default route for each IP address designated for the remote PCs.
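For the routing fix described above, here is an added example that is not part of the original thread or the linked guide: a Python helper that works out the persistent Windows `route -p ADD` commands a LAN host needs so that replies to VPN clients go via the VPN router instead of the other gateway. It applies the rule just stated: a VPN client subnet that is separate from the LAN gets one route, while client addresses inside the LAN's own subnet each get a host route. The router address 172.30.1.1 and the client addresses in the usage section are assumed values for illustration; the thread only says the LAN is 172.30.1.x.

```python
import ipaddress
from typing import Iterable, List

def plan_client_routes(lan_cidr: str, vpn_router_ip: str,
                       remote_addrs: Iterable[str]) -> List[str]:
    """Return the Windows `route -p ADD` commands a LAN host needs for the VPN
    clients in remote_addrs. Entries may be a whole subnet (192.168.1.0/24)
    or a single address; duplicates collapse to one command."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    router = ipaddress.ip_address(vpn_router_ip)
    if router not in lan:
        raise ValueError(f"VPN router {router} is not on the LAN {lan}")
    commands: List[str] = []

    def add(dest: ipaddress.IPv4Network) -> None:
        cmd = f"route -p ADD {dest.network_address} MASK {dest.netmask} {router}"
        if cmd not in commands:
            commands.append(cmd)

    for entry in remote_addrs:
        net = ipaddress.ip_network(entry, strict=False)
        if not net.overlaps(lan):
            add(net)  # separate subnet: one route covers every client in it
        else:
            # Same subnet as the LAN: a subnet route would shadow the local
            # hosts, so each VPN client address gets its own /32 host route.
            hosts = net.hosts() if net.num_addresses > 1 else [net.network_address]
            for host in hosts:
                add(ipaddress.ip_network(f"{host}/32"))
    return commands

if __name__ == "__main__":
    # Assumed values: VPN router at 172.30.1.1 on the 172.30.1.0/24 LAN, one
    # client subnet behind the VPN and one client address taken from the LAN range.
    for line in plan_client_routes("172.30.1.0/24", "172.30.1.1",
                                   ["192.168.1.0/24", "172.30.1.200"]):
        print(line)
```

The generated lines have to run from an elevated prompt on each host that remote users need to reach; the `-p` flag makes them survive reboots, which is what a startup-script group policy would want. Dropping the flag is the quick way to test a single route before rolling it out.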
lakeofafrica (Author) commented:
Used a combination of fixes to resolve this; DarinTCH's comments were helpful but not the complete answer.
Allvirtual commented:
That is what IKE config mode is for; it will distribute the subnets for the SAs. But I am not sure if Netgear can do this. Personally I would not use Netgear for VPN. Juniper is the best solution and they can do all this and more. As the old saying goes, you get what you pay for, and sometimes less.