[vpn-help] Problem connecting to Netgear SRX5308

Shad L. Lords slords at lordsfam.net
Mon Dec 13 13:33:13 CST 2010


Problem:

I'm trying to establish an IPSec VPN to a Netgear SRX5308 with the Shrew 
Soft VPN Client. I've got it configured correctly to do mode config and 
xauth. If I point the exact same configuration at my Netgear FVX538 or 
Netgear FVS336G (also set up the same as the SRX5308) it connects just 
fine. However on the SRX5308 I get an "invalid message from gateway" 
message on the VPN client.  I've tried using the 3.0.6-9.1 firmware as 
well as the beta 3.0.7-11.1 firmware.  They both behave the same way.

VPN Client Version = 2.1.7 and 2.2.0-alpha10
Windows OS Version = Windows 7 Ultimate (32-bit and 64-bit)
Gateway Make/Model = Netgear SRX5308 (broken)
Gateway OS Version = 3.0.6-9.1 and 3.0.7-11.1 (beta)

Gateway Make/Model = Netgear FVX538 and FVS336G (working)
Gateway OS Version = 3.0.6-29

In comparing the IKE decrypted packet dumps between the FVS336G and the 
SRX5308 they are the same up to the point of doing the mode config 
negotiation. The FVS336G does an ISAKMP_CFG_REQUEST (1) and receives an 
ISAKMP_CFG_REPLY (2) with all the data needed (ip, mask, dns, etc). The 
SRX5308 does the same ISAKMP_CFG_REQUEST (1) and receives an 
ISAKMP_CFG_SET (3) with the needed information (ip, mask, dns, etc). 
Because the packet is a SET instead of a REPLY the client doesn't 
recognize the packet as one it expects and fails to bring up the tunnel.

I've got packet captures of both firewalls that I can send if necessary.
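
A diagnostic for the type mismatch described in the message above, as an added example that is not part of the original post or of the Shrew Soft client: it parses a decrypted mode-config attribute payload and checks its message type against what the client sent. The payload layout follows the ISAKMP Configuration Method draft; `build`, `check_answer` and the sample addresses are hypothetical names and constructed data.

```python
import ipaddress
import struct

# Attribute payload message types and the IPv4 attributes decoded here.
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
             3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS"}
EXPECTED_ANSWER = {1: 2, 3: 4}  # REQUEST -> REPLY (pull), SET -> ACK (push)

def build(cfg_type, attrs, ident=0):  # hypothetical helper for constructed payloads
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, ident) + body

def parse_cfg_payload(buf):
    """Parse one decrypted attribute payload into (type, identifier, attrs)."""
    if len(buf) < 8:
        raise ValueError("shorter than the 8-byte payload header")
    _, _, length, cfg_type, _, ident = struct.unpack("!BBHBBH", buf[:8])
    if not 8 <= length <= len(buf):
        raise ValueError("payload length field out of range")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if atype & 0x8000:  # AF=1: the 2-byte field is the value itself
            value = alen.to_bytes(2, "big")
        else:               # AF=0: the field is the length of the value
            if off + alen > length:
                raise ValueError("attribute value overruns payload")
            value, off = buf[off:off + alen], off + alen
        code = atype & 0x7FFF
        if code in ATTRS and len(value) == 4:
            value = str(ipaddress.IPv4Address(value))
        attrs.append((ATTRS.get(code, "attr_%d" % code), value))
    return cfg_type, ident, attrs

def check_answer(sent_type, received):
    """Report whether the gateway's payload type answers what the client sent."""
    cfg_type, _ident, attrs = parse_cfg_payload(received)
    want = EXPECTED_ANSWER.get(sent_type)
    got = CFG_TYPES.get(cfg_type, "unknown(%d)" % cfg_type)
    if cfg_type == want:
        return "ok: %s with %d attribute(s)" % (got, len(attrs))
    return "mismatch: sent %s, expected %s, got %s" % (
        CFG_TYPES[sent_type], CFG_TYPES.get(want, "nothing"), got)
# Constructed sample attributes (documentation address range), not from the post.
SAMPLE = [(1, bytes([192, 0, 2, 10])), (2, bytes([255, 255, 255, 0]))]
```

Calling `check_answer(1, build(3, SAMPLE))` reproduces the SRX5308 case: the attributes parse cleanly, but the payload is reported as a SET where a REPLY was expected.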


