[Vpn-help] Help configuring Netgear FVX538 router

Charles Buckley ceb at mauto.com
Wed Dec 9 17:17:45 CST 2009


I published a couple of posts about this - I'm waiting for an escalation
with Netgear to go through.  It seems their customer support people can just
misrepresent issues they don't understand, and their management will believe
it.


I don't have time to redo the whole thing, but it is possible to get this to
work.


You must set up a VPN policy - mode-config doesn't work.  This means you
must manually configure the VPN IP address of each client that connects.
This IP address must be on a different subnet than the LAN.

The remote IP mask of the VPN policy must be set to 'any,' which means that
NetBIOS broadcasts don't work.  All these behaviours (with the exception of
no mode config) also occur with the Netgear supplied client (cutting Shrew
out of the equation completely).  But mode-config does work with the
Netgear-supplied client.  Netgear are informed of this, but they've chosen
to distort and/or ignore the issues.


Those are the main caveats to getting things to work.  There may be a few
others - search the archives.


From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Mike Crowe
Sent: Wednesday, December 09, 2009 10:34 PM
To: vpn-help at lists.shrew.net
Subject: [Vpn-help] Help configuring Netgear FVX538 router

Hi folks,

I'm following the instructions at
http://www.shrew.net/support/wiki/HowtoNetgear, and I can't seem to get the
shrew client to connect.  When I try and initiate a connection, I repeatedly
see:

09/12/09 16:14:45 -> : send IKE packet 192.168.1.15:500 ->
XX.XXX.XXX.198:500 ( 1177 bytes )
09/12/09 16:14:45 DB : phase1 resend event scheduled ( ref count = 2 )
09/12/09 16:14:50 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
XX.XXX.XXX.198:500

(full log below).  If I look at this, it almost appears that the Netgear
isn't listening on port 500.  Could that be possible?

Based on this setup, two questions:

1)  I don't have to set up a VPN policy, right?
2)  I don't have to adjust any port forwarding or other rules, right?  I
don't have any port 500 rules in place now.



09/12/09 16:10:31 ## : IKE Daemon, ver 2.1.5
09/12/09 16:10:31 ## : Copyright 2009 Shrew Soft Inc.
09/12/09 16:10:31 ## : This product linked OpenSSL 0.9.8h 28 May 2008
09/12/09 16:10:31 ii : opened 'C:\Program Files\ShrewSoft\VPN
Client\debug\iked.log'
09/12/09 16:10:31 ii : rebuilding vnet device list ...
09/12/09 16:10:31 ii : device ROOT\VNET\0000 disabled
09/12/09 16:10:31 ii : network process thread begin ...
09/12/09 16:10:31 ii : ipc server process thread begin ...
09/12/09 16:10:31 ii : pfkey process thread begin ...
09/12/09 16:10:33 ii : ipc client process thread begin ...
09/12/09 16:10:33 <A : peer config add message
09/12/09 16:10:33 DB : peer added ( obj count = 1 )
09/12/09 16:10:33 ii : local address 192.168.1.15 selected for peer
09/12/09 16:10:33 DB : tunnel added ( obj count = 1 )
09/12/09 16:10:33 <A : proposal config message
09/12/09 16:10:33 <A : proposal config message
09/12/09 16:10:33 <A : client config message
09/12/09 16:10:33 <A : xauth username message
09/12/09 16:10:33 <A : xauth password message
09/12/09 16:10:33 <A : local id 'vpn.zipitwireless.com' message
09/12/09 16:10:33 <A : preshared key message
09/12/09 16:10:33 <A : remote resource message
09/12/09 16:10:33 <A : peer tunnel enable message
09/12/09 16:10:33 DB : new phase1 ( ISAKMP initiator )
09/12/09 16:10:33 DB : exchange type is aggressive
09/12/09 16:10:33 DB : 192.168.1.15:500 <-> 74.223.161.198:500
09/12/09 16:10:33 DB : 779787518ff0cc3a:0000000000000000
09/12/09 16:10:33 DB : phase1 added ( obj count = 1 )
09/12/09 16:10:33 >> : security association payload
09/12/09 16:10:33 >> : - proposal #1 payload 
09/12/09 16:10:33 >> : -- transform #1 payload 
09/12/09 16:10:33 >> : -- transform #2 payload 
09/12/09 16:10:33 >> : -- transform #3 payload 
09/12/09 16:10:33 >> : -- transform #4 payload 
09/12/09 16:10:33 >> : -- transform #5 payload 
09/12/09 16:10:33 >> : -- transform #6 payload 
09/12/09 16:10:33 >> : -- transform #7 payload 
09/12/09 16:10:33 >> : -- transform #8 payload 
09/12/09 16:10:33 >> : -- transform #9 payload 
09/12/09 16:10:33 >> : -- transform #10 payload 
09/12/09 16:10:33 >> : -- transform #11 payload 
09/12/09 16:10:33 >> : -- transform #12 payload 
09/12/09 16:10:33 >> : -- transform #13 payload 
09/12/09 16:10:33 >> : -- transform #14 payload 
09/12/09 16:10:33 >> : -- transform #15 payload 
09/12/09 16:10:33 >> : -- transform #16 payload 
09/12/09 16:10:33 >> : -- transform #17 payload 
09/12/09 16:10:33 >> : -- transform #18 payload 
09/12/09 16:10:33 >> : key exchange payload
09/12/09 16:10:33 >> : nonce payload
09/12/09 16:10:33 >> : identification payload
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports XAUTH
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports nat-t ( draft v00 )
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports nat-t ( draft v01 )
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports nat-t ( draft v02 )
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports nat-t ( draft v03 )
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports nat-t ( rfc )
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local supports FRAGMENTATION
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local is SHREW SOFT compatible
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local is NETSCREEN compatible
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local is SIDEWINDER compatible
09/12/09 16:10:33 >> : vendor id payload
09/12/09 16:10:33 ii : local is CISCO UNITY compatible
09/12/09 16:10:33 >= : cookies 779787518ff0cc3a:0000000000000000
09/12/09 16:10:33 >= : message 00000000
09/12/09 16:10:33 -> : send IKE packet 192.168.1.15:500 ->
74.223.161.198:500 ( 1177 bytes )
09/12/09 16:10:33 DB : phase1 resend event scheduled ( ref count = 2 )
09/12/09 16:10:38 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:10:43 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:10:48 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:10:53 ii : resend limit exceeded for phase1 exchange
09/12/09 16:10:53 ii : phase1 removal before expire time
09/12/09 16:10:53 DB : phase1 deleted ( obj count = 0 )
09/12/09 16:10:53 DB : policy not found
09/12/09 16:10:53 DB : policy not found
09/12/09 16:10:53 DB : tunnel stats event canceled ( ref count = 1 )
09/12/09 16:10:53 DB : removing tunnel config references
09/12/09 16:10:53 DB : removing tunnel phase2 references
09/12/09 16:10:53 DB : removing tunnel phase1 references
09/12/09 16:10:53 DB : tunnel deleted ( obj count = 0 )
09/12/09 16:10:53 DB : removing all peer tunnel refrences
09/12/09 16:10:53 DB : peer deleted ( obj count = 0 )
09/12/09 16:10:53 ii : ipc client process thread exit ...
09/12/09 16:13:03 ii : ipc client process thread begin ...
09/12/09 16:13:03 <A : peer config add message
09/12/09 16:13:03 DB : peer added ( obj count = 1 )
09/12/09 16:13:03 ii : local address 192.168.1.15 selected for peer
09/12/09 16:13:03 DB : tunnel added ( obj count = 1 )
09/12/09 16:13:03 <A : proposal config message
09/12/09 16:13:03 <A : proposal config message
09/12/09 16:13:03 <A : client config message
09/12/09 16:13:03 <A : xauth username message
09/12/09 16:13:03 <A : xauth password message
09/12/09 16:13:03 <A : local id 'vpn.zipitwireless.com' message
09/12/09 16:13:03 <A : preshared key message
09/12/09 16:13:03 <A : remote resource message
09/12/09 16:13:03 <A : peer tunnel enable message
09/12/09 16:13:03 DB : new phase1 ( ISAKMP initiator )
09/12/09 16:13:03 DB : exchange type is aggressive
09/12/09 16:13:03 DB : 192.168.1.15:500 <-> 74.223.161.198:500
09/12/09 16:13:03 DB : d83d366fe6644d88:0000000000000000
09/12/09 16:13:03 DB : phase1 added ( obj count = 1 )
09/12/09 16:13:03 >> : security association payload
09/12/09 16:13:03 >> : - proposal #1 payload 
09/12/09 16:13:03 >> : -- transform #1 payload 
09/12/09 16:13:03 >> : -- transform #2 payload 
09/12/09 16:13:03 >> : -- transform #3 payload 
09/12/09 16:13:03 >> : -- transform #4 payload 
09/12/09 16:13:03 >> : -- transform #5 payload 
09/12/09 16:13:03 >> : -- transform #6 payload 
09/12/09 16:13:03 >> : -- transform #7 payload 
09/12/09 16:13:03 >> : -- transform #8 payload 
09/12/09 16:13:03 >> : -- transform #9 payload 
09/12/09 16:13:03 >> : -- transform #10 payload 
09/12/09 16:13:03 >> : -- transform #11 payload 
09/12/09 16:13:03 >> : -- transform #12 payload 
09/12/09 16:13:03 >> : -- transform #13 payload 
09/12/09 16:13:03 >> : -- transform #14 payload 
09/12/09 16:13:03 >> : -- transform #15 payload 
09/12/09 16:13:03 >> : -- transform #16 payload 
09/12/09 16:13:03 >> : -- transform #17 payload 
09/12/09 16:13:03 >> : -- transform #18 payload 
09/12/09 16:13:03 >> : key exchange payload
09/12/09 16:13:03 >> : nonce payload
09/12/09 16:13:03 >> : identification payload
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports XAUTH
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports nat-t ( draft v00 )
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports nat-t ( draft v01 )
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports nat-t ( draft v02 )
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports nat-t ( draft v03 )
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports nat-t ( rfc )
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local supports FRAGMENTATION
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local is SHREW SOFT compatible
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local is NETSCREEN compatible
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local is SIDEWINDER compatible
09/12/09 16:13:03 >> : vendor id payload
09/12/09 16:13:03 ii : local is CISCO UNITY compatible
09/12/09 16:13:03 >= : cookies d83d366fe6644d88:0000000000000000
09/12/09 16:13:03 >= : message 00000000
09/12/09 16:13:03 -> : send IKE packet 192.168.1.15:500 ->
74.223.161.198:500 ( 1177 bytes )
09/12/09 16:13:03 DB : phase1 resend event scheduled ( ref count = 2 )
09/12/09 16:13:08 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:13:13 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:13:18 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:13:23 ii : resend limit exceeded for phase1 exchange
09/12/09 16:13:23 ii : phase1 removal before expire time
09/12/09 16:13:23 DB : phase1 deleted ( obj count = 0 )
09/12/09 16:13:23 DB : policy not found
09/12/09 16:13:23 DB : policy not found
09/12/09 16:13:23 DB : tunnel stats event canceled ( ref count = 1 )
09/12/09 16:13:23 DB : removing tunnel config references
09/12/09 16:13:23 DB : removing tunnel phase2 references
09/12/09 16:13:23 DB : removing tunnel phase1 references
09/12/09 16:13:23 DB : tunnel deleted ( obj count = 0 )
09/12/09 16:13:23 DB : removing all peer tunnel refrences
09/12/09 16:13:23 DB : peer deleted ( obj count = 0 )
09/12/09 16:13:23 ii : ipc client process thread exit ...
09/12/09 16:14:45 ii : ipc client process thread begin ...
09/12/09 16:14:45 <A : peer config add message
09/12/09 16:14:45 DB : peer added ( obj count = 1 )
09/12/09 16:14:45 ii : local address 192.168.1.15 selected for peer
09/12/09 16:14:45 DB : tunnel added ( obj count = 1 )
09/12/09 16:14:45 <A : proposal config message
09/12/09 16:14:45 <A : proposal config message
09/12/09 16:14:45 <A : client config message
09/12/09 16:14:45 <A : xauth username message
09/12/09 16:14:45 <A : xauth password message
09/12/09 16:14:45 <A : local id 'vpn.zipitwireless.com' message
09/12/09 16:14:45 <A : preshared key message
09/12/09 16:14:45 <A : remote resource message
09/12/09 16:14:45 <A : peer tunnel enable message
09/12/09 16:14:45 DB : new phase1 ( ISAKMP initiator )
09/12/09 16:14:45 DB : exchange type is aggressive
09/12/09 16:14:45 DB : 192.168.1.15:500 <-> 74.223.161.198:500
09/12/09 16:14:45 DB : 76b900f17cca669d:0000000000000000
09/12/09 16:14:45 DB : phase1 added ( obj count = 1 )
09/12/09 16:14:45 >> : security association payload
09/12/09 16:14:45 >> : - proposal #1 payload 
09/12/09 16:14:45 >> : -- transform #1 payload 
09/12/09 16:14:45 >> : -- transform #2 payload 
09/12/09 16:14:45 >> : -- transform #3 payload 
09/12/09 16:14:45 >> : -- transform #4 payload 
09/12/09 16:14:45 >> : -- transform #5 payload 
09/12/09 16:14:45 >> : -- transform #6 payload 
09/12/09 16:14:45 >> : -- transform #7 payload 
09/12/09 16:14:45 >> : -- transform #8 payload 
09/12/09 16:14:45 >> : -- transform #9 payload 
09/12/09 16:14:45 >> : -- transform #10 payload 
09/12/09 16:14:45 >> : -- transform #11 payload 
09/12/09 16:14:45 >> : -- transform #12 payload 
09/12/09 16:14:45 >> : -- transform #13 payload 
09/12/09 16:14:45 >> : -- transform #14 payload 
09/12/09 16:14:45 >> : -- transform #15 payload 
09/12/09 16:14:45 >> : -- transform #16 payload 
09/12/09 16:14:45 >> : -- transform #17 payload 
09/12/09 16:14:45 >> : -- transform #18 payload 
09/12/09 16:14:45 >> : key exchange payload
09/12/09 16:14:45 >> : nonce payload
09/12/09 16:14:45 >> : identification payload
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports XAUTH
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports nat-t ( draft v00 )
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports nat-t ( draft v01 )
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports nat-t ( draft v02 )
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports nat-t ( draft v03 )
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports nat-t ( rfc )
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local supports FRAGMENTATION
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local is SHREW SOFT compatible
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local is NETSCREEN compatible
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local is SIDEWINDER compatible
09/12/09 16:14:45 >> : vendor id payload
09/12/09 16:14:45 ii : local is CISCO UNITY compatible
09/12/09 16:14:45 >= : cookies 76b900f17cca669d:0000000000000000
09/12/09 16:14:45 >= : message 00000000
09/12/09 16:14:45 -> : send IKE packet 192.168.1.15:500 ->
74.223.161.198:500 ( 1177 bytes )
09/12/09 16:14:45 DB : phase1 resend event scheduled ( ref count = 2 )
09/12/09 16:14:50 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:14:55 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:15:00 -> : resend 1 phase1 packet(s) 192.168.1.15:500 ->
74.223.161.198:500
09/12/09 16:15:05 ii : resend limit exceeded for phase1 exchange
09/12/09 16:15:05 ii : phase1 removal before expire time
09/12/09 16:15:05 DB : phase1 deleted ( obj count = 0 )
09/12/09 16:15:05 DB : policy not found
09/12/09 16:15:05 DB : policy not found
09/12/09 16:15:05 DB : tunnel stats event canceled ( ref count = 1 )
09/12/09 16:15:05 DB : removing tunnel config references
09/12/09 16:15:05 DB : removing tunnel phase2 references
09/12/09 16:15:05 DB : removing tunnel phase1 references
09/12/09 16:15:05 DB : tunnel deleted ( obj count = 0 )
09/12/09 16:15:06 DB : removing all peer tunnel refrences
09/12/09 16:15:06 DB : peer deleted ( obj count = 0 )
09/12/09 16:15:06 ii : ipc client process thread exit ...
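As an added example (not part of either message), a small Python analyser for the Shrew Soft iked.log lines Mike pasted: it groups the log into phase1 attempts, counts the packets sent, resent and received for each, and reports "peer-silent" when every attempt hit the resend limit without a single packet coming back, which is exactly the pattern above and is what a gateway that is unreachable, filtered, or not listening on UDP 500 looks like from the client side. The sample log is constructed (documentation-range peer address, the mail-wrapped "send" lines rejoined, and a second attempt with a reply invented for contrast); the "<- : recv IKE packet" inbound line is an assumed format, not taken from the post.

```python
import re

# Constructed iked.log excerpt modelled on the post's log: documentation-range peer,
# wrapped "send" lines rejoined, plus an invented replied attempt ("<- : recv" format assumed).
SAMPLE_LOG = """\
09/12/09 16:10:33 DB : new phase1 ( ISAKMP initiator )
09/12/09 16:10:33 DB : exchange type is aggressive
09/12/09 16:10:33 DB : 192.168.1.15:500 <-> 203.0.113.10:500
09/12/09 16:10:33 -> : send IKE packet 192.168.1.15:500 -> 203.0.113.10:500 ( 1177 bytes )
09/12/09 16:10:38 -> : resend 1 phase1 packet(s) 192.168.1.15:500 -> 203.0.113.10:500
09/12/09 16:10:43 -> : resend 1 phase1 packet(s) 192.168.1.15:500 -> 203.0.113.10:500
09/12/09 16:10:53 ii : resend limit exceeded for phase1 exchange
09/12/09 16:13:03 DB : new phase1 ( ISAKMP initiator )
09/12/09 16:13:03 -> : send IKE packet 192.168.1.15:500 -> 203.0.113.10:500 ( 1177 bytes )
09/12/09 16:13:04 <- : recv IKE packet 203.0.113.10:500 -> 192.168.1.15:500 ( 388 bytes )
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S+) : (.*)$")  # timestamp, tag, message

def parse_attempts(log_text):
    """Group iked.log lines into phase1 attempts; mail-wrapped continuation lines are skipped."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or (cur is None and "new phase1" not in line):
            continue  # continuation fragment, non-log line, or noise before the first attempt
        _, tag, msg = m.groups()
        if msg.startswith("new phase1"):
            cur = {"peer": None, "exchange": None, "sent": 0, "resent": 0, "received": 0, "outcome": "incomplete"}
            attempts.append(cur)
        elif msg.startswith("exchange type is "):
            cur["exchange"] = msg.split(" is ", 1)[1]          # e.g. "aggressive"
        elif tag == "DB" and " <-> " in msg:
            cur["peer"] = msg.split(" <-> ")[1]                # remote addr:port
        elif tag == "->" and msg.startswith("send IKE packet"):
            cur["sent"] += 1
        elif tag == "->" and msg.startswith("resend "):
            cur["resent"] += int(msg.split()[1])               # "resend N phase1 packet(s) ..."
        elif tag == "<-" and msg.startswith("recv IKE packet"):  # assumed inbound line format
            cur["received"] += 1
            cur["outcome"] = "replied"
        elif msg.startswith("resend limit exceeded"):
            cur["outcome"] = "timeout"
    return attempts

def diagnose(attempts):
    # "peer-silent": every attempt timed out with nothing received, the post's symptom.
    if attempts and all(a["received"] == 0 and a["outcome"] == "timeout" for a in attempts):
        return "peer-silent"
    return "peer-responding" if attempts else "no-attempts"
```

On the real log, `diagnose(parse_attempts(open(path).read()))` returns "peer-silent" for all three attempts, so the next thing to check is whether UDP 500 from the client actually reaches the gateway, not the client's proposal settings.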
