[vpn-help] Shrew Client with Netgear FVX538

Matthew Grooms mgrooms at shrew.net
Mon Aug 23 23:36:19 CDT 2010


On 8/20/2010 10:04 PM, Nathan Morrow wrote:
>> 2.
>>
>> If I try to use the netgear example on the shrew website (ike config
>> pull), I get
>>
>> “config message type is invalid for pull config”
>>
>> in the shrew trace log and
>>
>> [IKE] ISAKMP-SA established for WORKIP[4500]-REMOTEIP[4500] with
>> spi:2a66a846b45e6422:7b1231493b23d4cb
>>
>> [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
>>
>> [IKE] Short payload
>>
>> in the netgear log.
>>
>> Not sure what needs to change on the client side to make it a valid config.
>>
>
> I believe another user was experiencing problems with his netgear until
> they upgraded the firmware. Are you running the latest version?
>
> I updated to the latest firmware and YES it did help.  I got a connection.  But read below for the dirt.  Not exactly as in the example.
>
>> 3.
>>
>> If I change that mode to “Ike config push” and actually fill in all the
>> necessary info in the shrew client that was set to auto, it gets much
>> further, but then I get
>>
>> resend 1 phase2 packet(s) 192.168.50.132:4500 ->  WORKIP:4500
>>
>>    in the shrew trace log.  And
>>
>> No policy found: 192.168.2.5/32[0] 192.168.0.0/24[0] proto=any dir=in
>> 2010 Aug 18 04:16:57 [IKE] Failed to get proposal for
>> responder.
>>
>> in the netgear log. Not sure if I am hosing everything with that
>> change.  But I did get further.
>>
>> As always, any help is appreciated.  I am running 2.1.6 with DPD turned
>> off on both ends.
>>
>
> You should definitely be using 'ike config pull' with netgear. They use
> the ipsec-tools based racoon daemon. If you still have problems after
> upgrading your firmware, try gathering some debug output and sending it
> to me directly. I'll have a look.
>
> As stated above, I got the VPN to connect and work.  But not with 'ike config pull'.  That still fails with an invalid config message in the shrew trace log.  But if I take the exact same configuration and just change it to 'ike config push', it actually worked.  Connected with an IP and able to see the internal network.
>
> Is there an issue with doing push?
> Doesn't make much sense to me since I didn't fill in the rest of the details (DNS, IP, etc).
>

No, there is no issue with doing push. I'm just surprised. Netgear is 
obviously using vastly different firmware for different gateway models. 
I have an FVS338 in my lab, and it uses ipsec-tools racoon which only 
supports the ike pull method. But if you are receiving an IP 
address and DNS settings, it sounds like push is working for you. Go 
with it :)

-Matthew
