[vpn-help] Problem connecting to Netgear SRX5308

Shad L. Lords slords at lordsfam.net
Mon Dec 13 14:08:33 CST 2010


On 12/13/2010 1:04 PM, Alexis La Goutte wrote:
> Hi,
>
> Which mode do you use? Xauth? ModeConfig?
> Because there is a "known issue" with NETGEAR Router and ModeConfig
> without XAUTH.
>
> http://lists.shrew.net/pipermail/vpn-help/2010-February/001962.html

I'm aware of this and have both xauth and modeconfig set up.  (See second 
sentence below).  As I also mentioned, I can successfully connect to two 
other Netgear VPN routers.  It is just the SRX5308 that I can't.  I've 
got all three devices set up identically and I just change the connect-to 
address in the shrew client.

-Shad

> On Mon, Dec 13, 2010 at 8:33 PM, Shad L. Lords <slords at lordsfam.net
> <mailto:slords at lordsfam.net>> wrote:
>
>     Problem:
>
>     I'm trying to establish an IPSec VPN to a Netgear SRX5308 with the
>     Shrew Soft VPN Client. I've got it configured correctly to do mode
>     config and xauth. If I point the exact same configuration at my
>     Netgear FVX538 or Netgear FVS336G (also set up the same as the
>     SRX5308) it connects just fine. However, on the SRX5308 I get an
>     "invalid message from gateway" message on the VPN client.  I've
>     tried using the 3.0.6-9.1 firmware as well as the beta 3.0.7-11.1
>     firmware.  They both behave the same way.
>
>     VPN Client Version = 2.1.7 and 2.2.0-alpha10
>     Windows OS Version = Windows 7 Ultimate (32-bit and 64-bit)
>     Gateway Make/Model = Netgear SRX5308 (broken)
>     Gateway OS Version = 3.0.6-9.1 and 3.0.7-11.1 (beta)
>
>     Gateway Make/Model = Netgear FVX538 and FVS336G (working)
>     Gateway OS Version = 3.0.6-29
>
>     In comparing the IKE decrypted packet dumps between the FVS336G and
>     the SRX5308 they are the same up to the point of doing the mode
>     config negotiation. The FVS336G does an ISAKMP_CFG_REQUEST (1) and
>     receives an ISAKMP_CFG_REPLY (2) with all the data needed (ip, mask,
>     dns, etc). The SRX5308 does the same ISAKMP_CFG_REQUEST (1) and
>     receives an ISAKMP_CFG_SET (3) with the needed information (ip, mask,
>     dns, etc). Because the packet is a SET instead of a REPLY the client
>     doesn't recognize the packet as one it expects and fails to bring up
>     the tunnel.
>
>     I've got packet captures of both firewalls that I can send if necessary.
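The REQUEST/REPLY versus REQUEST/SET mismatch described in the quoted report can be checked mechanically on decrypted mode-config payloads. The following is an added example, not part of the original thread and not Shrew Soft or Netgear code: it assumes the attribute payload layout of the ISAKMP mode-config draft, the function names are hypothetical, and the sample payloads and addresses are constructed rather than taken from the poster's captures.

```python
import struct
from ipaddress import IPv4Address

# Type and attribute numbers as used in the ISAKMP mode-config draft.
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
             3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS"}
EXPECTED_ANSWER = {1: 2, 3: 4}  # REQUEST -> REPLY (pull), SET -> ACK (push)

def parse_cfg_payload(buf):
    """Parse one decrypted ISAKMP Attribute payload into (type, id, attrs)."""
    if len(buf) < 8:
        raise ValueError("truncated attribute payload header")
    _np, _r1, length, cfg_type, _r2, ident = struct.unpack("!BBHBBH", buf[:8])
    if not 8 <= length <= len(buf):
        raise ValueError("payload length field out of range")
    attrs, off = {}, 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute header")
        atype, lv = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if atype & 0x8000:            # AF bit set: 2-byte value held in the length field
            value = struct.pack("!H", lv)
        else:                         # AF bit clear: lv is the value length
            if off + lv > length:
                raise ValueError("attribute overruns payload")
            value, off = buf[off:off + lv], off + lv
        name = ATTRS.get(atype & 0x7FFF, "attr_%d" % (atype & 0x7FFF))
        attrs[name] = str(IPv4Address(value)) if len(value) == 4 else value.hex()
    return cfg_type, ident, attrs

def diagnose(sent, received):
    """Compare the client's payload type with the type of the gateway's answer."""
    s_type, _, _ = parse_cfg_payload(sent)
    r_type, _, attrs = parse_cfg_payload(received)
    if EXPECTED_ANSWER.get(s_type) == r_type:
        return "ok", attrs
    return "unexpected %s in answer to %s" % (
        CFG_TYPES.get(r_type, r_type), CFG_TYPES.get(s_type, s_type)), attrs

def build(cfg_type, ident, attrs):
    """Build a constructed sample payload (not taken from the poster's captures)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, ident) + body

LEASE = [(1, IPv4Address("192.0.2.10").packed), (2, IPv4Address("255.255.255.0").packed),
         (3, IPv4Address("192.0.2.1").packed)]
REQUEST = build(1, 0x1234, [(1, b""), (2, b""), (3, b"")])
REPLY, SET = build(2, 0x1234, LEASE), build(3, 0x1234, LEASE)
```

`diagnose(REQUEST, SET)` reports the type mismatch while still returning the address, mask and DNS attributes, which matches the report that the SET carries the needed information but under a type the client does not expect.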
