[vpn-help] Problem report - NetGear modeConfig without XAUTH

Matthew Grooms mgrooms at shrew.net
Thu Feb 18 23:39:35 CST 2010


On 2/11/2010 7:58 AM, Alexis La Goutte wrote:
> Hi All
>
> I made a test with a FVS336G with the latest firmware available
> and I have the same problem.
>
> I analysed the IKE trace and I see the router sends an ISAKMP_CFG_SET(3) in
> Config Mode to reply to an ISAKMP_CFG_REQUEST (frames 5 and 6 of Michal's
> packet capture).
>
> I am not an IPsec expert but I think it's a bug in the router.
>
> Matthew, can you confirm?
>

I agree with your assessment. The client sends an ISAKMP_CFG_REQUEST
which should be answered with an ISAKMP_CFG_REPLY. Instead it sends an
ISAKMP_CFG_SET. This is clearly defined in section (2) of the modecfg
draft doc ...

http://tools.ietf.org/id/draft-ietf-ipsec-isakmp-mode-cfg-05.txt

Your best bet is to take this up with Netgear. They use the ipsec-tools
racoon IKE daemon under the hood. However, they are probably using a
very old version or have made some local patches that break things.

-Matthew
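
Added example, not part of the original message and not ipsec-tools or Shrew Soft code: a small checker for the rule discussed above, that an ISAKMP_CFG_REQUEST is answered by an ISAKMP_CFG_REPLY and an ISAKMP_CFG_SET by an ISAKMP_CFG_ACK. It assumes the attribute payloads are already decrypted, as they appear in a daemon's IKE trace, and the sample bytes are constructed, not taken from the capture in this thread.

```python
import struct

# Attribute payload message types from the mode-cfg draft
CFG_TYPES = {1: "ISAKMP_CFG_REQUEST", 2: "ISAKMP_CFG_REPLY",
             3: "ISAKMP_CFG_SET", 4: "ISAKMP_CFG_ACK"}
# Expected answer for each message type that starts an exchange
EXPECTED_ANSWER = {1: 2, 3: 4}


def parse_attr_payload(buf):
    """Parse one decrypted ISAKMP attribute payload into a dict."""
    if len(buf) < 8:
        raise ValueError("attribute payload shorter than its 8-byte header")
    _next, _rsv, length, cfg_type, _rsv2, ident = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("payload length field out of range")
    attrs, off = [], 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if a_type & 0x8000:   # AF=1: short form, the value sits in the length field
            attrs.append((a_type & 0x7FFF, struct.pack("!H", a_len)))
        else:                 # AF=0: TLV form, a_len bytes of value follow
            if off + a_len > length:
                raise ValueError("attribute value overruns payload")
            attrs.append((a_type, buf[off:off + a_len]))
            off += a_len
    return {"type": cfg_type, "id": ident, "attrs": attrs}


def check_answer(sent, received):
    """Return None if `received` is a valid answer to `sent`, else a description."""
    want = EXPECTED_ANSWER.get(sent["type"])
    if want is None:
        return f"{CFG_TYPES.get(sent['type'], sent['type'])} does not start an exchange"
    if received["type"] != want:
        return (f"{CFG_TYPES[sent['type']]} answered with "
                f"{CFG_TYPES.get(received['type'], received['type'])}, "
                f"expected {CFG_TYPES[want]}")
    return None


# Constructed samples: the client requests attribute type 1 with an empty value,
# the gateway answers with a 4-byte value for it.
REQUEST = bytes.fromhex("0000000c" "01000000" "00010000")
BAD_ANSWER = bytes.fromhex("00000010" "03000000" "00010004" "c0a80a02")   # type 3 (SET)
GOOD_ANSWER = bytes.fromhex("00000010" "02000000" "00010004" "c0a80a02")  # type 2 (REPLY)
```

Calling `check_answer(parse_attr_payload(REQUEST), parse_attr_payload(BAD_ANSWER))` returns a description of the mismatch reported in this thread; with `GOOD_ANSWER` it returns `None`.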
