[vpn-help] Netgear FVS318

kpickard at simplyc.com
Wed Nov 17 12:51:49 CST 2010


Hi Alexis. Thanks again for your help.

Well, I noticed that there was a mismatch in the Key Group, so I changed my Netgear to use DH Group 2, as this is what the Shrew client was using for the DH exchange. I also explicitly specified 3DES as the cipher algorithm on the client side rather than auto, because I was seeing a lot of trying the different options on the Netgear side until it settled on 3DES anyway.

So now things are looking like they are getting further along (see Netgear log below). It looks though like the Netgear is trying to send back a response (the TX >> AM_R1 line) but I am not seeing it at the client side. Is there something else I should be doing as the client is behind a NAT router? Should the communications from the client not be over TCP rather than UDP to make this work?

Again, thanks for all your help.

Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:New State index:1, sno:4
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d 
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Oakley Transform 1 accepted
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:event after this is EVENT_RETRANSMIT in 4 seconds
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3


-----------------------------------~~~~~~~-----------------------------
Doing what you love is Freedom.  | o   o | Kevin Pickard
Loving what you do is Happiness. |   ^   |  kpickard at simplyc.com
------------------------------^^^-----------^^^------------------------


On Wed 10/11/17 12:31 PM, Alexis La Goutte alexis.lagoutte at gmail.com sent:
> Hi Kevin,
> The identifier values (fvs_remote.com and fvs_local.com) are the actual values to be used; there is no need to resolve these addresses.
> Check your phase 1 parameters (ISAKMP).
> 
> Regards,
> 
> On Wed, Nov 17, 2010 at 6:25 PM, wrote:
> Thank you Alexis. I went through the VPN Wizard again and followed the steps at the link you provided. I then rebooted my router to make sure it was starting with the proper configuration. Now it appears that my router is no longer flagging the ISAKMP packets as suspicious and tossing them (which is good). In fact it looks like my router is actually trying to process the packets now. But it is having trouble with what it is seeing, based on its own internal logs (below)... and a response is not being sent back to the Shrew client.
> My question now is, according to the link you provided, I was to set the Identifier information fields to fvs_remote.com and fvs_local.com. Are these just examples or are they the actual values to be used? Should these not resolve to real addresses? As can be seen below, the FQDN fvs_remote.com is being sent by the Shrew client in the ISAKMP packet. The Netgear then complains about not having a connection. Is this because this address does not resolve?
> By the way, the Shrew client is on a network behind a router, so it is NATed.
> Anyway, below is the log from my Netgear. On the Shrew side I only see the ISAKMP packets being sent out every 5 seconds without any response coming back.
> Wed, 11/17/2010 10:44:22 - TekSavvy IKE:Trying Dynamic IP Searching
> Wed, 11/17/2010 10:44:28 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98
> Wed, 11/17/2010 10:44:28 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
> Wed, 11/17/2010 10:44:28 - TekSavvy IKE:RX
> > Hi Kevin,
> >
> > Is there a VPN wizard in your FVS318v1?
> >
> > Use the VPN Wizard and the information in this blog post:
> > http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN-NETGEAR
> > and it should work!
> >
> > Regards,
> >
> > On Mon, Nov 15, 2010 at 2:05 PM, Kevin Pickard wrote:
> > Thanks for the response Alexis. So have you managed to get a FVS318v1 to work? Do you know what configuration I should use?
> > As I said in my initial post, my attempts at configuring it have failed (see below).
> > At 03:59 AM 2010-11-15, Alexis La Goutte wrote:
> > >Hi Kevin,
> > >
> > >Yes, it works, but you should not use Xauth & ModeConfig (not available in the FVS318v1).
> > >
> > >Regards,
> > >
> > >
> > >On Sat, Nov 13, 2010 at 11:19 PM, Kevin Pickard wrote:
> > >I take it no-one else has any experience with this? Andreas was the only one to respond but his FVS318 appears to be a newer version and is completely different from mine. I have the older v1 hardware (FVS318v1). Anyone?
> > >At 16:59:21 2010-10-26, wrote:
> > >>Quote from :
> > >>
> > >>>Hello. Does anyone know if the Shrew client will work with the Netgear FVS318 router?
> > >>>
> > >>>I have scanned the archives and I have found references to the FVG318 but nothing specific about the FVS318. I have seen references to needing Mode and Xauth enabled to get the FVS318 to work, but neither of those options exist on the FVS318 (that I can find). So I think those people are confusing the FVS318 with another model.
> > >>>
> > >>>Has anyone been able to get the Netgear FVS318 (V1 hardware running V2.4 firmware) to work with the Shrew client?
> > >>>
> > >>>My initial attempts at trying various configurations have only resulted in security warnings on my FVS318 indicating that UDP packets (from the Shrew Client) are being tossed because they contain 'Suspicious UDP Data'. I have configured it to use PSK. On the client side, via Wireshark, I only see the ISAKMP packet being sent out (this is the one being tossed by the FVS318) at 5 second intervals. The Shrew client itself shows "bringing up tunnel ...", then eventually followed by "negotiation timout [sic] occurred" after the ISAKMP packet has been sent 4 times.
> > >>
> > >>Only a guess:
> > >>If the Netgear has some form of firewall, you may need to allow inbound UDP port 500 (and UDP port 4500 as well if using UDP encapsulation) to get the tunnel up.
> > >>
> > >>Regards
> > >>
> > >>Andreas


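The log Kevin posts at the top shows exactly where phase 1 stalls: the Netgear accepts the proposal (PSK/3DES/MODP1024, i.e. DH group 2), answers with AM_R1 and then retransmits because the client's AM_I2 never arrives; since IKE runs over UDP 500 (UDP 4500 with NAT-T), that points at the return path through the client's NAT, not at TCP. The Python script below is an added example, not code from the thread or from the Shrew Soft project: it parses these FVS318 log lines, decodes the cleartext ID_FQDN payload and prints that diagnosis, with the log-line pattern and the verdict rules assumed only from the lines quoted here.

```python
import re

# Sample input: FVS318 log lines quoted in the message above (copied from the thread, some lines omitted).
SAMPLE_LOG = """\
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d 
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
"""

# "Wed, 11/17/2010 13:43:00 - TekSavvy IKE:<message>" -> (timestamp, module, message); format assumed from the thread
LINE_RE = re.compile(r"^[A-Za-z]+, (\S+ \S+) - \S+ (IKE|IPsec):(.*)$")
MODP_GROUPS = {"MODP768": 1, "MODP1024": 2, "MODP1536": 5}  # IKEv1 DH group numbers (RFC 2409, RFC 3526)

def decode_id_value(hex_dump: str) -> str:
    """Aggressive mode sends the ID payload unencrypted; an ID_FQDN value is plain ASCII."""
    return bytes.fromhex("".join(hex_dump.split())).decode("ascii")

def analyse(log_text: str) -> dict:
    """Reconstruct the responder's phase 1 state from its log and attach a verdict."""
    s = {"peer": None, "peer_id_type": None, "peer_id": None,
         "proposal": None, "dh_group": None, "rx": [], "tx": [], "retransmits": 0}
    for m in filter(None, (LINE_RE.match(ln.strip()) for ln in log_text.splitlines())):
        msg = m.group(3)
        if x := re.search(r"RX << (\S+) : (\S+)", msg):             # message received from the peer
            s["rx"].append(x.group(1)); s["peer"] = x.group(2)
        elif x := re.search(r"TX >> (\S+) :", msg):                 # message sent to the peer
            s["tx"].append(x.group(1))
        elif x := re.search(r"Peer's ID Type is (\S+)", msg):
            s["peer_id_type"] = x.group(1)
        elif msg.startswith("Value="):                               # hex dump of the peer's ID payload
            s["peer_id"] = decode_id_value(msg[6:])
        elif x := re.fullmatch(r"(OAKLEY_\w+)/(OAKLEY_\w+)/(\w+)", msg):  # accepted auth/cipher/group
            s["proposal"], s["dh_group"] = (x.group(1), x.group(2)), MODP_GROUPS.get(x.group(3))
        elif msg.startswith("handling event EVENT_RETRANSMIT"):    # responder re-sent its last message
            s["retransmits"] += 1
    s["verdict"] = diagnose(s)
    return s

def diagnose(s: dict) -> str:
    if s["proposal"] is None:
        return "no phase 1 proposal accepted: check PSK, cipher and DH group on both ends"
    if "AM_R1" in s["tx"] and "AM_I2" not in s["rx"] and s["retransmits"]:
        return ("AM_R1 sent but AM_I2 never received: the reply is lost on the way back; "
                "allow UDP 500 (and UDP 4500 for NAT-T) back in through the client's NAT/firewall")
    return "phase 1 completed"
```

Running `analyse(SAMPLE_LOG)` on the quoted log yields peer id `fvs_remote.com`, DH group 2 and the "AM_I2 never received" verdict.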

