[vpn-help] Netgear FVS318
kpickard at simplyc.com
kpickard at simplyc.com
Wed Nov 17 14:02:35 CST 2010
Also I have attached the config for this connection on the Netgear side.
-----------------------------------~~~~~~~-----------------------------
Doing what you love is Freedom. | o o | Kevin Pickard
Loving what you do is Happiness. | ^ | kpickard at simplyc.com
------------------------------^^^-----------^^^------------------------
On Wed 10/11/17 2:12 PM , Alexis La Goutte alexis.lagoutte at gmail.com sent:
> Hi,
>
> No, the communications never use TCP, ISAKMP use UDP (Port 500).
>
> No trace in Shrew Debug ?
>
> Regards,
> On Wed, Nov 17, 2010 at 7:51 PM, wrote:
> Hi Alexis. Thanks again for your help.
> Well I noticed that there was a mismatch in the Key Group so I
> changed my Netgear to use DH Group 2 as this is
> what the Shrew client was using for DH exchange. I also explicitly
> specified 3DES as the cipher algorithm on the
> client side rather than auto because I was seeing a lot of trying
> the different options on the Netgear side until
> it settled on 3DES anyway.
> So now things are looking like they are getting further along
> (see Netgear log below). It looks though like
> the Netgear is trying to send back a response (the TX >> AM_R1 line)
> but I am not seeing it at the client side. Is
> there something else I should be doing as the client is behind a NAT
> router? Should the communications from the
> client not be over TCP rather than UDP to make this work?
> Again thanks for all your help.
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Receive Packet
> address:0x1396850 from 216.254.149.98
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE
> Aggressive Mode
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX > AM_R1 : 216.254.149.98
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event
> EVENT_RETRANSMIT, timeout in 10 seconds for #4
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:event after this is
> EVENT_RETRANSMIT in 4 seconds
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event
> EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:inserting event
> EVENT_RETRANSMIT, timeout in 20 seconds for #3
>
> -----------------------------------~~~~~~~-----------------------------
> Doing what you love is Freedom. | o o | Kevin Pickard
> Loving what you do is Happiness. | ^ |
>
> ------------------------------^^^-----------^^^------------------------
> On Wed 10/11/17 12:31 PM , Alexis La Goutte sent:
> > Hi Kevin,
> > The identifier Information (fvs_remote.com [4] [1] and
> fvs_local.com [5] [2])
> > are actual values to be used, not need to resolve this address.
> > Check your phase1 parameter (ISAKMP)
> >
> > Regards,
> >
> > On Wed, Nov 17, 2010 at 6:25 PM, wrote:
> > Thank you Alexis. I went through the VPN Wizard again and
> > followed the steps at the link you provided. I then
> > rebooted my router to make sure it was starting with the proper
> > configuration. Now it appears that my router is no
> > longer flagging the ISAKMP packets as suspicious and tossing them
> > (which is good). In fact it looks like my router
> > is actually trying to process the packets now. But it is having
> > trouble with what it is seeing, based on its own
> > internal logs (below)...and a response is not being sent back to
> the
> > Shrew client.
> > My question now is, according to the link you provided, I
> was
> > to set the Identifier information fields to
> > fvs_remote.com [6] [4] and fvs_local.com [7] [5]. Are these just
> examples or
> > are they the actual values to be used? Should these
> > not resolve to real addresses? As can be seen below the FQDN of
> > fvs_remote.com [8] [6] is being sent by the Shrew client in
> > the ISAKMP packet. The Netgear then complains about not having a
> > connection. Is this because this address does not
> > resolve?
> > By the way, the Shrew client is on a network behind a router
> > so is NAT.
> > Anyway, below is the log from my Netgear. On the Shrew side
> I
> > only see the ISAKMP packets being sent out every
> > 5 seconds without any response coming back.
> > Wed, 11/17/2010 10:44:22 - TekSavvy IKE:Trying Dynamic IP
> Searching
> > Wed, 11/17/2010 10:44:28 - TekSavvy IPsec:Receive Packet
> > address:0x1396850 from 216.254.149.98
> > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:Peer Initialized IKE
> > Aggressive Mode
> > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:RX Hi Kevin,
> > >
> > > There is a VPN wizard in your FVS318v1 ?
> > >
> > > Because use VPN Wizard and information in this blog
> > >
> >
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [9]
> > [9]
> > > -NETGEAR[1]
> > > And it should work !
> > >
> > > Regards,
> > >
> > > On Mon, Nov 15, 2010 at 2:05 PM, Kevin Pickard wrote:
> > > Thanks for the response Alexis. So have you managed
> to
> > > get a FVS318v1 to work? Do you know what configuration I should
> > use?
> > > As I said in my initial post, my attempts at
> > configuring
> > > it have failed (see below).
> > > At 03:59 AM 2010-11-15, Alexis La Goutte wrote:
> > > >Hi Kevin,
> > > >
> > > >Yes, it work but you should not use the Xauth & ModeConfig (no
> > > available in FVS318v1)
> > > >
> > > >Regards,
> > > >
> > > >
> > > >On Sat, Nov 13, 2010 at 11:19 PM, Kevin Pickard wrote:
> > > > I take it no-one else has any experience with this?
> > > Andreas was the only one to respond but his FVS318 appears to be
> a
> > > newer version and is completely different from mine. I have the
> > older
> > > v1 hardware (FVS318v1). Anyone?
> > > >At 16:59:21 2010-10-26, wrote:
> > > >>Message: 2
> > > >>Date: Tue, 26 Oct 2010 16:59:21 +0200
> > > >>From:
> > > >>Subject: Re: [vpn-help] Netgear FVS318
> > > >>To:
> > > >>Message-ID:
> > > >>Content-Type: text/plain; charset="iso-8859-1";
> Format="flowed";
> > > >> DelSp="Yes"
> > > >>
> > > >>Zitat von :
> > > >>
> > > >>> Hello. Does anyone know if the Shrew client will
> work
> > > with the
> > > >>> Netgear FVS318 router?
> > > >>>
> > > >>> I have scanned the archives and I have found
> > references
> > > to the
> > > >>> FVG318 but nothing specific about the FVS318. I have seen
> > > references
> > > >>> to needing Mode and Xauth enabled to get the FVS318 to work
> > but
> > > >>> neither of those options exist on the FVS318 (that I can
> > find).
> > > So I
> > > >>> think those people are confusing the FVS318 with another
> > model.
> > > >>>
> > > >>> Has anyone been able to get the Netgear FVS318 (V1
> > > hardware
> > > >>> running V2.4 firmware) to work with the Shrew client?
> > > >>>
> > > >>> My initial attempts at trying various configurations
> > > have only
> > > >>> resulted in security warnings on my FVS318 indicating that
> UDP
> > > >>> packets (from the Shrew Client) are being tossed because
> they
> > > >>> contain 'Suspicious UDP Data'. I have configured to
> > use
> > > PSK. On the
> > > >>> client
> > > >>> side, via Wireshark, I only see the ISAKMP packet being sent
> > out
> > > >>> (this is the one being tossed by the FVS318) at 5 second
> > > intervals.
> > > >>> The
> > > >>> Shrew client itself shows "bringing up tunnel ...", then
> > > eventually
> > > >>> followed by "negotiation timout [sic] occurred" after the
> > ISAKMP
> > > >>> packet has been sent 4 times.
> > > >>
> > > >>Only some guess:
> > > >>If the netgear has some form of firewall you maybe need to
> allow
> > > >>inbound UDP port 500 and if using UDP encapsulation port 4500
> as
> > > well
> > > >>to get the tunnel up.
> > > >>
> > > >>Regards
> > > >>
> > > >>Andreas
> > > >>
> > > >>
> > > >>-------------- next part --------------
> > > >>A non-text attachment was scrubbed...
> > > >>Name: smime.p7s
> > > >>Type: application/pkcs7-signature
> > > >>Size: 6046 bytes
> > > >>Desc: S/MIME Cryptographic Signature
> > > >>URL:
> > > >>
> > > >>------------------------------
> > > >>
> > > >>_______________________________________________
> > > >>vpn-help mailing list
> > > >>
> > > >>http://lists.shrew.net/mailman/listinfo/vpn-help [10] [10]
> [19]
> > > >>
> > > >>
> > > >>End of vpn-help Digest, Vol 49, Issue 25
> > > >>****************************************
> > >
> > >
> >
> >-----------------------------------~~~~~~~-----------------------------
> > > > Doing what you love is Freedom. | o o | Kevin Pickard
> > > > Loving what you do is Happiness. | ^ |
> > >
> > >
> >
> >------------------------------^^^-----------^^^------------------------
> > > >_______________________________________________
> > > >vpn-help mailing list
> > > >
> > > >http://lists.shrew.net/mailman/listinfo/vpn-help [11] [11] [24]
> > >
> > >
> >
> -----------------------------------~~~~~~~-----------------------------
> > > Doing what you love is Freedom. | o o | Kevin Pickard
> > > Loving what you do is Happiness. | ^ |
> > >
> > >
> >
> ------------------------------^^^-----------^^^------------------------
> > >
> > >
> > > Links:
> > > ------
> > > [1]
> > >
> >
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [12]
> > [12]
> > > -NETGEAR[15]
> > >
> >
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [13]
> > [13]
> > > achment-0001.bin[16]
> > >
> >
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [14]
> > [14]
> > > achment-0001.bin[19]
> > http://lists.shrew.net/mailman/listinfo/vpn-help [15] [15]
> > > [24] http://lists.shrew.net/mailman/listinfo/vpn-help [16] [16]
> > >
> > >
> >
> >
> > Links:
> > ------
> > [1] http://fvs_remote.com [17]
> > [2] http://fvs_local.com [18]
> > [4] http://fvs_remote.com [19]
> > [5] http://fvs_local.com [20]
> > [6] http://fvs_remote.com [21]
> > [9]
> >
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [22]
> > [10] http://lists.shrew.net/mailman/listinfo/vpn-help [23]
> > [11] http://lists.shrew.net/mailman/listinfo/vpn-help [24]
> > [12]
> >
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [25]
> > [13]
> >
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [26]
> > [14]
> >
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [27]
> > [15] http://lists.shrew.net/mailman/listinfo/vpn-help [28]
> > [16] http://lists.shrew.net/mailman/listinfo/vpn-help [29]
> >
> >
> _______________________________________________
> vpn-help mailing list
> http://lists.shrew.net/mailman/listinfo/vpn-help [31]
>
>
> Links:
> ------
> [4] http://fvs_remote.com
> [5] http://fvs_local.com
> [6] http://fvs_remote.com
> [7] http://fvs_local.com
> [8] http://fvs_remote.com
> [9]
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [10] http://lists.shrew.net/mailman/listinfo/vpn-help
> [11] http://lists.shrew.net/mailman/listinfo/vpn-help
> [12]
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [13]
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [14]
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [15] http://lists.shrew.net/mailman/listinfo/vpn-help
> [16] http://lists.shrew.net/mailman/listinfo/vpn-help
> [17] http://fvs_remote.com
> [18] http://fvs_local.com
> [19] http://fvs_remote.com
> [20] http://fvs_local.com
> [21] http://fvs_remote.com
> [22]
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [23] http://lists.shrew.net/mailman/listinfo/vpn-help
> [24] http://lists.shrew.net/mailman/listinfo/vpn-help
> [25]
> http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN
> [26]
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [27]
> http://lists.shrew.net/pipermail/vpn-help/attachments/20101026/6b0c93e4/att
> [28] http://lists.shrew.net/mailman/listinfo/vpn-help
> [29] http://lists.shrew.net/mailman/listinfo/vpn-help
> [31] http://lists.shrew.net/mailman/listinfo/vpn-help
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20101117_NetgearCfg.JPG
Type: image/jpeg
Size: 56996 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20101117/219b6f7b/attachment-0002.jpe>
More information about the vpn-help
mailing list