[vpn-help] Netgear FVS318
Matthew Grooms
mgrooms at shrew.net
Fri Nov 26 13:32:56 CST 2010
On 11/24/2010 6:00 PM, Kevin Pickard wrote:
> Thank you for the response Matthew.
>
> I could not find any VPN passthru mode on the client side router. Forwarding port 500 is not an option for different reasons. My Netgear router is already at the latest firmware version for my hardware version unfortunately and it does not look as though any further changes will be forthcoming.
>
> I am guessing there is nothing in the ISAKMP message telling the Netgear how to respond or which port to use. Oh well it was worth a try I guess.
>
> Thanks Alexis for all your help and thank you Matthew as well of course.
>
Hi Kevin,
The source port value of the packet is read from the UDP header in the
IP packet. Sending a response to a different port value than the one
used in the UDP header is a serious problem with the Netgear code. I can
tell you that the Netgear gateway that I have in my lab does not exhibit
this behavior. It's a fundamental flaw in the Netgear IKE daemon
implementation, so your only recourse is to open a ticket with Netgear
support and hope they fix it in the next release. A packet dump showing
the response on port 500 should be enough evidence to get a high level
support tech or maybe a firmware engineer involved. If they ask why you
believe it's a firmware problem, point them to this RFC and reference
page 2 section 3 that states ...
3. Phase 1
The detection of support for NAT-Traversal and detection of NAT along
the path between the two IKE peers occurs in IKE [RFC2409] Phase 1.
The NAT may change the IKE UDP source port, and recipients MUST be
able to process IKE packets whose source port is different from 500.
The NAT does not have to change the source port if:
o only one IPsec host is behind the NAT, or
o for the first IPsec host, the NAT can keep the port 500, and the
NAT will only change the port number for later connections.
Recipients MUST reply back to the source address from the packet (see
[RFC3715], section 2.1, case d). This means that when the original
responder is doing rekeying or sending notifications to the original
initiator, it MUST send the packets using the same set of port and IP
numbers used when the IKE SA was last used.
Sorry I can't be more help.
-Matthew
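The check Matthew describes, a packet dump showing the gateway answering port 500 instead of the NAT-translated source port, can be automated. The following Python script is an added example, not code from the list or from Netgear: it parses raw IPv4/UDP/ISAKMP packets, pairs each gateway reply with the request carrying the same initiator SPI, and flags replies that violate the RFC's "MUST reply back to the source address from the packet" rule. All addresses, ports and SPIs are constructed test values.

```python
import struct

def ikev1_packet(src_ip, src_port, dst_ip, dst_port, ispi, rspi):
    """Build a minimal IPv4/UDP/ISAKMP main-mode header (constructed test data)."""
    # ISAKMP header: I-SPI, R-SPI, next payload (1 = SA), version 1.0, exchange
    # type 2 (identity protection), flags, message id, total length.
    isakmp = struct.pack("!8s8sBBBBII", ispi, rspi, 1, 0x10, 2, 0, 0, 28)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(isakmp), 0) + isakmp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return ip + udp

def parse(pkt):
    """Extract addresses, UDP ports and the initiator SPI from a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src_ip = ".".join(map(str, pkt[12:16]))
    dst_ip = ".".join(map(str, pkt[16:20]))
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    ispi = pkt[ihl + 8:ihl + 16]          # first 8 bytes of the ISAKMP header
    return src_ip, src_port, dst_ip, dst_port, ispi

def find_port_violations(packets, gateway_ip):
    """Return (ispi_hex, expected_port, actual_port) for each gateway reply that is
    not sent back to the address/port the initiator's request arrived from."""
    initiator_port = {}   # ispi -> (initiator ip, source port seen on the request)
    violations = []
    for pkt in packets:
        src_ip, sport, dst_ip, dport, ispi = parse(pkt)
        if dst_ip == gateway_ip:
            initiator_port[ispi] = (src_ip, sport)
        elif src_ip == gateway_ip and ispi in initiator_port:
            peer_ip, expected = initiator_port[ispi]
            if dst_ip != peer_ip or dport != expected:
                violations.append((ispi.hex(), expected, dport))
    return violations

GATEWAY = "198.51.100.1"                      # constructed gateway address
SPI = bytes.fromhex("0011223344556677")       # constructed initiator SPI
SAMPLE_CAPTURE = [
    # The NAT rewrote the client's source port from 500 to 1025 (constructed).
    ikev1_packet("203.0.113.5", 1025, GATEWAY, 500, SPI, bytes(8)),
    # The gateway answers to port 500 instead of 1025: the behaviour in the thread.
    ikev1_packet(GATEWAY, 500, "203.0.113.5", 500, SPI, bytes.fromhex("8899aabbccddeeff")),
]

if __name__ == "__main__":
    for ispi, want, got in find_port_violations(SAMPLE_CAPTURE, GATEWAY):
        print(f"ISPI {ispi}: reply sent to UDP/{got}, request came from UDP/{want}")
```

On a real trace, feed the function the raw IPv4 frames of the UDP/500 exchange (e.g. exported from a capture tool) and the output is the evidence to attach to the support ticket.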