[vpn-help] Netgear FVS318

Matthew Grooms mgrooms at shrew.net
Fri Nov 26 13:34:31 CST 2010


On 11/26/2010 1:32 PM, Matthew Grooms wrote:
> On 11/24/2010 6:00 PM, Kevin Pickard wrote:
>> Thank you for the response Matthew.
>>
>> I could not find any VPN passthru mode on the client side router.
>> Forwarding port 500 is not an option for different reasons. My Netgear
>> router is already at the latest firmware version for my hardware
>> version unfortunately and it does not look as though any further
>> changes will be forthcoming.
>>
>> I am guessing there is nothing in the ISAKMP message telling the
>> Netgear how to respond or which port to use. Oh well it was worth a
>> try I guess.
>>
>> Thanks Alexis for all your help and thank you Matthew as well of course.
>>
>
> Hi Kevin,
>
> The source port value of the packet is read from the UDP header in the
> IP packet. Sending a response to a different port value than the one
> used in the UDP header is a serious problem with the Netgear code. I can
> tell you that the Netgear gateway that I have in my lab does not exhibit
> this behavior. It's a fundamental flaw in the Netgear IKE daemon
> implementation, so your only recourse is to open a ticket with Netgear
> support and hope they fix it in the next release. A packet dump showing
> the response on port 500 should be enough evidence to get a high level
> support tech or maybe a firmware engineer involved. If they ask why you
> believe it's a firmware problem, point them to this RFC and reference
> page 2 section 3 that states ...

Sorry, forgot the RFC link :)

http://www.ietf.org/rfc/rfc3947.txt

>
> 3. Phase 1
>
> The detection of support for NAT-Traversal and detection of NAT along
> the path between the two IKE peers occurs in IKE [RFC2409] Phase 1.
>
> The NAT may change the IKE UDP source port, and recipients MUST be
> able to process IKE packets whose source port is different from 500.
> The NAT does not have to change the source port if:
>
> o only one IPsec host is behind the NAT, or
>
> o for the first IPsec host, the NAT can keep the port 500, and the
> NAT will only change the port number for later connections.
>
> Recipients MUST reply back to the source address from the packet (see
> [RFC3715], section 2.1, case d). This means that when the original
> responder is doing rekeying or sending notifications to the original
> initiator, it MUST send the packets using the same set of port and IP
> numbers used when the IKE SA was last used.
>
> Sorry I can't be more help.
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
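As an added example (not code from the list post, from RFC 3947 or from Shrew Soft), here is a small Python check of the behaviour Matthew describes: it reads the addresses and ports straight out of the IPv4 and UDP headers of a few packet-dump frames and flags any responder reply whose destination port differs from the source port carried by the initiator's packet, which is what RFC 3947 section 3 requires. The IP addresses, the NAT-rewritten port and the frame builder are constructed for the example; a real check would feed it frames from a capture of the exchange.

```python
import socket
import struct
from dataclasses import dataclass

IKE_PORT = 500       # ISAKMP port, RFC 2409
NAT_T_PORT = 4500    # port IKE floats to after NAT detection, RFC 3947
IPPROTO_UDP = 17


@dataclass(frozen=True)
class UdpDatagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_ipv4_udp(src_ip, src_port, dst_ip, dst_port, payload=b""):
    """Constructed sample frame: minimal IPv4 + UDP headers, checksums left zero
    (the parser below does not validate them)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(frame: bytes) -> UdpDatagram:
    """Take the peer's address and port from the IP and UDP headers, which is
    exactly where an RFC 3947 responder is supposed to take them from."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes
    if frame[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    src_ip = socket.inet_ntoa(frame[12:16])
    dst_ip = socket.inet_ntoa(frame[16:20])
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return UdpDatagram(src_ip, src_port, dst_ip, dst_port)


def check_reply_ports(frames, initiator_ip, responder_ip):
    """RFC 3947 section 3: the responder MUST reply to the source address and
    port of the packet it received. Returns one (expected_port, actual_port)
    pair per reply that went somewhere else; an empty list means the gateway
    behaves as the RFC requires."""
    expected = None
    violations = []
    for frame in frames:
        d = parse_ipv4_udp(frame)
        if (d.src_ip == initiator_ip and d.dst_ip == responder_ip
                and d.dst_port in (IKE_PORT, NAT_T_PORT)):
            expected = d.src_port        # whatever the NAT rewrote it to
        elif (d.src_ip == responder_ip and d.dst_ip == initiator_ip
                and expected is not None and d.dst_port != expected):
            violations.append((expected, d.dst_port))
    return violations


# Constructed addresses (documentation ranges) and a NAT-rewritten source port.
NAT_PUBLIC_IP = "203.0.113.10"   # the client as seen after the NAT
GATEWAY_IP = "198.51.100.1"      # the responding IKE gateway
NAT_PORT = 1025                  # source port after the NAT rewrote 500

# Constructed: NAT rewrites the source port, gateway still answers port 500.
BROKEN_CAPTURE = [
    build_ipv4_udp(NAT_PUBLIC_IP, NAT_PORT, GATEWAY_IP, IKE_PORT, b"SA"),
    build_ipv4_udp(GATEWAY_IP, IKE_PORT, NAT_PUBLIC_IP, IKE_PORT, b"SA"),
]
# Constructed: the same exchange with a responder that follows the RFC.
COMPLIANT_CAPTURE = [
    build_ipv4_udp(NAT_PUBLIC_IP, NAT_PORT, GATEWAY_IP, IKE_PORT, b"SA"),
    build_ipv4_udp(GATEWAY_IP, IKE_PORT, NAT_PUBLIC_IP, NAT_PORT, b"SA"),
]

if __name__ == "__main__":
    for name, capture in (("broken", BROKEN_CAPTURE), ("compliant", COMPLIANT_CAPTURE)):
        print(name, check_reply_ports(capture, NAT_PUBLIC_IP, GATEWAY_IP))
```

The check only looks at the transport headers, so it works for the first Phase 1 exchange as well as for later rekeys and notifications, which the RFC text says must use the same port pair the IKE SA last used. A non-empty result for the gateway's replies is the packet-level evidence the post suggests attaching to a support ticket.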
