[vpn-help] Problem connecting to FVS318N

john espiro john_espiro at yahoo.com
Wed Jul 29 17:01:34 CDT 2015


Trying to get Shrew connected to my FVS318N. Configuration and error messages are below. Netgear won't support Shrew so I am hoping that someone here has seen this before and might be able to assist.

Running Windows 7 Professional x64.
Shrew version 2.2.2


Netgear FVS318N
- Certificates tab
CA Identity (Subject Name): C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN
Issuer Name: C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN

Active Self Certificates
Subject Name: CN=router1
Issuer Name: C=US, ST=Montana, L=MyCity, O=My VPN, OU=VPN, CN=VPN


The Client Cert:
OpenSSL> x509 -subject -nameopt RFC2253 -noout -in client1.crt
subject= CN=client1,OU=VPN,O=My VPN,L=MyCity,ST=Montana,C=US

The Router Cert:
OpenSSL> x509 -subject -nameopt RFC2253 -noout -in router1.crt
subject= CN=router1


IKE Policies:
Name: vpnclient-ike
Mode: aggressive
Local ID: CN=router1
Remote ID: CN=client1
Encr: 3DES
Auth: SHA-1
DH: Group 5 (1536 bit)

Mode Config:
Record Name: vpnclient-cfg
Pool Start: 10.10.0.50 
Pool End: 10.10.0.55

Shrew:
General:
IP set
Auto Configuration: ike config pull
Adapter Mode: Virtual adapter

Authentication:
Mutual RSA

Local Identity:
Identification Type: ASN.1 Distinguished Name
DN String: CN=client1
Remote Identity:
ASN.1 Distinguished Name
Use the subject... box checked, ASN.1 DN field blank
Credentials:
Server cert: root-ca.crt
Client cert: client1.crt
Client private key: client1.key

Phase 1: 
Exchange type: aggressive
DH exchange: group 5
Cipher: 3des
Hash: sha1
Key lifetime limit: 28800

Policy:
Policy generation level: auto
Remote network resource: 10.0.0.0 / 255.255.255.0 (which is my LAN)


I get the message below:
config loaded for site 'xx.xx.xx.xx'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
gateway authentication error
tunnel disabled
detached from key daemon
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
gateway authentication error
tunnel disabled
detached from key daemon


If I set Local and Remote on Shrew to use subject in certificate, I get:
config loaded for site 'xx.xx.xx.xx'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
server cert configured
client cert configured
client key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon

Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] ERROR:  No policy found: 10.0.0.0/24[0] 10.10.0.50/32[0] proto=any dir=out
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] ERROR:  No policy found: 10.10.0.50/32[0] 10.0.0.0/24[0] proto=any dir=in
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] INFO:  10.10.0.50 IP address has been released by remote peer.
Wed Jul 29 21:47:15 2015 (GMT +0000): [FVS318N] [IKE] INFO:  ISAKMP-SA deleted for xx.xx.xx.xx[500]-10.0.0.18[500] with spi:fbfe2631e3923c00:9af064c7258fcc4a
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=fbfe2631e3923c00:9af064c7258fcc4a.
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING:  Short payload
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  ISAKMP-SA established for xx.xx.xx.xx[500]-10.0.0.18[500] with spi:fbfe2631e3923c00:9af064c7258fcc4a
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  10.10.0.50 IP address is assigned to remote peer 10.0.0.18[500]
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  NAT not detected 
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING:  unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=VPN
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] WARNING:  unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=client1
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  NAT-D payload matches for 10.0.0.18[500]
Wed Jul 29 21:47:14 2015 (GMT +0000): [FVS318N] [IKE] INFO:  NAT-D payload matches for xx.xx.xx.xx[500]
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  For 10.0.0.18[500], Selected NAT-T version: RFC 3947
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received Vendor ID: DPD
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received Vendor ID: DPD
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received Vendor ID: RFC 3947
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received unknown Vendor ID
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Beginning Aggressive mode.
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Received request for new phase 1 negotiation: xx.xx.xx.xx[500]<=>10.0.0.18[500]
Wed Jul 29 21:47:12 2015 (GMT +0000): [FVS318N] [IKE] INFO:  Anonymous configuration selected for 10.0.0.18[500].
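An added check for the identities in this post (example code written for this page, not the poster's, Netgear's or Shrew's own code): the FVS318N IKE policy names the peers as CN=router1 and CN=client1, openssl reports the client certificate's subject as the full six-RDN name in RFC 2253 comma form, and the router's IKE log prints that same subject in OpenSSL's slash form. The script below normalizes both spellings into one RDN list and classifies each IKE ID against the subject of the certificate it is supposed to name. The function names and the match / partial / mismatch labels are my own; the DN values are copied from the post.

```python
"""Added example for this thread (not the poster's, Netgear's or Shrew's code).

Normalizes the two DN spellings seen in the post -- RFC 2253 comma form from
`openssl x509 -nameopt RFC2253` and the slash form in the FVS318N IKE log --
and classifies an IKE Local/Remote ID against a certificate subject.
"""
import re
from typing import List, Tuple

RDN = Tuple[str, str]   # (attribute type, value), e.g. ('CN', 'client1')

# RFC 2253 escapes a literal comma inside a value as "\,", so only split
# on commas that are not preceded by a backslash.
_RFC2253_SPLIT = re.compile(r'(?<!\\),')
# The slash form has no escape convention; split only on a "/" that is
# immediately followed by an "attr=" token so values like "O=My VPN" survive.
_SLASH_SPLIT = re.compile(r'/(?=[A-Za-z][A-Za-z0-9.]*=)')


def parse_dn(text: str) -> List[RDN]:
    """Parse either DN spelling into RDNs in RFC 2253 order (CN first, C last)."""
    text = re.sub(r'^subject=\s*', '', text.strip())   # drop openssl's "subject=" prefix
    if text.startswith('/'):
        parts = _SLASH_SPLIT.split(text[1:])
        parts.reverse()   # slash form lists C first and CN last
    else:
        parts = _RFC2253_SPLIT.split(text)
    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr.strip().upper(), value.replace('\\,', ',').strip()))
    return rdns


def check_ike_id(ike_id: str, cert_subject: str) -> str:
    """'match' if the IKE ID equals the subject RDN for RDN, 'partial' if it
    names only some of the subject's RDNs (e.g. the CN alone), else 'mismatch'.
    Attribute types compare case-insensitively, values case-sensitively,
    which is what a strict ID-to-subject comparison does (my classification)."""
    want, have = parse_dn(ike_id), parse_dn(cert_subject)
    if want == have:
        return 'match'
    if set(want) < set(have):
        return 'partial'
    return 'mismatch'


# Values exactly as they appear in the post above.
POST_CHECKS = {
    'router Local ID vs router cert': ('CN=router1', 'subject= CN=router1'),
    'router Remote ID vs client cert': (
        'CN=client1',
        'subject= CN=client1,OU=VPN,O=My VPN,L=MyCity,ST=Montana,C=US'),
}
# The client subject as the FVS318N log prints it (from the post's log).
LOG_FORM_CLIENT = '/C=US/ST=Montana/L=MyCity/O=My VPN/OU=VPN/CN=client1'


def report() -> dict:
    """Run every check from the post; returns {label: classification}."""
    return {label: check_ike_id(ike_id, subject)
            for label, (ike_id, subject) in POST_CHECKS.items()}


if __name__ == '__main__':
    for label, result in report().items():
        print(f'{label}: {result}')
    same = parse_dn(LOG_FORM_CLIENT) == parse_dn(
        POST_CHECKS['router Remote ID vs client cert'][1])
    print('log slash form == openssl RFC 2253 form:', same)
```

Run as-is it reports the router's Local ID as an exact match for the router certificate and the Remote ID CN=client1 as only a partial match for the client certificate, and it confirms that the slash-form subject in the router log and the RFC 2253 form from openssl are the same name. Whether a gateway accepts a partial ID depends on how it compares IKE IDs to certificate subjects, so a 'partial' result is the first thing to verify against the device's documentation before looking at phase 2.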

