Hi,<br><br>No, the communications never use TCP; ISAKMP uses UDP (port 500).<br><br>No trace in Shrew Debug?<br><br>Regards,<br><br><br><div class="gmail_quote">On Wed, Nov 17, 2010 at 7:51 PM, <span dir="ltr"><<a href="mailto:kpickard@simplyc.com">kpickard@simplyc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> Hi Alexis. Thanks again for your help.<br>
<br>
Well I noticed that there was a mismatch in the Key Group so I changed my Netgear to use DH Group 2 as this is<br>
what the Shrew client was using for DH exchange. I also explicitly specified 3DES as the cipher algorithm on the<br>
client side rather than auto because I was seeing a lot of trying the different options on the Netgear side until<br>
it settled on 3DES anyway.<br>
<br>
So now things are looking like they are getting further along (see Netgear log below). It looks though like<br>
the Netgear is trying to send back a response (the TX >> AM_R1 line) but I am not seeing it at the client side. Is<br>
there something else I should be doing as the client is behind a NAT router? Should the communications from the<br>
client not be over TCP rather than UDP to make this work?<br>
<br>
Again thanks for all your help.<br>
<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:New State index:1, sno:4<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Oakley Transform 1 accepted<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98<br>
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4<br>
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:event after this is EVENT_RETRANSMIT in 4 seconds<br>
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3<br>
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3<br>
<div class="im"><br>
<br>
-----------------------------------~~~~~~~-----------------------------<br>
Doing what you love is Freedom. | o o | Kevin Pickard<br>
Loving what you do is Happiness. | ^ | <a href="mailto:kpickard@simplyc.com">kpickard@simplyc.com</a><br>
------------------------------^^^-----------^^^------------------------<br>
<br>
<br>
</div>On Wed 10/11/17 12:31 PM , Alexis La Goutte <a href="mailto:alexis.lagoutte@gmail.com">alexis.lagoutte@gmail.com</a> sent:<br>
> Hi Kevin,<br>
> The identifier information (<a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> and <a href="http://fvs_local.com" target="_blank">fvs_local.com</a>)<br>
<div class="im">> are the actual values to be used; there is no need to resolve this address.<br>
> Check your phase 1 parameters (ISAKMP).<br>
><br>
> Regards,<br>
><br>
</div><div class="im">> On Wed, Nov 17, 2010 at 6:25 PM, wrote:<br>
> Thank you Alexis. I went through the VPN Wizard again and followed the steps<br>
> at the link you provided. I then rebooted my router to make sure it was starting<br>
> with the proper configuration. Now it appears that my router is no longer flagging<br>
> the ISAKMP packets as suspicious and tossing them (which is good). In fact it looks<br>
> like my router is actually trying to process the packets now. But it is having<br>
> trouble with what it is seeing, based on its own internal logs (below)... and a<br>
> response is not being sent back to the Shrew client.<br>
><br>
> My question now is, according to the link you provided, I was to set the<br>
> Identifier information fields to<br>
</div>> <a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> and <a href="http://fvs_local.com" target="_blank">fvs_local.com</a>. Are these just examples or<br>
<div class="im">> are they the actual values to be used? Should these<br>
> not resolve to real addresses? As can be seen below the FQDN of<br>
</div>> <a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> is being sent by the Shrew client in<br>
<div class="im">> the ISAKMP packet. The Netgear then complains about not having a<br>
> connection. Is this because this address does not<br>
> resolve?<br>
> By the way, the Shrew client is on a network behind a router<br>
> so is NAT.<br>
> Anyway, below is the log from my Netgear. On the Shrew side I<br>
> only see the ISAKMP packets being sent out every<br>
> 5 seconds without any response coming back.<br>
> Wed, 11/17/2010 10:44:22 - TekSavvy IKE:Trying Dynamic IP Searching<br>
> Wed, 11/17/2010 10:44:28 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98<br>
> Wed, 11/17/2010 10:44:28 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode<br>
</div>> Wed, 11/17/2010 10:44:28 - TekSavvy IKE:RX Hi Kevin,<br>
<div class="im">> ><br>
> > Is there a VPN wizard in your FVS318v1?<br>
> ><br>
> > Because using the VPN Wizard and the information in this blog<br>
> ><br>
> > <a href="http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN-NETGEAR" target="_blank">http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN-NETGEAR</a><br>
</div><div><div></div><div class="h5">> > And it should work!<br>
> ><br>
> > Regards,<br>
> ><br>
> > On Mon, Nov 15, 2010 at 2:05 PM, Kevin Pickard wrote:<br>
> > Thanks for the response Alexis. So have you managed to get a FVS318v1<br>
> > to work? Do you know what configuration I should use? As I said in my<br>
> > initial post, my attempts at configuring it have failed (see below).<br>
> > At 03:59 AM 2010-11-15, Alexis La Goutte wrote:<br>
> > >Hi Kevin,<br>
> > ><br>
> > >Yes, it works, but you should not use Xauth & ModeConfig (not<br>
> > > available in FVS318v1)<br>
> > ><br>
> > >Regards,<br>
> > ><br>
> > ><br>
> > >On Sat, Nov 13, 2010 at 11:19 PM, Kevin Pickard wrote:<br>
> > > I take it no-one else has any experience with this? Andreas was the<br>
> > > only one to respond but his FVS318 appears to be a newer version and<br>
> > > is completely different from mine. I have the older v1 hardware<br>
> > > (FVS318v1). Anyone?<br>
> > >At 16:59:21 2010-10-26, wrote:<br>
> > >>Date: Tue, 26 Oct 2010 16:59:21 +0200<br>
> > >>Subject: Re: [vpn-help] Netgear FVS318<br>
> > >><br>
> > >>Quote from :<br>
> > >><br>
> > >>> Hello. Does anyone know if the Shrew client will work with the<br>
> > >>> Netgear FVS318 router?<br>
> > >>><br>
> > >>> I have scanned the archives and I have found references to the<br>
> > >>> FVG318 but nothing specific about the FVS318. I have seen references<br>
> > >>> to needing Mode and Xauth enabled to get the FVS318 to work but<br>
> > >>> neither of those options exist on the FVS318 (that I can find). So I<br>
> > >>> think those people are confusing the FVS318 with another model.<br>
> > >>><br>
> > >>> Has anyone been able to get the Netgear FVS318 (V1 hardware<br>
> > >>> running V2.4 firmware) to work with the Shrew client?<br>
> > >>><br>
> > >>> My initial attempts at trying various configurations have only<br>
> > >>> resulted in security warnings on my FVS318 indicating that UDP<br>
> > >>> packets (from the Shrew Client) are being tossed because they<br>
> > >>> contain 'Suspicious UDP Data'. I have configured to use PSK. On the<br>
> > >>> client side, via Wireshark, I only see the ISAKMP packet being sent<br>
> > >>> out (this is the one being tossed by the FVS318) at 5 second<br>
> > >>> intervals. The Shrew client itself shows "bringing up tunnel ...", then<br>
> > >>> eventually followed by "negotiation timout [sic] occurred" after the<br>
> > >>> ISAKMP packet has been sent 4 times.<br>
> > >><br>
> > >>Only a guess:<br>
> > >>If the Netgear has some form of firewall, you may need to allow<br>
> > >>inbound UDP port 500 and, if using UDP encapsulation, port 4500 as well<br>
> > >>to get the tunnel up.<br>
> > >><br>
> > >>Regards<br>
> > >><br>
> > >>Andreas<br>
</div></div>
<br>
_______________________________________________<br>
vpn-help mailing list<br>
<div class="im"><a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br>
</div><div><div></div><div class="h5"><a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
</div></div></blockquote></div><br>
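An added example (not from the thread or the Shrew project): a Python parser for the Netgear IKE log format quoted above that decodes the hex-dumped ID_FQDN payload, records which aggressive-mode messages were seen, and flags the stall Kevin describes (AM_R1 sent, no AM_I2 back, only EVENT_RETRANSMIT). The sample lines are copied from the log in the message above.

```python
import re

# IKEv1 aggressive mode: the responder logs RX << AM_I1, TX >> AM_R1, then expects RX << AM_I2.
AGGRESSIVE_MODE = ["AM_I1", "AM_R1", "AM_I2"]

# Sample input: responder-side lines copied from the Netgear log quoted in the thread.
SAMPLE_LOG = """\
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
"""

MSG_RE = re.compile(r"\b(RX|TX)\s*[<>]{2}\s*(AM_[IR]\d)")
ID_RE = re.compile(r"Value=((?:[0-9a-fA-F]{2}\s?)+)\s*$")
PROPOSAL_RE = re.compile(r"IKE:(OAKLEY_\w+)/(OAKLEY_\w+)/(MODP\d+)")

def decode_id_value(line):
    """Decode the hex-dumped 'Value=' line into the peer's ID_FQDN string."""
    m = ID_RE.search(line)
    if not m:
        return None
    return bytes.fromhex(m.group(1).replace(" ", "")).decode("ascii", "replace")

def analyze_ike_log(text):
    """Reconstruct the aggressive-mode exchange and report where it stalled."""
    result = {"peer_id": None, "proposal": None, "messages": [], "retransmits": 0}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            result["messages"].append(m.group(2))
        m = PROPOSAL_RE.search(line)
        if m:
            result["proposal"] = {"auth": m.group(1), "cipher": m.group(2), "dh": m.group(3)}
        peer_id = decode_id_value(line)
        if peer_id:
            result["peer_id"] = peer_id
        if "handling event EVENT_RETRANSMIT" in line:
            result["retransmits"] += 1
    # The first expected message that never appears is where the handshake stopped.
    missing = [msg for msg in AGGRESSIVE_MODE if msg not in result["messages"]]
    result["missing"] = missing[0] if missing else None
    if result["missing"] == "AM_I2" and "AM_R1" in result["messages"]:
        # Responder replied but never got message 3: its reply is not reaching the client.
        result["diagnosis"] = "AM_R1 sent but AM_I2 never received"
    else:
        result["diagnosis"] = "phase 1 complete" if not missing else "no %s seen" % missing[0]
    return result
```

On the sample it reports the peer ID fvs_remote.com and the diagnosis that the responder's reply is not reaching the client, which is the point at which to check that UDP/500 (and UDP/4500 for NAT-T) pass through the NAT device, as Andreas suggested.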