Hi Kevin,<br><br>Your Client is between a router ? or directly connected to Internet ?<br><br>Regards,<br><br><div class="gmail_quote">On Fri, Nov 19, 2010 at 7:07 PM, <span dir="ltr"><<a href="mailto:kpickard@simplyc.com">kpickard@simplyc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im"> Thanks for the response Alexis.<br>
<br>
</div> I can not easily test from another location but I did identify where there is a problem. I managed to run a<br>
Wireshark trace outside of the router at the client side and I see that the Netgear *is* responding. The problem is<br>
that it is responding to port 500 when it received the request from port 26891! So the router here rightly does not<br>
route the response. So the flow is as follows.<br>
<br>
Client SrcPort(26891) -> DstPort(500) ISAKMP Req Netgear<br>
Client DstPort(500) <- SrcPort(500) ISAKMP Rsp Netgear<br>
<br>
So the question is why is the Netgear responding to the wrong port! Have you seen this before? I have the<br>
latest version of firmware for my hardware.<br>
<div class="im"><br>
-----------------------------------~~~~~~~-----------------------------<br>
Doing what you love is Freedom. | o o | Kevin Pickard<br>
Loving what you do is Happiness. | ^ | <a href="mailto:kpickard@simplyc.com">kpickard@simplyc.com</a><br>
------------------------------^^^-----------^^^------------------------<br>
<br>
<br>
</div>On Thu 10/11/18 3:50 PM , Alexis La Goutte <a href="mailto:alexis.lagoutte@gmail.com">alexis.lagoutte@gmail.com</a> sent:<br>
<div class="im">> Hi kevin,<br>
><br>
> I received your message, have you tested from another Internet<br>
> access?<br>
> Because it is very strange to not receive answer from router<br>
> Regards,<br>
</div><div class="im">> On Thu, Nov 18, 2010 at 7:12 PM, wrote:<br>
> Hello Alexis. Sorry to bother you. I was just wondering if you<br>
> received the message below sent yesterday (and<br>
> followup with Netgear config) and if you had any further ideas? You<br>
> helped me get to the point where it is almost<br>
> negotiating. Thank you very much for that.<br>
><br>
> -----------------------------------~~~~~~~-----------------------------<br>
> Doing what you love is Freedom. | o o | Kevin Pickard<br>
> Loving what you do is Happiness. | ^ | <br>
><br>
</div>> ------------------------------^^^-----------^^^------------------------<br>
<div><div></div><div class="h5">> ----- Original Message -----<br>
> From:<br>
> To: "Alexis La Goutte"<br>
> Sent: Wed 10/11/17 2:46 PM<br>
> Subject: Fwd: Re: Re: [vpn-help] Netgear<br>
> FVS318<br>
> Hi Alexis. I have not included the Shrew debug before because<br>
> it just shows the retry of the ISAKMP packet<br>
> send (last few lines). I have now included it below. I also am<br>
> running Wireshark on the client side and all I see<br>
> is the ISAKMP packet going out with no response coming back in as<br>
> well. So everything important right now is<br>
> happening on the Netgear router side. Based on my earlier logs from<br>
> the Netgear it looks like it is trying to send<br>
> a response but for whatever reason it is not getting back to the<br>
> client. As I said, my client is also behind a NAT<br>
> router. Is there something else that I need to setup in the Netgear<br>
> so it knows how to reach the client behind the<br>
> router or is there something else I need to configure on the client<br>
> so it can tell the Netgear how to get back to<br>
> it?<br>
> Once again thanks for all your help.<br>
> 10/11/17 14:37:39 ## : IKE Daemon, ver 2.1.7<br>
> 10/11/17 14:37:39 ## : Copyright 2010 Shrew Soft Inc.<br>
> 10/11/17 14:37:39 ## : This product linked OpenSSL 0.9.8h 28 May<br>
> 2008<br>
</div></div>> 10/11/17 14:37:39 ii : opened 'C:Program FilesShrewSoftVPN<br>
> Clientdebugiked.log'<br>
<div class="im">> 10/11/17 14:37:39 ii : rebuilding vnet device list ...<br>
</div>> 10/11/17 14:37:40 ii : device ROOTVNET000 disabled<br>
<div><div></div><div class="h5">> 10/11/17 14:37:40 ii : network process thread begin ...<br>
> 10/11/17 14:37:40 ii : pfkey process thread begin ...<br>
> 10/11/17 14:37:40 ii : ipc server process thread begin ...<br>
> 10/11/17 14:37:43 ii : ipc client process thread begin ...<br>
> 10/11/17 14:37:43 > : key exchange payload<br>
> 10/11/17 14:37:43 >> : nonce payload<br>
> 10/11/17 14:37:43 >> : identification payload<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports nat-t ( draft v00 )<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports nat-t ( draft v01 )<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports nat-t ( draft v02 )<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports nat-t ( draft v03 )<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports nat-t ( rfc )<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports FRAGMENTATION<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local supports DPDv1<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local is SHREW SOFT compatible<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local is NETSCREEN compatible<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local is SIDEWINDER compatible<br>
> 10/11/17 14:37:43 >> : vendor id payload<br>
> 10/11/17 14:37:43 ii : local is CISCO UNITY compatible<br>
> 10/11/17 14:37:43 >= : cookies 7b05d12fcf86a8d3:0000000000000000<br>
> 10/11/17 14:37:43 >= : message 00000000<br>
</div></div>> 10/11/17 14:37:43 -> : send IKE packet MAILFILTERGATEWAY WARNING:<br>
> NUMERICAL LINKS ARE OFTEN MALICIOUS: <a href="http://192.168.1.83:500" target="_blank">192.168.1.83:500</a> [5] -><br>
> MAILFILTERGATEWAY WARNING: NUMERICAL LINKS ARE OFTEN MALICIOUS:<br>
> <a href="http://206.248.160.8:500" target="_blank">206.248.160.8:500</a> [6] ( 554 bytes )<br>
<div class="im">> 10/11/17 14:37:43 DB : phase1 resend event scheduled ( ref count = 2<br>
> )<br>
</div>> 10/11/17 14:37:48 -> : resend 1 phase1 packet(s) MAILFILTERGATEWAY<br>
> WARNING: NUMERICAL LINKS ARE OFTEN MALICIOUS: <a href="http://192.168.1.83:500" target="_blank">192.168.1.83:500</a> [7] -><br>
> MAILFILTERGATEWAY WARNING: NUMERICAL LINKS ARE OFTEN MALICIOUS:<br>
> <a href="http://206.248.160.8:500" target="_blank">206.248.160.8:500</a> [8]<br>
<div class="im">><br>
> -----------------------------------~~~~~~~-----------------------------<br>
> Doing what you love is Freedom. | o o | Kevin Pickard<br>
> Loving what you do is Happiness. | ^ | <br>
><br>
> ------------------------------^^^-----------^^^------------------------<br>
</div>> On Wed 10/11/17 2:12 PM , Alexis La Goutte sent:<br>
<div><div></div><div class="h5">> > Hi,<br>
> ><br>
> > No, the communications never use TCP, ISAKMP use UDP (Port 500).<br>
> ><br>
> > No trace in Shrew Debug ?<br>
> ><br>
> > Regards,<br>
> > On Wed, Nov 17, 2010 at 7:51 PM, wrote:<br>
> > Hi Alexis. Thanks again for your help.<br>
> > Well I noticed that there was a mismatch in the Key Group so<br>
> I<br>
> > changed my Netgear to use DH Group 2 as this is<br>
> > what the Shrew client was using for DH exchange. I also explicitly<br>
> > specified 3DES as the cipher algorithm on the<br>
> > client side rather than auto because I was seeing a lot of trying<br>
> > the different options on the Netgear side until<br>
> > it settled on 3DES anyway.<br>
> > So now things are looking like they are getting further<br>
> along<br>
> > (see Netgear log below). It looks though like<br>
> > the Netgear is trying to send back a response (the TX >> AM_R1<br>
> line)<br>
> > but I am not seeing it at the client side. Is<br>
> > there something else I should be doing as the client is behind a<br>
> NAT<br>
> > router? Should the communications from the<br>
> > client not be over TCP rather than UDP to make this work?<br>
> > Again thanks for all your help.<br>
> > Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Receive Packet<br>
> > address:0x1396850 from 216.254.149.98<br>
> > Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE<br>
> > Aggressive Mode<br>
> > Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX > AM_R1 :<br>
> 216.254.149.98<br>
> > Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event<br>
> > EVENT_RETRANSMIT, timeout in 10 seconds for #4<br>
> > Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:event after this is<br>
> > EVENT_RETRANSMIT in 4 seconds<br>
> > Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event<br>
> > EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3<br>
> > Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:inserting event<br>
> > EVENT_RETRANSMIT, timeout in 20 seconds for #3<br>
> ><br>
> ><br>
> -----------------------------------~~~~~~~-----------------------------<br>
> > Doing what you love is Freedom. | o o | Kevin Pickard<br>
> > Loving what you do is Happiness. | ^ | <br>
> ><br>
> ><br>
> ------------------------------^^^-----------^^^------------------------<br>
> > On Wed 10/11/17 12:31 PM , Alexis La Goutte sent:<br>
> > > Hi Kevin,<br>
</div></div>> > > The identifier Information (<a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> [11] [4] [1] and<br>
> > <a href="http://fvs_local.com" target="_blank">fvs_local.com</a> [12] [5] [2])<br>
<div class="im">> > > are actual values to be used, not need to resolve this address.<br>
> > > Check your phase1 parameter (ISAKMP)<br>
> > ><br>
> > > Regards,<br>
> > ><br>
> > > On Wed, Nov 17, 2010 at 6:25 PM, wrote:<br>
> > > Thank you Alexis. I went through the VPN Wizard again and<br>
> > > followed the steps at the link you provided. I then<br>
> > > rebooted my router to make sure it was starting with the proper<br>
> > > configuration. Now it appears that my router is no<br>
> > > longer flagging the ISAKMP packets as suspicious and tossing<br>
> them<br>
> > > (which is good). In fact it looks like my router<br>
> > > is actually trying to process the packets now. But it is having<br>
> > > trouble with what it is seeing, based on its own<br>
> > > internal logs (below)...and a response is not being sent back to<br>
> > the<br>
> > > Shrew client.<br>
> > > My question now is, according to the link you provided, I<br>
> > was<br>
> > > to set the Identifier information fields to<br>
</div>> > > <a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> [13] [6] [4] and <a href="http://fvs_local.com" target="_blank">fvs_local.com</a> [14] [7] [5]. Are<br>
<div class="im">> these just<br>
> > examples or<br>
> > > are they the actual values to be used? Should these<br>
> > > not resolve to real addresses? As can be seen below the FQDN of<br>
</div>> > > <a href="http://fvs_remote.com" target="_blank">fvs_remote.com</a> [15] [8] [6] is being sent by the Shrew client in<br>
<div class="im">> > > the ISAKMP packet. The Netgear then complains about not having a<br>
> > > connection. Is this because this address does not<br>
> > > resolve?<br>
> > > By the way, the Shrew client is on a network behind a<br>
> router<br>
> > > so is NAT.<br>
> > > Anyway, below is the log from my Netgear. On the Shrew<br>
> side<br>
> > I<br>
> > > only see the ISAKMP packets being sent out every<br>
> > > 5 seconds without any response coming back.<br>
> > > Wed, 11/17/2010 10:44:22 - TekSavvy IKE:Trying Dynamic IP<br>
> > Searching<br>
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IPsec:Receive Packet<br>
> > > address:0x1396850 from 216.254.149.98<br>
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:Peer Initialized IKE<br>
> > > Aggressive Mode<br>
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:RX Hi Kevin,<br>
> > > ><br>
> > > > There is a VPN wizard in your FVS318v1 ?<br>
> > > ><br>
> > > > Because use VPN Wizard and information in this blog<br>
> > > ><br>
> > ><br>
> ><br>
> <a href="http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN" target="_blank">http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN</a><br>
</div>> [16]<br>
<div><div></div><div class="h5">> > [9]<br>
> > > [9]<br>
> > > > -NETGEAR[1]<br>
> > > > And it should work !<br>
> > > ><br>
> > > > Regards,<br>
> > > ><br>
> > > > On Mon, Nov 15, 2010 at 2:05 PM, Kevin Pickard wrote:<br>
> > > > Thanks for the response Alexis. So have you managed<br>
> > to<br>
> > > > get a FVS318v1 to work? Do you know what configuration I<br>
> should<br>
> > > use?<br>
> > > > As I said in my initial post, my attempts at<br>
> > > configuring<br>
> > > > it have failed (see below).<br>
> > > > At 03:59 AM 2010-11-15, Alexis La Goutte wrote:<br>
> > > > >Hi Kevin,<br>
> > > > ><br>
> > > > >Yes, it work but you should not use the Xauth & ModeConfig<br>
> (no<br>
> > > > available in FVS318v1)<br>
> > > > ><br>
> > > > >Regards,<br>
> > > > ><br>
> > > > ><br>
> > > > >On Sat, Nov 13, 2010 at 11:19 PM, Kevin Pickard wrote:<br>
> > > > > I take it no-one else has any experience with this?<br>
> > > > Andreas was the only one to respond but his FVS318 appears to<br>
> be<br>
> > a<br>
> > > > newer version and is completely different from mine. I have<br>
> the<br>
> > > older<br>
> > > > v1 hardware (FVS318v1). Anyone?<br>
> > > > >At 16:59:21 2010-10-26, wrote:<br>
> > > > >>Message: 2<br>
> > > > >>Date: Tue, 26 Oct 2010 16:59:21 +0200<br>
> > > > >>From:<br>
> > > > >>Subject: Re: [vpn-help] Netgear FVS318<br>
> > > > >>To:<br>
> > > > >>Message-ID:<br>
> > > > >>Content-Type: text/plain; charset="iso-8859-1";<br>
> > Format="flowed";<br>
> > > > >> DelSp="Yes"<br>
> > > > >><br>
> > > > >>Zitat von :<br>
> > > > >><br>
> > > > >>> Hello. Does anyone know if the Shrew client will<br>
> > work<br>
> > > > with the<br>
> > > > >>> Netgear FVS318 router?<br>
> > > > >>><br>
> > > > >>> I have scanned the archives and I have found<br>
> > > references<br>
> > > > to the<br>
> > > > >>> FVG318 but nothing specific about the FVS318. I have seen<br>
> > > > references<br>
> > > > >>> to needing Mode and Xauth enabled to get the FVS318 to<br>
> work<br>
> > > but<br>
> > > > >>> neither of those options exist on the FVS318 (that I can<br>
> > > find).<br>
> > > > So I<br>
> > > > >>> think those people are confusing the FVS318 with another<br>
> > > model.<br>
> > > > >>><br>
> > > > >>> Has anyone been able to get the Netgear FVS318 (V1<br>
> > > > hardware<br>
> > > > >>> running V2.4 firmware) to work with the Shrew client?<br>
> > > > >>><br>
> > > > >>> My initial attempts at trying various<br>
> configurations<br>
> > > > have only<br>
> > > > >>> resulted in security warnings on my FVS318 indicating that<br>
> > UDP<br>
> > > > >>> packets (from the Shrew Client) are being tossed because<br>
> > they<br>
> > > > >>> contain 'Suspicious UDP Data'. I have configured<br>
> to<br>
> > > use<br>
> > > > PSK. On the<br>
> > > > >>> client<br>
> > > > >>> side, via Wireshark, I only see the ISAKMP packet being<br>
> sent<br>
> > > out<br>
> > > > >>> (this is the one being tossed by the FVS318) at 5 second<br>
> > > > intervals.<br>
> > > > >>> The<br>
> > > > >>> Shrew client itself shows "bringing up tunnel ...", then<br>
> > > > eventually<br>
> > > > >>> followed by "negotiation timout [sic] occurred" after the<br>
> > > ISAKMP<br>
> > > > >>> packet has been sent 4 times.<br>
> > > > >><br>
> > > > >>Only some guess:<br>
> > > > >>If the netgear has some form of firewall you maybe need to<br>
> > allow<br>
> > > > >>inbound UDP port 500 and if using UDP encapsulation port<br>
> 4500<br>
> > as<br>
> > > > well<br>
> > > > >>to get the tunnel up.<br>
> > > > >><br>
> > > > >>Regards<br>
> > > > >><br>
> > > > >>Andreas<br>
> > > > >><br>
> > > > >><br>
> > > > >>-------------- next part --------------<br>
> > > > >>A non-text attachment was scrubbed...<br>
> > > > >>Name: smime.p7s<br>
> > > > >>Type: application/pkcs7-signature<br>
> > > > >>Size: 6046 bytes<br>
> > > > >>Desc: S/MIME Cryptographic Signature<br>
> > > > >>URL:<br>
> > > > >><br>
> > > > >>------------------------------<br>
> > > > >><br>
> > > > >>_______________________________________________<br>
> > > > >>vpn-help mailing list<br>
> > > > >><br>
</div></div>> > > > >><a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a> [17] [10]<br>
<div class="im">> [10]<br>
> > [19]<br>
> > > > >><br>
> > > > >><br>
> > > > >>End of vpn-help Digest, Vol 49, Issue 25<br>
> > > > >>****************************************<br>
> > > ><br>
> > > ><br>
> > ><br>
> ><br>
> >-----------------------------------~~~~~~~-----------------------------<br>
> > > > > Doing what you love is Freedom. | o o | Kevin Pickard<br>
> > > > > Loving what you do is Happiness. | ^ |<br>
> > > ><br>
> > > ><br>
> > ><br>
> ><br>
> >------------------------------^^^-----------^^^------------------------<br>
> > > > >_______________________________________________<br>
> > > > >vpn-help mailing list<br>
> > > > ><br>
</div>> > > > ><a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a> [18] [11]<br>
<div class="im">> [11] [24]<br>
> > > ><br>
> > > ><br>
> > ><br>
> ><br>
> -----------------------------------~~~~~~~-----------------------------<br>
> > > > Doing what you love is Freedom. | o o | Kevin Pickard<br>
> > > > Loving what you do is Happiness. | ^ |<br>
> > > ><br>
> > > ><br>
> > ><br>
> ><br>
> ------------------------------^^^-----------^^^------------------------<br>
> > > ><br>
> > > ><br>
> > > > Links:<br>
> > > > ------<br>
> > > > [1]<br>
> > > ><br>
> > ><br>
> ><br>
> <a href="http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN" target="_blank">http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN</a><br>
</div>> [19]<br>
> > [12]<br>
> > > [12]<br>
> > > > -NETGEAR[15]<br>
><br>
><br>
> Links:<br>
> ------<br>
> [5] <a href="http://192.168.1.83:500" target="_blank">http://192.168.1.83:500</a><br>
> [6] <a href="http://206.248.160.8:500" target="_blank">http://206.248.160.8:500</a><br>
> [7] <a href="http://192.168.1.83:500" target="_blank">http://192.168.1.83:500</a><br>
> [8] <a href="http://206.248.160.8:500" target="_blank">http://206.248.160.8:500</a><br>
> [11] <a href="http://fvs_remote.com" target="_blank">http://fvs_remote.com</a><br>
> [12] <a href="http://fvs_local.com" target="_blank">http://fvs_local.com</a><br>
> [13] <a href="http://fvs_remote.com" target="_blank">http://fvs_remote.com</a><br>
> [14] <a href="http://fvs_local.com" target="_blank">http://fvs_local.com</a><br>
> [15] <a href="http://fvs_remote.com" target="_blank">http://fvs_remote.com</a><br>
> [16]<br>
<div class="im">> <a href="http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN" target="_blank">http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN</a><br>
</div>> [17] <a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
> [18] <a href="http://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">http://lists.shrew.net/mailman/listinfo/vpn-help</a><br>
> [19]<br>
<div><div></div><div class="h5">> <a href="http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN" target="_blank">http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN</a><br>
><br>
><br>
<br>
</div></div></blockquote></div><br>