Sign in with
Sign up | Sign in
Your question

Netgear FVS318 and Netgear (ProSafe) VPN Client problem th..

Last response: in Networking
Share
July 15, 2004 1:17:13 PM

Archived from groups: comp.security.firewalls (More info?)

AGGGHGGHGHGH!!!!!

I have a number of Netgear FVS318 units located at multiple sites, and
am attempting to use the Netgear VPN clients to connect to these
units.

VPN Client is the Netgear SafeNet SoftRemote 10.1.1 Build 10

PROBLEM

If the end user (VPN Client) connects directly to the internet -- not
through a firewall of any sort, such as when using dialup or directly
connecting to cable or DSL modem, etc., the VPN connection works fine.

But if you try to connect through any sort of firewall, connection
fails. Log viewer errors below:

LOG FROM THE VPN CLIENT

(I have masked the Destination IP address in the following log)

7-15: 08:18:39.473 My Connections\VPNClient - RECEIVED<<< ISAKMP OAK
MM (KE, NON)
7-15: 08:18:39.703 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
7-15: 08:18:39.743 My Connections\VPNClient - RECEIVED<<< ISAKMP OAK
MM *(ID, HASH)
7-15: 08:18:39.753 My Connections\VPNClient - Established IKE SA
7-15: 08:18:39.753 MY COOKIE 87 59 9 ee c4 4d 4e 44
7-15: 08:18:39.753 HIS COOKIE 24 45 32 47 d3 38 dd dc
7-15: 08:18:39.974 My Connections\VPNClient - Initiating IKE Phase 2
with Client IDs (message id: 3AFFEB9C)
7-15: 08:18:39.974 Initiator = IP ADDR=192.168.100.70, prot = 0
port = 0
7-15: 08:18:39.974 Responder = IP
SUBNET/MASK=192.168.0.0/255.255.255.0, prot = 0 port = 0

--> The following section is where it goes bad.

7-15: 08:18:39.974 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
QM *(HASH, SA, NON, KE, ID 2x)
7-15: 08:18:50.709 My Connections\VPNClient - QM re-keying timed out
(message id: 3AFFEB9C). Retry count: 1
7-15: 08:18:50.709 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
QM *(Retransmission)
7-15: 08:19:00.713 My Connections\VPNClient - QM re-keying timed out
(message id: 3AFFEB9C). Retry count: 2
7-15: 08:19:00.713 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
QM *(Retransmission)
7-15: 08:19:11.709 My Connections\VPNClient - QM re-keying timed out
(message id: 3AFFEB9C). Retry count: 3
7-15: 08:19:11.709 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
QM *(Retransmission)
7-15: 08:19:21.714 My Connections\VPNClient - Exceeded 3 re-keying
attempts (message id: 3AFFEB9C)
7-15: 08:19:21.714 My Connections\VPNClient - Disconnecting IKE SA
negotiation
7-15: 08:19:21.724 My Connections\VPNClient - Deleting IKE SA (IP
ADDR=12.169.111.11)
7-15: 08:19:21.724 MY COOKIE 87 59 9 ee c4 4d 4e 44
7-15: 08:19:21.724 HIS COOKIE 24 45 32 47 d3 38 dd dc
7-15: 08:19:21.724 My Connections\VPNClient - SENDING>>>> ISAKMP OAK
INFO *(HASH, DEL)

LOGS FROM THE NETGEAR

Thur, 07/15/2004 08:16:54 - FVS318 IPsec:New State index:1, sno:57
Thur, 07/15/2004 08:16:54 - FVS318 IKE:[VPNClient_tmp21] RX << QM_I1 :
67.168.11.111
Thur, 07/15/2004 08:16:54 - FVS318 IPsec:cannot respond to IPsec SA
request because no connection is known for
192.168.0.0/255.255.255.0-12.169.111.11=====67.168.11.111-19
Thur, 07/15/2004 08:17:04 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:17:04 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 237
Thur, 07/15/2004 08:17:04 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:17:14 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:17:14 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 237
Thur, 07/15/2004 08:17:14 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:17:24 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:17:24 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 237
Thur, 07/15/2004 08:17:24 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:17:34 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:17:34 - FVS318 IKE:[VPNClient_tmp21] RX <<
XCHG_INFO : 67.168.11.111
Thur, 07/15/2004 08:17:34 - FVS318 IPsec:Enter Process_DeleteSA()
spi_len=16
Thur, 07/15/2004 08:17:34 - FVS318 IKE:RX << DELETE ISAKMP SA :
67.168.11.111 ,I-R=cc 5e da 23 5f f4 2d fb c9 40 9f d1 b f4 18 5
Thur, 07/15/2004 08:17:34 - FVS318 IKE:[VPNClient_tmp21] ISAKMP SAs
were Deleted!
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IKE:p eer Initialized IKE Main Mode
Thur, 07/15/2004 08:18:32 - FVS318 IKE:main_inI1_outR1() connection
not found 12.169.111.11[500]-67.168.11.111[500]
Thur, 07/15/2004 08:18:32 - FVS318 IKE:Trying Dynamic IP Searching
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:instantiated
"VPNClient_tmp22" for 67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IKE:[VPNClient_tmp22] RX << MM_I1 :
67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:New State index:0, sno:1
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:o akley Transform 1 accepted
Thur, 07/15/2004 08:18:32 - FVS318
IKE:o AKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP768
Thur, 07/15/2004 08:18:32 - FVS318 IKE:[VPNClient_tmp22] TX >> MM_R1 :
67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IKE:[VPNClient_tmp22] RX << MM_I2 :
67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IKE:[VPNClient_tmp22] TX >> MM_R2 :
67.168.11.111
Thur, 07/15/2004 08:18:32 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:34 - FVS318 IKE:[VPNClient_tmp22] RX << MM_I3 :
67.168.11.111
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:D ecoded Peer's ID is
ID_IPV4_ADDR:192.168.100.70 and 67.168.11.111 in st
Thur, 07/15/2004 08:18:34 - FVS318 IKE:[VPNClient_tmp22] TX >> MM_R3 :
67.168.11.111
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:inserting event
EVENT_SA_EXPIRE, timeout in 28980 seconds for #1
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:STATE_MAIN_R3: sent MR3,
ISAKMP SA established
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:New State index:1, sno:2
Thur, 07/15/2004 08:18:34 - FVS318 IKE:[VPNClient_tmp22] RX << QM_I1 :
67.168.11.111
Thur, 07/15/2004 08:18:34 - FVS318 IPsec:cannot respond to IPsec SA
request because no connection is known for
192.168.0.0/255.255.255.0-12.169.111.11=====67.168.11.111-19
Thur, 07/15/2004 08:18:44 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:44 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 79
Thur, 07/15/2004 08:18:44 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:18:54 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:18:54 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 79
Thur, 07/15/2004 08:18:54 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:19:06 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:19:06 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 79
Thur, 07/15/2004 08:19:06 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:19:16 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:19:16 - FVS318 IKE:[VPNClient_tmp22] RX <<
XCHG_INFO : 67.168.11.111
Thur, 07/15/2004 08:19:16 - FVS318 IPsec:Enter Process_DeleteSA()
spi_len=16
Thur, 07/15/2004 08:19:16 - FVS318 IKE:RX << DELETE ISAKMP SA :
67.168.11.111 ,I-R=87 59 9 ee c4 4d 4e 44 24 45 32 47 d3 38 dd dc
Thur, 07/15/2004 08:19:16 - FVS318 IKE:[VPNClient_tmp22] ISAKMP SAs
were Deleted!
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IKE:p eer Initialized IKE Main Mode
Thur, 07/15/2004 08:21:26 - FVS318 IKE:[VPNClient] RX << MM_I1 :
67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:New State index:0, sno:1
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:responding to Main Mode
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:o akley Transform 1 accepted
Thur, 07/15/2004 08:21:26 - FVS318
IKE:o AKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP768
Thur, 07/15/2004 08:21:26 - FVS318 IKE:[VPNClient] TX >> MM_R1 :
67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IKE:[VPNClient] RX << MM_I2 :
67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IKE:[VPNClient] TX >> MM_R2 :
67.168.11.111
Thur, 07/15/2004 08:21:26 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IKE:[VPNClient] RX << MM_I3 :
67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:D ecoded Peer's ID is
ID_IPV4_ADDR:192.168.100.70 and 67.168.11.111 in st
Thur, 07/15/2004 08:21:28 - FVS318 IKE:[VPNClient] TX >> MM_R3 :
67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:inserting event
EVENT_SA_EXPIRE, timeout in 28980 seconds for #1
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:STATE_MAIN_R3: sent MR3,
ISAKMP SA established
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:New State index:1, sno:2
Thur, 07/15/2004 08:21:28 - FVS318 IKE:[VPNClient] RX << QM_I1 :
67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:cannot respond to IPsec SA
request because no connection is known for
192.168.0.0/255.255.255.0-12.169.111.11=====67.168.11.111-19
Thur, 07/15/2004 08:21:38 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:38 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 48
Thur, 07/15/2004 08:21:38 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:21:48 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:48 - FVS318 IKE:[VPNClient] RX << XCHG_INFO :
67.168.11.111
Thur, 07/15/2004 08:21:48 - FVS318 IPsec:Enter Process_DeleteSA()
spi_len=16
Thur, 07/15/2004 08:21:48 - FVS318 IKE:RX << DELETE ISAKMP SA :
67.168.11.111 ,I-R=e0 f2 ea 67 e9 86 b9 68 d5 f6 b 6f be 23 de f9
Thur, 07/15/2004 08:21:48 - FVS318 IKE:[VPNClient] ISAKMP SAs were
Deleted!
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IKE:p eer Initialized IKE Main Mode
Thur, 07/15/2004 08:24:50 - FVS318 IKE:main_inI1_outR1() connection
not found 12.169.111.11[500]-67.168.11.111[500]
Thur, 07/15/2004 08:24:50 - FVS318 IKE:Trying Dynamic IP Searching
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:instantiated
"VPNClient_tmp23" for 67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IKE:[VPNClient_tmp23] RX << MM_I1 :
67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:New State index:0, sno:1
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:o akley Transform 1 accepted
Thur, 07/15/2004 08:24:50 - FVS318
IKE:o AKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP768
Thur, 07/15/2004 08:24:50 - FVS318 IKE:[VPNClient_tmp23] TX >> MM_R1 :
67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IKE:[VPNClient_tmp23] RX << MM_I2 :
67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IKE:[VPNClient_tmp23] TX >> MM_R2 :
67.168.11.111
Thur, 07/15/2004 08:24:50 - FVS318 IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:24:52 - FVS318 IKE:[VPNClient_tmp23] RX << MM_I3 :
67.168.11.111
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:D ecoded Peer's ID is
ID_IPV4_ADDR:192.168.100.70 and 67.168.11.111 in st
Thur, 07/15/2004 08:24:52 - FVS318 IKE:[VPNClient_tmp23] TX >> MM_R3 :
67.168.11.111
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:inserting event
EVENT_SA_EXPIRE, timeout in 28980 seconds for #1
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:STATE_MAIN_R3: sent MR3,
ISAKMP SA established
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:New State index:1, sno:2
Thur, 07/15/2004 08:24:52 - FVS318 IKE:[VPNClient_tmp23] RX << QM_I1 :
67.168.11.111
Thur, 07/15/2004 08:24:52 - FVS318 IPsec:cannot respond to IPsec SA
request because no connection is known for
192.168.0.0/255.255.255.0-12.169.111.11=====67.168.11.111-19
Thur, 07/15/2004 08:25:02 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:25:02 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 34
Thur, 07/15/2004 08:25:02 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:25:12 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:25:12 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 34
Thur, 07/15/2004 08:25:12 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:25:22 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:25:22 - FVS318 IPsec:loglog[3] *#hahaha.... next
payload type of ISAKMP Hash Payload has an unknown value: 34
Thur, 07/15/2004 08:25:22 - FVS318 IPsec:malformed payload in packet
Thur, 07/15/2004 08:25:32 - FVS318 IPsec:Receive Packet
address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:25:32 - FVS318 IKE:[VPNClient_tmp23] RX <<
XCHG_INFO : 67.168.11.111
Thur, 07/15/2004 08:25:32 - FVS318 IPsec:Enter Process_DeleteSA()
spi_len=16
Thur, 07/15/2004 08:25:32 - FVS318 IKE:RX << DELETE ISAKMP SA :
67.168.11.111 ,I-R=6 1c 2f 29 9c 6b 9c 2e 6c 82 2f fb f7 c 55 76
Thur, 07/15/2004 08:25:32 - FVS318 IKE:[VPNClient_tmp23] ISAKMP SAs
were Deleted!
Thur, 07/15/2004 08:28:10 - FVS318 IPsec:[VPNClient_tmp23] is removed
from the head of conn_list
Thur, 07/15/2004 08:28:10 - FVS318 IPsec:Connection [VPNClient_tmp23]
is deleted from connection table


In this case, this was through a Netgear FVS318 router, while trying
to connect from my laptop to the VPN on another FVS318 at another
location.

I have tried the following:

Updated Firmware to current version V2.3 Feb. 5 2004
Assigning a static IP address to the VPN client (my laptop).
Changing the IP Address of the local gateway (my LAN's Netgear) to
192.168.1.253.
Setting my VPN Client (laptop) to be the DMZ.
Manually port forwarding port 500 to allow proper IKE functionality.
Changing MTU size on the Netgear.
On the Netgear IPSEC and VPN passthrough are enabled (same was true
for all firewalls tested).

Still I can't connect!

INTERESTING FACT: I have been replacing Sonicwall firewalls with
these Netgear FVS318's. The Sonicwall also uses an OEM version of the
ProSafe VPN client (just like Netgear). Those VPN connections work
JUST FINE without any changes to any networking hardware.

SUMMARY: It appears that any NAT device causes this same trouble. I
have tested through Netgear, Cisco, Dlink, and Linksys devices. All
show the same problem with the Netgear VPN only.

Any ideas on how to get this to work? Netgear support was clueless.
Anonymous
July 16, 2004 1:59:07 PM

Archived from groups: comp.security.firewalls (More info?)

Dominic wrote:
> Any ideas on how to get this to work? Netgear support was clueless.
1. Netgear support clueless? You mean you actually got a response from
Netgear????????
2. What firmware are you using on the routers? There is a beta version
(2.4a IIRC) available which cures many ills. bug in it completely fubars
remote LAN ranges if you aren't careful.
3. Logs suggest that traffic is either being blocked/fooled with at the
local router, or not being sent from the host.

Possibilities....
Problem may be that the host router does not know how to find the
network you are on (192.168.x.x) and cannot route the packets back.

It sorta seems like the host router is trying to create a tunnel with
the internal address, (192.168.x.x) rather than the NAT'd external address.

I think you can add a network route to the netgears - e.g.
192.168.100.0/24 via 67.168.11.111

Bottom line is don't know of an exact fix.
E.
!