sedcom_pm
Jul 07, 2017, Aspirant
FVS336Gv3 PPTP VPN for macOS Sierra
Hi Netgear community, One of our sites has a NETGEAR ProSafe™ Gigabit Dual WAN SSL VPN Firewall FVS336Gv3 which has PPTP Server enabled and setup with working users for Windows OS, there is 1 use...
sedcom_pm
Jul 20, 2017, Aspirant
Hi JohnCarloV,
I have followed the guide to set up IPsec VPN. Ignoring the macOS/iPhone part, I am testing it on a Windows 10 OS (Windows built-in VPN client) and also on Android (using strongSwan VPN), and both fail to connect. As the client side only needs to know the server address and username/password, there are not many other settings required.
Windows error:
The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
Android error (x.x.x.x replaces android and firewall IPs):
[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Android 6.0.1 - xxx/2017-04-01, SM-N9200 - samsung/nobleltezh/samsung, Linux 3.10.61-9869866, aarch64)
[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
[JOB] spawning 16 worker threads
[IKE] initiating IKE_SA android[4] to x.x.x.x
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 1 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 2 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 3 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] giving up after 3 retransmits
[IKE] peer not responding, trying again (2/0)
[IKE] initiating IKE_SA android[4] to x.x.x.x
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] destroying IKE_SA in state CONNECTING without notification
Any ideas?
Many thanks.
JohnC_V
Jul 20, 2017, NETGEAR Employee Retired
The Windows error shows that it is an L2TP connection and not IPsec. These are 2 different protocols. Also, the VPN for Mac and Windows are not the same, as they are using different operating systems. We are using a VPN Client for Windows. As far as I know, your device FVS336Gv3 has a free license lite key and it is included in the package (CD key). If the CD is not included in the package, then you may open a chat / case online on NETGEAR support to request the VPN lite license key.
Here is the manual for setting up VPN for Windows. You may download the client here.
Regards,
- sedcom_pm, Jul 21, 2017, Aspirant
Hi JohnCarloV,
The built-in Windows VPN client has the option as:
VPN type: L2TP/IPsec with pre-shared key.
The only other option is L2TP/IPsec with certificate.
There is no IPsec on its own.
There will be more users with Macs that will need to use VPN for this site, and as you/Netgear have advised that IPsec is the only option, we need to try and get this working.
Many thanks.
- JohnC_V, Jul 21, 2017, NETGEAR Employee Retired
L2TP/IPsec is different from IPsec only. They do have different credentials in order for the tunnel to be connected. You may use the client that I attached in my previous reply; the Mac VPN mode config is also attached in my previous reply.
Please do check the hyperlinks. Thank you!
Regards,
- sedcom_pm, Aug 23, 2017, Aspirant
Hi JohnCarloV/all,
Thank you for your patience. I still have this issue with the macOS user. I followed the guides you supplied links for. The end user said his Mac connected on the VPN but disconnected almost immediately. Unfortunately he could not give me any error messages/logs. There are going to be several users that will be using the IPsec method (due to being on the latest macOS), so I would prefer to try and get a generic/3rd party VPN application working. I tried to install and test the single VPN Lite application on my local machine (Windows 10), but there is no trial option and I do not want to use up the license.
I have managed to get Shrew VPN to connect, but I am not able to route any traffic externally/internally or ping any IPs on any of the ranges configured on the firewall/network. However, DNS servers have been picked up and I have DNS resolution. I do get assigned the first IP in the range for the IPsec VPN upon the VPN connecting.
Here is the Shrew connection log:
config loaded for site '89.x.x.x'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
FVS336Gv3 IPsec VPN Logs:
Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: 10.0.3.100 IP address has been released by remote peer.
Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: KA remove: 89.x.x.x[4500]->88.x.x.x[4500]
Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: ISAKMP-SA deleted for 89.x.x.x[4500]-88.x.x.x[4500] with spi:4fbb712c913a6dfd:26f9c9c5f4003681
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged Out from IP Address 88.x.x.x
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=4fbb712c913a6dfd:26f9c9c5f4003681.
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged Out from IP Address 88.x.x.x
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=830496086(0x31805d56).
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Deleting generated policy for 88.x.x.x[0]
Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 89.x.x.x->88.x.x.x with spi=830496086(0x31805d56)
Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 88.x.x.x->89.x.x.x with spi=197506703(0xbc5b68f)
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: No policy found, generating the policy : 10.0.3.100/32[0] 0.0.0.0/0[0] proto=any dir=in
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Using IPsec SA configuration: anonymous
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Responding to new phase 2 negotiation: 89.x.x.x[0]<=>88.x.x.x[0]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28680
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28677
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Cannot open "/etc/motd"
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] WARNING: Ignored attribute 28678
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28674
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] WARNING: Ignored attribute 5
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: 10.0.3.100 IP address is assigned to remote peer 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Cannot record event: event queue overflow
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged In from IP Address 88.x.x.x
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Login succeeded for user "gledsleyips"
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: ISAKMP-SA established for 89.x.x.x[4500]-88.x.x.x[4500] with spi:4fbb712c913a6dfd:26f9c9c5f4003681
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Sending Xauth request to 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: KA list add: 89.x.x.x[4500]->88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Floating ports for NAT-T with peer 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT detected: PEER
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT-D payload does not match for 88.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT-D payload matches for 89.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: For 88.x.x.x[500], Selected NAT-T version: RFC 3947
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: DPD
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: DPD
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Beginning Identity Protection mode.
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received request for new phase 1 negotiation: 89.x.x.x[500]<=>88.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Anonymous configuration selected for 88.x.x.x[500].
Please advise.
Thanks.
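Added example (not part of the thread and not NETGEAR code): a small parser for firewall IKE logs in the format posted above. It pairs each "IPsec-SA established" entry with its purge by SPI to show how long the tunnel stayed up, and pulls out the generated policy selectors and the ignored mode-config attributes. It assumes the log is listed newest first with a single time zone; the sample lines and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the firewall's log format: newest entry first,
# documentation-range addresses, and two records fused onto one line.
SAMPLE = (
    "Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: [IPSEC_VPN] "
    "Purged IPsec-SA with proto_id=ESP and spi=830496086(0x31805d56).\n"
    "Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA "
    "established[UDP encap 4500->4500]: ESP/Tunnel 203.0.113.1->198.51.100.7 "
    "with spi=830496086(0x31805d56)\n"
    "Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: No policy "
    "found, generating the policy : 10.0.3.100/32[0] 0.0.0.0/0[0] proto=any dir=in\n"
    "Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored "
    "attribute 28680"  # no newline: fused with the next record
    "Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] WARNING: Ignored "
    "attribute 28678\n"
)

STAMP = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}"
# A record runs from one timestamp to the next, so fused lines still split.
RECORD = re.compile(
    rf"({STAMP}) \(GMT [+-]\d{{4}}\): \[\w+\] \[IKE\] (\w+): "
    rf"(.*?)(?=\s*{STAMP} \(GMT|\s*$)", re.S)
SPI = r".*spi=\d+\((0x[0-9a-f]+)\)"

def summarize(text):
    recs = [(datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"), m[2], m[3].strip())
            for m in RECORD.finditer(text)]
    recs.reverse()                      # input is newest first (assumption)
    recs.sort(key=lambda r: r[0])       # stable: keeps order within one second
    up, lifetimes, policies, ignored = {}, {}, [], []
    for ts, _level, msg in recs:
        if m := re.search("IPsec-SA established" + SPI, msg):
            up[m[1]] = ts
        elif m := re.search("Purged IPsec-SA" + SPI, msg):
            if m[1] in up:              # seconds between establish and purge
                lifetimes[m[1]] = (ts - up[m[1]]).total_seconds()
        elif m := re.search(r"generating the policy : (\S+)\[\d+\] (\S+)\[\d+\]", msg):
            policies.append((m[1], m[2]))   # (source selector, destination selector)
        elif m := re.search(r"Ignored attribute (\d+)", msg):
            ignored.append(int(m[1]))
    return {"events": len(recs), "sa_lifetime_s": lifetimes,
            "policies": policies, "ignored_attrs": ignored}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
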