HankLambert
Aspirant
Jul 29, 2015

FVS338 VPN still won't accept client

I got help here last week with a problem with the VPN Client not connecting to my FVS338 firewall. It worked on Friday, but now it is not working again, and the configuration is exactly as it was on Friday. To recount, I have an FVS338 with a single WAN connection. We have Bright House Business Internet, and their modem is in bridge mode passing our public address to the firewall. I have a Gateway to Gateway VPN established on this firewall which works great. I am trying to set up a salesman with a VPN connection using the Netgear Prosafe VPN client and cannot get the FW to accept the connection.

 

The VPN Client logs tell me nothing. I cleared the logs and then tried to connect. These are the only entries in the log:

 

20150729 15:09:44:010 Default (SA Ikev 1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] [VID] 

20150729 15:09:49:080 Default (SA Ikev 1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] [VID] 

20150729 15:11:04:085 Default (SA Ikev 1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID] [VID] 

 

The firewall VPN logs say the following:

 

2015 Jul 29 15:10:06 [FVS338] [IKE] Received mode config from 108.58.144.138[500], but local configuration does not have mode config or xauth._
2015 Jul 29 15:09:52 [FVS338] [IKE] Initiating new phase 2 negotiation: 71.43.108.68[0]<=>108.58.144.138[0]_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received mode config from 108.58.144.138[500], but local configuration does not have mode config or xauth._
2015 Jul 29 15:09:51 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2015 Jul 29 15:09:51 [FVS338] [IKE] ISAKMP-SA established for 71.43.108.68[500]-108.58.144.138[500] with spi:2ebebc6804125db6:3e6b9457d7bae9c6_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received unknown Vendor ID_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received Vendor ID: DPD_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_
2015 Jul 29 15:09:50 [FVS338] [IKE] Setting DPD Vendor ID_
2015 Jul 29 15:09:50 [FVS338] [IKE] Beginning Identity Protection mode._
2015 Jul 29 15:09:50 [FVS338] [IKE] Initiating new phase 1 negotiation: 71.43.108.68[500]<=>108.58.144.138[500]_
2015 Jul 29 15:09:50 [FVS338] [IKE] Configuration found for 108.58.144.138._
2015 Jul 29 15:09:50 [FVS338] [IKE] There is a difference between the in/out bound policies in SPD._
2015 Jul 29 15:09:50 [FVS338] [IKE] Using IPsec SA configuration: 192.168.50.1/24<->192.168.28.1/20_
2015 Jul 29 15:09:50 [FVS338] [IKE] no in-bound policy found: 192.168.28.1/20[0] 192.168.50.1/24[0] proto=any dir=in_
2015 Jul 29 15:09:47 [FVS338] [IKE] ISAKMP-SA deleted for 71.43.108.68[500]-108.58.144.138[500] with spi:19a527b0172f5d1c:3e6b9457bd7d7aa9_
2015 Jul 29 15:09:47 [FVS338] [IKE] an undead schedule has been deleted: 'quick_i1prep'._
2015 Jul 29 15:09:47 [FVS338] [IKE] Phase 2 negotiation failed due to time up. 19a527b0172f5d1c:3e6b9457bd7d7aa9:d98b5aa6_
2015 Jul 29 15:09:46 [FVS338] [IKE] Configuration found for 72.68.71.228._
2015 Jul 29 15:09:46 [FVS338] [IKE] Using IPsec SA configuration: 192.168.50.0/24<->10.0.0.0/8_
2015 Jul 29 15:09:45 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 72.68.71.228->71.43.108.68 _

 

So I was able to connect on Friday, the laptop sat idle until last night when the salesman picked it up, and it no longer connects. Any help that you can provide is greatly appreciated. I am at the point of giving up.

 

--Hank
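
One way to turn the newest-first firewall log in the post above into a per-peer IKE timeline, as an added example that is not part of the original thread. The event labels and function names are choices made for this example, and the sample is an excerpt of the log lines quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the firewall log quoted in the post, newest entry first as posted.
SAMPLE_LOG = """\
2015 Jul 29 15:10:06 [FVS338] [IKE] Received mode config from 108.58.144.138[500], but local configuration does not have mode config or xauth._
2015 Jul 29 15:09:52 [FVS338] [IKE] Initiating new phase 2 negotiation: 71.43.108.68[0]<=>108.58.144.138[0]_
2015 Jul 29 15:09:51 [FVS338] [IKE] Received mode config from 108.58.144.138[500], but local configuration does not have mode config or xauth._
2015 Jul 29 15:09:51 [FVS338] [IKE] ISAKMP-SA established for 71.43.108.68[500]-108.58.144.138[500] with spi:2ebebc6804125db6:3e6b9457d7bae9c6_
2015 Jul 29 15:09:50 [FVS338] [IKE] Beginning Identity Protection mode._
2015 Jul 29 15:09:50 [FVS338] [IKE] Initiating new phase 1 negotiation: 71.43.108.68[500]<=>108.58.144.138[500]_
2015 Jul 29 15:09:45 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP 72.68.71.228->71.43.108.68 _
"""

LINE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \[\S+\] \[IKE\] (.*?)_?\s*$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RULES = [  # labels are names chosen for this example; each rule captures the remote peer
    ("phase1_initiated", re.compile(r"Initiating new phase 1 negotiation: \S+<=>" + IP)),
    ("phase1_established", re.compile(r"ISAKMP-SA established for \S+?\]-" + IP)),
    ("phase2_initiated", re.compile(r"Initiating new phase 2 negotiation: \S+<=>" + IP)),
    ("phase2_timeout_waiting_phase1", re.compile(r"time up waiting for phase1\. ESP " + IP)),
    ("mode_config_unexpected", re.compile(r"Received mode config from " + IP + r".*does not have mode config or xauth")),
]

def timeline(log_text):
    """Return {peer_ip: [event, ...]} in chronological order; unmatched lines are skipped."""
    events = []
    for line in reversed(log_text.splitlines()):  # the log is posted newest-first
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
        for label, rule in RULES:
            hit = rule.search(m.group(2))
            if hit:
                events.append((when, hit.group(1), label))
                break
    events.sort(key=lambda e: e[0])  # stable sort keeps the order within one second
    peers = defaultdict(list)
    for _, peer, label in events:
        peers[peer].append(label)
    return dict(peers)

def peers_with_mode_config_mismatch(log_text):
    return sorted(p for p, ev in timeline(log_text).items() if "mode_config_unexpected" in ev)

if __name__ == "__main__":
    print(timeline(SAMPLE_LOG))
```

Read in time order, the excerpt shows the firewall logging a received mode config from 108.58.144.138 both before and after it starts phase 2, while stating that its local configuration has neither mode config nor xauth.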

 

8 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi HankLambert,

     

    Have you tried to delete then re-create the policies using the VPN Wizard? Check pages 8-13 of this link below as reference guide:  

     

    http://www.downloads.netgear.com/files/GDC/FVS318N/QSGVPN_4Apr2012.pdf

     

    What is the current firmware version of the FVS338?

    What is the version of the VPN Client Professional Software installed on the laptop?

     

    I am looking forward to your response.

     

     

    Regards,

     

    DaneA

    Netgear Community Team

    • HankLambert
      Aspirant

      Thanks for the response. I have in fact deleted both the client policy on the firewall and the VPN client on the laptop numerous times. I also followed the setup in the guide. The firewall firmware version is 3.1.1-08, and the VPN Client has the following info:

      vpnconf.exe 6.12.001
      tgbikeng.exe 6.4.1
      comlib.dll 4.1.0.1
      tgbstarter.exe 4.2.0.4
      vpncfg.dll 3.2.0.3
      tgblibeay32.dll 0.9.8j
      tgblogonui.exe 6.12
      TgbCredProv.dll 6.12
      TGBMPEnum.sys 2.00.02.0003 built by: WinDDK
      TGBVPNVirtM.sys 2.04.04.0001 built by: WinDDK

       

      --Hank

       

      • DaneA
        NETGEAR Employee Retired

        Hi HankLambert,

         

        Is the LAN network configured on your FVS338 different from the LAN network of the laptop where the VPN Client software is installed?

        It is recommended that the LAN network on the FVS338 should be different (for example: the FVS338 LAN has a network address of 192.168.1.0/24) from the laptop where the VPN Client software is installed (for example: the PC has an IP address of 10.0.0.9/24). And of course, the laptop should be outside the network of your FVS338.

         

        Furthermore, try to disable PFS on the VPN policy of the FVS338 as well as disable PFS on the VPN Client software then check if you could open the tunnel.

         

        I will be looking forward to your response.

         

         

        Regards,

         

        DaneA

        Netgear Community Team
