I have a FVX538 which was shelved for many years because we had a new FW from the provider. However we switched providers and I had to pull it off the shelf to use. I updated the firmware successfully and all is working well, but I pulled out the VPN software which came with the device and it won't install on Windows 7 or higher with out errors. I downloaded the new VPN software for 30 days free but the configuration is different that the directions in the old software. I can see in the logs on the FW that I'm communicating but on the client side it only says "preparing IKE request" then "tunnel closed" in the lower right corner of the screen. Any assistance would be greatly appreciated.

@digitalbeachbum:Check these link below and this may help you as reference guides:http://kb.netgear.com/app/answers/detail/a_id/24245/related/1http://www.downloads.netgear.com/files/GDC/FVS318N/QSGVPN_4Apr2012.pdf

What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

Firmware Version (Primary): 3.0.5-28.4Yeah, those instructions are what I did - basically the wizards on both sides then added the DNS Identifier fvx_remote and fvx_localLet me try again and see if I missed any thingNhellie26 wrote:What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

I am using a pre-shared key verses the RSA signature. Does this make a difference?Nhellie26 wrote:What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

Thank you. I'm looking through the info now.Sasword wrote:@digitalbeachbum:Check these link below and this may help you as reference guides:http://kb.netgear.com/app/answers/detail/a_id/24245/related/1http://www.downloads.netgear.com/files/GDC/FVS318N/QSGVPN_4Apr2012.pdf

Fvx538 | NETGEAR Communities

41 Replies

digitalbeachbum
Aspirant
Jun 07, 2015
Here is a list of items I've completed which hasn't solved the problem.

1 - Made sure the firmware was up to date
2 - Changed the internal office and remote addresses to something other than 192.168.x.x
3 - Made sure the settings for remote=local and local=remote on the setup of the remote client workstation.
4 - Tried changing the external public IP (three different IP addresses).
5 - Turned off the FW on the workstation
6 - Verified in the FW log that the remote workstation had attempted to connect but for an unknown reason was being dropped

I'm tempted to purchase a new FW. It seems to be the only option right now.
Any suggestions for a new one?
adit
Mentor
Jun 08, 2015
Try installing 3.0.7-24. I'll update my VPN tutorial with the new VPN Client software one day this week.
RX
Luminary
Jun 08, 2015
@digitalbeachbum: It seems that the FVX538 that you have is a v1. The FW v3.0.7-24 is for the FVX538v2. If you want to make sure on what version your FVX538 is, you may contact Netgear Support then ask them to verify the serial number of your FVX538 if its a v1 or v2: http://support.netgear.com/general/contact/#tab-call

digitalbeachbum

Aspirant

Jun 08, 2015

Yes, it is a v1. I already got the latest version per the website.

Every thing else is working but the VPN. I never had problems previously. I actually used this same FW years ago for the office but shelved it when we switched providers.

Sasword wrote:
@digitalbeachbum:

It seems that the FVX538 that you have is a v1. The FW v3.0.7-24 is for the FVX538v2.

If you want to make sure on what version your FVX538 is, you may contact Netgear Support then ask them to verify the serial number of your FVX538 if its a v1 or v2: http://support.netgear.com/general/contact/#tab-call

digitalbeachbum
Aspirant
Jun 08, 2015
Found this error in a log. Does any one know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed

Sasword wrote:
@digitalbeachbum: It seems that the FVX538 that you have is a v1. The FW v3.0.7-24 is for the FVX538v2. If you want to make sure on what version your FVX538 is, you may contact Netgear Support then ask them to verify the serial number of your FVX538 if its a v1 or v2: http://support.netgear.com/general/contact/#tab-call

Nhellie

Virtuoso

Jun 08, 2015

digitalbeachbum wrote:
Found this error in a log. Does any one know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed

digitalbeachbum wrote:
Found this error in a log. Does any one know what it means? default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal default exchange_run:doi->initator (00e59ce) failed

It looks like some of the settings do not match, check the passphrase or the local and remote subnets on the firewall and client.

digitalbeachbum
Aspirant
Jun 08, 2015
Do I need to open a port? I've searched around and I keep seeing a port needing to be open in relation to this error message.

I'll double check all my stuff again.

Nhellie26 wrote:
It looks like some of the settings do not match, check the passphrase or the local and remote subnets on the firewall and client.

Nhellie26 wrote:
It looks like some of the settings do not match, check the passphrase or the local and remote subnets on the firewall and client.

Luminary

Jun 08, 2015

digitalbeachbum wrote:
Found this error in a log. Does any one know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed

digitalbeachbum wrote:
Found this error in a log. Does any one know what it means? default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal default exchange_run:doi->initator (00e59ce) failed

It seems that this is just a portion in the logs. Maybe you could take a look on this link as reference about the VPN console logs here: http://www.downloads.netgear.com/files/GDC/VPNG01L/VPNClient_UM_10Apr2013.pdf -- check Chapter7 on p132 onwards.

digitalbeachbum wrote:
Do I need to open a port? I've searched around and I keep seeing a port needing to be open in relation to this error message.

digitalbeachbum wrote:
Do I need to open a port? I've searched around and I keep seeing a port needing to be open in relation to this error message.

Check page 133 from the link I have given you.

digitalbeachbum
Aspirant
Jun 09, 2015
I've made progress.

My logs are now showing a lot of different results and I've getting further. The manual has made a difference when I 'manually configured the client' but I'm still missing something.

Log from client

[VPNCONF] TGBIKE_STARTED received
20150608 22:25:13 Reading configuration...
20150608 22:25:14 IKEv1 configuration detected
20150608 22:25:14 No IKEv2 configuration
20150608 22:25:14 No SSL configuration
20150608 22:25:41:819 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:25:46:842 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:25:51:865 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:27:00:870 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]

Log from FW (VPN LOG)

2015 Jun 8 20:14:14 [FVX538] [IKE] Could not find configuration for xxx.xx.xx.xxx[500]_

When I used the manual configuration I made the most progress. The Wizard and the non-manual settings from the instruction guide did nothing for me.

Is there supposed to be a Phase 1 and Phase 2 cfg? I recall the older version of the client having this already built in to the cfg.
RX
Luminary
Jun 09, 2015
Try to disable PFS on the VPN policy of the FVX538 as well as disable PFS on the VPN Client software then check if you could open the tunnel.

Forum Discussion

Fvx538

41 Replies

Related Content

FVX538 SFTP

FVX538 Firewall Bandwidth Management

FVX538 v2 - Looking for new replacement

reset FVX538

FVX538 - Problems

NETGEAR Academy

ProSupport for Business