I have a FVX538 which was shelved for many years because we had a new FW from the provider. However we switched providers and I had to pull it off the shelf to use. I updated the firmware successfully and all is working well, but I pulled out the VPN software which came with the device and it won't install on Windows 7 or higher with out errors. I downloaded the new VPN software for 30 days free but the configuration is different that the directions in the old software. I can see in the logs on the FW that I'm communicating but on the client side it only says "preparing IKE request" then "tunnel closed" in the lower right corner of the screen. Any assistance would be greatly appreciated.

@digitalbeachbum:Check these link below and this may help you as reference guides:http://kb.netgear.com/app/answers/detail/a_id/24245/related/1http://www.downloads.netgear.com/files/GDC/FVS318N/QSGVPN_4Apr2012.pdf

What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

Firmware Version (Primary): 3.0.5-28.4Yeah, those instructions are what I did - basically the wizards on both sides then added the DNS Identifier fvx_remote and fvx_localLet me try again and see if I missed any thingNhellie26 wrote:What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

I am using a pre-shared key verses the RSA signature. Does this make a difference?Nhellie26 wrote:What FW version are you using now? If you have successfully updated the FW to the latest version, the UI of the firewall should change (should have a yellow/purple banner). When adding a new VPN connection using the wizard, you will be asked for a local and remote identifier. (ex. fvx_remote.com and fvx_local.com) you can actually change/modify the default one (take note of these identifiers). Once you applies the settings it should be good to go. Now, on the client side - the new client software is different from the old ones . Use the wizard as well. configuration>wizardchoose "A router or VPN gateway"enter the WAN IP of the FVS538enter the PSK and the local network IPthe click FinishYou will see three tabs Authentication, Advanced and Certificateclick advancedon the bottom part you will see Local and Remote IDon the type of ID select DNSon local ID: use the remote ID - fvx_remote.comone remote ID: use the local ID - fvx_local.comclick apply and save try opening the tunnel

Thank you. I'm looking through the info now.Sasword wrote:@digitalbeachbum:Check these link below and this may help you as reference guides:http://kb.netgear.com/app/answers/detail/a_id/24245/related/1http://www.downloads.netgear.com/files/GDC/FVS318N/QSGVPN_4Apr2012.pdf

Fvx538 | NETGEAR Communities

41 Replies

adit
Mentor
Jun 09, 2015
Yes, there are Phase 1 (IKE) and Phase 2 (VPN or Mode Config) policies on each end of the tunnel.
digitalbeachbum
Aspirant
Jun 09, 2015
adit wrote:
Yes, there are Phase 1 (IKE) and Phase 2 (VPN or Mode Config) policies on each end of the tunnel.

How come the Wizard doesn't auto create Phase 2? I see it in the manual version of the instructions. The older client I used to run on Win98 had it all built in and you just filled in the blanks.
digitalbeachbum
Aspirant
Jun 09, 2015
Sasword wrote:
Try to disable PFS on the VPN policy of the FVX538 as well as disable PFS on the VPN Client software then check if you could open the tunnel.

Thanks, I will try this tonight
digitalbeachbum
Aspirant
Jun 10, 2015
I started from scratch and actually got what you see below. After a few tries it gave up the connection. Every thing was exactly how it was in the manual except for a few things like the key and the remote/local identifiers. I did some searching for info on these errors but couldn't figure it out.

Client Log
VPNCONF] TGBIKE_STARTED received
20150609 21:47:21 Reading configuration...
20150609 21:47:21 IKEv1 configuration detected
20150609 21:47:21 No IKEv2 configuration
20150609 21:47:21 No SSL configuration
20150609 21:47:59:180 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150609 21:47:59:751 Default (SA Ikev1Gateway-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID] [VID]
20150609 21:47:59:766 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:47:59:768 Default phase 1 done: initiator id remote.com, responder id local.com
20150609 21:47:59:770 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:04:764 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:09:800 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:09:801 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:19:800 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:19:842 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:24:866 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:29:897 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:29:897 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:29:897 Default transport_send_messages: giving up on message 02216138
20150609 21:48:30:913 Default (SA Ikev1Gateway-P1) SEND Informational [HASH] [DELETE]
20150609 21:48:30:913 Default deleted

FW LOG

2015 Jun 9 21:56:43 [FVX538] [IKE] Remote configuration for identifier "remote.com" found_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received request for new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]_
2015 Jun 9 21:56:43 [FVX538] [IKE] Beginning Aggressive mode._
2015 Jun 9 21:56:43 [FVX538] [IKE] Received unknown Vendor ID_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2015 Jun 9 21:56:43 [FVX538] [IKE] Received unknown Vendor ID_
2015 Jun 9 21:56:43 [FVX538] [IKE] For x.x.x.x[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2015 Jun 9 21:56:43 [FVX538] [IKE] Floating ports for NAT-T with peer x.x.x.x[4500]_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received Malformed packet of payload length 52014 and total length 72._
2015 Jun 9 21:56:43 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:56:53 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:56:53 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:03 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:57:08 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:14 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:57:14 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:15 [FVX538] [IKE] Ignore information because ISAKMP-SA has not been established yet._
adit
Mentor
Jun 10, 2015
Don't use "remote.com". That is routable and not owned by you. Use the fvx_remote.com and fvx_local.com for the FQDN identifiers.
digitalbeachbum
Aspirant
Jun 10, 2015
adit wrote:
Don't use "remote.com". That is routable and not owned by you.

Use the fvx_remote.com and fvx_local.com for the FQDN identifiers.

I didn't I edited the logs and removed a private domain name.
adit
Mentor
Jun 10, 2015
Use exactly what is in the tutorial.
fordem
Mentor
Jun 10, 2015
Does the private domain name resolve to the appropriate end point address ? If it doesn't it will cause a problem - you're better off using fvx_remote.com & fvx_local.com
digitalbeachbum
Aspirant
Jun 10, 2015
adit wrote:
Use exactly what is in the tutorial.

I did... but on another note.

I found this thread
http://forums.prosecure.netgear.com/showthread.php?t=9396

It had some similar issues so I decided to reset to factory defaults and then start over but this time I applied each firmware upgrade then reboot. I did each upgrade hoping that maybe there was something missing.

When I finished I noticed several pages on the admin screens which had stuff I had never seen before. I am hoping that this will help solve my problem when I test it again.
digitalbeachbum
Aspirant
Jun 10, 2015
So I did each firmware update on top of each other then when I tested it remotely, on the very first try, everything worked! No errors... well sort of.

Once I connected I wanted to see what I could see so I opened a command prompt and trying to ping a server. It pinged once and then I got a blue screen. The remote system rebooted and I tried again.

The second time I tried to drive map to a server and as soon as I clicked to move forward with the mapping... blue screen.

I found the following in windows. I'm looking at what it might be, but I bet a conflict of some kind.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: 19
BCP1: 00000020
BCP2: 89BA06B8
BCP3: 89BA06D0
BCP4: 08030019
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
F:\Windows\Minidump\061015-52759-01.dmp
F:\Users\root\AppData\Local\Temp\WER-110401-0.sysdata.xml

Forum Discussion

Fvx538

41 Replies

Related Content

FVX538 SFTP

FVX538 Firewall Bandwidth Management

FVX538 v2 - Looking for new replacement

reset FVX538

FVX538 - Problems

NETGEAR Academy

ProSupport for Business