Forum Discussion

npl102
Initiate
Jan 09, 2016

UTM25 SHA2-512 Integrity not working with VPN Client Pro

UTM25 FW version 3.6.2-4

VPN Client Pro version 6.12.001


I've had some strange issues getting the VPN Client Pro to work with the UTM25 with different encryption settings.  It seems that I can't get any data through the tunnel (read ping) if SHA2-512 is selected as the Integrity Algorithm under mode config.  If I change it to SHA-1, it works perfectly.


The settings below work.  It creates the tunnel and I can ping devices on the other side of the tunnel with the client PC.


     IKE Policy:  AES-256, SHA2-512, DH16

     Mode Config: AES-256, SHA-1, DH16


However, changing the mode config to the settings below does create the tunnel (VPN Tunnel Opened on PC), but there is no ping response to anything on the other side of the tunnel.

     Mode Config:  AES-256, SHA2-512, DH16 = open tunnel, but can't ping


Yes, I'm making sure to match the encryption settings on both the UTM and VPN Client Pro.  In both cases, the tunnel is open (according to the software)


Now, to make things interesting.  I have a site-to-site VPN tunnel set up between the UTM25 and a UTM5.  Using the same settings on both (AES-256, SHA2-512), that tunnel works fine.


It appears to me that there may be an error in the implementation of the SHA2-256 algorithm on either the UTM5/25 or the VPN Client Pro.  The reason I say that is that the UTM25 and UTM5 communicate just fine with each other using SHA2-512, but both of them use the exact same firmware.  


3 Replies

    DaneA
    NETGEAR Employee Retired

    Hi npl102,


    Welcome to the community! :)


    Kindly answer the questions below:


    a. What is the operating system of the PC that you used?  Have you tried other PCs or laptops as well?

    b. Do the same results occur if you set up a VPN Client-to-Box connection using the UTM5?

    c. Was the VPN Client-to-Box setup (using SHA2-512, etc)  working before the UTM25 was upgraded to v3.6.2-4?


    I look forward to your response.


    Regards,


    DaneA

    NETGEAR Community Team

      npl102
      Initiate

      Hello DaneA,


      A. I tried 3 different machines: Windows 7 Professional 32, Windows 7 Ultimate 32 and Windows 7 Ultimate 64. All with identical results.
      B. Have not tried Client-to-UTM5. UTM 5 is configured at a remote office. The Gateway-to-Gateway connection between the UTM5 and UTM25 is working fine with: AES256, SHA-256, DH16 for both the IKE and VPN policies.

      C. This is a new configuration that I'm trying to get up and running, and I have only tried the latest version (v3.6.2-4) on both boxes.


      As I mentioned, I’m using Mode Config on the UTM25 for the Client-to-box configuration.  Any combination of settings works as long as the Integrity Algorithm is SHA-1 for the Mode Config TSL. If I change the Integrity Algorithm to SHA-256 or SHA-512, it will open the tunnel, but I can’t ping anything from the remote PC.
      Below is a table showing the various combinations I’ve tried. Most of them work (I can access the network when the tunnel is opened) except for the 2 in red. In all cases the VPN Client Professional software shows the tunnel is open, I get an IP address from the pool and the DPD_R_U_THERE and DPD_R_U_THERE_ACK messages are being passed back-and-forth (shown in the console as I have dead peer detection enabled)


      Combination          #1     #2      #3       #4       #5       #6       #7

      IKE
      Encryption           3DES   AES256  AES256   AES256   AES256   AES256   AES256
      Authentication       SHA-1  SHA-1   SHA-512  SHA-512  SHA-512  SHA-512  SHA-512
      Key Group            DH2    DH2     DH2      DH2      DH2      DH16     DH16

      Mode Config TSL
      Encryption           3DES   AES256  AES256   AES256   AES256   AES256   AES256
      Authentication       SHA-1  SHA-1   SHA-1    SHA-256  SHA-512  SHA-1    SHA-1
      PFS                  DH2    DH2     DH2      DH2      DH2      DH2      DH16

      Result
      Open Tunnel          YES    YES     YES      YES      YES      YES      YES
      Communicate          YES    YES     YES      NO       NO       YES      YES
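The pattern in the table above (IKE succeeds, the Phase 2 SA is installed, DPD keepalives pass, but no ESP traffic gets through whenever the Phase 2 integrity algorithm is a SHA-2 variant) is the classic signature of two peers agreeing on the HMAC-SHA2 transform name but disagreeing on how much of the MAC goes on the wire. RFC 4868 fixes the ESP ICV at 128 bits for HMAC-SHA-256, 192 bits for HMAC-SHA-384 and 256 bits for HMAC-SHA-512, while an earlier draft truncated all of them to 96 bits and some stacks kept that; HMAC-SHA1-96 has only ever had one truncation, which is consistent with SHA-1 working in every row. Whether that is what is happening between the UTM25 and VPN Client Pro is an assumption: the thread never captures the ESP packets, so this is offered as a mechanism to test for, not a diagnosis. The script below is an added example, not code from NETGEAR or from the client vendor. It builds an ESP packet (SPI, sequence number, a constructed stand-in for the encrypted payload) and computes the ICV with the RFC 4868 truncation, then shows that a receiver expecting the other truncation length rejects every packet even though both sides use the same key and the same hash. The key and packet contents are constructed for the demo; real ESP keys are derived by IKE.

```python
import hmac
import hashlib

# Integrity transforms -> (hash name, HMAC key length, ICV length), all in bytes.
# RFC 2404: HMAC-SHA1-96.  RFC 4868: HMAC-SHA-256-128, HMAC-SHA-384-192,
# HMAC-SHA-512-256 (key length equals the hash output length).  The last entry
# is the pre-RFC draft truncation that some older stacks still use; it is
# listed here only to demonstrate the mismatch, not as a recommended setting.
TRANSFORMS = {
    "HMAC-SHA1-96": ("sha1", 20, 12),
    "HMAC-SHA-256-128": ("sha256", 32, 16),
    "HMAC-SHA-384-192": ("sha384", 48, 24),
    "HMAC-SHA-512-256": ("sha512", 64, 32),
    "HMAC-SHA-512-96 (old draft)": ("sha512", 64, 12),
}


def demo_key(transform):
    """Constructed, deterministic key of the right length for the transform.
    In a real tunnel the key comes from the IKE PRF+ keystream, not from here."""
    hash_name, key_len, _ = TRANSFORMS[transform]
    return hashlib.sha512(b"constructed demo key for " + transform.encode()).digest()[:key_len]


def esp_icv(key, authenticated, transform):
    """ESP ICV = HMAC(key, SPI || SeqNo || encrypted payload), left-truncated."""
    hash_name, _, icv_len = TRANSFORMS[transform]
    return hmac.new(key, authenticated, hash_name).digest()[:icv_len]


def build_esp(key, spi, seq, encrypted_payload, transform):
    """Sender side: ESP header, payload, then the ICV computed over both."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    authenticated = header + encrypted_payload
    return authenticated + esp_icv(key, authenticated, transform)


def verify_esp(key, packet, transform):
    """Receiver side: strip the ICV length its own transform expects and check it.
    A peer with a different truncation slices the wrong number of bytes, so the
    recomputed MAC never matches and the packet is silently dropped."""
    _, _, icv_len = TRANSFORMS[transform]
    if len(packet) < 8 + icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, authenticated, transform))


def interop(sender_transform, receiver_transform):
    """Does a packet built with sender_transform verify under receiver_transform?
    Both sides share the key, as they would after a successful IKE exchange."""
    key = demo_key(sender_transform)
    # Constructed ciphertext stand-in: 40 zero bytes in place of AES-CBC output.
    packet = build_esp(key, 0x1234ABCD, 1, b"\x00" * 40, sender_transform)
    return verify_esp(key, packet, receiver_transform)


if __name__ == "__main__":
    for pair in [("HMAC-SHA1-96", "HMAC-SHA1-96"),
                 ("HMAC-SHA-512-256", "HMAC-SHA-512-256"),
                 ("HMAC-SHA-512-256", "HMAC-SHA-512-96 (old draft)"),
                 ("HMAC-SHA-512-96 (old draft)", "HMAC-SHA-512-256")]:
        print(f"{pair[0]:>28} -> {pair[1]:<28} verifies: {interop(*pair)}")
```

The practical check this suggests: capture ESP on the client while pinging with the SHA2-512 Phase 2 policy and compare the packet lengths against the same ping under SHA-1. With RFC 4868 truncation the SHA-512 ICV is 20 bytes longer than the SHA-1 ICV; a difference of zero means one side is still using 96-bit truncation, which is the kind of evidence the support case mentioned later in this thread would need.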
        DaneA
        NETGEAR Employee Retired

        Hi npl102,


        With regard to the isolation of the problem you did, I encourage you to open an online case with NETGEAR Support and report your concern.  It is possible that VPN logs will need to be analyzed as well.


        Regards,


        DaneA

        NETGEAR Community Team
