
FVS318N RSA Signature Cannot connect to VPN

joe_schmo
Tutor


I am at a bit of a loss here... and Netgear's support is rather unhelpful which is strange because usually they nail down a solution real quick.  I have an FVS318N that I can connect to VPN (client to box) using the Netgear VPN ProSafe software if I use a preshared key.

 

Now, I would like to use certificates, so I generated a CA on my laptop, signed it, then created a certificate on my laptop and signed it with the CA. Its subject line is: c=us,l=montana,o=myvpn, ou=vpn,cn=client1

I then uploaded the CA to my router, generated a CSR, then signed it on my laptop with my CA and then uploaded it to the router.

 

On my IKE policy page, I changed the preshared key to rsa signature.

 

For local id (asn.1 der): c=us,l=montana,o=myvpn, ou=vpn,cn=router

For remote id (asn.1 der): c=us,l=montana,o=myvpn, ou=vpn,cn=client1

 

On the VPN client software, the local id defaults to get from x509 certificate and uses:

c=us,l=montana,o=myvpn, ou=vpn,cn=client1

 

The remote id, I set to asn1der and set it to: c=us,l=montana,o=myvpn, ou=vpn,cn=router

 

Then I try to connect:

 

20150731 02:11:32:420 Default (SA CertGateway-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150731 02:11:32:932 Default (SA CertGateway-P1) RECV phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [CERT] [CERT_REQ] [SIG] [NAT_D] [NAT_D] [VID] [VID] [VID]
20150731 02:11:32:958 Default exchange_add_certs: could not obtain cert for a type 4 cert request
20150731 02:11:32:958 Default exchange_run: doi->initiator (01C0FE08) failed

 

 


Message 1 of 3
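The failure in the client log above can be picked out mechanically. This is an added example, not code from the post or from NETGEAR: it pairs each "could not obtain cert" line with the last message received from the peer and names the requested certificate encoding. The type-number table is taken from RFC 2408 section 3.9; `triage` and `Finding` are names invented for this sketch.

```python
import re
from collections import namedtuple

# ISAKMP certificate encoding numbers, from RFC 2408 section 3.9.
CERT_ENCODINGS = {
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP certificate",
    3: "DNS signed key",
    4: "X.509 certificate - signature",
    5: "X.509 certificate - key exchange",
    7: "certificate revocation list",
}

# Four lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
20150731 02:11:32:420 Default (SA CertGateway-P1) SEND phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150731 02:11:32:932 Default (SA CertGateway-P1) RECV phase 1 Aggressive Mode  [SA] [KEY_EXCH] [NONCE] [ID] [CERT] [CERT_REQ] [SIG] [NAT_D] [NAT_D] [VID] [VID] [VID]
20150731 02:11:32:958 Default exchange_add_certs: could not obtain cert for a type 4 cert request
20150731 02:11:32:958 Default exchange_run: doi->initiator (01C0FE08) failed
"""

LINE = re.compile(r"^\d{8} (\d\d:\d\d:\d\d):\d{3} Default (.*)$")
MSG = re.compile(r"^\(SA ([^)]+)\) (SEND|RECV) .*?\s+((?:\[\w+\]\s*)+)$")
CERT_FAIL = re.compile(r"could not obtain cert for a type (\d+) cert request")
Finding = namedtuple("Finding", "time sa cert_type encoding peer_payloads")

def triage(log_text):
    """Return one Finding per local failure to answer a peer's CERT_REQ."""
    findings, last_recv = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines such as "[VPNCONF] ..." carry no timestamp
        clock, body = m.groups()
        msg = MSG.match(body)
        if msg:
            sa, direction, payloads = msg.groups()
            if direction == "RECV":  # remember what the peer last sent
                last_recv = (sa, re.findall(r"\[(\w+)\]", payloads))
            continue
        fail = CERT_FAIL.search(body)
        if fail and last_recv and "CERT_REQ" in last_recv[1]:
            ctype = int(fail.group(1))
            findings.append(Finding(clock, last_recv[0], ctype,
                                    CERT_ENCODINGS.get(ctype, "unknown"),
                                    last_recv[1]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time} {f.sa}: no local cert for type {f.cert_type} ({f.encoding})")
```

On the excerpt this reports one finding for `CertGateway-P1`: the router sent `[CERT] [CERT_REQ] [SIG]`, and the client then had no X.509 signature certificate it could return for its local ID.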
JohnRo
NETGEAR Employee Retired

Re: FVS318N RSA Signature Cannot connect to VPN

Hello joe_schmo, 

 

I believe this documentation can help you achieve a client-to-box connection using a certificate as the authentication method.

Please click on this link to get to the guide.

 

Hope that helps! I'll look forward to your response. 

 

 

 

Thanks, 

 

Message 2 of 3
joe232221
Aspirant

Re: FVS318N RSA Signature Cannot connect to VPN

That document is awfully outdated. There's no way to generate certificates from the VPN Client software anymore. Is there a new document?

Message 3 of 3