Re: FVS336Gv3 PPTP VPN for macOS Sierra

sedcom_pm
Aspirant

FVS336Gv3 PPTP VPN for macOS Sierra

Hi Netgear community,

One of our sites has a NETGEAR ProSafe™ Gigabit Dual WAN SSL VPN Firewall FVS336Gv3 which has the PPTP server enabled and set up with working users on Windows; there is one user who uses macOS. Since that user upgraded their macOS to Sierra, the option for PPTP has been removed (Apple reports the reason is security). I have tried enabling SSL VPN in the firewall but have struggled to get that working. As a fallback, we are looking at 3rd-party clients that can create the VPN using PPTP again. I've looked at some suggested clients (FlowVPN, VPN Tracker; the user is trying Tunnelblick) but am not getting very far. Ideally, we want freeware that can do PPTP (unless there is a free SSL VPN option). Any suggestions, or have you got around this issue with macOS Sierra?

Many thanks in advance.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 11
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

Hi sedcom_pm,

Welcome to our community!

Apple has already dropped support for PPTP; I don't think that any 3rd-party PPTP client would still work. I would advise you to give Apple support a call, just to make sure which 3rd-party application we are going to use will work on your macOS Sierra.

Regards,

Message 2 of 11
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

@sedcom_pm,

I would like to have a follow-up on this. If you were able to contact Apple support and everything works OK now, please keep us posted.

Regards,

Message 3 of 11
sedcom_pm
Aspirant

Re: FVS336Gv3 PPTP VPN for macOS Sierra

Hi JohnCarloV,

My user tried FlowVPN and that did not work (with PPTP); the user reports that it disconnects automatically.

Do you have any instructions/step-by-step guide for setting up the SSL VPN for a user (who will be using a Mac), and also what client he needs to use on the Mac to make the SSL VPN connection? The Mac clients are all asking for a certificate from the host server (the Netgear FVS336Gv3 in this case) but I am unable to generate one.

Thanks in advance.

Message 4 of 11
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

@sedcom_pm,

My apologies, but SSL VPN for Mac is not supported by our firewalls. We can only use an IPsec tunnel for your Mac, and even the built-in VPN app will work for this setup.

Please refer to this manual for setting up the firewall, and this link is for your Mac.

Regards,

Message 5 of 11
sedcom_pm
Aspirant

Re: FVS336Gv3 PPTP VPN for macOS Sierra

Hi JohnCarloV,

I have followed the guide to set up IPsec VPN. Ignoring the macOS/iPhone part, I am testing it on a Windows 10 OS (Windows built-in VPN client) and also an Android (using strongSwan VPN), and both fail to connect. As the client side only needs to know the server address and username/password, there are not many other settings required.

Windows error:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Android error (x.x.x.x replaces Android and firewall IPs):

[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Android 6.0.1 - xxx/2017-04-01, SM-N9200 - samsung/nobleltezh/samsung, Linux 3.10.61-9869866, aarch64)
[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
[JOB] spawning 16 worker threads
[IKE] initiating IKE_SA android[4] to x.x.x.x
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 1 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 2 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] retransmit 3 of request with message ID 0
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] giving up after 3 retransmits
[IKE] peer not responding, trying again (2/0)
[IKE] initiating IKE_SA android[4] to x.x.x.x
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from x.x.x.x[58908] to x.x.x.x[500] (746 bytes)
[IKE] destroying IKE_SA in state CONNECTING without notification

Any ideas?

Many thanks.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 6 of 11
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

@sedcom_pm,

As the Windows error was showing, it is an L2TP connection and not IPsec. These are two different protocols. Also, the VPN for Mac and Windows are not the same, as they are using different operating systems. We are using a VPN client for Windows. As far as I know, your device FVS336Gv3 has a free VPN Lite license key and it is included in the package (CD key). If the CD is not included in the package, then you may open a chat/case online with NETGEAR support to request the VPN Lite license key.

Here is the manual for setting up VPN for Windows. You may download the client here.

Regards,

Message 7 of 11
sedcom_pm
Aspirant

Re: FVS336Gv3 PPTP VPN for macOS Sierra

Hi JohnCarloV,

The built-in Windows VPN client has the option as:

VPN type: L2TP/IPsec with pre-shared key.

The only other option is L2TP/IPsec with certificate.

There is no IPsec on its own.

There will be more users with Macs that will need to use VPN for this site, and as you/Netgear have advised that IPsec is the only option, we need to try and get this working.

Many thanks.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 8 of 11
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

@sedcom_pm,

L2TP/IPsec is different from IPsec only. They do have different credentials in order for the tunnel to be connected. You may use the client that I attached in my previous reply, and the Mac VPN mode config is also attached in my previous reply.

Please do check the hyperlinks. Thank you!

Regards,

Message 9 of 11
sedcom_pm
Aspirant

Re: FVS336Gv3 PPTP VPN for macOS Sierra

Hi JohnCarloV/all,

Thank you for your patience. I still have this issue with the macOS user. I followed the guides you supplied links for. The end user said his Mac connected on the VPN but disconnected almost immediately. Unfortunately he could not give me any error messages/logs. There are going to be several users that will be using the IPsec method (due to being on the latest macOS), so I would prefer to try and get a generic/3rd-party VPN application working. I tried to install and test the single VPN Lite application on my local machine (Windows 10) but there is no trial option and I do not want to use up the license.

I have managed to get Shrew VPN to connect, but I am not able to route any traffic externally/internally or ping any IPs on any of the ranges configured on the firewall/network. However, DNS servers have been picked up and I have DNS resolution. I do get assigned the first IP in the range for the IPsec VPN upon the VPN connecting.

Here is the Shrew connection log:


config loaded for site '89.x.x.x'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

FVS336Gv3 IPsec VPN Logs:

Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: 10.0.3.100 IP address has been released by remote peer.
Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: KA remove: 89.x.x.x[4500]->88.x.x.x[4500]
Wed Aug 23 11:46:08 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: ISAKMP-SA deleted for 89.x.x.x[4500]-88.x.x.x[4500] with spi:4fbb712c913a6dfd:26f9c9c5f4003681
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged Out from IP Address 88.x.x.x
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=4fbb712c913a6dfd:26f9c9c5f4003681.
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged Out from IP Address 88.x.x.x
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=830496086(0x31805d56).
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Deleting generated policy for 88.x.x.x[0]
Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 89.x.x.x->88.x.x.x with spi=830496086(0x31805d56)
Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 88.x.x.x->89.x.x.x with spi=197506703(0xbc5b68f)
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: No policy found, generating the policy : 10.0.3.100/32[0] 0.0.0.0/0[0] proto=any dir=in
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Using IPsec SA configuration: anonymous
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Responding to new phase 2 negotiation: 89.x.x.x[0]<=>88.x.x.x[0]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28680
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28677
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Cannot open "/etc/motd"
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] WARNING: Ignored attribute 28678
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28674
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] WARNING: Ignored attribute 5
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: 10.0.3.100 IP address is assigned to remote peer 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Cannot record event: event queue overflow
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged In from IP Address 88.x.x.x
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Login succeeded for user "gledsleyips"
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: ISAKMP-SA established for 89.x.x.x[4500]-88.x.x.x[4500] with spi:4fbb712c913a6dfd:26f9c9c5f4003681
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Sending Xauth request to 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: KA list add: 89.x.x.x[4500]->88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Floating ports for NAT-T with peer 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT detected: PEER
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT-D payload does not match for 88.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: NAT-D payload matches for 89.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: For 88.x.x.x[500], Selected NAT-T version: RFC 3947
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: DPD
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: DPD
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received unknown Vendor ID
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Beginning Identity Protection mode.
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Received request for new phase 1 negotiation: 89.x.x.x[500]<=>88.x.x.x[500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: Anonymous configuration selected for 88.x.x.x[500].

Please advise.

Thanks.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 10 of 11
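A log-triage helper, added here as an example and not part of the thread or of NETGEAR's tooling: it parses FVS336Gv3 IKE log lines of the form posted above (the firewall prints them newest-first), sorts them into order, and reports whether phase 1, XAuth and phase 2 completed, which address Mode-Config handed out, how long the tunnel lived before the client logged out, and any WARNING/ERROR lines. The sample is a constructed abbreviation of the log in the post, and the field names are my own.

```python
import re
from datetime import datetime

LINE_RE = re.compile(  # timestamp, zone, [device] [module] LEVEL: message
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<dev>[^\]]+)\] \[(?P<mod>[^\]]+)\] (?P<lvl>INFO|WARNING|ERROR): (?P<msg>.*)$")

# Constructed sample: an abbreviation of the log posted above, newest line first as the firewall prints it.
SAMPLE_LOG = """\
Wed Aug 23 11:46:07 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged Out from IP Address 88.x.x.x
Wed Aug 23 11:45:38 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 89.x.x.x->88.x.x.x with spi=830496086(0x31805d56)
Wed Aug 23 11:45:37 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: No policy found, generating the policy : 10.0.3.100/32[0] 0.0.0.0/0[0] proto=any dir=in
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] ERROR: Ignored attribute 28680
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: 10.0.3.100 IP address is assigned to remote peer 88.x.x.x[4500]
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: XAuthUser gledsleyips Logged In from IP Address 88.x.x.x
Wed Aug 23 11:45:36 2017 (GMT +0100): [FVS336GV3] [IKE] INFO: ISAKMP-SA established for 89.x.x.x[4500]-88.x.x.x[4500] with spi:4fbb712c913a6dfd:26f9c9c5f4003681
"""

def parse_lines(text):
    """Parse log lines into (timestamp, level, message), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything else (blank lines, prose) is skipped
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["lvl"], m["msg"]))
    events.sort(key=lambda e: e[0])  # firewall lists newest first; put it in order
    return events

def summarize_session(text):
    """Reduce one client's IKE log to the facts an admin checks first."""
    events = parse_lines(text)
    def find(pattern):  # oldest event whose message matches, or (None, None)
        for ts, _, msg in events:
            m = re.search(pattern, msg)
            if m:
                return ts, m
        return None, None
    t_p1, _ = find(r"^ISAKMP-SA established")           # phase 1 (main mode) done
    _, m_user = find(r"^XAuthUser (\S+) Logged In")     # XAuth credentials accepted
    _, m_addr = find(r"^(\S+) IP address is assigned")  # Mode-Config address
    t_p2, _ = find(r"^IPsec-SA established")            # phase 2 (ESP) done
    t_out, _ = find(r"^XAuthUser \S+ Logged Out")       # client tore the tunnel down
    return {
        "user": m_user.group(1) if m_user else None,
        "assigned_ip": m_addr.group(1) if m_addr else None,
        "phase1_ok": t_p1 is not None, "phase2_ok": t_p2 is not None,
        "lifetime_s": (t_out - t_p2).total_seconds() if t_p2 and t_out else None,
        "non_info": [msg for _, lvl, msg in events if lvl != "INFO"],
    }
```

On the posted log this reports both phases complete and a tunnel that lived about 29 seconds, which confirms the problem is not IKE negotiation or XAuth but what happens after the SA is up.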
JohnC_V
NETGEAR Moderator

Re: FVS336Gv3 PPTP VPN for macOS Sierra

@sedcom_pm,

You may still use the license key on any Windows computer that you have, and it is very easy to set up. Once installed, it will sync with our database so that it will not be used by another user at the same time, unless you uninstall the client and install it on another PC. There should be no problem using those license keys.

As I checked the logs, it seems that there might be a problem with the credentials, showing that the IDs that you used are not the same. Even the policy is not being acknowledged by the firewall itself. The best way that you can use here is the IPsec from the Mac itself, not a 3rd-party application. It will be better if you start from scratch rather than using your previous configuration. Recreating those policies may resolve your issue.

Regards,

Message 11 of 11