
Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

train_wreck
Luminary

L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

I am using the guide I made to configure L2TP/IPsec on the FVS336Gv3:

https://community.netgear.com/t5/VPN-Firewalls/FVS336Gv3-L2TP-IPsec-on-Windows-10/m-p/1063257#M4362

Windows clients are able to connect and throughput is around 10mbps.

I am now in the process of configuring the built-in VPN client on Android (the 2 phones I'm testing with are Samsung Galaxy S4 and S5, both on 5), which has had no problems connecting to other vendors' VPN router devices - Cisco, Mikrotik, Ubiquiti, all no problems. While it connects to the FVS336G with the same settings used on Windows, throughput is VERY slow to the point of being unusable - under 100kbps. Also, I experience periods of 10-20 seconds where the FVS336G stops passing VPN traffic to the phone entirely; long-term pings from the phone to a client behind the FVS LAN show bursts of packet loss. The phone right now is connected to a WiFi access point on the WAN side of the FVS336G, and is experiencing no other throughput or traffic problems whatsoever without the VPN connected.

 

When the Android phone is connected to the FVS VPN, I periodically see the following log entry repeatedly in the "VPN Logs" on the FVS:

[FVS336G][IKE] ERROR: the length of the isakmp header is too big.

What does this error message mean? If you put it in quotes on Google, you literally get 10 results on the entire Internet, most of which are from the source code from a software program called "KAME Racoon". ?????????

Any help here? Before the mods post the boilerplate suggestions, yes I have the latest firmware, yes I have tried a factory restore. Of course those actions did nothing to change the situation.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 13
DaneA
NETGEAR Employee Retired

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Hi train_wreck,

Kindly post images or screenshots that show that the throughput is slow when your Android phones are connected via L2TP VPN to the FVS336Gv3 as well as the VPN Logs you have mentioned.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 13
train_wreck
Luminary

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Here is an iperf from my Win10 PC (172.16.16.10) to the phone (192.168.251.14); the phone is a Galaxy S4 running nothing but the "iperf for Android" app shown here https://play.google.com/store/apps/details?id=com.magicandroidapps.iperf . Bandwidth starts decently fast for around 10 seconds, but then there is a 10 second period of no traffic, followed by decent bandwidth, followed by a disconnect in the iperf program. Immediately after the disconnect, there was another ~10 second period of no traffic to/from the phone. I can re-run this test without the VPN connected and I get consistently high bandwidth with no periods of loss.

vpn2.png

Here are the logs you requested. IP addresses have been blanked. As I refresh the logs, this "isakmp" message appears roughly once every 10-30 seconds:

vpnfail.png

Is there an official recommended way of connecting an Android phone to an FVS336G via IPsec? If so, I haven't been able to find one, and this is the only gateway I've ever used that had so much trouble with the built-in Android VPN client. As an aside, I tried using a different IPsec VPN client on Android with an app called "NCP", as some other posters have said good things about it. I have identical problems with that VPN app as well.

Message 3 of 13
DaneA
NETGEAR Employee Retired

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Hi train_wreck,

Here is the article I have below.  However, it is about PPTP VPN.

How to Configure PPTP VPN between Android and ProSAFE Firewall

Hope this would help.

Regards,

DaneA

NETGEAR Community Team

Message 4 of 13
train_wreck
Luminary

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Thanks, but that doesn't really help. PPTP is long known to be a horribly insecure and broken protocol, and should not be used today. Also, the thread topic is specifically concerning IPsec.

Message 5 of 13
DaneA
NETGEAR Employee Retired

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Hi train_wreck,

I'm afraid that I cannot find an official recommended way of connecting an Android phone to an FVS336Gv3 via IPsec VPN.  It seems that it's best that you open an online case with NETGEAR Support regarding this and let them know your concern.  The online case might get escalated to the engineering team and it's possible that from here on, the IPSec VPN connectivity using Android devices will be given full attention.

Regards,

DaneA

NETGEAR Community Team

Message 6 of 13
josephsmith0000
Aspirant

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

I agree with you my friend there are many VPN which slow the speed of your smartphone so my suggestion is that use fast VPN like express or hma VPN. 

thank you 

Message 7 of 13
train_wreck
Luminary

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"


@josephsmith0000 wrote:

I agree with you my friend there are many VPN which slow the speed of your smartphone so my suggestion is that use fast VPN like express or hma VPN. 

thank you 


Actually, dumping L2TP and using plain IPsec with the "NCP" VPN client app on my phone gets me ~23-25mbps of throughput, and so far works reasonably well; there are still issues with P1 reauth, as well as issues with handling IP changes on mobile LTE connections (that's something IKEv2 and MOBIKE would solve, but the Netgear doesn't support either). And a 3rd-party VPN provider isn't exactly what I'm looking for. It's actually the reason I got the Netgear.

Message 8 of 13
vpnman
Guide

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Hi train_wreck,

Are you able to successfully get L2TP/IPSec to work between FVS336Gv3 and Android (specifically, any of Samsung Galaxy Note or S series) or iPhone?

I also use NCP VPN client on Android with IPSec VPN and the app works good.  However, there's an associated cost.   Would prefer to use the built-in L2TP/IPSec client that's in Samsung Android phone or iPhone.  And thanks for the L2TP/IPSec cookbook instructions for Win10.

Message 9 of 13
train_wreck
Luminary

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Nope, gave up on it. I have to think it's a problem with the Netgear, since the Android L2TP/IPsec works with every other VPN router device I've tried.

I have settled on using the built-in Galaxy S7's Android VPN client using "IPsec Xauth PSK", though have recently finally enabled certificate authentication, so am using "IPsec Xauth RSA". Using plain IPsec is actually better with the FVS336G, since with plain IPsec I have achieved ~25-30mbps of throughput to the phone/connecting device. L2TP is limited to ~5-10mbps, and is often slower than that.

Message 10 of 13
vpnman
Guide

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Hi train_wreck,

Thanks for your kind response.  In "IPsec Xauth PSK" of Galaxy S7's built-in VPN client, does it expect the FVS336GV3 to use ModeConfig or not?  And what does the S7 expect of FVS336Gv3 on IKE Policy settings for Encryption and DH Group?

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 11 of 13
train_wreck
Luminary

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Yes, it expects Mode Config. Basically, you can follow that guide, but select the "Edge Device" radio button under "XAuth Configuration", then add a user on the "Users" page of type "IPSEC VPN User". Be aware that this will break compatibility with the Windows built-in VPN client, since it doesn't support XAuth. I have found limited success on Windows using the "Shrewsoft" free VPN client, but it has issues with DPD randomly failing, and also seems to be abandoned (last update in 2013). I have been looking into the "Green Bow" Windows VPN client recently, but haven't finished evaluating it. BTW, all of this madness is why many people are moving to OpenVPN, or historically have used proprietary VPN clients. For decades, built-in IPsec clients have ranged from passable to absolutely horrendous, in terms of compatibility and performance. OpenVPN seems to be the future here.

As far as encryption algorithms, my S7 didn't really seem to care, between 3DES-SHA1 or AES128/192/256-SHA1 on either IKE (phase 1) or Mode Config (phase 2). I have always used DH group 5, but I imagine it will accept no DH group as well.

Message 12 of 13
vpnman
Guide

Re: L2TP/IPsec - Android to FVS336Gv3 - "the length of the isakmp header is too big"

Thanks.  It worked.

Regarding OpenVPN, I believe it'll be the de-facto VPN solution for consumer router products.  OpenVPN is propelled by its open source community and comparatively low burden on consumer router makers to incorporate to their products.  I think all this madness on IPSEC VPN is due to efforts by networking gear makers to monetize when selling to business on both VPN server side, client side and services.  I think the interesting question is.... the small business customers (where FVS336GV3 or RV320/340 is aiming at)... they want the simplicity/free aspect of OpenVPN but need performance and flexibility of IPSEC VPN.

Message 13 of 13