Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

bzness
Aspirant

Set up vpn to SRX5308 from IOS10, Win7 and Win10

I have spent a couple of days now to figure out a way to set up my SRX5308 so it can do the following:

 

Allow VPN connection from iPhone with OSX V10.

Allow VPN connection from Win7

Allow VPN connection from Win10

Allow VPN connection from Win7 and Win10 through iPhone (via hotspot)

 

So far I have managed to set up a connection that my iPhone can use (item1), but everything else fails.

 

Is what I try to do possible? Any hints of how to do that?

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 7
bzness
Aspirant

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

Sorry, saw my typo in the subject line. Corrected.

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 2 of 7
bzness
Aspirant

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

Another day wasted with a NETGEAR router.... Getting frustrated. Is there anybody here? Am I wasting my time posting here?

 

So, today I tried to use the Netgear VPN Client as I thought that the router and the client from the same company should talk to each other. They do, but they don't seem to speak the same language. So, once again, here is what I have:

 

Office network ----  SRX5308 ---  Internet  --- FVS318G  --- Home network.

 

The two routers are connected through an IPsec VPN tunnel, which works fine.

 

I am trying to set up VPN tunnels between the SRX5308 and various users who need access to the office resources when they are out on the road. And if no internet is near, I want them to be able to connect through their iPhones (laptops tethered to the iPhones), or, for simple tasks, simply use the iPhone. Since the iPhones don't support PPTP anymore (nor PPTP passthrough), I have to do something else.

 

So, first order of business: Connect iPhones. I went through a number of trials, but eventually found a setup that works. The parameters are very specific to allow the iPhone to communicate, for example the encryption has to be AES-128, etc. I was able to set that up (had to go through mode config), and it seems to work.

 

Next step: Allow Windows client to connect. And here I am stymied. I tried the native Windows clients, as well as the Netgear client, and they don't work. The client initiates phase 1, but then I get this error message:

 

[IKE] WARNING:  Rejected phase 1 proposal as Peer's encryption type "3DES-CBC" mismatched with Local "AES-CBC".

 

Since the policy I set up for the iPhones is the only one that uses this cipher, it looks like the router receives the request to negotiate, but then applies the wrong IKE policy, which brings me to my question: How does the router know which policy to apply when it gets a request for negotiation? In particular, when I use the native clients for Windows and OSX, where I do not have an option to specify any IDs. Even with the Netgear client, where I can specify remote and local IDs, this happens. The requests all seem to end up in the policy that I set up for the iPhones, and then I get the error above.

 

Here is a picture of the IKE policies that I use. the first one (with the blacked out names) is the tunnel between the two routers, which works fine.

 

[Image: IKE_pol.JPG]

I also thought I would try to set up another mode config for the Win-clients, but then I ran into a problem with the L2TP server. I have to specify an IP address range there and in the Mode config, but apparently they cannot be the same subnet, but there is only one L2TP server range. Does that mean one can only define one mode config?

 

I am hoping someone can give me a pointer where to look.

 

Thanks.

 

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 3 of 7
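The question in the post above (how the SRX5308 decides which IKE policy a new client hits) comes down to what an IKEv1 responder can see in the very first packet. The following Python model is an added example for this thread; it is not NETGEAR firmware, and the policy names, addresses (RFC 5737 test ranges) and identities are constructed. It reproduces both log lines quoted in this thread: in main mode the peer's ID payload is not sent until message 5, so a client on a dynamic address can only be matched by source IP and falls through to the first wildcard policy (racoon-style firmware logs this as "Anonymous configuration selected"); in aggressive mode the ID is sent in message 1 and can select a policy, but a client that sends no ID still lands on the wildcard policy and is reported as "(invalid)[(invalid)]".

```python
"""Toy IKEv1 phase 1 responder: which IKE policy a hub picks for a new peer.

Added example for this thread, not NETGEAR firmware. Policy names,
addresses (RFC 5737 test ranges) and identities are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Proposal:
    enc: str        # "AES-CBC" or "3DES-CBC"
    keylen: int     # 128 or 256 for AES, 168 for 3DES
    hash_alg: str   # "SHA1" or "MD5"
    dh: int         # Diffie-Hellman group number


@dataclass(frozen=True)
class IkePolicy:
    name: str
    mode: str                       # "main" or "aggressive"
    remote_ip: Optional[str]        # fixed peer address; None for road warriors
    remote_id: Optional[str]        # FQDN the peer must present; None = any
    proposals: Tuple[Proposal, ...]


@dataclass(frozen=True)
class IkeMessage1:
    src_ip: str
    mode: str
    proposals: Tuple[Proposal, ...]
    peer_id: Optional[str] = None   # only aggressive mode carries the ID in message 1


def select_policy(policies: Sequence[IkePolicy], msg: IkeMessage1) -> Optional[IkePolicy]:
    """Choose a policy from what the responder can see in the first packet.

    Main mode: the ID payload arrives (encrypted) in message 5, so the only
    selector is the source IP; a dynamic-address client falls through to the
    first wildcard policy. Aggressive mode: the ID is in message 1 and can
    select a policy, but a client that sends no ID also hits the wildcard.
    """
    for p in policies:                      # 1. fixed-address peers (site-to-site)
        if p.remote_ip is not None and p.remote_ip == msg.src_ip:
            return p
    if msg.mode == "aggressive" and msg.peer_id:
        for p in policies:                  # 2. road warriors matched by identity
            if p.remote_ip is None and p.remote_id == msg.peer_id:
                return p
    for p in policies:                      # 3. wildcard ("anonymous") policy
        if p.remote_ip is None and p.remote_id is None:
            return p
    return None


def negotiate_phase1(policies: Sequence[IkePolicy], msg: IkeMessage1) -> Tuple[str, str]:
    """Return ("accepted" | "rejected", detail) in the style of the thread's log lines."""
    policy = select_policy(policies, msg)
    if policy is None:
        return "rejected", "no IKE policy matches this peer"
    if policy.mode != msg.mode:
        ident = f"FQDN[{msg.peer_id}]" if msg.peer_id else "(invalid)[(invalid)]"
        return "rejected", (f"{msg.mode.capitalize()} mode of {ident} is not acceptable "
                            f"(policy {policy.name} is {policy.mode} mode)")
    for offered in msg.proposals:
        if offered in policy.proposals:
            return "accepted", (f"{policy.name}: {offered.enc}-{offered.keylen}/"
                                f"{offered.hash_alg}/DH{offered.dh}")
    local = sorted({p.enc for p in policy.proposals})
    peer = sorted({p.enc for p in msg.proposals})
    return "rejected", f"{policy.name}: peer encryption {peer} mismatched with local {local}"


# Constructed policy table in the order of the poster's screenshot: site-to-site
# first, then the iPhone mode-config policy, then a policy for the Windows client.
POLICIES = (
    IkePolicy("office_to_home", "main", "203.0.113.10", None,
              (Proposal("AES-CBC", 256, "SHA1", 2),)),
    IkePolicy("iphone_modecfg", "main", None, None,
              (Proposal("AES-CBC", 128, "SHA1", 2),)),
    IkePolicy("win_prosafe", "aggressive", None, "win-client.example.net",
              (Proposal("3DES-CBC", 168, "SHA1", 2), Proposal("AES-CBC", 128, "SHA1", 2))),
)

if __name__ == "__main__":
    des = (Proposal("3DES-CBC", 168, "SHA1", 2),)
    scenarios = {
        "home router, fixed IP, main": IkeMessage1("203.0.113.10", "main",
                                                   (Proposal("AES-CBC", 256, "SHA1", 2),)),
        "Windows native, main, 3DES, dynamic IP": IkeMessage1("198.51.100.7", "main", des),
        "ProSAFE client, aggressive, no ID": IkeMessage1("198.51.100.7", "aggressive", des),
        "ProSAFE client, aggressive, FQDN ID": IkeMessage1("198.51.100.7", "aggressive", des,
                                                           "win-client.example.net"),
    }
    for label, msg in scenarios.items():
        print(f"{label:42} -> {negotiate_phase1(POLICIES, msg)}")
```

Two practical caveats when applying this to a real deployment: 3DES-CBC is a 64-bit block cipher and should be replaced by AES wherever the client allows it, and IKEv1 aggressive mode with a pre-shared key exposes a hash of that key to anyone who can capture the first exchange, so a distinct, strong PSK per road-warrior policy matters more there than in main mode.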
DaneA
NETGEAR Employee Retired

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

Hi bzness,

 

I'm glad to know that the box-to-box VPN between the SRX5308 and FVS318G works fine. As far as I know, using the Windows client is not possible in setting up a client-to-box VPN connection.

 

About setting up a client-to-box VPN connection, kindly refer to the articles below:

 

ProSAFE VPN Client: Client to Box Configuration

 

Configure IPSec VPN Tunnels With the Wizard - read pages 8-15 as your reference guide

 

You can download the latest version of the ProSAFE VPN Client Professional Software here. Be reminded that ProSAFE VPN Client Professional Software has a 30-day free trial period. You will need to purchase a license key from any NETGEAR Authorized Resellers here after the 30-day trial period if you would like to continue using it.

 

Be sure that the local IP address of the remote PC or laptop (where the ProSAFE VPN Client Professional software is installed) is different from the local subnet of the SRX5308. For example: if the local network address of the SRX5308 is 192.168.1.0, the local IP address of the remote PC or laptop where the ProSAFE VPN Client Professional software is installed should be different from it, such as 10.10.10.6 or 172.16.30.7. Refer to the network setup below:

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 7
bzness
Aspirant

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

Thank you for your help. I followed your instruction to the letter, but when I try to connect, the Netgear VPN client gives up after 4 tries. Looking at the VPN log on the router, I see this 4 times:

Tue Jul 25 07:44:10 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Aggressive mode of (invalid)[(invalid)] is not acceptable.
Tue Jul 25 07:44:10 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Anonymous configuration selected for <<IP address>> [41155].

 

So, I go into the router, disable the VPN policy, change the IKE policy to "Main". Apply, and enable the VPN policy again. And I am getting the same exact log entries.

 

How is that possible? Perhaps I misunderstand the "Aggressive mode" entry and it does not refer to "Aggressive mode"? What does "(invalid)[(invalid)]" mean?

 

 

 

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 5 of 7
bzness
Aspirant

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

Success!

I have a VPN tunnel now through my iPhone.

The (invalid)[(invalid)] error message was a configuration error. I had entered the client and router IDs, but not selected "DNS". When I saved it, the client would simply delete the entries again.

Thank you for your help.

 

 

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 6 of 7
DaneA
NETGEAR Employee Retired

Re: Set up vpn to SRX5308 from IOS10, Win7 and Win10

@bzness,

 

Thank you for the update. I'm glad to know that you are able to establish a VPN tunnel through your iPhone. 🙂

 

Since your concern has been resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

 


Regards,

 

DaneA

NETGEAR Community Team

Message 7 of 7