Reply

Re: UTM25 SHA2-512 Integrity not working with VPN Client Pro

npl102
Initiate

UTM25 SHA2-512 Integrity not working with VPN Client Pro

UTM25 FW version 3.6.2-4

VPN Client Pro version 6.12.001

 

I've had some strange issues getting the VPN Client Pro to work with the UTM25 with different encryption settings.  It seems that I can't get any data through the tunnel (read ping) if SHA2-512 is selected as the Integrity Algorithm under mode config.  If I change it to SHA-1, it works perfectly.

 

The settings below work.  It creates the tunnel and I can ping devices on the other side of the tunnel with the client PC.

 

     IKE Policy:  AES-256, SHA2-512, DH16

     Mode Config: AES-256, SHA-1, DH16

 

However, changing the mode config to the settings below does create the tunnel (VPN Tunnel Opened on PC), but there is no ping response to anything on the other side of the tunnel.

     Mode Config:  AES-256, SHA2-512, DH16 = open tunnel, but can't ping

 

Yes, I'm making sure to match the encryption settings on both the UTM and VPN Client Pro.  In both cases, the tunnel is open (according to the software)

 

Now, to make things interesting.  I have a site-to-site VPN tunnel set up between the UTM25 and a UTM5.  Using the same settings on both (AES-256, SHA2-512) and that tunnel works fine.  

 

It appears to me that there may be an error in the implementation of the SHA2-256 algorithm on either the UTM5/25 or the VPN Client Pro.  The reason I say that is that the UTM25 and UTM5 communicate just fine with each other using SHA2-512, but both of them use the exact same firmware.  

 

Message 1 of 4
DaneA
NETGEAR Moderator

Re: UTM25 SHA2-512 Integrity not working with VPN Client Pro

Hi npl102,

 

Welcome to the community! Smiley Happy

 

Kindly answer the questions below:

 

a. What is the Operating System of the PC that you used?  Have you tried other PC/s or laptop/s as well?

b. Does same results occur if you will have a VPN Client-to-Box setup using the UTM5? 

c. Was the VPN Client-to-Box setup (using SHA2-512, etc)  working before the UTM25 was upgraded to v3.6.2-4?

 

I look forward to your response.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 4
npl102
Initiate

Re: UTM25 SHA2-512 Integrity not working with VPN Client Pro

Hello DaneA,

 

A. I tried 3 different machines: Windows 7 Professional 32, Windows 7 Ultimate 32 and Windows 7 Ultimate 64. All with identical results.


B. Have not tried Client-to-UTM5. UTM 5 is configured at a remote office. The Gateway-to-Gateway connection between the UTM5 and UTM25 is working fine with: AES256, SHA-256, DH16 for both the IKE and VPN policies.


C. This is a new configuration that I’m trying to get up and have only tried the latest version (v3.6.2-4) on both boxes. 

 

As I mentioned, I’m using Mode Config on the UTM25 for the Client-to-box configuration.  Any combination of settings works as long as the Integrity Algorithm is SHA-1 for the Mode Config TSL. If I change the Integrity Algorithm to SHA-256 or SHA-512, it will open the tunnel, but I can’t ping anything from the remote PC.


Below is a table showing the various combinations I’ve tried. Most of them work (I can access the network when the tunnel is opened) except for the 2 in red. In all cases the VPN Client Professional software shows the tunnel is open, I get an IP address from the pool and the DPD_R_U_THERE and DPD_R_U_THERE_ACK messages are being passed back-and-forth (shown in the console as I have dead peer detection enabled)

 

IKE       
Encryption3DESAES256AES256AES256AES256AES256AES256
AuthenticationSHA-1SHA-1SHA-512SHA-512SHA-512SHA-512SHA-512
Key GroupDH2DH2DH2DH2DH2DH16DH16
        
Mode Config TSL       
Encryption3DESAES256AES256AES256AES256AES256AES256
AuthenticationSHA-1SHA-1SHA-1SHA-256SHA-512SHA-1SHA-1
PFSDH2DH2DH2DH2DH2DH2DH16
        
Open TunnelYESYESYESYESYESYESYES
CommunicateYESYESYESNONOYESYES
Message 3 of 4
DaneA
NETGEAR Moderator

Re: UTM25 SHA2-512 Integrity not working with VPN Client Pro

Hi npl102,

 

With regard to the isolation of the problem you did, I encourage you to open an online case with NETGEAR Support then report about your concern.  It is possible that VPN logs will be needed to be analyzed as well.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 4
Discussion stats
  • 3 replies
  • 4077 views
  • 2 kudos
  • 2 in conversation
Announcements