Re: VPN MacOS client setup

morrisonkena
Aspirant

VPN MacOS client setup

Working to set up an IPv4 Client-to-Gateway VPN tunnel for MacOS clients, configuring the MacOS native VPN client (Network Settings, VPN Interface, Cisco IPSec type). It appears I have been successful, using an IKE Policy (though no VPN Policy appears to exist) and Mode_Config to define the pool of IPv4 addresses assigned to connecting clients. (This pool is separate from the pool of local addresses assigned by the VPN Firewall's DHCP service.) I can connect the client and see the assigned IPv4 address within the pool. I can send/receive email and browse through the tunnel.

 

But I cannot see any other resources on the local network behind the VPN Firewall, such as my NAS, or share screen or files with local computers, all of which I can do with a client directly connecting to the local network. I wonder if the VPN connection is not added to the default VLAN, so cannot see local devices connected on the VLAN. I would greatly appreciate any direction to solve this problem of device access over the tunnel!

 

- Ken M

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 17

All Replies
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

Hi morrisonkena,

 

Kindly answer the questions below:

 

a. Was it working fine before?

b. Does the same problem occur if you establish a VPN tunnel using another MacBook or iMac?

c. What specific Mac OS are you using?

d. What is the current firmware of the FVS336Gv3?

 

Kindly post screenshots of the settings you have configured on the FVS336Gv3 and the MAC OS VPN client.  

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

Hi Dane,

 

Thank you for the reply.

 

I am setting this up for the first time, so I can't say it was working fine before. I have tried the VPN tunnel on only one MacBook Pro. But I plan to try today or tomorrow on an iOS device as well.

 

The current firmware of the FVS336Gv3 is 4.3.4-2, which I believe is current. S/N 3NJ252530021B .

 

The client environment is a MacBook Pro, 13", 2016, Four Thunderbolt 3 ports, 16 GB 2133 MHz LPDDR3 memory, 1 TB SSD disk, 3.3 GHz Intel Core i7 processor, Intel Iris Graphics 550 w/ 1536 MB. The MacBook is running MacOS Sierra, 10.12.3.

 

Thank you and regards,

- Ken (morrisonkena)

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 3 of 17
sqv
Aspirant

Re: VPN MacOS client setup

Hi Ken -

I would be interested in hearing about your experiences.

 

I tried the same type of connection a few months back (we have an SRX5308), with assistance of Netgear support (there is a KB article that describes the setup), and though it worked (including accessing resources - perhaps you need to do something about DNS resolution), the connection would always terminate after 5 minutes, even if I was actively using it. I tried changing various settings (I believe I opened a support ticket), but was never successful in resolving this. It became a lower priority (because we have alternate methods of accessing the VPN) but it remains an issue for us.

 

I was also trying to connect iOS devices (iPhone & iPad) and got the same 5 min disconnect behavior. Here is the KB article for that:

 

http://kb.netgear.com/app/answers/detail/a_id/25836?cid=wmt_netgear_organic

 

Message 4 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

Hi sqv,

 

I configured my FVS336Gv3 and my Mac's VPN client using a Netgear Application Notes document titled "How to Configure UTM with Apple OSX and iOS Devices for IPsec VPN", dated 2011. I can't recall how I stumbled upon this document but you could search for it.

 

As I said, I can connect from my Mac laptop to my FVS336Gv3 over the VPN, and I can send/receive email and web browse, but I cannot yet access LAN resources, such as my network storage. I am certain the solution is some configuration adjustment on the FVS336Gv3 (perhaps DNS resolution as you suggest) but I have not had the time to experiment and have not received any reply from Netgear or any other community member.

 

What I have not experienced is the timeouts you are seeing. The tunnel appears to stay up until I close it.

 

I have not yet configured iOS devices, as that is less critical to me than MacOS. Thank you for the KB article!

 

- Ken

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 5 of 17
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

@morrisonkena,

 

I apologize that this is the only time I got back on this.

 

Kindly check if the VPN policy is configured to allow access to all of the network and not just the client. To check, on the web-GUI of the FVS336Gv3, go to VPN > IPSec VPN > VPN Policies, then select the corresponding VPN policy, then click Edit. The start IP Address in the Traffic Selection section should have 0 in the last octet, to allow access to the entire network.

Also, kindly ensure that the local IP address of the MacOS native VPN client is in a different LAN subnet than what is indicated on the LAN subnet of the FVS336Gv3; if this is not possible, you should use Mode Config. For example, if the existing LAN subnet of the FVS336Gv3 is on the 192.168.1.x network, then the LAN IP address of the computer where you are using the MacOS native VPN client should be on a different LAN subnet such as the 10.10.10.x or 192.168.9.x network.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 6 of 17
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

@morrisonkena,

 

I just want to follow up on this. Were you able to try the suggestions?

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 7 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

Hi DaneA,

 

I am back from my travels out-of-town, cleared my backlog of tasks and am now fully focused on solving this VPN connectivity issue.

 

Know that I am not at all skilled in setup of VPN's. My current setup has an IKE Policy using a Mode Config, but has no VPN Policy set up. Perhaps I don't need an IKE Policy at all, and just a VPN Policy??

 

I am absolutely a believer in "reading the manual" before asking for help, so please do direct me to any background I can read before I ask for your generous help.

 

I confirm the local IP address of my MacBook VPN client is different from the LAN subnet the firewall sits on. It should also be so, but I will have different DHCP assigned IP addresses as I move around to different host networks.

 

 

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 8 of 17
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

@morrisonkena,

 

I apologize that this is the only time I got back on this. Is your network setup as well as the settings on your FVS336Gv3 and MAC OS X Sierra the same as indicated on the article below?

 

Mac OS X VPN Client install with ProSAFE VPN Firewall/Router

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 9 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

DaneA,

 

Thank you for sharing this document, "Mac OS X VPN Client install with ProSAFE VPN Firewall/Router". I had not seen that in my searches.

 

Since I already had an IKE Policy set I did not use the VPN Wizard, but did edit my existing IKE Policy configuration to match that shown in the document. I then created a VPN Policy that matched that shown in the document. Then I downloaded and installed the IPSecuritas VPN client for Mac, configuring it also as shown in the document. Running the client from a different, outside network, testing the VPN connection back to my work network fronted by the ProSAFE FVS336Gv3, I could *not* connect.

 

I verified the settings and tried again. No luck. The error log generated by IPSecuritas shows me this message:

Connection KennyNetVPN is not started because of address collision between local (( "127.0.0.1/8", "::1/128", "fe80::1/64", "fe80::aede:48ff:fe00:1122/64", "fe80::47e:6959:af4c:25c5/64", "192.168.1.93/24", "fe80::4422:cdff:fe7e:f936/64", "fe80::dd35:9b1a:7cf6:2221/64", "fe80::7ab7:4e99:2578:c3df/64", "fe80::c0f:a40b:f157:9d6c/64", "fd28:7e35:d34b:5f8:c0f:a40b:f157:9d6c/64" )) and remote (( "192.168.1.0/24" )) networks

 

Any idea about this failure? Should I delete my policies completely and start over, using the wizard?

 

Thanks, Ken

Message 10 of 17
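The address-collision message in the post above can be checked mechanically. The following is an added example, not part of the original thread and not IPSecuritas code: it parses that message format and reports which local interface overlaps the remote network. The sample string is constructed from the posted log line, shortened to three local entries, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the message format from the post, with a shortened local list.
SAMPLE = ('Connection KennyNetVPN is not started because of address collision '
          'between local (( "127.0.0.1/8", "fe80::1/64", "192.168.1.93/24" )) '
          'and remote (( "192.168.1.0/24" )) networks')


def _cidrs(text):
    """Extract the quoted CIDR strings from one (( ... )) group."""
    return re.findall(r'"([^"]+)"', text)


def parse_collision(message):
    """Return (local_interfaces, remote_networks) parsed from the log message."""
    m = re.search(r'local \(\((.*?)\)\) and remote \(\((.*?)\)\)', message)
    if not m:
        raise ValueError("not an address-collision message")
    local = [ipaddress.ip_interface(c) for c in _cidrs(m.group(1))]
    remote = [ipaddress.ip_network(c, strict=False) for c in _cidrs(m.group(2))]
    return local, remote


def find_collisions(local, remote):
    """List (local_interface, remote_network) pairs whose subnets overlap."""
    hits = []
    for iface in local:
        # Loopback and link-local addresses are not candidates for tunnel routing.
        if iface.ip.is_loopback or iface.ip.is_link_local:
            continue
        for net in remote:
            # overlaps() raises TypeError across IP versions, so compare like with like.
            if iface.version == net.version and iface.network.overlaps(net):
                hits.append((str(iface), str(net)))
    return hits


if __name__ == "__main__":
    for iface, net in find_collisions(*parse_collision(SAMPLE)):
        print(f"local {iface} overlaps remote {net}: "
              "connect from a different subnet or renumber one side")
```

Run against the posted message, the only overlap is the client's 192.168.1.93/24 address with the remote 192.168.1.0/24 LAN, which matches the earlier advice in this thread to keep the client on a different subnet from the firewall's LAN.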
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

@morrisonkena,

 

Kindly delete the existing IKE & VPN policies then start over using the VPN Wizard.

Let us know the result.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 11 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

DaneA -

Did as you asked, deleted existing IKE and VPN policies then started over using the VPN Wizard. Verified all settings, including those of the IPSecuritas client. From an outside LAN I initiated a connection, the color indicator turned yellow, then red. Opening the log I noticed these errors:

 

TIme        Severity  Src   Message

11:42:37  Error       IKE   phase 2 negotiation failed due to time up waiting for phase1. ESP 136.24.0.247[500]->10.10/10/115[510]

11:42:38  Error       IKE   phase 1 negotiation failed due to time up. fc325fd40062cb8c:0000000000000000

 

136.24.0.247 is the public IP address of my FVS336Gv3. 10.10.10.115 is my LAN address of the outside network from which I am connected back to my home network. I can send the full error log if you wish. Any ideas?

 

- Ken

Message 12 of 17
DaneA
NETGEAR Employee Retired

Re: VPN MacOS client setup

@morrisonkena,

 

Thanks for the update.  I apologize for the late response.  

 

I found another article online which is a bit different to the first one I've shared with regard to some settings configured.  Kindly access it below and try to follow the steps:

 

IP Securitas Os X – Netgear FVS336G VPN Settings 

 

Kindly delete the existing IKE & VPN policies then start over again.  Let us know the result.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 13 of 17
genesearch
Aspirant

Re: VPN MacOS client setup

Ken

 

11:42:37  Error       IKE   phase 2 negotiation failed due to time up waiting for phase1. ESP 136.24.0.247[500]->10.10/10/115[510]

 

About a year ago, I got the exact same error message as you, when connecting to a VPN created by Netgear Support just for me to test with

 "setup a IKE policy with mode config enabled in our laboratory"

 

my error message was:

 

Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 124.83.33.11[0]->192.168.1.198[0]

 

Netgear support are telling me that they received no connection attempt from my network. It was at that point I gave up on the whole idea of setting up a VPN and tossed it into the too hard basket.

 

Did you ever get it working?

Message 14 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

DaneA,

 

Thank you for the additional article with alternate settings. I did try those alternate settings, but also without success. The two articles had variations on similar settings, which has suggested to me to play around a bit more with those settings, in hope of finding a combination that works. I'll update this thread with any successful findings.

 

Regards,

- Ken

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 15 of 17
morrisonkena
Aspirant

Re: VPN MacOS client setup

genesearch,

 

DaneA, on this thread, has provided references to two articles purporting to have the configuration details I require. However I have tried both configuration settings sets without success. The similarity of the settings between the two articles has me believing that I am close, so I will "play" with variations on these settings to see if I can break through. I will update the thread with news of any breakthrough. I'll also drop you a brief note as well. But then again, if after experimenting, I might also have need for the "too hard" bucket!

Still, given the growing popularity of Macs, I find Netgear's weak support for that platform baffling. There should be good, tested, instructions for setting up this VPN on the FVS336G ("with SSL and IPSec VPN") using MacOS. There also should be a MacOS version of Netgear Smart Control Center. One can hope NetGear comes to recognize this market.

 

- Ken

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 16 of 17
genesearch
Aspirant

Re: VPN MacOS client setup

Ken

I have since got the VPN working using the above instructions and it worked, however I didn't do anything different than last time.

Since I had updated both the Netgear router firmware and was using an updated version of IPSecuritas, I can only assume that there was something wrong with the older software. Especially since I was getting the same errors connecting to the Netgear support's test VPN they created in their lab.

 

 

 

Message 17 of 17