Fvx538

digitalbeachbum
Aspirant

Re: Fvx538

Found this error in a log. Does anyone know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed
Message 26 of 42
Nhellie
Virtuoso

Re: Fvx538

digitalbeachbum wrote:
Found this error in a log. Does anyone know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed


It looks like some of the settings do not match. Check the passphrase or the local and remote subnets on the firewall and client.
Message 27 of 42
digitalbeachbum
Aspirant

Re: Fvx538

Do I need to open a port? I've searched around and I keep seeing a port needing to be open in relation to this error message.

I'll double check all my stuff again.

Nhellie26 wrote:
It looks like some of the settings do not match. Check the passphrase or the local and remote subnets on the firewall and client.
Message 28 of 42
RX
Luminary

Re: Fvx538

digitalbeachbum wrote:
Found this error in a log. Does anyone know what it means?

default ike_phase_1_inititor_send_sa:differing group descriptions in a proposal
default exchange_run:doi->initator (00e59ce) failed


It seems that this is just a portion of the logs. Maybe you could take a look at this link as a reference about the VPN console logs: http://www.downloads.netgear.com/files/GDC/VPNG01L/VPNClient_UM_10Apr2013.pdf -- check Chapter 7, from p. 132 onwards.

digitalbeachbum wrote:
Do I need to open a port? I've searched around and I keep seeing a port needing to be open in relation to this error message.


Check page 133 from the link I have given you.
Message 29 of 42
digitalbeachbum
Aspirant

Re: Fvx538

I've made progress.

My logs are now showing a lot of different results and I'm getting further. The manual has made a difference when I 'manually configured the client' but I'm still missing something.

Log from client

[VPNCONF] TGBIKE_STARTED received
20150608 22:25:13 Reading configuration...
20150608 22:25:14 IKEv1 configuration detected
20150608 22:25:14 No IKEv2 configuration
20150608 22:25:14 No SSL configuration
20150608 22:25:41:819 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:25:46:842 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:25:51:865 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150608 22:27:00:870 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]


Log from FW (VPN LOG)

2015 Jun 8 20:14:14 [FVX538] [IKE] Could not find configuration for xxx.xx.xx.xxx[500]_

When I used the manual configuration I made the most progress. The Wizard and the non-manual settings from the instruction guide did nothing for me.

Is there supposed to be a Phase 1 and Phase 2 cfg? I recall the older version of the client having this already built in to the cfg.
Message 30 of 42
RX
Luminary

Re: Fvx538

Try to disable PFS on the VPN policy of the FVX538 as well as disable PFS on the VPN Client software then check if you could open the tunnel.
Message 31 of 42
adit
Mentor

Re: Fvx538

Yes, there are Phase 1 (IKE) and Phase 2 (VPN or Mode Config) policies on each end of the tunnel.
Message 32 of 42
digitalbeachbum
Aspirant

Re: Fvx538

adit wrote:
Yes, there are Phase 1 (IKE) and Phase 2 (VPN or Mode Config) policies on each end of the tunnel.


How come the Wizard doesn't auto create Phase 2? I see it in the manual version of the instructions. The older client I used to run on Win98 had it all built in and you just filled in the blanks.
Message 33 of 42
digitalbeachbum
Aspirant

Re: Fvx538

Sasword wrote:
Try to disable PFS on the VPN policy of the FVX538 as well as disable PFS on the VPN Client software then check if you could open the tunnel.


Thanks, I will try this tonight
Message 34 of 42
digitalbeachbum
Aspirant

Re: Fvx538

I started from scratch and actually got what you see below. After a few tries it gave up the connection. Everything was exactly how it was in the manual except for a few things like the key and the remote/local identifiers. I did some searching for info on these errors but couldn't figure it out.

Client Log
VPNCONF] TGBIKE_STARTED received
20150609 21:47:21 Reading configuration...
20150609 21:47:21 IKEv1 configuration detected
20150609 21:47:21 No IKEv2 configuration
20150609 21:47:21 No SSL configuration
20150609 21:47:59:180 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20150609 21:47:59:751 Default (SA Ikev1Gateway-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D] [VID] [VID] [VID]
20150609 21:47:59:766 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:47:59:768 Default phase 1 done: initiator id remote.com, responder id local.com
20150609 21:47:59:770 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:04:764 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:09:800 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:09:801 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:19:800 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:19:842 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:24:866 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:29:897 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:29:897 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:29:897 Default transport_send_messages: giving up on message 02216138
20150609 21:48:30:913 Default (SA Ikev1Gateway-P1) SEND Informational [HASH] [DELETE]
20150609 21:48:30:913 Default deleted


FW LOG

2015 Jun 9 21:56:43 [FVX538] [IKE] Remote configuration for identifier "remote.com" found_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received request for new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]_
2015 Jun 9 21:56:43 [FVX538] [IKE] Beginning Aggressive mode._
2015 Jun 9 21:56:43 [FVX538] [IKE] Received unknown Vendor ID_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2015 Jun 9 21:56:43 [FVX538] [IKE] Received unknown Vendor ID_
2015 Jun 9 21:56:43 [FVX538] [IKE] For x.x.x.x[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2015 Jun 9 21:56:43 [FVX538] [IKE] Floating ports for NAT-T with peer x.x.x.x[4500]_
2015 Jun 9 21:56:43 [FVX538] [IKE] Received Malformed packet of payload length 52014 and total length 72._
2015 Jun 9 21:56:43 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:56:53 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:56:53 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:03 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:57:08 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:14 [FVX538] [IKE] Received Malformed packet of payload length 5542 and total length 72._
2015 Jun 9 21:57:14 [FVX538] [IKE] Could not start quick mode as there is no valid ISAKMP-SA:
2015 Jun 9 21:57:15 [FVX538] [IKE] Ignore information because ISAKMP-SA has not been established yet._
Message 35 of 42
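
Added example, not part of any post in this thread: a small Python parser for the client console log format quoted above that reports which IKEv1 phase stopped getting replies and how often identical messages were resent. The function names are assumptions made for this illustration, and the sample lines are trimmed from the two client logs posted in the thread.

```python
import re
from collections import Counter

# Sample lines trimmed from the two client logs posted in this thread.
LOG_NO_REPLY = """\
20150608 22:25:41:819 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20150608 22:25:46:842 Default (SA Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
"""
LOG_P2_STALL = """\
20150609 21:47:59:180 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20150609 21:47:59:751 Default (SA Ikev1Gateway-P1) RECV phase 1 Aggressive Mode [HASH] [SA] [KEY_EXCH] [NONCE] [ID] [NAT_D] [NAT_D]
20150609 21:47:59:766 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:47:59:768 Default phase 1 done: initiator id remote.com, responder id local.com
20150609 21:47:59:770 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:04:764 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20150609 21:48:09:800 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [HASH] [NAT_D] [NAT_D]
20150609 21:48:29:897 Default transport_send_messages: giving up on message 02216138
"""

EXCHANGE = re.compile(r"\(SA \S+\) (SEND|RECV) phase ([12]) ")

def parse(log):
    """Return (phase, direction, payloads) for every IKE exchange line."""
    events = []
    for line in log.splitlines():
        m = EXCHANGE.search(line)
        if m:
            events.append((int(m.group(2)), m.group(1), tuple(re.findall(r"\[(\w+)\]", line))))
    return events

def diagnose(log):
    """Report where the negotiation stopped getting answers, plus resend counts."""
    events = parse(log)
    recv = Counter(phase for phase, direction, _ in events if direction == "RECV")
    sends = Counter((phase, p) for phase, direction, p in events if direction == "SEND")
    resent = Counter()
    for (phase, _), n in sends.items():
        resent[phase] += n - 1  # an identical message sent again is a retransmit
    if not sends:
        stage = "no IKE exchange logged"
    elif recv[1] == 0:
        stage = "phase 1: gateway never replied"
    elif "phase 1 done" not in log:
        stage = "phase 1: reply received but not completed"
    elif recv[2] == 0:
        stage = "phase 2: Quick Mode never answered"
    else:
        stage = "both phases answered"
    return {"stage": stage, "resent": dict(resent), "gave_up": "giving up on message" in log}
```

Calling `diagnose()` on saved console output gives a quick first split between a gateway that is not answering at all and one that completes phase 1 from the client's point of view but never answers Quick Mode; the firewall's own log still has to be read for the reason.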
adit
Mentor

Re: Fvx538

Don't use "remote.com". That is routable and not owned by you. Use the fvx_remote.com and fvx_local.com for the FQDN identifiers.
Message 36 of 42
digitalbeachbum
Aspirant

Re: Fvx538

adit wrote:
Don't use "remote.com". That is routable and not owned by you.


Use the fvx_remote.com and fvx_local.com for the FQDN identifiers.


I didn't. I edited the logs and removed a private domain name.
Message 37 of 42
adit
Mentor

Re: Fvx538

Use exactly what is in the tutorial.
Message 38 of 42
fordem
Mentor

Re: Fvx538

Does the private domain name resolve to the appropriate end point address? If it doesn't, it will cause a problem - you're better off using fvx_remote.com & fvx_local.com
Message 39 of 42
digitalbeachbum
Aspirant

Re: Fvx538

adit wrote:
Use exactly what is in the tutorial.


I did... but on another note.

I found this thread
http://forums.prosecure.netgear.com/showthread.php?t=9396

It had some similar issues so I decided to reset to factory defaults and then start over but this time I applied each firmware upgrade then reboot. I did each upgrade hoping that maybe there was something missing.

When I finished I noticed several pages on the admin screens which had stuff I had never seen before. I am hoping that this will help solve my problem when I test it again.
Message 40 of 42
digitalbeachbum
Aspirant

Re: Fvx538 (Solved?)

So I did each firmware update on top of each other then when I tested it remotely, on the very first try, everything worked! No errors... well sort of.

Once I connected I wanted to see what I could see, so I opened a command prompt and tried to ping a server. It pinged once and then I got a blue screen. The remote system rebooted and I tried again.

The second time I tried to drive map to a server and as soon as I clicked to move forward with the mapping... blue screen.

I found the following in Windows. I'm looking at what it might be, but I bet a conflict of some kind.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: 19
BCP1: 00000020
BCP2: 89BA06B8
BCP3: 89BA06D0
BCP4: 08030019
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
F:\Windows\Minidump\061015-52759-01.dmp
F:\Users\root\AppData\Local\Temp\WER-110401-0.sysdata.xml
Message 41 of 42
digitalbeachbum
Aspirant

Re: Fvx538

The Blue Screen is a Bad Pool Call and I believe it is a driver issue. I'll just need to track down which driver it is, but I'm betting USB 3.0 based on research I've done. I'll know more tonight but thanks for the help in narrowing down my problem with the VPN. At least I can move forward without this problem lingering.
Message 42 of 42