Re: VPN use Mode Config Record fails

genesearch · ‎2016-02-16

The FVS336G is the gateway and the LAN uses 192.168.1.x IP range.

I can create the IPSEC VPN, using VPN Policy as per the instruction manual, and it works great, and so easy to configure.

All my computers are Apple Mac OS X, and using IPSecuritas as the VPN client, according to Netgear KB http://kb.netgear.com/app/answers/detail/a_id/24242

However, I have obvious problem when the remote client LAN also has same local IP address range of 192.168.1.x. Its not a reasonable option for me to change my business LAN ip addresses.

After studying the manuals, KB etc, I see that the way to overcome this is to assign a different subnet to the incoming VPN clients and this is simply managed by changing the IPSEC VPN to use Mode Config Record.

This is pretty basic stuff, On the Netgear just create a pool 192.168.169.1 to 254, and set the security the same as before, and enable Mode Config.

On the client, simply change the endpoint IP adress from 192.168.1.0/24 to 192.168.169.0/24 and go

The error message in the client is:

IKE [Netgear host IP] give up to get IPsec-SA due to time up to wait.

Error message in Router:

ERROR: Failed to get IPsec SA configuration for: 192.168.169.1/24<->192.168.43.178/32 from vpnclient.private

I contacted Netgear support who then took remote control of my computes and configured IPSEC VPN straight from the manual - doiing nothing different than what I did, and get exactly the same problem.

If I flip the settings back to before, on both client and host, the VPN works again.

It makes no difference whether XAUTH is set to none, or user login, the problem is the same.

Have tried on two different client MAC's on two different networks.

Netgear also attempted to create built in OS X vpn client using Cisco IPSEC configuration and result pretty much the same.

Any ideas? I thought this should be simple.

genesearch · ‎2016-02-16

The complete log from the router.

Wed Feb 17 10:22:49 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  192.168.169.1 IP address has been released by remote peer.
Wed Feb 17 10:22:49 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  ISAKMP-SA deleted for 59.100.xx.xxx[500]-1.132.9.76[500] with spi:414c513b9c0a8545:f63016e5a78baa48
Wed Feb 17 10:22:48 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=414c513b9c0a8545:f63016e5a78baa48.
Wed Feb 17 10:22:41 2016 (GMT +1000): [FVS336GV3] [IKE] ERROR:  Failed to get IPsec SA configuration for: 192.168.169.1/24<->192.168.43.178/32 from vpnclient.private
Wed Feb 17 10:22:41 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Responding to new phase 2 negotiation: 59.100.xx.xxx[0]<=>1.132.9.76[0]
Wed Feb 17 10:22:36 2016 (GMT +1000): [FVS336GV3] [IKE] ERROR:  Failed to get IPsec SA configuration for: 192.168.169.1/24<->192.168.43.178/32 from vpnclient.private
Wed Feb 17 10:22:36 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Responding to new phase 2 negotiation: 59.100.xx.xxx[0]<=>1.132.9.76[0]
Wed Feb 17 10:22:31 2016 (GMT +1000): [FVS336GV3] [IKE] ERROR:  Failed to get IPsec SA configuration for: 192.168.169.1/24<->192.168.43.178/32 from vpnclient.private
Wed Feb 17 10:22:31 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Responding to new phase 2 negotiation: 59.100.xx.xxx[0]<=>1.132.9.76[0]
Wed Feb 17 10:22:30 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Wed Feb 17 10:22:30 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  ISAKMP-SA established for 59.100.xx.xxx[500]-1.132.9.76[500] with spi:414c513b9c0a8545:f63016e5a78baa48
Wed Feb 17 10:22:30 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  192.168.169.1 IP address is assigned to remote peer 1.132.9.76[500]
Wed Feb 17 10:22:29 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Received Vendor ID: DPD
Wed Feb 17 10:22:29 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Received unknown Vendor ID
Wed Feb 17 10:22:29 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Beginning Aggressive mode.
Wed Feb 17 10:22:29 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Received request for new phase 1 negotiation: 59.100.xx.xxx[500]<=>1.132.9.76[500]
Wed Feb 17 10:22:29 2016 (GMT +1000): [FVS336GV3] [IKE] INFO:  Remote configuration for identifier "vpnclient.private" found

adit · ‎2016-02-16

If I remember correctly Mode Config did not work with IPSecuritas.

LAN1 192.168.1.0 to LAN2 192.168.1.0 will never work.

If you are concerned about common LAN subnets having an issue with yours then you will need to change it.

These are the one you should not use if you have VPN Client users attaching to your network.

LAN Subnets NOT to Use

192.168.0.0

192.168.1.0

192.168.5.0

192.168.10.0

192.168.50.0

192.168.100.0

10.0.0.0

10.0.10.0

172.16.0.0

172.31.0.0

Hex/IP Converter - Online Subnet Calculator - LAN Subnets NOT to Use

genesearch · ‎2016-02-16

Thanks for responding, I will follow up with IPSecuritas support to check.

I know I can change my IP address range, but its probably 20 years already, and as you can imagine, its not easy. Otherwise I would have done so already.

As an alternative, Does setting up buily in OS X client work with FVS336G

http://kb.netgear.com/ci/fattach/get/7606/1398700025/redirect/1/filename/Application_Notes-UTM_MAC_i...

Netgear support referred me to it, I cant get it to work, and neither can they (by remote controlling my computers and setting up themselves)

adit · ‎2016-02-16

I'm not an Apple guy so I'm not the best resource.

I think that tutorial was hit or miss back on the old forums. Searching the Archive in the new forum is useless.

That IPSecuritas issue goes back for maybe 10 years. I'm not aware of it ever getting resolved.

I think MC worked with Equinix VPN Tracker, but again just going off of memory.

Hex/IP Converter - Online Subnet Calculator - LAN Subnets NOT to Use