Hi,

No, the communications never use TCP; ISAKMP uses UDP (port 500).

No trace in Shrew Debug?

Regards,

On Wed, Nov 17, 2010 at 7:51 PM, <[email protected]> wrote:
> Hi Alexis. Thanks again for your help.
>
> Well I noticed that there was a mismatch in the Key Group so I changed
> my Netgear to use DH Group 2 as this is what the Shrew client was using
> for DH exchange. I also explicitly specified 3DES as the cipher
> algorithm on the client side rather than auto because I was seeing a
> lot of trying the different options on the Netgear side until it
> settled on 3DES anyway.
>
> So now things are looking like they are getting further along (see
> Netgear log below). It looks though like the Netgear is trying to send
> back a response (the TX >> AM_R1 line) but I am not seeing it at the
> client side. Is there something else I should be doing as the client is
> behind a NAT router? Should the communications from the client not be
> over TCP rather than UDP to make this work?
>
> Again thanks for all your help.
>
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:New State index:1, sno:4
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Oakley Transform 1 accepted
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
> Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98
> Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:event after this is EVENT_RETRANSMIT in 4 seconds
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
> Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3
>
> -----------------------------------~~~~~~~-----------------------------
>  Doing what you love is Freedom.   | o o |  Kevin Pickard
>  Loving what you do is Happiness.  |  ^  |  [email protected]
> ------------------------------^^^-----------^^^------------------------
>
> On Wed 10/11/17 12:31 PM, Alexis La Goutte [email protected]:
> > Hi Kevin,
> >
> > The identifier information (fvs_remote.com and fvs_local.com) are the
> > actual values to be used; there is no need to resolve these addresses.
> > Check your phase 1 parameters (ISAKMP).
> >
> > Regards,
> >
> > On Wed, Nov 17, 2010 at 6:25 PM, wrote:
> > > Thank you Alexis. I went through the VPN Wizard again and followed
> > > the steps at the link you provided. I then rebooted my router to
> > > make sure it was starting with the proper configuration. Now it
> > > appears that my router is no longer flagging the ISAKMP packets as
> > > suspicious and tossing them (which is good). In fact it looks like
> > > my router is actually trying to process the packets now. But it is
> > > having trouble with what it is seeing, based on its own internal
> > > logs (below)... and a response is not being sent back to the Shrew
> > > client.
> > >
> > > My question now is, according to the link you provided, I was to
> > > set the Identifier information fields to fvs_remote.com and
> > > fvs_local.com. Are these just examples or are they the actual
> > > values to be used? Should these not resolve to real addresses? As
> > > can be seen below the FQDN of fvs_remote.com is being sent by the
> > > Shrew client in the ISAKMP packet. The Netgear then complains about
> > > not having a connection. Is this because this address does not
> > > resolve?
> > >
> > > By the way, the Shrew client is on a network behind a router so is
> > > NAT.
> > >
> > > Anyway, below is the log from my Netgear. On the Shrew side I only
> > > see the ISAKMP packets being sent out every 5 seconds without any
> > > response coming back.
> > >
> > > Wed, 11/17/2010 10:44:22 - TekSavvy IKE:Trying Dynamic IP Searching
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IPsec:Receive Packet address:0x1396850 from 216.254.149.98
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
> > > Wed, 11/17/2010 10:44:28 - TekSavvy IKE:RX
> > >
> > > Alexis La Goutte wrote:
> > > > Hi Kevin,
> > > >
> > > > Is there a VPN wizard in your FVS318v1? Because if you use the VPN
> > > > Wizard and the information in this blog
> > > > http://blog.igut.fr/post/2009/02/07/Client-VPN-IPSec-Shrew-avec-Routeur-VPN-NETGEAR
> > > > it should work!
> > > >
> > > > Regards,
> > > >
> > > > On Mon, Nov 15, 2010 at 2:05 PM, Kevin Pickard wrote:
> > > > > Thanks for the response Alexis. So have you managed to get a
> > > > > FVS318v1 to work? Do you know what configuration I should use?
> > > > > As I said in my initial post, my attempts at configuring it have
> > > > > failed (see below).
> > > > >
> > > > > At 03:59 AM 2010-11-15, Alexis La Goutte wrote:
> > > > > > Hi Kevin,
> > > > > >
> > > > > > Yes, it works, but you should not use Xauth & ModeConfig (not
> > > > > > available in FVS318v1).
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > On Sat, Nov 13, 2010 at 11:19 PM, Kevin Pickard wrote:
> > > > > > > I take it no-one else has any experience with this? Andreas
> > > > > > > was the only one to respond but his FVS318 appears to be a
> > > > > > > newer version and is completely different from mine. I have
> > > > > > > the older v1 hardware (FVS318v1). Anyone?
> > > > > > >
> > > > > > > At 16:59:21 2010-10-26, wrote:
> > > > > > > > Message: 2
> > > > > > > > Date: Tue, 26 Oct 2010 16:59:21 +0200
> > > > > > > > Subject: Re: [vpn-help] Netgear FVS318
> > > > > > > >
> > > > > > > > Quoting :
> > > > > > > >
> > > > > > > > > Hello. Does anyone know if the Shrew client will work
> > > > > > > > > with the Netgear FVS318 router?
> > > > > > > > >
> > > > > > > > > I have scanned the archives and I have found references
> > > > > > > > > to the FVG318 but nothing specific about the FVS318. I
> > > > > > > > > have seen references to needing Mode and Xauth enabled
> > > > > > > > > to get the FVS318 to work but neither of those options
> > > > > > > > > exist on the FVS318 (that I can find). So I think those
> > > > > > > > > people are confusing the FVS318 with another model.
> > > > > > > > >
> > > > > > > > > Has anyone been able to get the Netgear FVS318 (V1
> > > > > > > > > hardware running V2.4 firmware) to work with the Shrew
> > > > > > > > > client?
> > > > > > > > >
> > > > > > > > > My initial attempts at trying various configurations
> > > > > > > > > have only resulted in security warnings on my FVS318
> > > > > > > > > indicating that UDP packets (from the Shrew Client) are
> > > > > > > > > being tossed because they contain 'Suspicious UDP Data'.
> > > > > > > > > I have configured to use PSK. On the client side, via
> > > > > > > > > Wireshark, I only see the ISAKMP packet being sent out
> > > > > > > > > (this is the one being tossed by the FVS318) at 5 second
> > > > > > > > > intervals. The Shrew client itself shows "bringing up
> > > > > > > > > tunnel ...", then eventually followed by "negotiation
> > > > > > > > > timout [sic] occurred" after the ISAKMP packet has been
> > > > > > > > > sent 4 times.
> > > > > > > >
> > > > > > > > Just a guess: if the Netgear has some form of firewall you
> > > > > > > > may need to allow inbound UDP port 500 and, if using UDP
> > > > > > > > encapsulation, port 4500 as well to get the tunnel up.
> > > > > > > >
> > > > > > > > Regards
> > > > > > > >
> > > > > > > > Andreas
> > > > > > > >
> > > > > > > > End of vpn-help Digest, Vol 49, Issue 25

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
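The check below is an added example, not code from this thread, from Shrew Soft or from Netgear: it parses the FVS318 log lines Kevin posted (embedded as a constructed sample), decodes the hex ID_FQDN value the router logs, and tells the case he hit (AM_R1 sent, then only retransmits, so the reply never reached the client) apart from a rejected proposal. The "RX << AM_I2" line name is assumed by analogy with the AM_I1/AM_R1 entries in the log.

```python
import re

# Constructed sample input: the FVS318 log lines quoted in the thread above,
# reduced to the entries the diagnosis looks at.
NETGEAR_LOG = """\
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:Peer Initialized IKE Aggressive Mode
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:RX << AM_I1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Agg. Decoded Peer's ID Type is ID_FQDN
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:Value=66 76 73 5f 72 65 6d 6f 74 65 2e 63 6f 6d
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Wed, 11/17/2010 13:43:00 - TekSavvy IKE:[Client_Shrew_tmp2] TX >> AM_R1 : 216.254.149.98
Wed, 11/17/2010 13:43:00 - TekSavvy IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
Wed, 11/17/2010 13:43:04 - TekSavvy IPsec:handling event EVENT_RETRANSMIT for d8fe9562 "Client_Shrew_tmp2" #3
"""

def decode_id_value(hex_bytes):
    """Turn the space-separated hex the router logs for a peer ID into text."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("ascii", errors="replace")

def diagnose_aggressive_mode(log):
    """Summarise an IKEv1 aggressive-mode exchange as seen from the responder's log."""
    r = {"peer": None, "peer_id": None, "proposal": None, "retransmits": 0,
         "rx_am_i1": False, "tx_am_r1": False, "rx_am_i2": False}
    for line in log.splitlines():
        if m := re.search(r"RX << AM_I1 : (\S+)", line):      # first initiator message
            r["rx_am_i1"], r["peer"] = True, m.group(1)
        elif "TX >> AM_R1" in line:                            # responder's reply sent
            r["tx_am_r1"] = True
        elif "RX << AM_I2" in line:                            # assumed name of the third message
            r["rx_am_i2"] = True
        elif m := re.search(r"IPsec:Value=([0-9a-f ]+)$", line):
            r["peer_id"] = decode_id_value(m.group(1))         # ID_FQDN payload as text
        elif m := re.search(r"IKE:(OAKLEY_\S+)$", line):
            r["proposal"] = m.group(1)                         # accepted phase 1 transform
        elif "handling event EVENT_RETRANSMIT" in line:
            r["retransmits"] += 1                              # AM_R1 resent, still no AM_I2
    if r["rx_am_i2"]:
        r["verdict"] = "AM_I2 received: phase 1 completed on the responder"
    elif r["tx_am_r1"]:
        r["verdict"] = ("AM_R1 sent but no AM_I2 received: the reply is not reaching the "
                        "initiator; check that UDP 500 (and 4500 with UDP encapsulation) "
                        "passes the NAT/firewall in both directions")
    elif r["rx_am_i1"]:
        r["verdict"] = "AM_I1 received but AM_R1 never sent: proposal or ID was rejected"
    else:
        r["verdict"] = "no aggressive-mode exchange found in the log"
    return r
```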
