Hi, Which mode you use ? Xauth ? ModeConfig ? Because there is a "known issue" with NETGEAR Router and ModeConfig without XAUTH
http://lists.shrew.net/pipermail/vpn-help/2010-February/001962.html Regards, On Mon, Dec 13, 2010 at 8:33 PM, Shad L. Lords <[email protected]> wrote: > Problem: > > I'm trying to establish a IPSec VPN to a Netgear SRX5308 with the Shrew > Soft VPN Client. I've got it configured correctly to do mode config and > xauth. If I point the exact same configuration at my Netgear FVX538 or > Netgear FVS336G (also setup the same as the SRX5308) it connects just fine. > However on the SRX5308 I get a "invalid message from gateway" message on the > VPN client. I've tried using the 3.0.6-9.1 firmware as well as the beta > 3.0.7-11.1 firmware. They both behave the same way. > > VPN Client Version = 2.1.7 and 2.2.0-alpha10 > Windows OS Version = Windows 7 Ultimate (32-bit and 64-bit) > Gateway Make/Model = Netgear SRX5308 (broken) > Gateway OS Version = 3.0.6-9.1 and 3.0.7-11.1 (beta) > > Gateway Make/Model = Netgear FVX538 and FVS336G (working) > Gateway OS Version = 3.0.6-29 > > In comparing the IKE decrypted packed dumps between the FVS336G and the > SRX5308 they are the same up to the point of doing the mode config > negotiation. The FVS336G does a ISAKMP_CFG_REQUEST (1) and receives a > ISAKMP_CFG_REPLY (2) with all the data needed (ip, mask, dns, etc). The > SRX5308 does the same ISAKMP_CFG_REQUEST (1) and receives a ISAKMP_CFG_SET > (3) with the needed information (ip, mask, dns, etc). Because the packet is > a SET instead of a REPLY the client doesn't recognize the packet as one it > expects and fails to bring up the tunnel. > > I've got packet captures of both firewalls that I can send if necessary. > _______________________________________________ > vpn-help mailing list > [email protected] > http://lists.shrew.net/mailman/listinfo/vpn-help >
_______________________________________________ vpn-help mailing list [email protected] http://lists.shrew.net/mailman/listinfo/vpn-help
