Netgear FVS318 V3 and TheGreenBow Client VPN


zillah

Regular Contributor
Hi
I tried to follow the instructions in the guideline below (under Netgear FVS318 V3):
http://www.thegreenbow.com/vpn_gateway.html
It worked the first time, then after that, I do not know why, it stopped working!!!
This is my configuration for the router FVS318 V3 and the TheGreenBow client:
http://img526.imageshack.us/i/ikepolicyfvs318.jpg/

http://img30.imageshack.us/i/vpnpolicy.jpg/

http://img134.imageshack.us/i/vpnpolicyfvs318.jpg/

http://img130.imageshack.us/i/phase1.jpg/

http://img264.imageshack.us/i/p1advanced.jpg/

http://img137.imageshack.us/i/phase2.jpg/

I could not figure out where the problem is.

Note: The screenshots might show different DH groups, but they are the same.

Thanks
 
Log for router's VPN
[2009-11-12 22:31:08][==== IKE PHASE 1(from 203.56.x.x) START (responder) ====]
[2009-11-12 22:31:08]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2009-11-12 22:31:08]<POLICY: > PAYLOADS: SA,PROP,TRANS,VID,VID,VID,VID,VID,KE,NONCE,ID
[2009-11-12 22:31:08]SENDING NOTIFY MSG:
[2009-11-12 22:31:08]INVALID_ID_INFORMATION
[2009-11-12 22:31:08]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2009-11-12 22:31:08]<POLICY: > PAYLOADS: NOTIFY



Log for TheGreenBow client
20091112 233105 Default (SA FVS318Phase1-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20091112 233105 Default (SA FVS318Phase1-P1) RECV Informational [NOTIFY] with INVALID_ID_INFORMATION error
20091112 233105 Default Received INFORMATIONAL message. Aborting connection
 
OK,

One of your pictures won't open. Check it

http://img134.imageshack.us/i/vpnpolicyfvs318.jpg/

Even without seeing this picture I see problems

1) Your IKE DH key size does not match. You have DH1 in the Netgear and DH2 in Greenbow.

2) What you have listed as a FQDN is not really a FQDN. Not sure if it's doing reverse DNS, so it's best to change to a FQDN or another type of authenticator such as Email.

3) In Greenbow Phase 2 your Remote LAN IP must be a valid IP on the network; usually it's the IP of the Netgear VPN endpoint.

Have you tried submitting a case to Greenbow support?
 
Hi Claykin

1) Your IKE DH key size does not match. You have DH1 in the Netgear and DH2 in Greenbow.
Note: The screenshots might show different DH groups, but they are the same.

2) What you have listed as a FQDN is not really a FQDN. Not sure if it's doing reverse DNS, so it's best to change to a FQDN or another type of authenticator such as Email.
Please check the documentation in the link below:
http://www.thegreenbow.com/vpn_gateway.html
or this:
http://www.scribd.com/doc/3800513/NetGear-FVS318v3-GreenBow-IPsec-VPN-Configuration


3) In Greenbow Phase 2 your Remote LAN IP must be a valid IP on the network; usually it's the IP of the Netgear VPN endpoint.
The documentation does not say that... could you please verify it? I might be wrong.
http://www.scribd.com/doc/3800513/NetGear-FVS318v3-GreenBow-IPsec-VPN-Configuration

Have you tried submitting a case to Greenbow support?
They do not have a forum... I might send an email to them.

Thanks
 
No need to change the Local and Remote ID type. You can safely use DNS and a dummy (made up) FQDN. What you need to change is the Local and Remote ID on one side. If the Local ID in the Greenbow client says "FVS318Local", that should be the Remote ID in the Netgear. Think of it this way: they are exchanging IDs with each other, so Local to one side is Remote to the other.

The messages you are receiving in the Greenbow log are telling you the above IDs don't match.

Regarding the DH Key size, all I can tell you is that I see you have DH1 on one side of the IKE and DH2 on the other. Change it so they match.

Last, I do not think you can successfully connect an IPSec client to an endpoint when using an address such as 192.168.0.0. This represents the range of addresses and is NOT a valid IP address. Try changing it to match the IP of your Netgear.
 
The messages you are receiving in the Greenbow log are telling you the above IDs don't match.
Yes, you are right... I am aware of that, I will investigate that.

Regarding the DH Key size, all I can tell you is that I see you have DH1 on one side of the IKE and DH2 on the other. Change it so they match.
On the image that I posted in the first post it would not match, but I had changed it afterward so they match.

I do not think you can successfully connect an IPSec client to an endpoint when using an address such as 192.168.0.0. This represents the range of addresses and is NOT a valid IP address.
It is a valid IP address for the LAN behind the Netgear router FVS318 V3. Second, it is exactly as the documentation has mentioned, and you know that this documentation was tested by heaps of people, not only me and you.

Try changing it to match the IP of your Netgear.
I have already used the public ip address that points theGreenBow client to the VPN server ( Netgear router FVS318 V3 ).
 
If the Local ID in the Greenbow client says "FVS318Local", that should be the Remote ID in the Netgear.
This alerted me to find my mistake and solved the problem.

Thanks for your insight and for highlighting the issue.

On the Netgear router I configured this :
Local
Local Identity Type : FQDN
Local Identity Data : FVS318Local
Remote
Remote Identity Type : FQDN
Remote Identity Data : FVS318Remote


On TheGreenBow Client I configured it wrongly as below:
"Local ID"
Value : FVS318Local ... This should be FVS318Remote
Type : DNS

"Remote"
Value : FVS318Remote ... This should be FVS318Local
Type : DNS

The correct configuration should be as below:
"Local ID"
Value : FVS318Remote
Type : DNS

"Remote"
Value : FVS318Local
Type : DNS
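The rule the thread arrives at (each side's Local ID must be the other side's Remote ID, and the DH groups must match) can be checked mechanically before touching the boxes. This is an added example, not TheGreenBow or Netgear code; the config dicts and field names are my own constructed shorthand for the settings posted above, and the log parsers follow the two log formats quoted earlier in the thread.

```python
import re

# Constructed configs mirroring the thread's settings (hypothetical field names, not vendor formats).
GATEWAY = {"local_id": ("FQDN", "FVS318Local"),
           "remote_id": ("FQDN", "FVS318Remote"), "dh_group": 2}
CLIENT_WRONG = {"local_id": ("DNS", "FVS318Local"),      # copied the gateway's Local ID as-is
                "remote_id": ("DNS", "FVS318Remote"), "dh_group": 1}
CLIENT_FIXED = {"local_id": ("DNS", "FVS318Remote"),     # swapped, as the thread concluded
                "remote_id": ("DNS", "FVS318Local"), "dh_group": 2}

# TheGreenBow labels the FQDN identity type "DNS"; map vendor labels to one canonical name.
ID_TYPE_ALIASES = {"DNS": "FQDN", "FQDN": "FQDN", "EMAIL": "USER_FQDN"}

def _norm(ident):
    kind, value = ident
    return ID_TYPE_ALIASES.get(kind.upper(), kind.upper()), value

def check_peer_config(gateway, client):
    """Return a list of mismatch descriptions; an empty list means the pair lines up.
    Rule: each side's Local ID must equal the other side's Remote ID (type and value),
    and both sides must propose the same IKE DH group."""
    problems = []
    if _norm(client["local_id"]) != _norm(gateway["remote_id"]):
        problems.append("client Local ID %r is not the gateway's Remote ID %r"
                        % (client["local_id"][1], gateway["remote_id"][1]))
    if _norm(client["remote_id"]) != _norm(gateway["local_id"]):
        problems.append("client Remote ID %r is not the gateway's Local ID %r"
                        % (client["remote_id"][1], gateway["local_id"][1]))
    if client["dh_group"] != gateway["dh_group"]:
        problems.append("IKE DH group mismatch: client DH%d, gateway DH%d"
                        % (client["dh_group"], gateway["dh_group"]))
    return problems

# Log triage: the client log names the NOTIFY error inline; the router log puts it on the next line.
CLIENT_NOTIFY_RE = re.compile(r"RECV Informational \[NOTIFY\] with (\w+) error")

def client_notify_error(line):
    """Return the NOTIFY error name from a TheGreenBow log line, or None."""
    m = CLIENT_NOTIFY_RE.search(line)
    return m.group(1) if m else None

def router_notify_errors(lines):
    """Return every NOTIFY error name the FVS318 log says it sent."""
    errors = []
    for prev, cur in zip(lines, lines[1:]):
        if prev.endswith("SENDING NOTIFY MSG:"):
            errors.append(cur.split("]", 1)[1].strip())   # drop the "[timestamp]" prefix
    return errors
```

An INVALID_ID_INFORMATION in either log plus a non-empty list from check_peer_config points at the ID swap rather than at the proposal or pre-shared key.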
 
Although the VPN tunnel is working now:
On the router, for Authentication I have got MD5 or SH-1 (no SH),
and on TheGreenBow I have got MD5 or SH (no SH-1).
In the documentation he used SH-1 on the router and SH on TheGreenBow... and I did the same thing. Wouldn't that be considered a mismatch of authentication between the client (TheGreenBow) and the server (router)?
Thanks
 
Good to hear you got it working...

In reviewing your screenshots you have SHA-1 set for IKE and ESP authentication in both. Not sure what you are asking?

I also checked again on the Remote LAN IP address and yes you can use the 192.168.0.0 address. I was originally reviewing setup instructions for another gateway that didn't want those settings. My bad.
 
In reviewing your screenshots you have SHA-1 set for IKE and ESP authentication in both. Not sure what you are asking?
I have used two PCs that have TheGreenBow client installed on them.

It seems to me one of them has an older version of TheGreenBow VPN client therefore there is one SH-1 for authentication.

The newer version of TheGreenBow VPN client does have SH-1

The screenshots that I have posted are from the PC that has the newer version.

If you look at the link below, he used an older version of TheGreenBow VPN client which does not have SH-1 (and I did configure that on one of the PCs that has an old version as well).

http://www.scribd.com/doc/3800513/NetGear-FVS318v3-GreenBow-IPsec-VPN-Configuration

How would that work if the authentication on both ends does not use the same algorithm?
 