[The_KiD]

Hey all, i have yet another VPN issue that is confusing the fudge out of me!

I am trying to use a Netgear FVS318 Prosafe VPN Firewall/Router to create a connection between a branch ADSL connection and our head office.

We currently do this using one machine as a gateway at the branch, with Safenet Softremote software loaded on it. This creates the connection to our Head Office. This works well, apart from if something goes wrong with the gateway machine then none of the machines at that branch can connect.

So I decided to look into VPN routers and use those instead.

I have setup the VPN connection on the Netgear control panel and have done it right (I think) or it all looks right.

Now when I go the VPN status window on the Netgear it shows the following:

Phase 1: M-ESTABLISHED / Phase 2: ESTABLISHED

Which to me seems like a good thing , yet I am unable to browse the Head Office lan or connect to any services on the LAN.

If I look in the log for the netgear it shows this:

[2005-06-08 02:25:16]**** SENT OUT  FIRST MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: SA
[2005-06-08 02:25:16]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: SA
[2005-06-08 02:25:16]**** SENT OUT  THIRD MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: KE
[2005-06-08 02:25:16]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: KE
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: ID
[2005-06-08 02:25:17]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: ID
[2005-06-08 02:25:17]**** MAIN MODE COMPLETED ****
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: HASH
[2005-06-08 02:25:17]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-08 02:25:17]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-08 02:25:17]NO_PROPOSAL_CHOSEN

Which again to me looks good, apart from the last line which says "NO_PROPOSAL_CHOSEN" but I am at a loss as to what to do to make it connect.

I cannot ping addresses on the Head Office LAN, I basically can not see the Head Office LAN at all, even though all looks good.

Any Ideas?

[Advertisements]

OK a little more info!

After looking through the logs on the Head Office firewall which the Netgear is trying to make the connection with I am showing this:

2005/06/08 12:47:11: Source: 255.255.255.255 Dest: (Netgear External IP) Cookies: (2 sets of 16 character long letters and numbers), Sequence: 0 Description: SA proposal not accepted

Hope this sheds some light on the problem.

[The_KiD]

OK a little more info!

After looking through the logs on the Head Office firewall which the Netgear is trying to make the connection with I am showing this:

2005/06/08 12:47:11: Source: 255.255.255.255 Dest: (Netgear External IP) Cookies: (2 sets of 16 character long letters and numbers), Sequence: 0 Description: SA proposal not accepted

Hope this sheds some light on the problem.

[dsenette]

I honsestly don't have much of a clue, but from that last message i wonder if the SA proposal has anything to do with dns. (start of authority) though that usually would be SOA but you never know with other software. i only have experience with cisco VPNs so, they are different. (ie. easier). it could be an authentication problem as well.

[The_KiD]

Ok so this problem is still on going and it is driving me nutty

This is what I have discovered so far "NO_PROPOSAL_CHOSEN" effectively means that the netgear box and the Cyberguard (the head office firewall) cannot agree which authentication protocol to use.

However as I said we have 70+ branches all of which are connecting to the VPN fine. They however use a software client called Safenet SoftRemote which you may have seen/heard of.

These are the settings from the Safenet Client which work:

phase 1 settings


phase 2 settings


Now I have tried matching the Netgear settings to that, but it just doesnt seem to go am I missing something?

Here are the latest NetGear settings as I have them now:

IKE Policy


VPN Policy


I have hid certain parts to make sure I dont accidentally give out details about our lan/vpn.

I hope you can spot something here as I am totally confused.

Here is a copy of what shows in the Netgear VPN status log:

[2005-06-15 23:49:51]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: ID
[2005-06-15 23:49:51]**** MAIN MODE COMPLETED ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:49:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:49:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:49:51]NO_PROPOSAL_CHOSEN
[2005-06-15 23:51:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:51:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:51:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:51:51]NO_PROPOSAL_CHOSEN
[2005-06-15 23:53:23]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:53:23]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:53:23]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:53:23]NO_PROPOSAL_CHOSEN
[2005-06-15 23:55:22]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:55:22]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:55:22]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:55:22]NO_PROPOSAL_CHOSEN
[2005-06-15 23:57:22]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:57:22]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:57:22]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:57:22]NO_PROPOSAL_CHOSEN
[2005-06-15 23:58:54]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:58:54]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:58:54]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:58:54]NO_PROPOSAL_CHOSEN
[2005-06-16 00:00:53]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-16 00:00:53]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-16 00:00:53]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-16 00:00:53]NO_PROPOSAL_CHOSEN

Thanks in advance!

[samir7399]

does the netgear support manual entry of rules?

if yes, perhaps you can enter smthing of this type

source public address,destination public address,traffic all,action-allowed,logging enabled

[The_KiD]

Unfortunately there is no way to manually add rules

Looking at the web logs on the NetGear shows this:

Sat, 2000-01-01 00:00:02 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.68 - [Received DNS request with ID: 1 Src 1026 Dst 53 from SELF]
Sat, 2000-01-01 00:00:07 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.69 - [Received DNS request with ID: 1 Src 1026 Dst 53 from SELF]
Sat, 2000-01-01 00:00:07 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.69 - [Received DNS reply with ID: 1 Src 1026 Dst 53 from WAN]
Thu, 2005-06-16 03:43:40 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1883 Dst 139 from WAN]
Thu, 2005-06-16 03:44:17 - TCP packet - Source: 217.184.121.55 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:44:22 - TCP packet - Source: 217.184.121.55 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:45:32 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1274 Dst 139 from WAN]
Thu, 2005-06-16 03:45:35 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1274 Dst 139 from WAN]
Thu, 2005-06-16 03:46:59 - UDP packet - Source: 222.88.173.5 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 14824 Dst 1026 from WAN]
Thu, 2005-06-16 03:51:12 - TCP packet - Source: 217.218.64.229 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3959 Dst 445 from WAN]
Thu, 2005-06-16 03:51:15 - TCP packet - Source: 217.218.64.229 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3959 Dst 445 from WAN]
Thu, 2005-06-16 03:53:52 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3146 Dst 445 from WAN]
Thu, 2005-06-16 03:53:52 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3147 Dst 445 from WAN]
Thu, 2005-06-16 03:53:55 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3146 Dst 445 from WAN]
Thu, 2005-06-16 03:56:58 - TCP packet - Source: 221.203.229.176 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1070 Dst 135 from WAN]

xxx.xxx.xxx.xxx represents the external IP of the netgear.

Mean anything to you?

Edited by The_KiD, 16 June 2005 - 06:44 AM.

[dsenette]

maybe you should attempt to aquire the same software vpn client as the other branches.

[The_KiD]

lol thats exactly the point!!!


I want to stop using the software client and want to start using these routers instead.

The software client is flakey and isnt an ideal solution.

[dsenette]

ok..now we're on the same page..sorry

[The_KiD]

In case it helps these are the other screens from the softremote client (the one that works).