VPN Problems

#1 The_KiD (Member, 94 posts)
Hey all, I have yet another VPN issue that is confusing the fudge out of me!

I am trying to use a Netgear FVS318 Prosafe VPN Firewall/Router to create a connection between a branch ADSL connection and our head office.

We currently do this using one machine as a gateway at the branch, with Safenet SoftRemote software loaded on it. This creates the connection to our Head Office. This works well, apart from the fact that if something goes wrong with the gateway machine, none of the machines at that branch can connect.

So I decided to look into VPN routers and use those instead.

I have set up the VPN connection on the Netgear control panel and have done it right (I think), or at least it all looks right.

Now when I go to the VPN status window on the Netgear it shows the following:

Phase 1: M-ESTABLISHED / Phase 2: ESTABLISHED


Which to me seems like a good thing :tazz:, yet I am unable to browse the Head Office LAN or connect to any services on the LAN.

If I look in the log for the Netgear it shows this:

[2005-06-08 02:25:16]**** SENT OUT  FIRST MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: SA
[2005-06-08 02:25:16]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: SA
[2005-06-08 02:25:16]**** SENT OUT  THIRD MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: KE
[2005-06-08 02:25:16]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:16]<POLICY: 1CAR1vpn> PAYLOADS: KE
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: ID
[2005-06-08 02:25:17]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: ID
[2005-06-08 02:25:17]**** MAIN MODE COMPLETED ****
[2005-06-08 02:25:17]<POLICY: 1CAR1vpn> PAYLOADS: HASH
[2005-06-08 02:25:17]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-08 02:25:17]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-08 02:25:17]NO_PROPOSAL_CHOSEN


Which again to me looks good, apart from the last line, which says "NO_PROPOSAL_CHOSEN", but I am at a loss as to what to do to make it connect.

I cannot ping addresses on the Head Office LAN; I basically cannot see the Head Office LAN at all, even though all looks good.

Any ideas?
  • 0


#2 The_KiD (Topic Starter, Member, 94 posts)
OK, a little more info!

After looking through the logs on the Head Office firewall, which the Netgear is trying to make the connection with, I am seeing this:

2005/06/08 12:47:11: Source: 255.255.255.255 Dest: (Netgear External IP) Cookies: (2 sets of 16 character long letters and numbers), Sequence: 0 Description: SA proposal not accepted


Hope this sheds some light on the problem.
  • 0

#3 dsenette (Je suis Napoléon!; Administrator, MVP, 26,019 posts)
I honestly don't have much of a clue, but from that last message I wonder if the SA proposal has anything to do with DNS (start of authority), though that usually would be SOA, but you never know with other software. I only have experience with Cisco VPNs, so they are different (i.e. easier). It could be an authentication problem as well.
  • 0

#4 The_KiD (Topic Starter, Member, 94 posts)
OK, so this problem is still ongoing and it is driving me nutty :tazz:

This is what I have discovered so far: "NO_PROPOSAL_CHOSEN" effectively means that the Netgear box and the Cyberguard (the head office firewall) cannot agree which authentication protocol to use.

However, as I said, we have 70+ branches, all of which are connecting to the VPN fine. They however use a software client called Safenet SoftRemote, which you may have seen/heard of.

These are the settings from the Safenet client which work:

[screenshot: phase 1 settings (image not included)]

[screenshot: phase 2 settings (image not included)]

Now I have tried matching the Netgear settings to that, but it just doesn't seem to go. Am I missing something?

Here are the latest Netgear settings as I have them now:

[screenshot: IKE Policy (image not included)]

[screenshot: VPN Policy (image not included)]

I have hidden certain parts to make sure I don't accidentally give out details about our LAN/VPN.

I hope you can spot something here as I am totally confused.

Here is a copy of what shows in the Netgear VPN status log:

[2005-06-15 23:49:51]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: ID
[2005-06-15 23:49:51]**** MAIN MODE COMPLETED ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:49:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:49:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:49:51]NO_PROPOSAL_CHOSEN
[2005-06-15 23:51:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:51:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:51:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:51:51]NO_PROPOSAL_CHOSEN
[2005-06-15 23:53:23]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:53:23]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:53:23]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:53:23]NO_PROPOSAL_CHOSEN
[2005-06-15 23:55:22]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:55:22]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:55:22]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:55:22]NO_PROPOSAL_CHOSEN
[2005-06-15 23:57:22]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:57:22]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:57:22]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:57:22]NO_PROPOSAL_CHOSEN
[2005-06-15 23:58:54]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:58:54]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:58:54]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:58:54]NO_PROPOSAL_CHOSEN
[2005-06-16 00:00:53]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-16 00:00:53]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-16 00:00:53]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-16 00:00:53]NO_PROPOSAL_CHOSEN


Thanks in advance!
  • 0
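The two Netgear status logs in this thread (posts #1 and #4) carry a detail worth reading mechanically rather than by eye: "MAIN MODE COMPLETED" appears before every NO_PROPOSAL_CHOSEN, so the IKE phase 1 proposal (encryption, hash, DH group, authentication method, pre-shared key) was accepted by the head-office firewall, and the proposal it keeps refusing is the Quick Mode one, i.e. the phase 2 IPsec SA. The following is an added example, not the poster's or Netgear's code: it parses lines in the format of the FVS318 VPN status log, tracks which phase each rejection arrived in, and returns the matching checklist. The sample log is constructed from the format shown in the thread; the checklists are general IKEv1 parameters, and the note that many gateways also answer NO_PROPOSAL_CHOSEN when the local/remote subnets in the VPN policy do not match their own is a practitioner's caveat, not something the thread states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the Netgear FVS318 VPN status log
# quoted in the thread: Main Mode (IKE phase 1) completes, the first
# Quick Mode (phase 2) message goes out, and the peer replies with an
# informational NO_PROPOSAL_CHOSEN notification; two minutes later the
# router retries and gets the same answer.
SAMPLE_LOG = """\
[2005-06-15 23:49:51]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: ID
[2005-06-15 23:49:51]**** MAIN MODE COMPLETED ****
[2005-06-15 23:49:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:49:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:49:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:49:51]NO_PROPOSAL_CHOSEN
[2005-06-15 23:51:51]<POLICY: 1car1vpn> PAYLOADS: HASH
[2005-06-15 23:51:51]**** SENT OUT  FIRST MESSAGE OF QUICK MODE ****
[2005-06-15 23:51:51]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
[2005-06-15 23:51:51]NO_PROPOSAL_CHOSEN
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\](?P<msg>.*)$")
POLICY_RE = re.compile(r"^<POLICY: (?P<name>[^>]+)>")

# Parameters both IKEv1 peers must agree on in each phase (general IKEv1
# facts, not taken from the thread). NO_PROPOSAL_CHOSEN means the responder
# found nothing acceptable in the proposal it was sent for that phase.
PHASE1_CHECKLIST = [
    "IKE encryption algorithm (e.g. DES vs 3DES vs AES)",
    "IKE hash algorithm (MD5 vs SHA-1)",
    "Diffie-Hellman group",
    "authentication method, pre-shared key and identity type (IP vs FQDN)",
    "IKE SA lifetime",
]
PHASE2_CHECKLIST = [
    "ESP encryption algorithm",
    "ESP authentication algorithm",
    "perfect forward secrecy on/off and its DH group",
    "IPsec SA lifetime",
    "local/remote subnets in the VPN policy (many gateways refuse the "
    "proposal when these do not match their own policy)",
]


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, message) pairs; lines not in the expected format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("ts"), m.group("msg").strip()))
    return events


def diagnose(text: str) -> Dict[str, object]:
    """Walk the log in order and record in which IKE phase each NO_PROPOSAL_CHOSEN arrived."""
    events = parse_log(text)
    phase = 1                      # until Main Mode completes we are in phase 1
    rejections: List[Tuple[str, int]] = []
    policies = set()
    for ts, msg in events:
        pm = POLICY_RE.match(msg)
        if pm:
            policies.add(pm.group("name"))
        if "FIRST MESSAGE OF MAIN MODE" in msg:
            phase = 1              # a fresh IKE negotiation has started
        elif "MAIN MODE COMPLETED" in msg:
            phase = 2              # IKE SA is up; what follows is Quick Mode
        elif msg == "NO_PROPOSAL_CHOSEN":
            rejections.append((ts, phase))
    failed_phase = rejections[-1][1] if rejections else 0
    return {
        "policies": sorted(policies),
        "attempts": len(rejections),
        "first_rejection": rejections[0][0] if rejections else None,
        "failed_phase": failed_phase,
        "checklist": {0: [], 1: PHASE1_CHECKLIST, 2: PHASE2_CHECKLIST}[failed_phase],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"policy {result['policies']}: {result['attempts']} rejection(s), "
          f"first at {result['first_rejection']}, phase {result['failed_phase']} proposal refused")
    for item in result["checklist"]:
        print("  check:", item)
```

Run against the thread's log this reports phase 2 with two retries; had the firewall objected to the authentication settings, the rejection would have arrived before "MAIN MODE COMPLETED" and the phase 1 checklist would come back instead.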

#5 samir7399 (Member, 13 posts)
Does the Netgear support manual entry of rules?

If yes, perhaps you can enter something of this type:

source public address, destination public address, traffic all, action allowed, logging enabled
  • 0

#6 The_KiD (Topic Starter, Member, 94 posts)
Unfortunately there is no way to manually add rules :tazz:

Looking at the web logs on the Netgear shows this:

Sat, 2000-01-01 00:00:02 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.68 - [Received DNS request with ID: 1 Src 1026 Dst 53 from SELF]
Sat, 2000-01-01 00:00:07 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.69 - [Received DNS request with ID: 1 Src 1026 Dst 53 from SELF]
Sat, 2000-01-01 00:00:07 - UDP packet - Source: xxx.xxx.xxx.xxx - Destination: 194.74.65.69 - [Received DNS reply with ID: 1 Src 1026 Dst 53 from WAN]
Thu, 2005-06-16 03:43:40 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1883 Dst 139 from WAN]
Thu, 2005-06-16 03:44:17 - TCP packet - Source: 217.184.121.55 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:44:22 - TCP packet - Source: 217.184.121.55 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:45:32 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1274 Dst 139 from WAN]
Thu, 2005-06-16 03:45:35 - TCP packet - Source: 217.37.250.171 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1274 Dst 139 from WAN]
Thu, 2005-06-16 03:46:59 - UDP packet - Source: 222.88.173.5 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 14824 Dst 1026 from WAN]
Thu, 2005-06-16 03:51:12 - TCP packet - Source: 217.218.64.229 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3959 Dst 445 from WAN]
Thu, 2005-06-16 03:51:15 - TCP packet - Source: 217.218.64.229 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3959 Dst 445 from WAN]
Thu, 2005-06-16 03:53:52 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3146 Dst 445 from WAN]
Thu, 2005-06-16 03:53:52 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3147 Dst 445 from WAN]
Thu, 2005-06-16 03:53:55 - TCP packet - Source: 217.43.204.117 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 3146 Dst 445 from WAN]
Thu, 2005-06-16 03:56:58 - TCP packet - Source: 221.203.229.176 - Destination: xxx.xxx.xxx.xxx - [Access Policy not found, dropping packet Src 1070 Dst 135 from WAN]

xxx.xxx.xxx.xxx represents the external IP of the Netgear.

Does this mean anything to you?

Edited by The_KiD, 16 June 2005 - 06:44 AM.

  • 0
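The web log in post #6 is easier to judge once it is summarised by destination port: the "Access Policy not found, dropping packet" entries are unsolicited inbound TCP connections from the Internet to 135 (Windows RPC), 139 (NetBIOS session) and 445 (SMB), which the router is correctly dropping, and nothing in it touches UDP 500 (IKE) or 4500 (NAT-T), so these lines do not explain the VPN failure. The entries dated 2000-01-01 are from before the router had synchronised its clock. The following is an added example, not the poster's or Netgear's code; the sample lines are constructed in the format the post shows, with RFC 5737 documentation addresses in place of the real ones (203.0.113.10 stands for the router's WAN address).

```python
import re
from collections import Counter
from typing import Dict

# Constructed sample lines in the format of the Netgear web log quoted in the
# thread (documentation-range addresses; 203.0.113.10 = the router's WAN side).
SAMPLE_WEB_LOG = """\
Sat, 2000-01-01 00:00:02 - UDP packet - Source: 203.0.113.10 - Destination: 198.51.100.5 - [Received DNS request with ID: 1 Src 1026 Dst 53 from SELF]
Thu, 2005-06-16 03:43:40 - TCP packet - Source: 192.0.2.7 - Destination: 203.0.113.10 - [Access Policy not found, dropping packet Src 1883 Dst 139 from WAN]
Thu, 2005-06-16 03:44:17 - TCP packet - Source: 192.0.2.8 - Destination: 203.0.113.10 - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:44:22 - TCP packet - Source: 192.0.2.8 - Destination: 203.0.113.10 - [Access Policy not found, dropping packet Src 3675 Dst 445 from WAN]
Thu, 2005-06-16 03:46:59 - UDP packet - Source: 192.0.2.9 - Destination: 203.0.113.10 - [Access Policy not found, dropping packet Src 14824 Dst 1026 from WAN]
Thu, 2005-06-16 03:56:58 - TCP packet - Source: 192.0.2.10 - Destination: 203.0.113.10 - [Access Policy not found, dropping packet Src 1070 Dst 135 from WAN]
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<year>\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - "
    r"(?P<proto>TCP|UDP) packet - Source: (?P<src>\S+) - Destination: (?P<dst>\S+) - "
    r"\[(?P<detail>[^\]]*)\]$"
)
DROP_RE = re.compile(r"dropping packet Src (?P<sport>\d+) Dst (?P<dport>\d+) from (?P<iface>\w+)")

# UDP ports used by IKE and NAT-T; an inbound WAN drop on these would mean the
# remote VPN peer's traffic is being blocked by the router itself.
VPN_UDP_PORTS = {500, 4500}

# Well-known Windows service ports that Internet background scanning hits constantly.
WINDOWS_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}


def summarize_drops(text: str) -> Dict[str, object]:
    """Count WAN-side drops per destination port and flag anything VPN-related."""
    by_dport: Counter = Counter()
    sources = set()
    vpn_related = False
    unsynced_clock = False
    parsed = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        parsed += 1
        if m.group("year") == "2000":
            unsynced_clock = True          # router logged before its clock was set
        d = DROP_RE.search(m.group("detail"))
        if not d or d.group("iface") != "WAN":
            continue                       # not an inbound drop (e.g. the router's own DNS)
        dport = int(d.group("dport"))
        by_dport[dport] += 1
        sources.add(m.group("src"))
        if m.group("proto") == "UDP" and dport in VPN_UDP_PORTS:
            vpn_related = True
    return {
        "lines_parsed": parsed,
        "drops_by_dport": dict(by_dport),
        "distinct_sources": len(sources),
        "windows_probe_drops": sum(n for p, n in by_dport.items() if p in WINDOWS_PORTS),
        "vpn_related": vpn_related,
        "unsynced_clock": unsynced_clock,
    }


if __name__ == "__main__":
    s = summarize_drops(SAMPLE_WEB_LOG)
    for port, n in sorted(s["drops_by_dport"].items()):
        print(f"dst {port:5d} ({WINDOWS_PORTS.get(port, 'other')}): {n} dropped")
    print("VPN traffic being dropped:", s["vpn_related"])
```

If the same summary ever did show UDP 500 or 4500 drops from WAN, that would be a router-side block worth fixing before touching the IKE proposals; on this log it does not, which points back at the phase 2 policy mismatch.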

#7 dsenette (Je suis Napoléon!; Administrator, MVP, 26,019 posts)
Maybe you should attempt to acquire the same software VPN client as the other branches.
  • 0

#8 The_KiD (Topic Starter, Member, 94 posts)
lol, that's exactly the point!!!

I want to stop using the software client and want to start using these routers instead.

The software client is flaky and isn't an ideal solution.
  • 0

#9 dsenette (Je suis Napoléon!; Administrator, MVP, 26,019 posts)
OK, now we're on the same page. Sorry.
  • 0

#10 The_KiD (Topic Starter, Member, 94 posts)
In case it helps, these are the other screens from the SoftRemote client (the one that works).

[screenshots: two further SoftRemote client settings screens (images not included)]
  • 0