On 8/20/2010 10:04 PM, Nathan Morrow wrote:
2.

If I try to use the netgear example on the shrew website (ike config
pull), I get

“config message type is invalid for pull config”

in the shrew trace log and

[IKE] ISAKMP-SA established for WORKIP[4500]-REMOTEIP[4500] with
spi:2a66a846b45e6422:7b1231493b23d4cb

[IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]

[IKE] Short payload

in the netgear log.

Not sure what needs to change on the client side to make it a valid config.


I believe another user was experiencing problems with his netgear until
they upgraded the firmware. Are you running the latest version?

I updated to the latest firmware and YES it did help.  I got a connection.  But
read below for the dirt.  Not exactly as in the example.

3.

If I change that mode to “Ike config push” and actually fill in all the
necessary info in the shrew client that was set to auto, it gets much
further, but then I get

resend 1 phase2 packet(s) 192.168.50.132:4500 ->  WORKIP:4500

   in the shrew trace log.  And

No policy found: 192.168.2.5/32[0] 192.168.0.0/24[0] proto=any dir=in
2010 Aug 18 04:16:57 [IKE] Failed to get proposal for
responder.

in the netgear log. Not sure if I am hosing everything with that
change.  But I did get further.

As always, any help is appreciated.  I am running 2.1.6 with DPD turned
off on both ends.


You should definitely be using 'ike config pull' with netgear. They use
the ipsec-tools based racoon daemon. If you still have problems after
upgrading your firmware, try gathering some debug output and sending it
to me directly. I'll have a look.

As stated above, I got the VPN to connect and work.  But not with 'ike config 
pull'.  That still fails with an invalid config message in the shrew trace log. 
 But if I take the exact same configuration and just change it to 'ike config 
push', it actually worked.  Connected with an IP and able to see the internal 
network.

Is there an issue with doing push?
Doesn't make much sense to me since I didn't fill in the rest of the details
(DNS, IP, etc).


No, there is no issue with doing push. I'm just surprised. Netgear is obviously using vastly different firmware for different gateway models. I have an FVS338 in my lab, and it uses ipsec-tools racoon which only supports the ike pull method. But if you are receiving an IP address and DNS settings, it sounds like push is working for you. Go with it :)

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help