Need a VPN expert

[red-beard]

I'm trying to get my Android devices to talk to a NETGEAR ProSafe VPN Firewall FVS336GV2.

I have successfully configured two of these VPN gateways to talk to each other. I cannot get my Android devices to connect.

[id10t]

Picking correct vpn settings, encryption types, etc? Key exchange being done properly?

[stealthn]

Have to be WAY more specific; there are a ton of "Android devices" along with their variants of operating systems.

[red-beard]

The android application is pretty sparse. I'm trying to use the NCP client. It doesn't have all of the options that are on my firewall.

Firewall side - (key removed)

Config Removed

[red-beard]

Sorry, took me a few minutes to get the screen shots off the Android device.

[stealthn]

Looks good the only thing I would try to change would be your Group ID Type to Full Qualified Domain on the NCP Client. ID same as the one on the Netgear fvs_remote.com

Bob

[red-beard]

Config Removed

[masraum]

What type of Android device is it, a phone or a random tablet? What version of Android?

My phone, has a vpn client built in, that I've managed to get to connect to my home firewall running ipsec, but then it's a Cisco firewall, and that is what I do for a living. A netgear is a little different.

Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

Are you getting an error message on the Android?

In the netgear, you have "fqdn" selected for the remote identifier, but the client shows ip address and tetralan for the IKE group info. I think the "remote identifier" in the netgear might be the IKE group, but I'm not certain. Those two not agreeing may be the problem.

[masraum]

Quote:

Originally Posted by stealthn

I would try to change would be your Group ID Type to Full Qualified Domain on the NCP Client. ID same as the one on the Netgear fvs_remote.com

Bob

+

Quote:

Originally Posted by red-beard

2013 Jun 26 03:02:58 [FVS336GV2] [IKE] remote configuration for identifier "tetrawest.dyndns-home.com" found_
2013 Jun 26 03:02:58 [FVS336GV2] [IKE] Aggressive mode of 0.0.0.0[500] is not acceptable._

I think Bob is right.

Most IPSec VPN will have 2 sets of usernames and passwords, IKE and IPSec. In this case, because you have xauth disabled, you've only got the one set, and I don't think you have them configured the same.

[red-beard]

Switched to "Main" instead of Aggressive
Client says

VPN Error
VPN Gateway not responding
(waiting for Msg 6)

Firewall side log

2013 Jun 26 03:16:58 [FVS336GV2] [IKE] Received Vendor ID: CISCO-UNITY_
2013 Jun 26 03:16:58 [FVS336GV2] [IKE] Setting DPD Vendor ID_
2013 Jun 26 03:16:59 [FVS336GV2] [IKE] Received Malformed packet of payload length 19394 and total length 64._
2013 Jun 26 03:17:08 [FVS336GV2] [IKE] Received Malformed packet of payload length 8724 and total length 64._
- Last output repeated 2 times -
2013 Jun 26 03:17:26 [FVS336GV2] [IKE] Ignore information because ISAKMP-SA has not been established yet._
2013 Jun 26 03:17:59 [FVS336GV2] [IKE] Phase 1 negotiation failed due to time up for 76.31.194.205[10952]. 2dfeeacb86a5afca:f3549ca129cb446f_

[stealthn]

Strange it says aggressive mode not accepted, when it's set....?

Use mode config on the Netgear and name both ends...

[red-beard]

Quote:

Originally Posted by masraum

What type of Android device is it, a phone or a random tablet? What version of Android?

My phone, has a vpn client built in, that I've managed to get to connect to my home firewall running ipsec, but then it's a Cisco firewall, and that is what I do for a living. A netgear is a little different.

Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

Are you getting an error message on the Android?

In the netgear, you have "fqdn" selected for the remote identifier, but the client shows ip address and tetralan for the IKE group info. I think the "remote identifier" in the netgear might be the IKE group, but I'm not certain. Those two not agreeing may be the problem.

Samsung Galaxy Tab 7.0 Plus, Android 4.0.4

[red-beard]

Quote:

Originally Posted by masraum

Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

I have successfully connected two of these gateways through VPN. In fact, I'm HOME, connecting to the work gateway through the VPN. So it does work. I'm trying to get a client to gateway VPN to work.

[red-beard]

Quote:

Originally Posted by stealthn

Strange it says aggressive mode not accepted, when it's set....?

Use mode config on the Netgear and name both ends...

I switched it to "Main", but the Netgear didn't accept the change, at first. I figured out how to disable it and switch both sides. Now the errors is "MSG 6" on the android side and the VPN log is above.

[stealthn]

No it should be aggressive, main mode is for site to site tunnels.

[red-beard]

OK, somehow the ID type switch, they are both now FQDN.

Still getting error 6, but the gateway log is

Config Removed

[red-beard]

OK, I'll switch them back to aggressive.

[red-beard]

Switched back to aggressive.

Client:

IKE Error (Phase 2)
Lost contact to peer

Gateway

Config Removed

[red-beard]

Looks like we're getting closer...

[red-beard]

I'm guessing I need to select XAUTH.