
Pelican Parts Forums (http://forums.pelicanparts.com/index.php)
-   Off Topic Discussions (http://forums.pelicanparts.com/forumdisplay.php?f=31)
-   -   Need a VPN expert (http://forums.pelicanparts.com/showthread.php?t=757895)

red-beard 06-25-2013 02:38 PM

Need a VPN expert
 
I'm trying to get my Android devices to talk to a NETGEAR ProSafe VPN Firewall FVS336GV2.

I have successfully configured two of these VPN gateways to talk to each other. I cannot get my Android devices to connect.

id10t 06-25-2013 07:00 PM

Picking correct vpn settings, encryption types, etc? Key exchange being done properly?

stealthn 06-25-2013 07:12 PM

Have to be WAY more specific; there are a ton of "Android devices" along with their variants of operating systems.

red-beard 06-25-2013 07:34 PM

The Android application is pretty sparse. I'm trying to use the NCP client. It doesn't have all of the options that are on my firewall.

Firewall side - (key removed)

Config Removed

red-beard 06-25-2013 07:39 PM

Sorry, took me a few minutes to get the screen shots off the Android device.

stealthn 06-25-2013 07:58 PM

Looks good. The only thing I would try to change would be your Group ID Type to Full Qualified Domain on the NCP client, with the ID the same as the one on the Netgear, fvs_remote.com.

Bob

red-beard 06-25-2013 08:06 PM

Config Removed

masraum 06-25-2013 08:07 PM

What type of Android device is it, a phone or a random tablet? What version of Android?

My phone has a VPN client built in that I've managed to get to connect to my home firewall running IPsec, but then it's a Cisco firewall, and that is what I do for a living. A Netgear is a little different.

Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

Are you getting an error message on the Android?

In the netgear, you have "fqdn" selected for the remote identifier, but the client shows ip address and tetralan for the IKE group info. I think the "remote identifier" in the netgear might be the IKE group, but I'm not certain. Those two not agreeing may be the problem.

masraum 06-25-2013 08:10 PM

Quote:

Originally Posted by stealthn (Post 7516495)
I would try to change your Group ID Type to Full Qualified Domain on the NCP client, with the ID the same as the one on the Netgear, fvs_remote.com.

Bob

+
Quote:

Originally Posted by red-beard (Post 7516511)
2013 Jun 26 03:02:58 [FVS336GV2] [IKE] remote configuration for identifier "tetrawest.dyndns-home.com" found
2013 Jun 26 03:02:58 [FVS336GV2] [IKE] Aggressive mode of 0.0.0.0[500] is not acceptable.

I think Bob is right.

Most IPsec VPNs will have two sets of usernames and passwords, IKE and IPsec. In this case, because you have XAUTH disabled, you've only got the one set, and I don't think you have them configured the same.

red-beard 06-25-2013 08:19 PM

Switched to "Main" instead of Aggressive
Client says

VPN Error
VPN Gateway not responding
(waiting for Msg 6)

Firewall side log

2013 Jun 26 03:16:58 [FVS336GV2] [IKE] Received Vendor ID: CISCO-UNITY
2013 Jun 26 03:16:58 [FVS336GV2] [IKE] Setting DPD Vendor ID
2013 Jun 26 03:16:59 [FVS336GV2] [IKE] Received Malformed packet of payload length 19394 and total length 64.
2013 Jun 26 03:17:08 [FVS336GV2] [IKE] Received Malformed packet of payload length 8724 and total length 64.
- Last output repeated 2 times -
2013 Jun 26 03:17:26 [FVS336GV2] [IKE] Ignore information because ISAKMP-SA has not been established yet.
2013 Jun 26 03:17:59 [FVS336GV2] [IKE] Phase 1 negotiation failed due to time up for 76.31.194.205[10952]. 2dfeeacb86a5afca:f3549ca129cb446f
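The two things this thread is doing by hand, checking that both ends of the phase-1 exchange agree (mode, identifier type and value, XAUTH) and reading the gateway's [IKE] log to see where the negotiation dies, can be scripted. The block below is an added example written for this page; it is not code from the thread, from NETGEAR or from NCP. Its log patterns are taken only from the FVS336GV2 lines quoted in this thread, so any other message text falls through as "other". The rule that a PSK main-mode responder can only pick the key by the initiator's source address, so a dynamic-IP client needs aggressive mode, is general IKEv1 behaviour stated as an assumption, not something the thread says. fvs_remote.com is the remote ID named above; fvs_local.com, 192.0.2.10 and 203.0.113.5 are made up for the example.

```python
"""IKEv1 phase-1 troubleshooting helpers for a gateway / road-warrior pair.
Example code written for this thread, not NETGEAR or NCP software."""
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class IkePeer:
    name: str
    mode: str                   # "main" or "aggressive"
    local_id: tuple[str, str]   # (type, value) this side sends, e.g. ("fqdn", "fvs_remote.com")
    remote_id: tuple[str, str]  # (type, value) this side expects from the peer
    xauth: bool                 # extended (user/password) authentication on or off
    dynamic_ip: bool = False    # client with no fixed public address

def check_phase1(gateway: IkePeer, client: IkePeer) -> list[str]:
    """List the phase-1 settings on which the two sides disagree (PSK assumed).
    With PSK in main mode the responder can only pick the key by the initiator's
    source IP, so a dynamic-address client needs aggressive mode (general IKEv1
    behaviour, assumed here rather than taken from the thread)."""
    problems = []
    if gateway.mode != client.mode:
        problems.append(f"mode: {gateway.name}={gateway.mode}, {client.name}={client.mode}")
    if gateway.remote_id != client.local_id:
        problems.append(f"{gateway.name} expects {gateway.remote_id}, {client.name} sends {client.local_id}")
    if client.remote_id != gateway.local_id:
        problems.append(f"{client.name} expects {client.remote_id}, {gateway.name} sends {gateway.local_id}")
    if gateway.xauth != client.xauth:
        problems.append(f"xauth: {gateway.name}={gateway.xauth}, {client.name}={client.xauth}")
    if gateway.mode == "main" and client.dynamic_ip:
        problems.append("main mode with a dynamic-IP PSK client: responder cannot select the PSK; use aggressive mode")
    return problems

LOG_LINE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
                      r"\[(?P<host>[^\]]+)\] \[(?P<module>[^\]]+)\] (?P<msg>.*)$")
REPEAT = re.compile(r"^- Last output repeated (?P<n>\d+) times -$")
# Message texts seen in the FVS336GV2 log quoted in the thread; first match wins.
IKE_PATTERNS = [
    (re.compile(r'remote configuration for identifier "(?P<ident>[^"]+)" found'), "peer-config-matched"),
    (re.compile(r"(?P<mode>Aggressive|Main) mode of (?P<peer>\S+) is not acceptable"), "mode-rejected"),
    (re.compile(r"Received Malformed packet of payload length (?P<plen>\d+)"), "malformed-packet"),
    (re.compile(r"Ignore information because ISAKMP-SA has not been established"), "info-before-sa"),
    (re.compile(r"Phase 1 negotiation failed due to time up for (?P<peer>\S+?)\.?(?=\s|$)"), "phase1-timeout"),
]

def classify_ike_log(lines: list[str]) -> list[tuple[str, str, dict]]:
    """Tag each [IKE] line as (timestamp, tag, captured fields); a repeat marker re-emits the last event."""
    events: list[tuple[str, str, dict]] = []
    for raw in lines:
        line = raw.strip()
        rep = REPEAT.match(line)
        if rep and events:
            events.extend([events[-1]] * int(rep["n"]))
            continue
        m = LOG_LINE.match(line)
        if not m or m["module"] != "IKE":
            continue
        tag, detail = "other", {}
        for rx, name in IKE_PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                tag, detail = name, hit.groupdict()
                break
        events.append((m["ts"], tag, detail))
    return events

def phase1_verdict(events: list[tuple[str, str, dict]]) -> str:
    """Heuristic one-line reading of the tagged events."""
    tags = Counter(tag for _, tag, _ in events)
    if tags["mode-rejected"]:
        return "exchange mode mismatch: gateway rejected the mode the client proposed"
    if tags["phase1-timeout"] and tags["malformed-packet"]:
        return "phase 1 timed out after undecodable packets: wrong PSK or wrong peer selection suspected"
    if tags["phase1-timeout"]:
        return "phase 1 timed out with no usable proposal from the peer"
    if tags["peer-config-matched"]:
        return "phase 1 peer matched; look at phase 2 and XAUTH next"
    return "no phase-1 failure indicator found"

# Constructed sample input: the gateway log quoted in the thread, with the
# client's public address replaced by a documentation address.
SAMPLE_AGGRESSIVE = [
    '2013 Jun 26 03:02:58 [FVS336GV2] [IKE] remote configuration for identifier "tetrawest.dyndns-home.com" found',
    "2013 Jun 26 03:02:58 [FVS336GV2] [IKE] Aggressive mode of 0.0.0.0[500] is not acceptable.",
]
SAMPLE_MAIN = [
    "2013 Jun 26 03:16:58 [FVS336GV2] [IKE] Received Vendor ID: CISCO-UNITY",
    "2013 Jun 26 03:16:59 [FVS336GV2] [IKE] Received Malformed packet of payload length 19394 and total length 64.",
    "2013 Jun 26 03:17:08 [FVS336GV2] [IKE] Received Malformed packet of payload length 8724 and total length 64.",
    "- Last output repeated 2 times -",
    "2013 Jun 26 03:17:26 [FVS336GV2] [IKE] Ignore information because ISAKMP-SA has not been established yet.",
    "2013 Jun 26 03:17:59 [FVS336GV2] [IKE] Phase 1 negotiation failed due to time up for 203.0.113.5[10952]. 2dfeeacb86a5afca:f3549ca129cb446f",
]
# Hypothetical settings: fvs_remote.com is the remote ID named in the thread;
# fvs_local.com and 192.0.2.10 are made up for the example.
GATEWAY = IkePeer("FVS336GV2", "aggressive", ("fqdn", "fvs_local.com"), ("fqdn", "fvs_remote.com"), xauth=False)
CLIENT_IP_ID = IkePeer("NCP client", "aggressive", ("ip", "192.0.2.10"), ("fqdn", "fvs_local.com"), xauth=False, dynamic_ip=True)
CLIENT_FQDN_ID = IkePeer("NCP client", "aggressive", ("fqdn", "fvs_remote.com"), ("fqdn", "fvs_local.com"), xauth=False, dynamic_ip=True)
```

Running `check_phase1(GATEWAY, CLIENT_IP_ID)` reports the one identifier mismatch the thread is chasing (gateway expects an FQDN, client sends an IP-type ID), and it comes back empty once the client is switched to the FQDN ID. Feeding the two quoted log excerpts to `phase1_verdict(classify_ike_log(...))` gives the mode-mismatch verdict for the first and the timeout-after-malformed-packets verdict for the second, which is the main-mode run that stalled at "waiting for Msg 6".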

stealthn 06-25-2013 08:19 PM

Strange that it says aggressive mode not accepted when it's set...?

Use mode config on the Netgear and name both ends...

red-beard 06-25-2013 08:20 PM

Quote:

Originally Posted by masraum (Post 7516512)
What type of Android device is it, a phone or a random tablet? What version of Android?

My phone has a VPN client built in that I've managed to get to connect to my home firewall running IPsec, but then it's a Cisco firewall, and that is what I do for a living. A Netgear is a little different.

Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

Are you getting an error message on the Android?

In the netgear, you have "fqdn" selected for the remote identifier, but the client shows ip address and tetralan for the IKE group info. I think the "remote identifier" in the netgear might be the IKE group, but I'm not certain. Those two not agreeing may be the problem.

Samsung Galaxy Tab 7.0 Plus, Android 4.0.4

red-beard 06-25-2013 08:23 PM

Quote:

Originally Posted by masraum (Post 7516512)
Can you get anything else to connect to the firewall? It would be nice to confirm that something can connect to the firewall before a lot of time is spent troubleshooting the Android.

I have successfully connected two of these gateways through VPN. In fact, I'm HOME, connecting to the work gateway through the VPN. So it does work. I'm trying to get a client to gateway VPN to work.

red-beard 06-25-2013 08:26 PM

Quote:

Originally Posted by stealthn (Post 7516530)
Strange that it says aggressive mode not accepted when it's set...?

Use mode config on the Netgear and name both ends...

I switched it to "Main", but the Netgear didn't accept the change at first. I figured out how to disable it and switch both sides. Now the error is "MSG 6" on the Android side, and the VPN log is above.

stealthn 06-25-2013 08:28 PM

No it should be aggressive, main mode is for site to site tunnels.

red-beard 06-25-2013 08:31 PM

OK, somehow the ID types switched; they are both now FQDN.

Still getting error 6, but the gateway log is

Config Removed

red-beard 06-25-2013 08:32 PM

OK, I'll switch them back to aggressive.

red-beard 06-25-2013 08:35 PM

Switched back to aggressive.

Client:

IKE Error (Phase 2)
Lost contact to peer

Gateway

Config Removed

red-beard 06-25-2013 08:37 PM

Looks like we're getting closer...

red-beard 06-25-2013 08:39 PM

I'm guessing I need to select XAUTH.

