Cisco 871 and Netgear FVS338 VPN connection - what am I missing?

robo456
Hi! I've been trying to get a VPN connection up between a Cisco 871 and a Netgear FVS338 for several days now with no luck. Below are the configs from both routers. (I've replaced the IP addresses and password fields.)

I have four Netgear routers (318 and 338's) and all of their VPNs work flawlessly; it's just the Cisco driving me crazy.

I went through the Cisco's SDM for the site-to-site VPN config. I went through each of the IPsec and IKE fields afterwards to double-check everything and it seemed OK.

The only thing I can think of... is the VPN supposed to be configured to use the VLAN1 (internal LAN) interface or the FastEthernet4 (WAN IP)? I have tried it both ways, but it seems the FastEthernet4 interface is the correct one to use. I had SDM create all the firewall entries. Do I need to create additional static routes?

I found an Excel template on this site, "Cisco IOS IPSEC template", and one thing I noticed (not sure if it was a typo or not) was that it specified group 2 as 768-bit versus 1024-bit.

Thank you for ANY input... if any additional info is needed, just write and I'll respond ASAP.

--rob


Netgear's VPN log:
2007-05-17 09:58:10: INFO: accept a request to establish IKE-SA: 69.249.84.34
2007-05-17 09:58:10: INFO: Configuration found for 69.249.84.34.
2007-05-17 09:58:10: INFO: Initiating new phase 1 negotiation: 69.253.68.146[500]<=>69.249.84.34[500]
2007-05-17 09:58:10: INFO: Beginning Identity Protection mode.
2007-05-17 09:58:11: INFO: Received Vendor ID: CISCO-UNITY
2007-05-17 09:58:11: INFO: Received unknown Vendor ID
2007-05-17 09:58:11: INFO: Received unknown Vendor ID
2007-05-17 09:58:11: INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2007-05-17 09:58:11: INFO: ISAKMP-SA established for LOCAL WAN IP[500]-REMOTE WAN IP[500] with spi:f1ed2ddf353e4c38:d0cd78f24f0bc815
2007-05-17 09:58:11: INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2007-05-17 09:58:12: INFO: Initiating new phase 2 negotiation: LOCAL WAN IP[500]<=>REMOTE WAN IP[0]
2007-05-17 09:58:12: ERROR: Unknown notify message from REMOTE WAN IP[500].No phase2 handle found.
2007-05-17 09:58:42: ERROR: Giving up on REMOTE WAN IP to set up IPsec-SA due to time up
2007-05-17 09:58:49: INFO: Responding to new phase 2 negotiation: LOCAL WAN IP[0]<=>REMOTE WAN IP[0]
2007-05-17 09:58:49: ERROR: Failed to get IPsec SA configuration for: 192.168.100.0/24<->10.119.69.0/24 from REMOTE WAN IP/32[500]


Netgear FVS338 (192.168.100.200)

"VPN POLICY"

Auto Policy
remote endpoint : ip address

Traffic Selection
local ip range
remote ip range

-------------------------------------------

"AUTO POLICY PARAMETERS"

SA Lifetime : 3600 sec
Encryption Algorithm : 3DES
Integrity Algorithm : SHA-1

PFS Key Group : DH Group 2 (1024 bit)

-------------------------------------------

"IKE POLICY"

Direction / Type : both
Exchange Mode : main

Local Identifier Type : Local WAN IP
Remote Identifier Type : Remote WAN IP

"IKE SA PARAMETERS"

Encryption Algorithm : 3DES
Authentication Algorithm : SHA-1
Authentication Method : Pre-Shared
Diffie-Hellman (DH) Group : Group 2 (1024 bit)
SA Lifetime : 2800 sec

XAUTH Config : None


=====================================================
=====================================================


Cisco 871 (IOS 12.4(4)T1 and SDM v2.3.3) (10.119.69.200)

Here is the running-config:


Building configuration...

Current configuration : 7040 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 (blah blah)
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 pcanywheredata
ip inspect name DEFAULT100 pcanywherestat
ip tcp synwait-time 10
no ip bootp server
ip domain name (blah.com)
ip name-server 10.119.69.100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1410502436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1410502436
revocation-check none
rsakeypair TP-self-signed-1410502436
!
!
crypto pki certificate chain TP-self-signed-1410502436
certificate self-signed 01
quit
username admin privilege 15 secret 5 (blah blah)
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key (KEY HERE) address (REMOTE IP ADDRESS) no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toREMOTE IP ADDRESS
set peer REMOTE IP ADDRESS
set transform-set ESP-3DES-SHA
set pfs group2
match address 102
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.119.69.200 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static tcp 10.119.69.200 80 interface FastEthernet4 80
ip nat inside source static udp 10.119.69.100 5632 interface FastEthernet4 5632
ip nat inside source static tcp 10.119.69.100 5631 interface FastEthernet4 5631
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.119.69.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.119.69.100 eq domain any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.119.69.0 0.0.0.255
access-list 101 permit udp host REMOTE IP ADDRESS any eq non500-isakmp
access-list 101 permit udp host REMOTE IP ADDRESS any eq isakmp
access-list 101 permit esp host REMOTE IP ADDRESS any
access-list 101 permit ahp host REMOTE IP ADDRESS any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq 5632
access-list 101 permit tcp any any eq 5631
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.119.69.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.119.69.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 permit ip 10.119.69.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
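As an added example (not code from the thread, Cisco or Netgear), here is a Python check that pulls the phase 1, phase 2 and crypto-ACL settings out of the posted IOS config and compares them with the Netgear policy values, including whether the two sides' traffic selectors mirror each other. The config excerpt and the Netgear values are taken from the post above; the parsing helpers and the IOS defaults used for absent lines are my own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the Cisco 871 running-config posted above (placeholders left out).
CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
access-list 102 permit ip 10.119.69.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
# Netgear FVS338 IKE and VPN policy values as listed in the post.
NETGEAR = {"ike_encr": "3des", "ike_hash": "sha", "ike_group": 2, "esp_encr": "3des",
           "esp_auth": "sha", "pfs_group": 2, "local": "192.168.100.0/24", "remote": "10.119.69.0/24"}

def wildcard_to_net(addr, wild):
    # IOS ACLs use inverse masks: 0.0.0.255 means a /24
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_cisco(cfg):
    """Extract phase 1, phase 2 and crypto-ACL settings; IOS defaults fill absent lines."""
    def first(pattern, default=None):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else default
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg)
    acl = first(r"^\s*match address (\d+)")
    sel = re.search(rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    pfs = first(r"^\s*set pfs group(\d+)")
    return {"ike_encr": first(r"^\s*encr (\S+)", "des"),      # IOS default: DES
            "ike_hash": first(r"^\s*hash (\S+)", "sha"),       # IOS default: SHA-1
            "ike_group": int(first(r"^\s*group (\d+)", "1")),  # IOS default: group 1
            "esp_encr": ts.group(1), "esp_auth": ts.group(2),
            "pfs_group": int(pfs) if pfs else None,
            "local": wildcard_to_net(sel.group(1), sel.group(2)),
            "remote": wildcard_to_net(sel.group(3), sel.group(4))}

def mismatches(cisco, netgear):
    keys = ("ike_encr", "ike_hash", "ike_group", "esp_encr", "esp_auth", "pfs_group")
    out = [f"{k}: cisco={cisco[k]} netgear={netgear[k]}" for k in keys if cisco[k] != netgear[k]]
    # Phase 2 proxy IDs must mirror: Cisco's local subnet is the Netgear's remote, and vice versa
    want = (ipaddress.ip_network(netgear["remote"]), ipaddress.ip_network(netgear["local"]))
    if (cisco["local"], cisco["remote"]) != want:
        out.append(f"selectors not mirrored: cisco {cisco['local']}->{cisco['remote']}")
    return out
```

An empty list means the parameters the two boxes negotiate on paper agree, which is the case for the values posted here; the check does not cover lifetimes, identifiers or the pre-shared key.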
p.adaktylos

hi rob,
we have nearly the same problem here.
we use a Netgear FVS338 (fw. 2.1.2-7) in our company and just configured a Cisco 871 (fw. 12.4(4)T7) for a customer. The IPsec tunnel between the sites opens up initially, but if the tunnel is closed (e.g. one router reboots) it doesn't reopen. We used the settings from www.vpnc.org. These should work but they don't...
any progress on your side?
greetings

philipp

gp1200x

I think the problem is the Netgear... I see the same thing... Usually what you will see is that if the Cisco is rebooted, the Netgear does not recognize the tunnel dropped and keeps repeating packets to the Cisco; eventually it will reset when the IKE times out. Or play with settings on keepalives, but with a fast-booting ASA the keepalives will also not be short enough... so again the Netgear thinks the tunnel is still active and keeps retransmitting. I know the issue is the Netgear and not the Ciscos.

pmjm

May not be quite the same problem, but I was trying for days to get a Netgear 338 <-> WatchGuard Edge VPN up. The Phase 2 error is due to the encryption negotiation failing. All the obvious settings were the same (e.g. Diffie-H Class 2, key, etc.) but eventually I found the SA timers default to different values in the Netgear versus WatchGuard kit. Change them both to 3600 secs / 60 minutes and bingo, it's up. Had to reboot the WatchGuard to get it to use the new value. Good luck.

douglasbuster

I went through this recently with a Netgear FVS338 and a Cisco 857.

The solution for me was on the Netgear side. The Policy Name in the IKE policy has to be the address (IP address in my case, but can be a DNS name) of the Cisco unit.

When you look at the list of IKE policies, the name and remote ID will be the same.

Under VPN policies the name can be whatever you like.

techrepublic

This thread is old, but I thought this might help somebody from going crazy...

I was failing a new VPN tunnel setup between a Cisco 7206 router and a Netgear FVS318, even though all settings were correct on both sides.

The culprit was that the preshared key had a # sign, which appears NOT to be processed properly by the Netgear. The Netgear accepted the preshared key without errors, but it just kept failing on the key exchange with various malformed packet / failed sanity check errors on both sides.

==> If you use special characters, try a simpler preshared key with just alphanumeric characters to confirm whether it's the issue, then add special characters one by one to see if the Netgear takes them or not.

This reminds me of a similar issue I had on older VPN boxes 7-8 years ago; can't remember the brand. I thought it would not be an issue nowadays, but obviously it still is.

Hope this helps somebody!