Netgear FVS318 VPN Router

Status
Not open for further replies.

littlejon

Programmer
Aug 28, 2006
US
I’m having a problem with the Netgear FVS318 and getting VPN phones to connect.
I used something similar to a previous thread but it won’t work.
Here’s what I’ve got –
IKE POLICY
GENERAL –
Policy Name: ipphone
Direction: Responder (tried Remote Access too)
Exchange Mode: Aggressive
LOCAL –
Local Identity Type: FQUN (tried FQDN too)
Remote Identity Data: ipphone
IKE SA PARAMETERS –
Encryption Algorithm: DES
Authentication Algorithm: MD5
PSK: presharedkey
Diffie-Hellman: Group 2
SA Life Time: 28800
VPN – AUTO POLICY
GENERAL –
Policy Name: ipphone
IKE Policy: ipphone
Remote VPN Endpoint: FQDN
• Address Data: ipphone
SA Life Time: 3600
IPSec PFS: Group 2
TRAFFIC SELECTOR –
Local IP: Subnet Address (tried Single IP Address too)
• 192.168.55.0 / Mask 255.255.255.0
Remote IP: Range Address
• 172.16.22.101/111
ESP CONFIGURATION –
Enable Encryption – Algorithm: DES
Enable Authentication – Algorithm: MD5
NET BIOS Enable - UNCHECKED

IP PHONE -
Generic PSK
Server: correct
IKE ID: ipphone
PSK: presharedkey

IKE Parameters-
IKE ID Type: User-FQDN
Diff-Hellman: 2
Encryption ALG: DES
Auth ALG: MD5
IKE Xchg Mode: Aggressive
IKE Config Mode: Disable
XAuth: Enable
CertExpiryCheck: Enable
CerDNCheck: Enable

IP Sec Parameters-
Encryption ALG: DES
Authentication ALG: MD5
Diff-Hellman: 2

VPN Start Mode: Boot
Password Type: N/A
Encapsulation: Disable
Syslog: Not Using

Protected Nets-
Virtual IP: 172.16.22.106
Remote Net#1: 192.158.55.0 (also tried 192.168.55.0/255.255.255.0)
Remote Net#2: Not Used

Copy TOS: No
QTEST: Disable
Connectivity Check: Never


I get to IKE Phase 2 in the log. Unfortunately it won't save the entire log, but this is what's toward the end.

[2009-06-19 15:30:52]<POLICY: ipphone> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID,NOTIFY
[2009-06-19 15:30:52]**** FOUND IDs,EXTRACT ID INFO ****
[2009-06-19 15:30:52]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:52]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>
[2009-06-19 15:30:54][==== IKE PHASE 2(from 70.56.165.14) START (responder) ====]
[2009-06-19 15:30:54]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-06-19 15:30:54]<POLICY: ipphone> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID,NOTIFY
[2009-06-19 15:30:54]**** FOUND IDs,EXTRACT ID INFO ****
[2009-06-19 15:30:54]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:54]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>
[2009-06-19 15:30:56][==== IKE PHASE 2(from 70.56.165.14) START (responder) ====]
[2009-06-19 15:30:56]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-06-19 15:30:56]<POLICY: ipphone> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID,NOTIFY
[2009-06-19 15:30:56]**** FOUND IDs,EXTRACT ID INFO ****
[2009-06-19 15:30:56]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:56]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>

I also tried the setup identical to the IP Office Technical Tip #184 (FVS338 VPN Router)

Current Netgear Firmware is 3.0_27
IP Office Firmware is 4.2.14
10 VPN Licenses

Any help would be greatly appreciated.
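
Added example, not part of the original post: a small Python parser for log lines of the shape shown above. It counts repeated Quick Mode starts per peer and checks the proposed Phase 2 IDs against the policy's traffic selectors. The function name is hypothetical, the sample lines are constructed from the excerpt, and reading `172.16.22.101/111` as the range .101 to .111 is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, shaped like the FVS318 log excerpt in the post.
SAMPLE_LOG = """\
[2009-06-19 15:30:52]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:52]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>
[2009-06-19 15:30:54][==== IKE PHASE 2(from 70.56.165.14) START (responder) ====]
[2009-06-19 15:30:54]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-06-19 15:30:54]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:54]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>
[2009-06-19 15:30:56][==== IKE PHASE 2(from 70.56.165.14) START (responder) ====]
[2009-06-19 15:30:56]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2009-06-19 15:30:56]<Initiator IPADDR=172.16.22.106>
[2009-06-19 15:30:56]<Responder IPADDR=192.168.55.0 MASK=255.255.255.0>
"""

START = re.compile(r"IKE PHASE 2\(from ([\d.]+)\) START")
INIT = re.compile(r"<Initiator IPADDR=([\d.]+)>")
RESP = re.compile(r"<Responder IPADDR=([\d.]+) MASK=([\d.]+)>")


def analyse(log, local_net, remote_first, remote_last):
    """Return (peers with repeated Quick Mode starts, selector findings)."""
    starts, findings = {}, set()
    lo, hi = ip_address(remote_first), ip_address(remote_last)
    for line in log.splitlines():
        if m := START.search(line):
            starts[m.group(1)] = starts.get(m.group(1), 0) + 1
        elif m := INIT.search(line):
            # Containment check only; a responder may demand an exact match.
            if not lo <= ip_address(m.group(1)) <= hi:
                findings.add(f"initiator ID {m.group(1)} outside remote range")
        elif m := RESP.search(line):
            proposed = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if proposed != ip_network(local_net):
                findings.add(f"responder ID {proposed} != local selector {local_net}")
    # More than one start from the same peer means Quick Mode is being retried.
    retries = {peer: n for peer, n in starts.items() if n > 1}
    return retries, sorted(findings)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, "192.168.55.0/24", "172.16.22.101", "172.16.22.111"))
```
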
 
According to Tech Tip 205, the FVS318 is not a supported router for VPN phones.
 
Setting up a Netgear FVG318 or FRV338 for Remote IP VPN Phone, should work with most Netgear routers as the GUI is the same

Assumed Points:
VoIP Extension created with VPN phone allowed
VPN Phone Valid License
Group number set to 876 (VPN) on the ip phone
VPN Firmware loaded onto IP Phone

Netgear Steps:

My Netgear External IP is 81.81.81.81, Internal Subnet is 192.168.1.0
Remote External IP Address and Internal Address do not come into effect
I use DES and MD5 as Encryption Methods (You can use your preferred as long as you match)
My FQDN is iphone.com
My Pre-Shared Key is presharedkey

****Update to the latest Netgear firmware - won't work otherwise***
****Program Policies Manually - do not use Wizard*****
_________________________________________________________________________

Step 1A...Create an IKE Policy Under VPN Tab

General___
Policy Name: IPPhone
Direction: Responder
Exchange Mode: Aggressive

Local___
Identifier: Local WAN IP
Remote: USER-FQDN
IDENTIFIER: ipphone.com

IKE-SA Param___
Encryption Algo: DES
Authentication Algo: MD5
Authentication Method: Pre-Shared Key
Pre-shared Key: presharedkey (min 8 characters)
Diffie-Hellman: Group2
SA-LifeTime: 28800

Step 1B... Create a New VPN Policy (this is the policy which the IKE user applies to)

General___
Policy Details:
Policy Name: IPPhone
Policy Type: Auto
Remote Endpoint: FQDN ipphone.com
Enable Netbios: Not Ticked

Traffic___ (Program this part to suit your network)
Local IP: Subnet
Start IP: My local LAN 192.168.1.0
Subnet Mask: 255.255.255.0
Remote IP: Any (this means that the phone can be plugged into any connection and set up VPN)

Manual Policy Param____NOT USED

Auto Policy Param___
SA Lifetime: 3600 seconds
Encryption Algo: DES
Integrity Algo: MD5
PFS Key Group: DH2

Assign the Above Policy to IKE Policy created in STEP1A Above


___________________________________________________________________________________________________________

IP Phone Settings:

Generic PSK Profile Selected
Server: 81.81.81.81
IKE ID: ipphone.com
PSK: presharedkey

IKE Parameters___
IKE ID Type: User-Fqdn
Diff-Hellman: 2
Encryption alg: DES
Authentic Alg: MD5
IKE Xchg Mode: Aggressive
IKE Config Mode: Disable
XAuth: Enable
CertExpiryCheck: Enable
CerDNCheck: Enable

IPSec Parameters___
Encryption Alg: DES
Authentication Alg: MD5
Diffie-Hellman: 2

VPN Start Mode: Boot
Password Type: N/A
Encapsulation: Disable
Syslog Server: Not Using

Protected Nets___
Virtual IP: 0.0.0.0 (Any)
Remote Net#1: 192.168.1.0/24
Remote Net#2...5: Not Used

Copy TOS: No
File Server: TFTP Server Address if using on remote network (I am using Boot mode VPN so sets up VPN first then looks for TFTP)
QTest: Disable
Connectivity Check: Never
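
Added example, not part of the original post: a Python check that the Phase 1 values entered on the router and on the phone actually match, since the two GUIs label the same field differently. The field mapping and function names are hypothetical, and the two text blocks are constructed from the settings listed above.

```python
# Constructed input: Phase 1 settings as "label: value" lines for each end.
ROUTER = """\
Exchange Mode: Aggressive
Remote: USER-FQDN
IDENTIFIER: ipphone.com
Encryption Algo: DES
Authentication Algo: MD5
Pre-shared Key: presharedkey
Diffie-Hellman: Group2
"""
PHONE = """\
IKE ID: ipphone.com
PSK: presharedkey
IKE ID Type: User-Fqdn
Diff-Hellman: 2
Encryption alg: DES
Authentic Alg: MD5
IKE Xchg Mode: Aggressive
"""
# Assumed mapping: logical field -> (router label, phone label).
PAIRS = {
    "exchange mode": ("Exchange Mode", "IKE Xchg Mode"),
    "remote ID type": ("Remote", "IKE ID Type"),
    "remote ID": ("IDENTIFIER", "IKE ID"),
    "encryption": ("Encryption Algo", "Encryption alg"),
    "authentication": ("Authentication Algo", "Authentic Alg"),
    "pre-shared key": ("Pre-shared Key", "PSK"),
    "DH group": ("Diffie-Hellman", "Diff-Hellman"),
}

def parse(block):
    """Turn 'label: value' lines into a dict, ignoring lines without a colon."""
    pairs = (line.partition(":") for line in block.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def norm(value):
    # "Group2" and "2", or "USER-FQDN" and "User-Fqdn", are the same setting.
    return value.lower().replace("group", "").replace(" ", "")

def mismatches(router_text, phone_text):
    """List (field, router value, phone value) for every field that differs."""
    router, phone = parse(router_text), parse(phone_text)
    bad = []
    for field, (rk, pk) in PAIRS.items():
        r, p = router.get(rk), phone.get(pk)
        if r is None or p is None or norm(r) != norm(p):
            if field == "pre-shared key":  # report the mismatch, not the secret
                r, p = ("<set>" if r else None), ("<set>" if p else None)
            bad.append((field, r, p))
    return bad
```
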
 
Thanks Intrigrant. It's working for one phone and I'm hoping it will also work for multiple (3-4) phones as well.
Thanks again.
 