VPN Connection to Netgear FVS338

Hey,
I've been trying for weeks to connect the iPhone 3G via VPN to a Netgear FVS338 router. Is it possible at all?

Thanks

Posted on Nov 12, 2008 7:58 AM

Nov 13, 2008 12:35 AM in response to Envision99

Hey,

thanks for the answer. These are the settings in the Router menu:

*IKE Policy:*
Direction / Type: Responder
Exchange Mode: Aggressive
Local Identifier Type: FQDN
Remote Identifier Type: User-FQDN

Encryption Algorithm: AES-256
Authentication Algorithm: SHA-1 MD5
Authentication Method: Pre-shared key
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
SA-Lifetime (sec): 28800
Enable Dead Peer Detection: No

XAUTH Configuration: Edge Device
Authentication Type: User Database



*VPN Policy:*
Policy Name: **
Policy Type: Auto Policy
Remote Endpoint: FQDN: mobile
Enable NetBIOS? No
Enable Keepalive: No


Auto Policy Parameters:
SA Lifetime: 3600 Sec.
Encryption Algorithm: AES-256
Integrity Algorithm: MD5
Select IKE Policy: mobile



*And here are the last few lines of the VPN log when the iPhone tries to connect:*
- Last output repeated 3 times -
2008 Nov 13 09:29:13 [FVS338] [IKE] Ignored attribute 5_
2008 Nov 13 09:29:13 [FVS338] [IKE] Local configuration for *IP Hidden*[17245] does not have mode config_
- Last output repeated 3 times -
2008 Nov 13 09:29:13 [FVS338] [IKE] Ignored attribute 28678_
2008 Nov 13 09:29:13 [FVS338] [IKE] Local configuration for *IP Hidden*[17245] does not have mode config_
- Last output repeated 3 times -
2008 Nov 13 09:29:13 [FVS338] [IKE] Ignored attribute 28683_
2008 Nov 13 09:29:14 [FVS338] [IKE] Failed to resolve remote FQDN "mobile". Backing off resolution for 4 seconds._
2008 Nov 13 09:29:18 [FVS338] [IKE] Failed to resolve remote FQDN "mobile". Backing off resolution for 8 seconds._
2008 Nov 13 09:29:19 [FVS338] [VPNKA] Peer *IP Hidden* failed 14059 of 3 times_
2008 Nov 13 09:29:19 [FVS338] [VPNKA] Failed to send Keep-Alive Request to _
2008 Nov 13 09:29:21 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP *IP Hidden ->IP Hidden*_
2008 Nov 13 09:29:26 [FVS338] [IKE] Failed to resolve remote FQDN "mobile". Backing off resolution for 16 seconds._
2008 Nov 13 09:29:29 [FVS338] [VPNKA] Peer *IP Hidden* failed 14060 of 3 times_
2008 Nov 13 09:29:29 [FVS338] [VPNKA] Failed to send Keep-Alive Request to _

Message was edited by: Pirax
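
An added example, not part of the original thread: a small triage script for the router log quoted in the post above, grouping the IKE messages by cause and pulling out the ignored config attributes and the unresolved peer name. The category labels and the `triage` function are names chosen for this example; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Sample input: lines copied from the router log quoted in the post above.
SAMPLE_LOG = '''\
- Last output repeated 3 times -
2008 Nov 13 09:29:13 [FVS338] [IKE] Ignored attribute 5_
2008 Nov 13 09:29:13 [FVS338] [IKE] Local configuration for *IP Hidden*[17245] does not have mode config_
2008 Nov 13 09:29:13 [FVS338] [IKE] Ignored attribute 28678_
2008 Nov 13 09:29:14 [FVS338] [IKE] Failed to resolve remote FQDN "mobile". Backing off resolution for 4 seconds._
2008 Nov 13 09:29:19 [FVS338] [VPNKA] Failed to send Keep-Alive Request to _
2008 Nov 13 09:29:21 [FVS338] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. ESP *IP Hidden ->IP Hidden*_
'''

# timestamp, device tag, subsystem tag, message (a trailing "_" is forum markup residue)
LINE_RE = re.compile(r"^(\d{4} \w{3} +\d+ [\d:]{8}) \[(\w+)\] \[(\w+)\] (.*?)_?$")

# Category names are labels chosen for this example, not Netgear terminology.
RULES = [
    ("attr_ignored", re.compile(r"Ignored attribute (\d+)")),
    ("no_mode_config", re.compile(r"does not have mode config")),
    ("fqdn_unresolved", re.compile(r'Failed to resolve remote FQDN "([^"]+)"')),
    ("phase2_timeout", re.compile(r"Phase 2 negotiation failed .*waiting for phase1")),
    ("keepalive_failed", re.compile(r"Keep-Alive|failed \d+ of \d+ times")),
]

def triage(log_text):
    """Classify each log line and collect the values needed to read the failure."""
    counts, attrs, names = Counter(), set(), set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # blank lines and "- Last output repeated N times -" markers
            continue
        for label, rx in RULES:
            hit = rx.search(m.group(4))
            if hit:
                counts[label] += 1
                if label == "attr_ignored":
                    attrs.add(int(hit.group(1)))
                elif label == "fqdn_unresolved":
                    names.add(hit.group(1))
                break
    return {
        "counts": dict(counts),
        "attributes": sorted(attrs),
        # 16384-32767 is the private-use range for IKEv1 config attributes
        "private_attributes": sorted(a for a in attrs if 16384 <= a <= 32767),
        # single-label names (no dot) are not fully qualified
        "unqualified_names": sorted(n for n in names if "." not in n),
    }
```

On the sample, the summary shows the client requesting mode-config attributes the router policy does not provide, and a remote identifier that is not a resolvable domain name.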

Nov 15, 2008 3:46 AM in response to Envision99

The Netgear Router only supports IPSEC...

I uploaded the configuration pages... maybe that explains some more... but like I already said: in the Netgear forum they tell me that it won't work.. 😟

http://img50.imageshack.us/my.php?image=netgear1fh8.jpg
http://img160.imageshack.us/my.php?image=netgear2je1.jpg
http://img160.imageshack.us/my.php?image=netgear3ax4.jpg

Thanks a lot for any help

Dec 2, 2008 7:01 AM in response to Pirax

Pirax wrote:
IKE Policy:
Direction / Type: Responder
Exchange Mode: Aggressive
Local Identifier Type: FQDN
Remote Identifier Type: User-FQDN
.
.
.
2008 Nov 13 09:29:14 [FVS338] [IKE] Failed to resolve remote FQDN "mobile". Backing off resolution for 4 seconds._


I came across your post looking for posts about how well the FVS338 works with OS X clients; I am interested in purchasing one to replace a Linksys VPN box.

IPSEC is annoyingly difficult to get to work with Apple Products, though it can be done with actual Macs. I never figured out how to get an actual working IPSEC tunnel working with my iPhone to a Linksys router using IPSEC.

While the iPhone supposedly supports Cisco VPN, it appears to be only account based VPN (you need a user name and personal password in addition to the group and secret keys). My Linksys WRVS4400N (a Cisco product) doesn't support that type of connection, so I doubt your Netgear product does.

That aside, you have a problem with your settings:

You can't use FQDN as the identification type. FQDN (Fully Qualified Domain Name) for remote identifier would require your iPhone's IP address to resolve to a domain name. It looks like you put the value "mobile" in that parameter. That value needs to be in the mydomain.com type format to work properly, doesn't it? Your iPhone won't have any such DNS record unless you set up a DynDNS account and somehow keep it pointed to your iPhone's current IP address. (I can think of a way to do that, but it would be a pain in the butt unless our iPhones keep the same IP address from AT&T all the time, which I am sure they do not.)

Anyways, I suspect you'll never get it to work with those identifier settings; you'll need to set it up to "any" if your VPN supports that.

It looks like the only solution would be to set the VPN box to pass through L2TP or PPTP traffic and set up a server for those connections behind the FVS338. An inexpensive Linksys WRT54 with one of the open source firmwares would do the trick nicely.

Dec 5, 2008 11:26 AM in response to Pirax

For the IPsec implementation on the iPhone you really need login, password and secret, not just a secret as used in a vanilla Netgear VPN/IKE policy setup (I cannot talk for all of them, but do have experience of the FWG114P, FVS318, FVG318, FVS338 and FVS538 units).

I think you have 3 options;

1. On page 47 of the Enterprise Deployment Guide http://manuals.info.apple.com/enUS/Enterprise_DeploymentGuide.pdf, it states:
+iPhone supports the following authentication methods:+
+Pre-shared key IPSec authentication with user authentication via xauth.+

I suspect you could use Netgear XAUTH in combination with a radius server to get what you need. http://kbserver.netgear.com/kbwebfiles/n101494.asp i.e. login, password, secret.

+I have not tried this, because we use a Netgear SSL312 VPN Concentrator for session VPN tunnels. However it's something I might try over the holidays - relatively easy to allow our OD master to supply authentication to the Netgear ( http://www.macosxhints.com/article.php?story=20071130134610850)+

The simpler option would be to bypass IPSec and use either PPTP or L2TP.

2. Use OS X Server and the built-in VPN Server for either PPTP or L2TP

3. Access the VPN Server built into OS X Client
http://www.macupdate.com/info.php/id/27619/ivpn - £15 or an older version forked http://ivpn24bfork.sourceforge.net/ - free

You can then (in theory) connect. Hope this gives you some extra options.

Dec 5, 2008 12:06 PM in response to Neil McGillivray

I do see from your IKE/VPN config, that you are using "user database" for your XAUTH.

To troubleshoot;
If you have a Mac, try IPSecuritas from lobotomo - use the config you have, without the XAUTH part - see if you can get a successful connection.

From the Deployment pdf, it states the iPhone supports

Encryption Algorithms: 3DES, AES-128, AES-256
Authentication Algorithms: HMAC-MD5, HMAC-SHA1

On our Netgears, we have most success using 3DES and SHA1 - I'd suggest trying these.
