nypan2

Unable to establish connection between Netgear FVS318 and ProSafe VPN Client

Scenario:
The office has a network with private IPs ranging from 192.168.0.1 (the FVS318 router) to 192.168.0.255. The router has been set up for VPN according to instructions from Netgear docs, same goes for the ProSafe client.

The router can be accessed through a fixed IP or a DNS address. However, all traffic through this IP is forwarded to the fixed WAN IP of the router, which is 192.168.3.100. So, in other words, the public IP of the router is not the same as the one specified as the fixed WAN IP in the router configuration.

Whenever I try to access an IP of the office network, or try to manually establish the VPN tunnel, I get this message from the ProSafe client log:

 7-13: 13:53:22.097 My Connections\OFFICE - Attempting to resolve Hostname (vpnrouter.wlst.se)
 7-13: 13:53:22.147 My Connections\OFFICE - Initiating IKE Phase 1 (Hostname=vpnrouter.wlst.se) (IP ADDR=xxx.xx.xx.xxx)
 7-13: 13:53:22.167 My Connections\OFFICE - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 7-13: 13:54:07.252 My Connections\OFFICE - message not received! Retransmitting!
 7-13: 13:54:07.252 My Connections\OFFICE - SENDING>>>> ISAKMP OAK MM (Retransmission)

All settings have been configured in exact accordance with the instruction doc from Netgear regarding Client-to-gateway setup, except for the Shared Key that is... I have tried disabling the firewall software on the client (which runs with a dynamic IP by the way), but that has no effect.

I have no clue what to do about this, so any help would be greatly appreciated. Is there any reason why it would cause problems to have a different WAN IP set than the one that the client is trying to access the router through?
Tim Holman

Could you post up a diagram of some sort?
e.g.:

VPN Client
|
ADSL Router ?
|
Internet
|
ISP Router (vpnrouter.wlst.se) (IP ADDR=xxx.xx.xx.xxx)
|
??
Router
192.168.3.100
|
Internal network - 192.168.0.x

Your VPN client must not already have a 192.168.0.x address - this would not work.

Are all VPN ports forwarded to 192.168.3.100, e.g. protocols 50, 51, TCP 50, UDP 500, UDP 10000?

Technicon-SG

Need a better idea of your config. This is how it appears to me... please let me know if it is different.


LAN network------Netgear FVS318------ISP modem--------internet-------Client

What IP address are you trying to connect to from the client? (Don't give me the full address... just fill in the X's: X.X.private.private)

If you are trying to connect to 192.168.3.100 from the internet... this will never work. If this is the case I will need additional info to help you.

Whoops... Tim beat me to the punch :-)
nypan2 (ASKER)

I will check the port forwarding settings and then get back to you with a network diagram if that doesn't solve the problem!
nypan2 (ASKER)

This is the layout of the network:

OFFICE NETWORK
|
SERVER (192.168.0.2)
|
FVS318 Router (192.168.0.1 (LAN)/192.168.3.100 (WAN))
|
ISP Router (197.xxx.xx.xx)*
|
INTERNET
|
PC Client running ProSafe VPN Client (Dynamic IP)

* The FVS318 router has its WAN IP set to 192.168.3.100. The ISP's router forwards all traffic to its public IP (197.xxx.xx.xx) to 192.168.3.100 on the private side. So, through the internet the client connects to 197.xxx.xx.xx, which is forwarded to 192.168.3.100, which is the FVS318 router that has a private IP of 192.168.0.1 in the office network.

I've looked over the port forwarding settings on the router, and this is the current setup:

TCP/UDP ports 50-51 are forwarded to 192.168.0.1 (the private LAN IP of the FVS318)
TCP port 50 is forwarded to 192.168.0.1 (the private LAN IP of the FVS318)
UDP port 500 is forwarded to 192.168.0.1 (the private LAN IP of the FVS318)
UDP port 10000 is forwarded to 192.168.0.1 (the private LAN IP of the FVS318)

This doesn't feel too logical, but since the tunnel is a connection between the PC client and the router itself, I cannot see where else it should be forwarded?

Thanks again for your help, guys! This is quite urgent for us, I hope you will be able to assist! Let me know if you need any additional info!
There is no need to forward internally in the FVS318... My guess would be that the ISP router is not forwarding all traffic to the 192.168.3.100 address... ESP is not TCP/UDP port 50... it is protocol 50 (an animal all to itself)... At this point I would contact your ISP and see if they can set the ISP router to be a true bridge and let your FVS318 do all of the work... Explain to them what you are trying to do... they should understand and know what to do.
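The distinction made in the reply above (ESP is IP protocol 50, not TCP or UDP port 50) as an added example, not part of the original thread: it applies the port-forward entries listed in the question to constructed packets. It assumes a forwarding table that can only match TCP or UDP destination ports; the function names and the source address are this example's own.

```python
import struct

TCP, UDP, ESP, AH = 6, 17, 50, 51   # IANA IP protocol numbers

# Port-forward entries as listed in the question: (ip_protocol, first_port, last_port).
PORT_RULES = [(TCP, 50, 51), (UDP, 50, 51), (TCP, 50, 50),
              (UDP, 500, 500), (UDP, 10000, 10000)]


def build_ipv4(protocol, payload):
    """Constructed test packet: 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         protocol, 0,
                         bytes([198, 51, 100, 7]),     # placeholder source address
                         bytes([192, 168, 3, 100]))    # WAN address used in the thread
    return header + payload


def udp_header(src_port, dst_port):
    """Constructed 8-byte UDP header with no data and a zero checksum."""
    return struct.pack("!HHHH", src_port, dst_port, 8, 0)


def parse_ipv4(packet):
    """Return (ip_protocol, dest_port); dest_port is None when there is no port to read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20:
        raise ValueError("invalid IPv4 header length")
    protocol = packet[9]
    # Only the first fragment of a TCP/UDP datagram carries the transport header.
    fragment_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if protocol in (TCP, UDP) and fragment_offset == 0 and len(packet) >= header_len + 4:
        dest_port = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
        return protocol, dest_port
    return protocol, None


def is_forwarded(packet, port_rules):
    """True if a TCP/UDP port-forward rule matches the packet."""
    protocol, dest_port = parse_ipv4(packet)
    if dest_port is None:
        return False    # ESP and AH have no ports, so no port rule can ever match them
    return any(protocol == rule_proto and first <= dest_port <= last
               for rule_proto, first, last in port_rules)


def audit(port_rules):
    """Check which kinds of IPsec traffic the rule set lets through."""
    traffic = {
        "IKE (UDP 500)": build_ipv4(UDP, udp_header(500, 500)),
        "NAT-T (UDP 4500)": build_ipv4(UDP, udp_header(4500, 4500)),
        "ESP (IP protocol 50)": build_ipv4(ESP, bytes(16)),
        "AH (IP protocol 51)": build_ipv4(AH, bytes(16)),
    }
    return {name: is_forwarded(packet, port_rules) for name, packet in traffic.items()}


if __name__ == "__main__":
    for name, passed in audit(PORT_RULES).items():
        print(f"{name:22} {'forwarded' if passed else 'NOT forwarded'}")
```

With these rules the key exchange on UDP 500 gets through, but the ESP packets that carry the tunnel data do not, because the "port 50" entries only ever match TCP or UDP.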
nypan2 (ASKER)

I have removed all internal forwarding settings. I will double check with the ISP to see that all traffic is actually flowing through to the router. If they acknowledge that that is the case, I'll try hooking it up to the internet directly, so that the public IP actually points directly to the router, without any NAT in between.

Thanks again for trying to resolve my problem!
It's generally not possible to forward EVERYTHING from the ISP router to your Netgear, only pre-defined ports.
Do you have the ISP router config?
You need protocols 50, 51, TCP 50, UDP 500, UDP 4500, UDP 10000 all NATted to the WAN address of your Netgear, 192.168.3.100.
This opens up all VPN services.
Is the ProSafe client configured with NAT transparency?
You could always run Ethereal on your client to work out which ports the ProSafe is trying to reach:

1) Go to http://www.ethereal.com/download.html
2) Under Windows 98/ME/2000/XP/2003 Installers, select a site near you
3) Download WinPcap_3_0.exe and ethereal-setup-0.10.4.exe
4) Install WinPcap_3_0 - double click on the WinPcap_3_0.exe file, just click OK / Yes throughout
5) Install ethereal-setup-0.10.4 - double click on the file, accept all the defaults (OK / Yes throughout)
6) Start the Ethereal application
7) Go to Capture > Start
8) Under Interface, select your Internet facing interface. If you're unsure, then select one, and continue. If it displays results, then you've got the right interface; if your capture is empty, then select another interface and carry on...
9) Under Capture Files, put \capture.cap
10) Click OK
11) Capturing will commence....
12) Capture what you need to
13) Go back to Ethereal, click Stop

nypan2 (ASKER)

I have talked to the ISP, and they have reconfigured the connection so that I am no longer behind their router. This means that they are no longer forwarding anything, all traffic is going directly to the FVS318 router.

I have routed port 8080 on the FVS318 to a server for remote management by PCAnywhere. This works fine. However, I have also tried routing port 80 to different web server enabled machines, but I can never access the web server through the router's public IP. Any suggestions to what this means?

When I try to connect to the router using the ProSafe client, I still get the same log message as before, "Message not received".

Thanks Tim for the tip about Ethereal, however, since all traffic is now going directly to the router, it shouldn't matter what ports are in use by the client.

Do you know of any settings in the ProSafe client that could be inaccurate that would generate "Message not received" in the log? Or perhaps some setting for the router's VPN configuration?

Thanks again, guys!
nypan2 (ASKER)

Ted wrote:
   "Do you know of any settings in the ProSafe client that could be inaccurate that would generate "Message not received" in the log? Or perhaps some setting for the router's VPN configuration?"

Of course I mean, do you know of any settings that would generate this error message although the client actually gets a response from the router?
> I have routed port 8080 on the FVS318 to a server for remote management by PCAnywhere. This works fine. However, I have also tried routing port 80 to different web server enabled machines, but I can never access the web server through the router's public IP. Any suggestions to what this means?

Does the router have any web based management that could be interfering?

Can you PING the Netgear router from your VPN Client machine?

What do the log files say on the Netgear router?

Have you tried this from Netgear's website?

Troubleshooting the VPN Client

Installation Problems

You must not have more than one IPSec VPN client installed on your computer. If you have previously installed another VPN client (such as SafeNet, Checkpoint, Cisco, etc.) you must uninstall it and reboot your computer before installing the NETGEAR VPN Client.

Functional Problems

- In the NETGEAR VPN Client configuration, the SA Lifetime is unspecified by default. This can cause frequent dropping of the tunnel. Be sure to set a value for this parameter.
- Disable the Virtual Adapter unless you are sure you need it.
- When connecting to a NETGEAR VPN router, be sure to configure the router for connection to "a single IP address" instead of "a subnet".
- If your computer is running a software firewall (such as Norton Firewall, ZoneAlarm, or Windows XP Firewall) the VPN Client may not be able to initiate a tunnel. Disable the software firewall and try again.
 
nypan2 (ASKER)

All right, we're almost there! The tunnel has been established, and I can ping IPs on the private network. However, I am not able to connect the client computer to the network domain.

We're running SBS 2003 on the network, and I can access the internal web site running on the server. I've tried connecting the client through the option presented on this web site, but I get an error since the server rejects the IP of the client computer.

How do I get a virtual IP for the client which identifies it towards the private network? The computers at the office are named 192.168.0.0, so I would like the client to assume an address within that subnet within the private LAN.

I don't think I can connect to the office domain unless the server recognizes a client within the right IP address range?

Thanks a lot guys, it feels as if we're close to the finish line! =)
nypan2 (ASKER)

One more thing, I have tried entering an IP in the "Internal Network IP Address" field in the client settings. I've tried setting it to 192.168.0.147. The other computers on the office network are named 192.168.0.xxx.

However, once I've entered an IP address, the connection fails. This is what the log says:

 7-20: 17:12:35.826
 7-20: 17:12:35.826 My Connections\KONTORET - Attempting to resolve Hostname (vpn.wallstedts.se)
 7-20: 17:12:35.866 My Connections\KONTORET - Initiating IKE Phase 1 (Hostname=vpn.wallstedts.se) (IP ADDR=195.17.29.218)
 7-20: 17:12:35.876 My Connections\KONTORET - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 7-20: 17:12:35.906 My Connections\KONTORET - RECEIVED<<< ISAKMP OAK MM (SA)
 7-20: 17:12:36.197 My Connections\KONTORET - SENDING>>>> ISAKMP OAK MM (KE, NON, VID 3x)
 7-20: 17:12:39.171 My Connections\KONTORET - RECEIVED<<< ISAKMP OAK MM (KE, NON)
 7-20: 17:12:39.381 My Connections\KONTORET - SENDING>>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
 7-20: 17:12:39.411 My Connections\KONTORET - RECEIVED<<< ISAKMP OAK MM *(ID, HASH)
 7-20: 17:12:39.411 My Connections\KONTORET - Using cached address.  (Hostname=vpn.wallstedts.se) (IP ADDR=195.17.29.218)
 7-20: 17:12:39.411 My Connections\KONTORET - Established IKE SA
 7-20: 17:12:39.411    MY COOKIE 92 80 5d 73 b0 43 7c 31
 7-20: 17:12:39.411    HIS COOKIE 95 9d 32 19 85 c7 16 f7
 7-20: 17:12:39.702 My Connections\KONTORET - Initiating IKE Phase 2 with Client IDs (message id: A76F843D)
 7-20: 17:12:39.702   Initiator = IP ADDR=192.168.0.147, prot = 0 port = 0
 7-20: 17:12:39.702   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.0, prot = 0 port = 0
 7-20: 17:12:39.702 My Connections\KONTORET - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 7-20: 17:13:24.777 My Connections\KONTORET - QM re-keying timed out (message id: A76F843D). Retry count: 1
 7-20: 17:13:24.777 My Connections\KONTORET - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 7-20: 17:14:09.922 My Connections\KONTORET - QM re-keying timed out (message id: A76F843D). Retry count: 2
 7-20: 17:14:09.922 My Connections\KONTORET - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 7-20: 17:14:54.936 My Connections\KONTORET - QM re-keying timed out (message id: A76F843D). Retry count: 3
 7-20: 17:14:54.936 My Connections\KONTORET - SENDING>>>> ISAKMP OAK QM *(Retransmission)

Here I get the message saying that the connection failed. If I reset the "Internal Network IP Address" to blank again, the connection works like a charm. Except that I don't have a correct IP towards the VPN... :(

Thanks again, guys, hope I get to give out those points soon... =)
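The two client logs quoted in this thread stall at different points of the IKE negotiation; the following added example (not part of the original posts) reads a ProSafe client log and reports where it stopped. The samples are abridged from the quoted format with a placeholder connection name and gateway address, the stage labels and function name are this example's own, and the overlap flag encodes only what the thread reports (a client ID inside the remote subnet failed, one outside it worked).

```python
import ipaddress
import re

# Constructed samples, abridged from the log format quoted in the thread;
# the connection name and gateway address are placeholders.
PHASE1_STALL = r"""
 7-13: 13:53:22.147 My Connections\OFFICE - Initiating IKE Phase 1 (IP ADDR=203.0.113.10)
 7-13: 13:53:22.167 My Connections\OFFICE - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 7-13: 13:54:07.252 My Connections\OFFICE - message not received! Retransmitting!
 7-13: 13:54:07.252 My Connections\OFFICE - SENDING>>>> ISAKMP OAK MM (Retransmission)
"""

PHASE2_STALL = r"""
 7-20: 17:12:35.876 My Connections\OFFICE - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
 7-20: 17:12:35.906 My Connections\OFFICE - RECEIVED<<< ISAKMP OAK MM (SA)
 7-20: 17:12:39.411 My Connections\OFFICE - Established IKE SA
 7-20: 17:12:39.702 My Connections\OFFICE - Initiating IKE Phase 2 with Client IDs (message id: A76F843D)
 7-20: 17:12:39.702   Initiator = IP ADDR=192.168.0.147, prot = 0 port = 0
 7-20: 17:12:39.702   Responder = IP SUBNET/MASK=192.168.0.0/255.255.255.0, prot = 0 port = 0
 7-20: 17:12:39.702 My Connections\OFFICE - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
 7-20: 17:13:24.777 My Connections\OFFICE - QM re-keying timed out (message id: A76F843D). Retry count: 1
 7-20: 17:13:24.777 My Connections\OFFICE - SENDING>>>> ISAKMP OAK QM *(Retransmission)
"""

# MM = main mode (phase 1), QM = quick mode (phase 2); "*" marks encrypted messages.
MESSAGE = re.compile(r"(SENDING>>>>|RECEIVED<<<) ISAKMP OAK (MM|QM) \*?\((.*)\)")
INITIATOR = re.compile(r"Initiator = IP ADDR=([\d.]+)")
RESPONDER = re.compile(r"Responder = IP SUBNET/MASK=([\d.]+)/([\d.]+)")


def diagnose(log_text):
    """Report where an IKE negotiation stopped, based on a ProSafe client log."""
    sent = {"MM": 0, "QM": 0}
    received = {"MM": 0, "QM": 0}
    retransmissions = 0
    ike_sa = False
    client_id = remote_net = None

    for line in log_text.splitlines():
        message = MESSAGE.search(line)
        initiator = INITIATOR.search(line)
        responder = RESPONDER.search(line)
        if message:
            direction, exchange, payloads = message.groups()
            if direction.startswith("RECEIVED"):
                received[exchange] += 1
            elif payloads == "Retransmission":
                retransmissions += 1
            else:
                sent[exchange] += 1
        elif "Established IKE SA" in line:
            ike_sa = True
        elif initiator:
            client_id = ipaddress.ip_address(initiator.group(1))
        elif responder:
            # ip_network accepts the address/netmask form used in the log.
            remote_net = ipaddress.ip_network("/".join(responder.groups()), strict=False)

    if not sent["MM"]:
        stage = "no IKE attempt logged"
    elif not received["MM"]:
        stage = "phase 1: first packet unanswered"
    elif not ike_sa:
        stage = "phase 1: started but IKE SA not established"
    elif not sent["QM"]:
        stage = "phase 1 complete, phase 2 not started"
    elif not received["QM"]:
        stage = "phase 2: quick mode unanswered"
    else:
        stage = "phase 2: gateway responding"

    overlap = bool(client_id and remote_net and client_id in remote_net)
    return {"stage": stage, "retransmissions": retransmissions,
            "client_id_inside_remote_subnet": overlap}


if __name__ == "__main__":
    for name, log in (("first log", PHASE1_STALL), ("second log", PHASE2_STALL)):
        print(name, diagnose(log))
```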
nypan2 (ASKER)

Yet another thing...

It works fine if I use an "Internal Network IP Address" that starts with something else, for example 192.168.100.1.

But this address wouldn't be accepted by the server, for example when trying to join the domain, since it's not on the same subnet?

I want an internal address like 192.168.0.xxx.
If you can get the tunnel up and ping your SBS 2003 server, then you CAN get domain logon to work.  On your VPN Client:

1) notepad c:\winnt\system32\drivers\etc\lmhosts
2) If file doesn't exist, create it
3) Add this line to the bottom:

199.199.199.1  ComputerName   #PRE  #DOM:DomainName

Where... 199.199.199.1 is the IP address of your domain controller, ComputerName its name, and DomainName the Domain Name.
Computer Name and Domain Name may end up being the same - not a problem, but still put them both in anyway, e.g.:

199.199.199.1  OFFICE #PRE  #DOM:OFFICE

4)  Save the file

Alternatively, you could use WINS. Not sure if you get this on SBS 2003?
nypan2 (ASKER)

Hi!

I've created an LMHOSTS file, and in it I've typed:

192.168.0.2 SERVER #PRE #DOM:OFFICE

"SERVER" is the computer name of the server. "OFFICE" is the domain name.

However, when I try to join the domain through "My Computer" properties, I get an error stating that no controller can be found for the domain OFFICE.

I can still ping 192.168.0.2 (the server).

Do I need an internal network IP address assigned?

Thanks!
ASKER CERTIFIED SOLUTION
Tim Holman

This solution is only available to members.
Everything working now?
nypan2 (ASKER)

Everything works great, thanks a lot for the help, Tim! The VPN clients are now functioning exactly like the local computers in every aspect, works like a charm!

Take care!
In the thread above it is mentioned:

"I have talked to the ISP, and they have reconfigured the connection so that I am no longer behind their router. This means that they are no longer forwarding anything, all traffic is going directly to the FVS318 router."

Can this be done with all ISPs?

Could there be a solution to this case if the ISP forced you to stay behind their router?

Thanks!
The FVS-318 needs a WAN IP to let the VPN function properly!

The VPN router communicates back to your ProSafe client, thinking that it has to send the message back to the LAN side of the ISP router, but actually it has to send it to the ProSafe client (but it'll never reach that side!!)
The FVS-318 tries to establish a connection to the ISP router, and the router will never respond with the right answer, since the router did not originate the request!

I have tried many times, and very different setups using the FVS-318 behind my ISP router... and it ended up in an error in the LOGS to my ISP router... Ever since we changed our ISP-router, to indeed the CPE directly to our FVS-318, the FVS-318 handled all VPN requests perfectly...
Since then we purchased a group of IPs, and hooked up the superior model FVL-328 onto another external WAN IP, and both work great together...


My advice: buy an ISP contract with an external WAN... or simply take a cheap ADSL or cable contract which has an ETHERNET MODEM (and NOT an ETHERNET ROUTER) from your ISP... as soon as you have an ETHERNET MODEM, you will most certainly have an external IP on the WAN side of your FVS-318...
Use the DYNDNS service (and in case of ADSL, set the timeout to 0)... you will have almost 95% access to your network, without a lot of worries... at least that is the setup that works fine at our offices, and home offices :)

Routers we use at the main office: FVS-318 and FVL-328
Routers used at home & home offices: FVS-318, Linksys WRV54G and SSH Sentinel or ProSafe client...

PS. The ProSafe client is easier to manage, since you can export the profiles... which the freeware edition of SSH Sentinel cannot...


Hope this helps you a bit :)
nypan2 (ASKER)

Thank you for your elaborate response. However, the FVS318 does have a fixed WAN IP. However, the connecting client does not. Is the problem that the FVS318 cannot reach the connecting client because the client's IP is behind the router?

(Once again, the connecting client is behind a wireless router. It tries to connect to a FVS318 with a fixed IP.)

If I connect the client directly to the internet, giving the client an external IP address, everything works fine. Does the wireless router or the FVS318 have to be configured in any special way to communicate correctly with the client when it is behind a router or NAT?

Thanks again for your help! It is greatly appreciated!
Oh okay,

The only thing your wireless router should support is NAT traversal... (most of them do, but you never know)

Second, you should set up the VPN in the FVS-318 as follows:
----------------------------------------------------------------------------
Local Secure group : WANIP of FVS318
Remote secure group : 192.168.33.10     (example)

Subnet of local addresses
192.168.0.0 // 255.255.255.0

Single remote address
192.168.33.10

Remote WANIP or FQDN
0.0.0.0  (means any wanip is allowed)

Set the security options at your will


Configure your VPN client :
---------------------------------------
Secure & Only connect manually (but that is my choice, you could connect automatically if you ping an IP first in on the FVS318 side)

IP Subnet
192.168.0.0 // 255.255.255.0  (double check the subnet, by default the VPN client assigns 255.255.255.255 !!)
Protocol ALL
Connect using : "secure gateway tunnel"
IP Address : << your WAN IP >>

My Identity:
Certificate : None   (and choose the same Preshared key of course)
Virtual Adaptor : REQUIRED  
192.168.33.10   (same as the example in your remote secure group)

Security Policy:
Set the same as in the FVS318  (use Diffie Hellman Group 2 though !!)

Authentication
I mostly use SHA-1 in the proposal, however MD5 works also... SHA-1 is more secure they say.
Set the SA Life time the same as Key Life in the FVS318

Key Exchange
Set the SA life time to IKE life time in your FVS
And set ESP active at the same SHA-1 or MD-5 that you chose in the Authentication field...



This should get you on the way... at least, that's how it works with me, on many many locations... no matter what router is in between.... (at least if their firewall isn't setup to block all) :):)

Let me know.
nypan2 (ASKER)

It's all working now! Just had to make sure that the client had the correct IP behind the wireless router! Thanks a lot for the help! I'll try and post a complete settings doc later on, I've noticed that more people have had the same problem.

Thanks again!
I just joined Experts Exchange last night to try to get answers to why I could not get my Netgear FVS318 and Netgear ProSafe client connection to work. The handshaking was failing at the send of the ISAKMP OAK QM(....) point with no response coming back. My setup is:

Cable connection from Comcast to FVS318 with dynamic addresses.
FVS318 at firmware version 2.4.
DDNS service from TZO-DNS.

Client side Win-XP with ProSafe client installed and firewall off with no virus software (now that I have everything working I am going to start adding back firewall and virus stuff - I'll post about that later).
Client communications was through a wireless GPRS card from T-Mobile.
I configured the router and client exactly like in the Netgear document 'Reference Manual for the NETGEAR ProSafe VPN Client' in Appendix C, except that my FQDN is different and I used a different PreShared key... and it would not work. I pulled my hair out for hours trying to figure out what was going wrong.
Then I removed the T-Mobile card and defined a plain old dial-up connection through my Earthlink account...and IT WORKED. The problem was the T-Mobile connection. So I called TMO support and the tech told me that I did not have the correct 'data plan', I needed the one that allowed VPN support.

I guess the whole point of this is that if you are connecting from a dynamic address remote client to a dynamic addressed FVS318 with a service like TZO-DNS, the instructions as written in the Netgear document work for sure.
nypan2 (ASKER)

Forget the Netgear documentation, follow the instructions in this thread instead! I tried to resolve the issue on numerous occasions in accordance with Netgear documentation and support, but that didn't help me at all. Read through this thread thoroughly and you should be able to get it up and running.
It is up and running and I did follow the Netgear instructions. The point was that my situation was an exact replica of their example.
- The document that Netgear described worked out for me as well (but only if both sides have a direct WAN connection)
- The document did not mention NAT traversals
- The document even disregards (read: does not support) FVS318 being set up behind another router (we have one customer working behind a router of their ISP, and magically enough this one works just fine using Virtual Adaptor...)

Anyway, we are a very happy customer of Netgear.

Currently we have a setup of many different brands with their VPN routers.

FVS318  <-->   Linksys WRV54G    (a pain, I can assure you, but it works if the WRV54G sets up the link)
FVS318  <-->   Linksys BEFSX41    (works fine)
FVS318  <-->   DLINK 824VUP+     (works GREAT !!)
FVS318  <-->   SSH Sentinel 1.3    (works great, pity it lacks an export/import function)
FVS318  <-->   Netgear & Netscreen VPN client (they both are 99% the same ~ they differ in the logo :-D )  (btw works great)
FVL328  <-->    DLINK 824VUP+    (works GREAT !!)
FVL328  <-->    FVS318                (works GREAT !!)
FVL328  <-->    Watchguard (don't know model, we set this one up with an external company, and it works just fine)

FVS318  <-->    Linksys WAG54G    (don't know yet, have to set it up next week)

(FVL328 is big brother of Netgear with its 100 tunnels)
nypan2 (ASKER)

morrisford, I'm sorry, I didn't read your post thoroughly enough. I got the connection to work too by following the docs from Netgear, but only if the connecting client was connected directly to the internet. The problems occurred when the client was trying to connect from behind a router, in my case a wireless one. I thought this was weird since it should've worked as long as the router supports VPN pass-through. Anyways, I followed the tips I got here on EE and everything worked fine. Therefore I say that the Netgear docs have insufficient information about connection scenarios where the client is behind a router, which they usually are.
Just a little update on my last post. T-Mobile has updated my connection for my wireless card to the 'VPN Data Plan' and my connection now works using the TMO GPRS network. I also turned back on the Windows firewall and reinstalled the virus software (AntiVir) and the connection still works.
I've been following this post due to the fact that it is very similar to my setup. However, where I differ is that my network looks like this:

network ----FVS318----Internet Broadband Modem-----Internet
   ^        ^    ^    ^                      ^
   1        2    3    4                      5

1= Network address Private IP  192.168.168.0
2=FVS318 Lan Address Private IP  192.168.168.1
3=FVS318 WAN address Private IP  172.16.0.13
4=Internet modem LAN address Private IP  172.16.0.254
5=Internet modem WAN address Public  IP   68.166.119.143

I'm trying to set up a VPN to access either from a remote network or from a laptop anywhere. Mostly from the laptop using a dial-up connection. Does having a private IP address on the WAN side of the FVS318 create problems?

This post mostly covers situations where the FVS318 is connected to a router and not to an internet modem that dishes out private IP addresses.
Your setup here, is the same case at my site...

BUT, I was able to ask my ISP to open all ports on my Broadband router (ps. if you have private addresses, you don't own a modem, but a router !)
The only thing left for you to do, is to ask to open ALL ports to your FVS318 private IP, and you should be able (by using some trickery into the Prosafe client) to connect to it !

ps. FVS318 to FVS318 setup, will most likely fail here !!!
Thank you woodmouse for the information. I won't be needing to connect another router, i.e. FVS318 to FVS318. What I will be needing to do is VPN from the outside from both a dial-up connection and possibly from behind another private network. I'll look into contacting my ISP to have them open the door. I did contact them in the very beginning and asked if everything was wide open, and they said yes. What I should have asked was for them to route everything to 172.16.0.13. Right? The reason I thought I had a modem was because that's what it says on it. However, when I Googled its model number "LinkMax HSA300A-2" and came up with an article on "How to switch your modem from router to bridge mode" it was a dead giveaway. I'll keep you posted. Thanks again. Vfret
If you have the login details of your ISP, you'd be better off setting up the LinkMax in bridge mode... this way, you'll save a lot of misery... however, it can be done using the FVS318 behind the other router.
I assume you have ADSL, and that you could be using PPPoE... using your login details... this way, your FVS318 will get a WAN IP address...

This is supported by Netgear, and should set you up in seconds, to make a VPN tunnel using the ProSafe client.

Using the FVS318 behind your router, is not supported by Netgear (but as mentioned before, it is possible using the above setup ~ I'm using it with one customer of ours, and works just fine)
I called Earthstink and not a single soul could perform my request to forward all traffic to a specific IP address or assist me in changing my connection over to bridging.  So I guess Earthstink is out and I'll have to find another ISP to take my money. I guess this is on hold until then.
Update: I decided to give Earthlink another call to see if the next tech support professional in line was any better. After making my request he simply said, and I quote, "No sweat man", and in a very short time we had everything reconfigured in bridging mode. I was paying extra for a static IP address to begin with. I had no idea that changing over to bridging mode would place that static IP on the WAN side of the FVS318. What could be easier than having a public IP on the WAN side of your router? I thought I was going to have to still contend with the internet modem/router. It's like it doesn't even exist now. It looks like everything should configure smoothly now. For a while there I was getting my a$$ handed to me. I'll post back if I have any more problems. Thanks again all. Vfret
Hate to impose, but you guys seem to know what is going on.

I have a netgear fvs318 firewall. I want to set up a vpn. Do I need the client VPN software??? Or does XP have a setting for this.

bman9111 - please post up a new question, and we'll answer it
Hi there, please advise me how to configure a VPN tunnel between the ProSafe VPN client and an FVS318v3 firewall.

I am using an ADSL US Robotics router (USR9108) with a dynamic WAN IP (11.22.33.44) at my office.
After that I installed a Netgear FVS318 firewall, and it is getting a dynamic IP from the US Robotics router in the 172.26.93.0 range, and I have given it a static IP of 192.168.1.1.
My local LAN is in the 192.168.1.0 range.

Internet is working fine in my office.

AT CLIENT SIDE:
Windows XP with an ADSL line which has a dynamic IP (22.33.44.55).
The system has an IP address in the 172.16.33.0 range from the ADSL router.
I installed the Netgear ProSafe VPN client on it.

I have given the complete scenario for my network. Please help me to configure the VPN connection between these two networks, and provide me with a step-by-step method to do it using these IP addresses.