Netgear FVS114 and the netgear VPNClient - How to setup - what's best known working configuration?

Hello, I'm trying to set up a VPN for running a single Telnet-based application between some remote offices and a central site with several PCs and the central server running SCO 5.05. The Netgear VPN client is not establishing a tunnel from the remote to the Netgear FVS114 router which we've configured for VPN. Because the remote clients are using the internet access to go to websites to get some critical info, we set up the client to connect manually. I've tried several permutations of the setup and params, but the router and the client can't seem to get past the first handshake.

We've installed the latest firmware (Version 1.1_01) on the router and we're using version 10.7.2 (Build 12) for the vpnclient.

I'm looking for some comments and guidance from somebody who has either set up this configuration or has been using one that is successfully using the netgear fvs114 with the netgear vpn client.

-  Grant
grant-ellsworthAsked:
Rob WilliamsCommented:
The ProSafe client is not the easiest one to set up for sure. But I have set up several with Netgear FVS318s. I don't know of any specific documentation for that unit but the following links would be similar.
http://kbserver.netgear.com/kb_web_files/n101437.asp
http://kbserver.netgear.com/kb_web_files/n101436.asp
http://kbserver.netgear.com/kb_web_files/n101500.asp
http://kbserver.netgear.com/kb_web_files/n101545.asp

Fairly lengthy set up to list here step by step, but happy to answer any questions.
Keep in mind that the Netgear and the router at the remote site's WAN configuration should have a true public IP. You can use dynamic IPs with a DDNS service, but they should not be private IPs, i.e. behind a NAT modem.
Also, the subnets at opposite ends of the tunnel need to be different.
grant-ellsworthAuthor Commented:
To RobWill - do you know what ports the VPN initiation exchange uses? I think I have a port issue with a firewall between the client and the Netgear FVS114.
Rob WilliamsCommented:
There are no ports that need to be opened on either end. You are connecting to the Netgear directly, so no ports have to be opened or forwarded, that would only be necessary if you were using a VPN server behind the router, such as a Windows VPN. At the remote site, because it is an outgoing connection, again no ports need to be opened or forwarded. However, at the remote site you may need to enable IPSec pass-through on the router.
To answer your question, IPSec uses:
   IKE uses UDP port 500.
   IPSec NAT-T uses UDP port 4500.
   IPSec also uses protocols (not ports) 50 ESP & 51 AH (usually referred to as IPSec pass-through).

When trying to connect you may need to disable or configure firewalls, however the client should show connected to the Netgear regardless.
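The distinction Rob draws above (IKE and NAT-T are UDP ports, ESP and AH are IP protocols with no port at all) is the usual reason a firewall that "has port 500 open" still blocks an IPsec tunnel. The following is an added example, not code from the thread or from Netgear: a small first-match rule evaluator that reports which IPsec components a constructed firewall rule set would drop. Rule names, the `Rule` class and the sample rule sets are assumptions made for the illustration.

```python
# Added example (not from the original thread): model a packet filter in
# front of the VPN endpoint and report which IPsec traffic it would block.
from dataclasses import dataclass
from typing import Optional

# IPsec traffic a firewall in front of the VPN endpoint must pass.
# ESP (IP protocol 50) and AH (IP protocol 51) have no port, hence None.
IPSEC_TRAFFIC = {
    "IKE":   ("udp", 500),
    "NAT-T": ("udp", 4500),
    "ESP":   ("esp", None),
    "AH":    ("ah", None),
}

@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", "esp", "ah" or "any"
    port: Optional[int]   # destination port; None = any port / portless
    action: str           # "allow" or "deny"

def matches(rule: Rule, proto: str, port: Optional[int]) -> bool:
    """A rule matches when its protocol and (if given) port agree."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True

def evaluate(rules, proto, port, default="deny"):
    """First-match evaluation with an implicit default, like most filters."""
    for r in rules:
        if matches(r, proto, port):
            return r.action
    return default

def ipsec_gaps(rules):
    """Return the IPsec components (sorted by name) the rule set blocks."""
    return sorted(name for name, (proto, port) in IPSEC_TRAFFIC.items()
                  if evaluate(rules, proto, port) != "allow")

# Constructed rule set mirroring the thread: only port 500 tcp/udp opened.
PORT_500_ONLY = [Rule("udp", 500, "allow"), Rule("tcp", 500, "allow")]
# Constructed corrected rule set: IKE, NAT-T and both portless protocols.
FULL_IPSEC = PORT_500_ONLY + [Rule("udp", 4500, "allow"),
                              Rule("esp", None, "allow"),
                              Rule("ah", None, "allow")]

if __name__ == "__main__":
    print("port 500 only blocks:", ipsec_gaps(PORT_500_ONLY))  # ['AH', 'ESP', 'NAT-T']
    print("full IPsec blocks:", ipsec_gaps(FULL_IPSEC))        # []
```

The checker is protocol-agnostic, so the same `Rule` list can be extended with whatever your firewall#1 actually permits to see at a glance which leg of the IPsec exchange it still drops.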
grant-ellsworthAuthor Commented:
For RobWill - I was not referring to ports on the Netgear FVS114. I have the following configuration:
---> vpnclient --- firewall#1 --- (pvt intranet) ------ Netgear --- doubly-secured host
What do I need to have open on firewall#1?
------ Thanks for any info.
Rob WilliamsCommented:
>>"What do i need to have open on firewall#1"
Shouldn't have to open anything where it is an outgoing connection. That being said, some firewalls will block that. For example the Windows firewall will usually have a popup saying something to the effect of "application xyz is trying to connect to the Internet, do you wish to block or allow this application". Best if in doubt, to disable the firewall altogether, if you are safely behind a router. Once the connection is made you can re-enable and configure if it is a problem.
grant-ellsworthAuthor Commented:
I think I've confused the issue by an omission. Here is the configuration with the missing elements added ...
---
vpnclient - {router-the cloud-the internet} - firewall#1 --- protected lan level 1 ---- netgear FVS114 (vpn enabled) --- 1 server

Firewall#1 is inbound from "internet"  

If I access the FVS114 from the protected LAN using the VPN client, the vpnclient connects and seems to work; but if I try to come in via the internet into firewall#1, the vpnclient will not connect. What ports do I need to open on firewall#1 besides 500 (for IKE handling)?
Rob WilliamsCommented:
Ah! That adds an important 'ingredient'. I doubt you can get the VPN to work behind firewall#1 using port forwarding. The Netgear needs to be assigned a public IP. Behind the firewall it is likely assigned a private IP. If firewall#1 supports NAT-T and is configurable, such as a Cisco unit, it may be possible. What make and model is firewall#1?
grant-ellsworthAuthor Commented:
Firewall#1 is a Netopia 4652 - NAT NOT enabled. I did find that I had a wrinkle in the setup ... and was indeed able to access thru firewall#1. I actually erred in my diagram. Here is the real scenario ...
vpnclient (on subnet1) ----> w2kserver NIC1 - with ics on nic2 for subnet2
......................................> subnet2 ------> Netgear

When I put vpnclient on subnet2, the vpn connected.
When I put vpnclient on outside link to firewall#1, the vpn worked (I had port 500 tcp/udp open).

So my messy problem has become an issue with Windows2k (not 2k3) ICS.

Any comments on where to and how to configure Winserver2k ICS so it can handle this scenario?
Rob WilliamsCommented:
ICS performs NAT, it is a basic function of ICS. To the best of my knowledge you will need to be on the WAN side of the 2K server.
You show w2k--->subnet2--->netgear.   Does this mean you have a Netgear at that site as well? If so can you not share your network connection with the Netgear rather than ICS?
grant-ellsworthAuthor Commented:
You may have pinned the tail on the hee-haw ...  Subnet1 is the WAN side of the w2k server; Subnet2 is the LAN side.  The Netgear is a firewall/router for another subnet on the LAN side.  Thus we have:
vpnclient --> subnet1 (wan) ---> w2kserver nic1 (ICS) ----> w2kserver nic2 (LAN) ---> subnet2 ---> Netgear FVS114 (Subnet3) ---> the-unix/linux-server-in-the-vault

Notes: ICS on Nic1 is for a pvt subnet on nic2 - the netgear is the router/wall for further lockdown in subnet3.  Later, after this is set up so it works for awhile, I will be moving the netgear/subnet3 to another location where the netgear's wan side will be directly connected to a dsl-modem for internet access.

Comments?
Rob WilliamsCommented:
>>"vpnclient --> subnet1 (wan) ---> w2kserver nic1 (ICS) ----> w2kserver nic2 (LAN) ---> subnet2 ---> Netgear FVS114 "
I would never say something cannot work, because I am always proven wrong, however, to the best of my knowledge it will not work, and cannot be modified to work.
For a VPN to work, as a rule, the VPN device/server should be the first device on the inside of the modem. Some routers and modems can be configured to pass all necessary traffic, and some VPN's can be configured using NAT-T to be behind a router, but ICS had no configurable options.

That being said, it may be possible to disable ICS and enable RRAS (Routing And Remote Access) and configure it to work but I am doubtful. I think that would be your only option, other than the correct one, which is to change the position of the FVS114 within your network and your network configuration.

Do you really need the ICS with a hardware firewall ?
Rob WilliamsCommented:
grant-ellsworth, did you switch the FVS114 position within the network, leave as is, or find another solution? I was kind of curious as to how you would decide to go on this one.
--Rob
grant-ellsworthAuthor Commented:
Hi Robwill. I did not switch the position in the network. The network described did "work" ... sort of. However, this was the incorrect testing environment. To simplify the testing, I modified the network so that the vpn client was on the same subnet as the WAN side of the router based on your commentary (removing one element of complexity). What we determined was that the VPN in the Netgear router + Netgear's VPN client software won't work with our target application. Our target application runs thru Telnet. The vpn firmware in the netgear + the vpn client combo caused telnet to do very funny things - mostly variations of locking up and timing out. I went thru some long long diag sessions with Netgear's tech support. The tech finally concluded that the vpn and telnet were hostile and we would need to upgrade to a different, more expensive router if we wanted to use telnet over the vpn. When we used telnet thru the port forwarding feature of the router to the Linux telnet server on the lan side of the router, everything worked fine - no timeouts, no lockups, etc.
Rob WilliamsCommented:
Interesting results. Normally all services are available through a VPN, however I have seen a few conflicts with different routers and services, though never Telnet. I am quite surprised you were able to get any help from Netgear, they are notoriously bad. :-) That is good to hear, maybe they are improving. There are a lot of reasonably priced commercial routers available, but if you want dependability and support I would recommend Cisco. The Cisco Pix would probably accomplish what you want, and pricing nowadays is not much more than a WatchGuard, Sonicwall, or Netscreen commercial grade router.

As suggested, I didn't think it would work with your existing configuration, but surprised Telnet won't work. Thanks for the update. Good luck with it.
--Rob
Rob WilliamsCommented:
ps- Thanks for the points. I didn't see that in the earlier post.
--Rob
grant-ellsworthAuthor Commented:
Netgear's support worked at the problem pretty thoroughly. But I have a deep suspicion that the techs I talked to didn't have access to all the facts. I found this specific model Netgear router very robust when I deployed it in what must have been a war zone which broke 2 Linksys routers - but that's for a different thread/war story. Thanks for your help!
Rob WilliamsCommented:
Very welcome. Must say I like the Netgear features, but support has only led to frustration.
Cheers.