Netgear FVS114  and the netgear VPNClient - How to setup - what's best known working configuration?

Posted on 2006-05-06
Last Modified: 2012-06-21
Hello, I'm trying to set up a VPN for running a single Telnet-based application between some remote offices and a central site with several PCs and the central server running SCO 5.05. The Netgear VPN client is not establishing a tunnel from the remote to the Netgear FVS114 router, which we've configured for VPN. Because the remote clients are using the internet access to go to websites to get some critical info, we set up the client to connect manually. I've tried several permutations of the setup and params, but the router and the client can't seem to get past the first handshake.

We've installed the latest firmware (Version 1.1_01) on the router and we're using version 10.7.2 (Build 12) for the vpnclient.

I'm looking for some comments and guidance from somebody who has either set up this configuration or has been using one that is successfully using the netgear fvs114 with the netgear vpn client.

-  Grant
Question by:grant-ellsworth

Expert Comment

by:Rob Williams
ID: 16623592
The ProSafe client is not the easiest one to set up, for sure. But I have set up several with Netgear FVS318s. I don't know of any specific documentation for that unit, but the following links would be similar.
http://kbserver.netgear.com/kb_web_files/n101437.asp
http://kbserver.netgear.com/kb_web_files/n101436.asp
http://kbserver.netgear.com/kb_web_files/n101500.asp
http://kbserver.netgear.com/kb_web_files/n101545.asp

Fairly lengthy setup to list here step by step, but happy to answer any questions.
Keep in mind the WAN configuration of the Netgear and of the router at the remote site should have a true public IP. You can use dynamic IPs with a DDNS service, but they should not be private IPs, i.e. behind a NAT modem.
Also, the subnets at opposite ends of the tunnel need to be different.

Author Comment

by:grant-ellsworth
ID: 16626068
To RobWill - do you know what ports the VPN initiation exchange uses? I think I have a port issue with a firewall between the client and the Netgear FVS114.

Expert Comment

by:Rob Williams
ID: 16626099
There are no ports that need to be opened on either end. You are connecting to the Netgear directly, so no ports have to be opened or forwarded; that would only be necessary if you were using a VPN server behind the router, such as a Windows VPN. At the remote site, because it is an outgoing connection, again no ports need to be opened or forwarded. However, at the remote site you may need to enable IPSec pass-through on the router.
To answer your question, IPSec uses:
   IKE uses UDP port 500.
   IPSec NAT-T uses UDP port 4500.
   IPSec also uses protocols (not ports) 50 ESP & 51 AH (usually referred to as IPSec pass-through).

When trying to connect you may need to disable or configure firewalls, however the client should show connected to the Netgear regardless.
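As an added illustration for this answer (not code from the thread or from Netgear), here is a small Python checker that reads firewall drop-log lines in a constructed iptables-style format and reports which of the IPSec components listed above (IKE on UDP 500, NAT-T on UDP 4500, ESP protocol 50, AH protocol 51) a firewall sitting between the client and the FVS114 is blocking. The log lines and their format are constructed samples.

```python
"""Classify firewall drop-log lines to see which IPSec components are blocked.
Added illustration for this thread; the log format is a constructed
iptables-style line, not output from any specific product."""
import re
from collections import Counter

# IPSec building blocks from the answer above: IKE on UDP/500,
# NAT-T on UDP/4500, and the ESP (50) / AH (51) IP protocols.
IPSEC_COMPONENTS = {
    ("UDP", 500): "IKE (UDP 500)",
    ("UDP", 4500): "IPSec NAT-T (UDP 4500)",
    ("ESP", None): "ESP (IP protocol 50)",
    ("AH", None): "AH (IP protocol 51)",
}
# Some loggers print the raw protocol number instead of a name.
PROTO_NUMBERS = {50: "ESP", 51: "AH"}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\b.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "kernel: FW DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500",
    "kernel: FW ACCEPT IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=4500 DPT=4500",
    "kernel: FW DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=ESP",
    "kernel: FW DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=51",
    "kernel: FW DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=23",
]

def classify(line):
    """Return (action, component) for an IPSec-related line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = m.group("proto").upper()
    if proto.isdigit():
        proto = PROTO_NUMBERS.get(int(proto), proto)
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    # Only UDP is matched by port; ESP/AH are whole IP protocols.
    key = (proto, dpt) if proto == "UDP" else (proto, None)
    component = IPSEC_COMPONENTS.get(key)
    return (m.group("action"), component) if component else None

def blocked_ipsec_components(lines):
    """Count dropped packets per IPSec component; each key is a rule to add."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result and result[0] == "DROP":
            counts[result[1]] += 1
    return dict(counts)
```

Run against a real drop log, every component reported is something the intermediate firewall must pass before the client can complete the IKE handshake and carry ESP traffic.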

Author Comment

by:grant-ellsworth
ID: 16626307
For RobWill - I was not referring to ports on the Netgear FVS114. I have the following configuration:
---> vpnclient --- firewall#1 --- (pvt intranet) ------ Netgear --- doubly-secured host
What do I need to have open on firewall#1?
------ Thanks for any info.

Expert Comment

by:Rob Williams
ID: 16626327
>>"What do i need to have open on firewall#1"
Shouldn't have to open anything where it is an outgoing connection. That being said, some firewalls will block that. For example, the Windows firewall will usually have a popup saying something to the effect of "application xyz is trying to connect to the Internet, do you wish to block or allow this application". Best, if in doubt, to disable the firewall altogether, if you are safely behind a router. Once the connection is made you can re-enable and configure it if it is a problem.

Author Comment

by:grant-ellsworth
ID: 16626579
I think I've confused the issue by an omission. Here is the configuration with the missing elements added ...
---
vpnclient - {router-the cloud-the internet} - firewall#1 --- protected lan level 1 ---- netgear FVS114(vpn enabled)  --- 1 server

Firewall#1 is inbound from the "internet".

If I access the FVS114 from the protected LAN using the VPN client, the vpnclient connects and seems to work; but if I try to come in via the internet into firewall#1, the vpnclient will not connect. What ports do I need to open on firewall#1 besides 500 (for IKE handling)?

Expert Comment

by:Rob Williams
ID: 16627302
Ah! That adds an important 'ingredient'. I doubt you can get the VPN to work behind firewall#1 using port forwarding. The Netgear needs to be assigned a public IP. Behind the firewall it is likely assigned a private IP. If firewall#1 supports NAT-T and is configurable, such as a Cisco unit, it may be possible. What make and model is firewall#1?

Author Comment

by:grant-ellsworth
ID: 16627559
Firewall#1 is a Netopia 4652 - NAT NOT enabled. I did find that I had a wrinkle in the setup ... and was indeed able to access through firewall#1. I actually erred in my diagram. Here is the real scenario ...
vpnclient (on subnet1) ----> w2kserver NIC1 - with ics on nic2 for subnet2
......................................> subnet2 ------> Netgear

When I put the vpnclient on subnet2, the VPN connected.
When I put the vpnclient on the outside link to firewall#1, the VPN worked (I had port 500 tcp/udp open).

So my messy problem has become an issue with Windows 2000 (not 2003) ICS.

Any comments on where and how to configure Windows Server 2000 ICS so it can handle this scenario?

Expert Comment

by:Rob Williams
ID: 16627596
ICS performs NAT; it is a basic function of ICS. To the best of my knowledge you will need to be on the WAN side of the 2K server.
You show w2k--->subnet2--->netgear. Does this mean you have a Netgear at that site as well? If so, can you not share your network connection with the Netgear rather than ICS?

Author Comment

by:grant-ellsworth
ID: 16630104
You may have pinned the tail on the hee-haw ...  Subnet1 is the WAN side of the w2k server; Subnet2 is the LAN side.  The Netgear is a firewall/router for another subnet on the LAN side.  Thus we have:
vpnclient --> subnet1 (wan) ---> w2kserver nic1 (ICS) ----> w2kserver nic2 (LAN) ---> subnet2 ---> Netgear FVS114 (Subnet3) ---> the-unix/linux-server-in-the-vault

Notes: ICS on NIC1 is for a pvt subnet on NIC2 - the Netgear is the router/wall for further lockdown in subnet3. Later, after this is set up so it works for a while, I will be moving the netgear/subnet3 to another location where the Netgear's WAN side will be directly connected to a DSL modem for internet access.

Comments?

Accepted Solution

by:Rob Williams (earned 750 total points)
ID: 16630338
>>"vpnclient --> subnet1 (wan) ---> w2kserver nic1 (ICS) ----> w2kserver nic2 (LAN) ---> subnet2 ---> Netgear FVS114 "
I would never say something cannot work, because I am always proven wrong; however, to the best of my knowledge it will not work, and cannot be modified to work.
For a VPN to work, as a rule, the VPN device/server should be the first device on the inside of the modem. Some routers and modems can be configured to pass all necessary traffic, and some VPNs can be configured using NAT-T to be behind a router, but ICS has no configurable options.

That being said, it may be possible to disable ICS and enable RRAS (Routing And Remote Access) and configure it to work, but I am doubtful. I think that would be your only option, other than the correct one, which is to change the position of the FVS114 within your network and your network configuration.

Do you really need the ICS with a hardware firewall?

Expert Comment

by:Rob Williams
ID: 16757087
grant-ellsworth, did you switch the FVS114 position within the network, leave as is, or find another solution? I was kind of curious as to how you would decide to go on this one.
--Rob

Author Comment

by:grant-ellsworth
ID: 16757387
Hi Robwill. I did not switch the position in the network. The network described did "work"... sort of. However, this was the incorrect testing environment. To simplify the testing, I modified the network so that the VPN client was on the same subnet as the WAN side of the router, based on your commentary (removing one element of complexity). What we determined was that the VPN in the Netgear router + Netgear's VPN client software won't work with our target application. Our target application runs through Telnet. The VPN firmware in the Netgear + the VPN client combo caused Telnet to do very funny things - mostly variations of locking up and timing out. I went through some long, long diag sessions with Netgear's tech support. The tech finally concluded that the VPN and Telnet were hostile and we would need to upgrade to a different, more expensive router if we wanted to use Telnet over the VPN. When we used Telnet through the port forwarding feature of the router to the Linux Telnet server on the LAN side of the router, everything worked fine - no timeouts, no lockups, etc.

Expert Comment

by:Rob Williams
ID: 16757419
Interesting results. Normally all services are available through a VPN; however, I have seen a few conflicts with different routers and services, though never Telnet. I am quite surprised you were able to get any help from Netgear, they are notoriously bad. :-) That is good to hear, maybe they are improving. There are a lot of reasonably priced commercial routers available, but if you want dependability and support I would recommend Cisco. The Cisco PIX would probably accomplish what you want, and pricing nowadays is not much more than a WatchGuard, SonicWall, or Netscreen commercial-grade router.

As suggested, I didn't think it would work with your existing configuration, but I am surprised Telnet won't work. Thanks for the update. Good luck with it.
--Rob

Expert Comment

by:Rob Williams
ID: 16757425
ps- Thanks for the points. I didn't see that in the earlier post.
--Rob

Author Comment

by:grant-ellsworth
ID: 16757465
Netgear's support worked at the problem pretty thoroughly. But I have a deep suspicion that the techs I talked to didn't have access to all the facts. I found this specific model Netgear router very robust when I deployed it in what must have been a war zone which broke 2 Linksys routers - but that's for a different thread/war story. Thanks for your help!

Expert Comment

by:Rob Williams
ID: 16757476
Very welcome. Must say I like the Netgear features, but support has only led to frustration.
Cheers.