Solved

Netgear FVG318 - Lose LAN connection when VPN tunnel enabled

Posted on 2006-05-25
Last Modified: 2008-01-09
I have a Netgear FVG318 Wireless VPN Firewall. I have a few problems that don't make sense. What I did was I set up VPN using the wizard so my IKE was built and VPN was built. I had to make some changes to the Client VPN tunnel so that it would agree with my client Netgear ProSafe VPN Client. No matter what I did I could not connect. I then set up a manual VPN tunnel using the same IKE as the Client VPN tunnel and was able to get the client to connect. I could ping the network and thought everything was fine. However, come to find out, the clients on the LAN now can't see the router and therefore cannot connect to the internet.

This whole process has been a nightmare for me. The Netgear manual is useless. Maybe I'm missing something. I don't know what I'm doing wrong. Please help. I realize my description is a bit vague, but I'm not even sure where to begin with giving information.

Question by:afitzgib
28 Comments
 
LVL 3

Expert Comment

by:JJT2750
ID: 16761264
Are you using the VPN for Wireless connectivity or are you VPNing from the internet?  You wouldn't happen to be on a DSL connection would you?
 

Author Comment

by:afitzgib
ID: 16761459
I'm not using the wireless at all. I'm VPNing from the internet. Basically, when I enable the VPN Policy (not the VPN Client Policy) I can connect to the network remotely. I can connect to the servers fine (had to set up the hosts file for DNS resolution). Even if I'm not connected via VPN I can load web pages, check email, etc.; everything is normal. All incoming traffic is fine. But if I enable the tunnel, all outgoing traffic is blocked. Anyone connected to the LAN that uses the router to access the internet cannot get out. You cannot ping the router or anything. Turn the tunnel off and everything returns to normal.

I do have a DSL line coming into the facility. With a Dedicated IP address.
 
LVL 3

Expert Comment

by:JJT2750
ID: 16761488
What kind of a DSL modem is it?  Is it a Westell 6110?

 

Author Comment

by:afitzgib
ID: 16762015
I'm not sure at the moment, I will get that information. Although I'm not that sure what the modem has to do with it. Like I said, everything is fine until I enable the VPN tunnel. Could you explain why you think the modem is an issue? I'm not criticising and I appreciate the help, I just want to understand more about this and learn from you.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16762352
I suspect the problem is the VPN client software is forcing you to use the remote gateway.
You should be able to resolve by:
-open the "Security Policy Editor" for the client
-expand the connection
-click on My Identity and next to "Virtual Adapter"  see if disabled, preferred, or required
-if disabled, choose either of the others
-go to Control panel | Network connections | Right click on the virtual SafeNet (or ProSafe) adapter and choose properties
-go to Networking | TCP/IP properties | advanced | General | uncheck "use default gateway on remote network"
 

Author Comment

by:afitzgib
ID: 16762471
Thanks for the info, I'm not sure if we are talking about the same thing. On the router, when the VPN tunnel is enabled, any incoming traffic from the web behaves normally. All outgoing traffic from the LAN is blocked. If I disable the tunnel on the router then outgoing traffic resumes.

Although you might be helping me with my other problem, which is this. In the Netgear configuration page on the router, there are two VPN configurations: the VPN Policies and the VPN Client Policies. I can get VPN Policies to work but then have the problem above, but if I set the VPN Client Policies to the exact same settings as the VPN Policies I get LAN access to the web, but my remote client cannot connect. I get this in the log:

 5-25: 13:18:29.843
 5-25: 13:18:29.968 My Connections\NETGEAR_VPN_router - Initiating IKE Phase 1 (IP ADDR=64.65.241.111)
 5-25: 13:18:32.062 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 5-25: 13:18:33.546 My Connections\NETGEAR_VPN_router - RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, NAT-D 2x, VID 2x)
 5-25: 13:18:33.546 My Connections\NETGEAR_VPN_router - Peer is NAT-T draft-02 capable
 5-25: 13:18:33.546 My Connections\NETGEAR_VPN_router - NAT is detected for Client
 5-25: 13:18:33.546 My Connections\NETGEAR_VPN_router - Floating to IKE non-500 port
 5-25: 13:18:35.875 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_INITIAL_CONTACT)
 5-25: 13:18:35.875 My Connections\NETGEAR_VPN_router - Established IKE SA
 5-25: 13:18:35.875    MY COOKIE 87 a9 b3 ac 41 7e 36 f8
 5-25: 13:18:35.875    HIS COOKIE fd 8d c2 8b fc 65 f 4f
 5-25: 13:18:36.390 My Connections\NETGEAR_VPN_router - Initiating IKE Phase 2 with Client IDs (message id: 99D44A33)
 5-25: 13:18:36.390   Initiator = IP ADDR=192.168.1.102, prot = 0 port = 0
 5-25: 13:18:36.390   Responder = IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 port = 0
 5-25: 13:18:36.390 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
 5-25: 13:18:51.390 My Connections\NETGEAR_VPN_router - QM re-keying timed out (message id: 99D44A33). Retry count: 1
 5-25: 13:18:51.390 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 5-25: 13:19:06.390 My Connections\NETGEAR_VPN_router - QM re-keying timed out (message id: 99D44A33). Retry count: 2
 5-25: 13:19:06.390 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 5-25: 13:19:21.390 My Connections\NETGEAR_VPN_router - QM re-keying timed out (message id: 99D44A33). Retry count: 3
 5-25: 13:19:21.390 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK QM *(Retransmission)
 5-25: 13:19:36.390 My Connections\NETGEAR_VPN_router - Exceeded 3 re-keying attempts (message id: 99D44A33)
 5-25: 13:19:36.390 My Connections\NETGEAR_VPN_router - Disconnecting IKE SA negotiation
 5-25: 13:19:36.390 My Connections\NETGEAR_VPN_router - Deleting IKE SA (IP ADDR=64.65.241.111)
 5-25: 13:19:36.390    MY COOKIE 87 a9 b3 ac 41 7e 36 f8
 5-25: 13:19:36.390    HIS COOKIE fd 8d c2 8b fc 65 f 4f
 5-25: 13:19:36.437 My Connections\NETGEAR_VPN_router - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)


Regarding the ProSafe adapter in the network connections, there isn't one there.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16762567
>>"I'm not sure if we are talking about the same thing."
I agree  :-)

You mentioned; "was able to get the client to connect. I could ping the network and thought everything was fine. However come to find out, the clients on the LAN now can't see the router and therefor cannot connect to the internet."
....which is the problem I was trying to diagnose.

However; "On the Router, when the VPN tunnel is enabled, any incoming traffic from the web behaves normally. All outgoing traffic from the LAN is blocked. If I disable the tunnel on the router then outgoing traffic resumes."
....sounds different.

The problem I was describing the solution for is:
A remote user connects to the office using the ProSafe VPN client. They can access all corporate resources over the VPN but so long as the VPN is connected they cannot connect to the Internet or any local network devices.

When you refer to "when the VPN tunnel is enabled" are you talking about a site to site hardware tunnel?
and what do you mean by incoming and outgoing traffic. To have information come in a request has to go out, so I'm not sure we are on the same wavelength.  

The virtual adapter may not have been created when the client was installed. Seems to me enabling it in the Security Policy Editor will force its creation, though it may require a reboot. However, it seems that may not be the issue.
 

Author Comment

by:afitzgib
ID: 16762953
Ok, let's see if I can make it a little more clear.

On the Netgear router, there are two VPN tunnel settings; I assume one is for gateway to gateway and one is for gateway to client. Take the VPN clients out of the mix for a second. I created two identical VPN tunnel settings, one in the gateway to gateway and one in the gateway to client. When I enable the gateway to gateway profile, all computers physically connected to the Netgear router can't connect to the internet, all incoming traffic is fine and VPN clients can connect. The clients on the LAN are not using any VPN software, they are there physically with ethernet cables attached to the router.

When I enable the gateway to client profile, traffic is fine both ways, but I get the above problem with retransmissions on the ProSafe client, so VPN clients cannot connect.

Basically I've got two problems. If I can solve either one, I should be good to go. Either make the VPN tunnel work and allow wired LAN clients to connect to the web, or get the client VPN tunnels to connect.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16763113
A light is starting to shine, I'm catching up.  :-)
So you would be happy to have the gateway to gateway connection to your remote site working, right ?
I would disable for now the client configuration for simplicity.
Next, any chance the two sites are using the 192.168.1.x subnet? They must be different or you will have major routing issues. You will need to have 1 site 192.168.1.0 or similar and the other something like 192.168.2.0

For the record, you are aware that you cannot initiate a client to any VPN gateway when a gateway to gateway connection is established? In other words, if the gateway to gateway tunnel between the two sites is up and running, a client cannot use an IPSec VPN client from either site to any gateway. IPSec is in use and cannot be used for 2 purposes. However, a client from a 3rd site can connect using the client software. Thus the client to gateway configuration is ideal for someone like a traveling sales person connecting to the office.
 

Author Comment

by:afitzgib
ID: 16763236
Ok, this IPsec stuff is all new to me, I've used PPTP for years with no problems. Here is my goal and maybe you can point me in the correct direction. I need to be able to have multiple computers connect via VPN to my LAN from various remote locations, regardless of the subnet.

I guess I need to get the client to gateway service up and running. So can we proceed to try to solve that problem and let's drop the gateway to gateway one, as that will not satisfy my ultimate needs.

My SOHO LAN that I'm trying to connect to is on the 192.168.1.x network. I have the log file from above that I run into regardless of what IP my system has when connecting via VPN. At this very moment my system is on the 192.168.1.x network at a different location, I can understand the issue with routing, however I have the same issue when I change the IP subnet, such as at another location where I have it on the 10.181.252.x subnet.
 
LVL 78

Accepted Solution

by:Rob Williams (earned 1000 total points)
ID: 16764026
A little theory to help explain. You may be quite familiar with this, but if not, it is good to understand why....
The IP issue is this. If a local network uses 192.168.1.0 for example and the remote network uses the same, any routing does not know where to send the packets, to the local or the remote network, and they are lost. With a default PPTP client connection, as with the ProSafe Client (in DEFAULT configuration), it forces ALL traffic through its virtual adapter to the remote network and it is not usually an issue. However, disable the "default gateway option" in my first post, and again you have a routing issue. So, rule of thumb, the two ends of a tunnel always have to be on different subnets.
Because you "need to be able to have multiple computers connect via VPN to my LAN from various remote locations, regardless of the subnet", do not use a common subnet for the office to which they will be connecting. This avoids any chance of a conflict down the road. 192.168.0.0, 192.168.1.0, 192.168.100.0, 10.0.0.0, and 10.0.1.0 are all extremely common as they are the defaults for many systems, so I would recommend avoiding any of those. Something like your 10.181.252.x is ideal.

You can easily have the gateway to gateway configuration as well as client to gateway, it's just no user (not router) can use both simultaneously. The gateway to gateway is the proper configuration to connect 2 VPN routers at different sites, and use the client to gateway for the remote/traveling users who will not be behind one of the VPN hardware tunnels.

As for the problem.
In your log file was:
5-25: 13:18:36.390   Initiator = IP ADDR=192.168.1.102, prot = 0 port = 0
5-25: 13:18:36.390   Responder = IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 port = 0
which indicates both ends of the tunnel were 192.168.1.0, and the time out errors followed that.

If you would prefer to get the client to gateway working for now, disable the gateway to gateway.
Where there are so many parameters it is hard to locate the problem without seeing it. Is it possible for you to post a screen shot of the IKE policy and VPN policy pages? Or you can send a copy to the e-mail on my profile (click on RobWill).
However, please blank out your public IP address for security reasons.
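The overlap Rob points out above can be checked mechanically from the client's own log. This is an added example, not code from the thread or from Netgear: it parses the Phase 2 identity lines quoted in the question, builds the client's network from the initiator address plus an assumed client-side mask (the log only shows the host address), and reports whether it overlaps the remote LAN and whether the remote LAN is one of the common default ranges the answer recommends avoiding.

```python
"""Detect the 'same subnet at both ends of the tunnel' condition from a
ProSafe/SafeNet client log (added example, not the original page's code)."""
import ipaddress
import re

# Constructed sample: the two Phase 2 ID lines quoted in the thread.
SAMPLE_LOG = """\
 5-25: 13:18:36.390   Initiator = IP ADDR=192.168.1.102, prot = 0 port = 0
 5-25: 13:18:36.390   Responder = IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 port = 0
"""

# Default ranges the accepted answer lists as ones to avoid for an office LAN.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24",
    "10.0.0.0/24", "10.0.1.0/24")]

INITIATOR_RE = re.compile(r"Initiator = IP ADDR=(\d+\.\d+\.\d+\.\d+)")
RESPONDER_RE = re.compile(
    r"Responder = IP SUBNET/MASK=(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def parse_phase2(log_text):
    """Return (initiator_ip, responder_network) from the Phase 2 ID lines."""
    init = INITIATOR_RE.search(log_text)
    resp = RESPONDER_RE.search(log_text)
    if not init or not resp:
        raise ValueError("Phase 2 identity lines not found in log")
    initiator = ipaddress.ip_address(init.group(1))
    # strict=False: the log gives a dotted mask, not a prefix length.
    responder = ipaddress.ip_network(f"{resp.group(1)}/{resp.group(2)}", strict=False)
    return initiator, responder


def check_subnet_conflict(client_ip, client_mask, remote_network):
    """Report whether the client's LAN overlaps the remote LAN behind the tunnel.

    client_mask is an assumption supplied by the caller: the client log shows
    only the host address, not the size of the network the client sits on."""
    client_net = ipaddress.ip_network(f"{client_ip}/{client_mask}", strict=False)
    remote_net = ipaddress.ip_network(str(remote_network))
    return {
        "client_lan": str(client_net),
        "remote_lan": str(remote_net),
        "overlap": client_net.overlaps(remote_net),
        "remote_is_common_default": remote_net in COMMON_DEFAULTS,
    }


def analyse_log(log_text, client_mask="255.255.255.0"):
    """Parse the log and run the conflict check with an assumed /24 client mask."""
    initiator, responder = parse_phase2(log_text)
    return check_subnet_conflict(initiator, client_mask, responder)


if __name__ == "__main__":
    result = analyse_log(SAMPLE_LOG)
    print(result)
    if result["overlap"]:
        print("Client LAN and remote LAN share an address range; "
              "packets for the remote side cannot be told apart from local ones.")
```

Running it against the quoted log flags the 192.168.1.0/24 overlap; the same check with a client on 10.181.252.x reports no overlap, matching the answer's recommendation.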
 
LVL 3

Expert Comment

by:JJT2750
ID: 16765885
Is your D-Link in router or gateway mode? If it is in router mode, change it over to gateway mode and see if that fixes the problem. I just went through this at a customer site and making the change fixed the problem.

Good Luck
 

Author Comment

by:afitzgib
ID: 16766013
It's a Netgear router, not a D-Link.
 
LVL 3

Expert Comment

by:JJT2750
ID: 16766060
Oh, sorry about that, same question though: can you change it from router mode to gateway mode? Also, on the Netgears turn RIP on. Your VPN client is telling your PC to use the far end gateway to get out to the internet; it can't get there because it doesn't know the route. Try gateway mode with RIP on.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16775363
I assume no response to "Is it possible for you to post a screen shot" is a no.
--Rob
 

Author Comment

by:afitzgib
ID: 16775571
Rob, I sent an email to you with the screen shots. At this point I'm prepared to start from scratch as far as settings. If you can refer me to a site, or some directions better than the manual's, perhaps something that outlines the setup in a nice easy manner, that would be great.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16775603
Sorry afitzgib, I didn't get the e-mail. I checked deleted folders, junk mail etc. in case I accidentally lost it. Address is working, I just received a couple of messages. Perhaps you could try again.

There is no question it is a nuisance to set up, but it works well and once you have done a couple it only takes 10-15 minutes to do the router and client. The best online references I have seen are:
http://kbserver.netgear.com/kb_web_files/n101436.asp
http://www.vpncasestudy.com/casestudy/FVM318/v21/casestudy.html
 

Author Comment

by:afitzgib
ID: 16777777
Thank you for the info. Part of my problem is that all the resources I find are for the FVM318 and I've got an FVG318, which has a somewhat different interface and seems a bit more complex. I was able to get the client to connect for phase 1, I guess; I get the SafeNet adapter to connect, and it shows up as connected in the network connections. I still get the SENDING>>>> ISAKMP OAK QM *(Retransmission) issue in what I assume is Phase 2.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16777813
I haven't seen anything specifically referencing the FVG318 either, although I would have thought the IKE policy and VPN policy pages would have been the same. As for the error, there are too many possible issues to diagnose from just that. I assume since "sending", that is from the client log. Does the router log show any "received from" messages?
 
LVL 3

Expert Comment

by:JJT2750
ID: 16783773
If you are using the router for DHCP, do you have your provider's DNS entries in the DHCP template? This entry would normally be on the page where you set up DHCP. When the tunnel is closed everything gets forwarded out the default route. It sounds like once you open the tunnel your default route gets lost.
 

Author Comment

by:afitzgib
ID: 16784256
I have a separate DHCP server. My router has my provider's DNS in it, but my DHCP server is set up to pass out my internal DNS servers. I have seen on some VPN routers that they have to be the one passing out DHCP; is that true of this one?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16784470
Better to have the server manage DHCP, gives you far more options.
If using router to router both have assigned IPs anyway, and if doing client to router, in the client Security Policy Editor, under the policy, "My Identity", set the virtual adapter to disabled, and there is no need to configure DHCP. If you wish to enable it, doing so will allow you to specify a LAN IP within the client as per Figure 1.3:
http://homepage.mac.com/xtremeracingteam/casestudy/study101/HowtoFVS318v24_VPNclient.pdf
 
LVL 3

Expert Comment

by:JJT2750
ID: 16785305
Let me see if I have this straight: you have set up your VPN client and connect to your network, so that means your tunnel is working fine. When the tunnel is up your users cannot get to the internet, but when you drop the tunnel your users can get to the internet. Is that pretty much the problem?
 

Author Comment

by:afitzgib
ID: 17034752
Please close this question. I've not solved my problem, simply given up on it.
 

Author Comment

by:afitzgib
ID: 17095897
Naser72, I'm sorry, I'm new to this and didn't quite realize that I need to resolve this as far as closing the question. RobWill and JJT2750 gave help, but I never solved my problem. How should I proceed? I am willing to give points because they helped, but I really can't accept an answer.
 

Author Comment

by:afitzgib
ID: 17096153
I've been told to post this: Please close this question. I gave up on the Netgear router for my VPN solution and went with PPTP through my Windows server.
 
LVL 15

Expert Comment

by:Naser Gabaj
ID: 17099790
Sorry for not coming to you on time, I've been away from my office for a while.

Re-your comment:

>>I am willing to give point because they helped but I really can't accept an answer.
All you need to do is press the ACCEPT button, which is above the comment of the expert you feel helped you.

Here is more info:

http://www.experts-exchange.com/help.jsp#hi68

Good luck.

Naser

CV Networking
 
LVL 78

Expert Comment

by:Rob Williams
ID: 17103762
Thanks afitzgib, I appreciate that.
--Rob