Solved

Netgear Prosafe Client to Netgear FVS318 Router Setup

Posted on 2006-06-08
33
6,396 Views
Last Modified: 2008-01-09
I have read the session listed in "cannot establish connection between FVS318 and Prosafe Client" and have applied suggestions to my own configuration.

I have a curious situation in which, when attempting to connect via the prosafe client configuration...

1.  the netsafe virtual adapter is connected successfully and I can ping devices on the local lan behind the router with immediate success (response times<1ms)

2.  the VPN client never establishes the connection, despite attempting to do so for a considerable time.

3.   the virtual adapter connection disconnects immediately after the VPN connection finally gives up trying to establish a connection.

I would be most grateful if someone could provide me with both the applicable explanation as to this behavioral characteristic of the VPN as well as an information on how to correct the problem and eventually logon to the PDC on the local lan.

Thank you in anticipation of your assistance in this matter.

truebluerra
0
Question by:truebluerra
33 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16865353
Sorry truebluerra, but I don't understand. You say "netsafe virtual adapter is connected successfully" but then you also say "VPN client never establishes the connection". These are one and the same. Are you possibly trying to use the Windows VPN client as well, or something similar? If the netsafe virtual adapter connects and you can ping a device on the remote end you should be connected and able to access remote resources without doing anything further. For example, can you view a share using the IP address of the remote computer, such as \\192.168.0.1\ShareName ?
0
 

Author Comment

by:truebluerra
ID: 16865818
What happens is as follows ...

Upon selecting the connect option from the Prosafe Client icon on the taskbar ...

The pop-up window for the VPN connection is displayed onscreen which indicates that it is attempting to establish the connection to the fvs318.

At the taskbar, the popup for the virtual adapter is displayed showing a successful connection at 10.4 Mbps.

The VPN connection popup continues to attempt to connect ...

I am able to ping various network devices behind the router.

After several minutes the VPN connection popup states that it is unable to establish a connection.

Within 30 seconds, the virtual adapter icon on the taskbar disappears and the connection is lost.

I am unable to logon to the PDC behind the router and therefore have been unable to verify any shares on that server.

In addition, I receive no logging information on the VPN connection log and the VPN monitor never indicates a local ip address, just 0.0.0.0.

Thank you for your prompt response.

Any assistance would be much appreciated.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16869797
truebluerra, may be a little hard to diagnose "blindfolded" but sounds like phase 1 may be complete but not phase 2. Try connecting and then, possibly with the router's remote management enabled, have a look at the VPN status page, and then click on the VPN status button and see if it reveals anything. It may show something like "Phase 1: M-ESTABLISHED / Phase 2: IDLE". Might help to shed some light on things. Also you could close the connection, clear the log, try to connect again, refresh the log, and then copy and paste the results here. Best you block out the last 2 octets of any public addresses for security such as 66.123.x.x
0
 

Author Comment

by:truebluerra
ID: 16870578
As requested, please find listed below the VPN Status Log from the Router.  As mentioned before, I receive no message logging on the VPN Client side.

[2006-06-09 10:03:37][==== IKE PHASE 1(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:03:37]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-06-09 10:03:37]<POLICY: > PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,VID,VID,VID,VID,VID
[2006-06-09 10:03:37]<LocalRID> Type=ID_FQDN,ID DATA=XXXXXX
[2006-06-09 10:03:37]<RemoteLID> Type=ID_FQDN,ID DATA=XXXXXX
[2006-06-09 10:03:40]<POLICY: XXXXXX> PAYLOADS: SA,PROP,TRANS,KE,NONCE,ID,HASH,VID,NATD,NATD,NATD
[2006-06-09 10:03:40]**** SENT OUT SECOND MESSAGE OF AGGR MODE ****
[2006-06-09 10:03:40]**** RECEIVED  THIRD MESSAGE OF AGGR MODE ****
[2006-06-09 10:03:40]<POLICY: XXXXXX> PAYLOADS: HASH,NATD,NATD,NOTIFY
[2006-06-09 10:03:40]**** AGGR MODE COMPLETED ****
[2006-06-09 10:03:40][==== IKE PHASE 1 ESTABLISHED====]
[2006-06-09 10:03:41][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:03:41]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:03:41]<POLICY: XXXXXX> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-06-09 10:03:41]**** FOUND IDs,EXTRACT ID INFO ****
[2006-06-09 10:03:41]<Initiator IPADDR=209.XX.XX.XX>
[2006-06-09 10:03:41]<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>
[2006-06-09 10:04:24][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:04:24]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:04:24]<POLICY: XXXXXX> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-06-09 10:04:24]**** FOUND IDs,EXTRACT ID INFO ****
[2006-06-09 10:04:24]<Initiator IPADDR=209.XX.XX.XX>
[2006-06-09 10:04:24]<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>

[2006-06-09 10:05:03]<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>
[2006-06-09 10:05:45][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:05:45]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:05:45]<POLICY: XXXXXX> PAYLOADS: HASH,SA,PROP,TRANS,NONCE,KE,ID,ID
[2006-06-09 10:05:45]**** FOUND IDs,EXTRACT ID INFO ****
[2006-06-09 10:05:45]<Initiator IPADDR=209.XX.XX.XX>
[2006-06-09 10:05:45]<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>
[2006-06-09 10:06:27]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

At this point the attempted connection is aborted with the message that the Client has failed to complete the connection.  It would appear that Phase 2 is not established at this point.

As before, any assistance you may be able to provide would be greatly appreciated.

truebluerra
0
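The router log above shows Phase 1 completing and then three Quick Mode attempts that each stop right after the IDs are extracted, with no "SENT OUT SECOND MESSAGE OF QUICK MODE" line. The following Python script is an added example, not part of the original thread or any Netgear tool: it reads log lines in the FVS318 format quoted above (the sample is constructed from the lines in this post and the manual excerpt quoted later in the thread) and reports whether the tunnel stalled in Phase 1, stalled in Phase 2 before the responder replied, or came up. The string matches are assumed from the quoted log text.

```python
"""Summarise an FVS318-style IKE status log: did Phase 1 and Phase 2 complete?

Added example; the log samples below are constructed from the lines quoted
in the thread, with the same XX masking the poster used.
"""
import re
from dataclasses import dataclass

# Constructed sample: the failing exchange quoted in the thread (abridged).
FAILING_LOG = """\
[2006-06-09 10:03:37][==== IKE PHASE 1(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:03:37]**** RECEIVED  FIRST MESSAGE OF AGGR MODE ****
[2006-06-09 10:03:40]**** AGGR MODE COMPLETED ****
[2006-06-09 10:03:40][==== IKE PHASE 1 ESTABLISHED====]
[2006-06-09 10:03:41][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:03:41]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:03:41]<Initiator IPADDR=209.XX.XX.XX>
[2006-06-09 10:03:41]<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>
[2006-06-09 10:04:24][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:04:24]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:05:45][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 10:05:45]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 10:06:27]**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****
"""

# Constructed sample: what a successful Phase 2 looks like per the manual
# excerpt quoted later in the thread.
SUCCESS_LOG = """\
[2006-06-09 11:00:00][==== IKE PHASE 1 ESTABLISHED====]
[2006-06-09 11:00:01][==== IKE PHASE 2(from 69.72.XX.XX) START (responder) ====]
[2006-06-09 11:00:01]**** RECEIVED  FIRST MESSAGE OF QUICK MODE ****
[2006-06-09 11:00:01]****** SENT OUT SECOND MESSAGE OF QUICK MODE ******
[2006-06-09 11:00:02]****** RECEIVED THIRD MESSAGE OF QUICK MODE ********
[2006-06-09 11:00:02]****** QUICK MODE COMPLETED ******
[2006-06-09 11:00:02][****** IKE PHASE 2 ESTABLISHED ******]
"""

# Every line starts with a bracketed timestamp; the rest is free text.
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\](.*)$")


@dataclass
class IkeSummary:
    phase1_established: bool = False
    phase2_attempts: int = 0
    responder_replied_quick_mode: bool = False
    phase2_established: bool = False
    diagnosis: str = ""


def summarize_ike_log(text: str) -> IkeSummary:
    """Walk the log once and classify the outcome of the negotiation."""
    s = IkeSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a timestamped log line
        body = m.group(2)
        if "IKE PHASE 1 ESTABLISHED" in body:
            s.phase1_established = True
        elif "IKE PHASE 2" in body and "START" in body:
            s.phase2_attempts += 1  # each client retry opens a new Quick Mode
        elif "SENT OUT SECOND MESSAGE OF QUICK MODE" in body:
            s.responder_replied_quick_mode = True
        elif "IKE PHASE 2 ESTABLISHED" in body:
            s.phase2_established = True

    if not s.phase1_established:
        s.diagnosis = ("Phase 1 never established: check pre-shared key, "
                       "exchange mode, local/remote ID types and the Phase 1 proposal")
    elif s.phase2_established:
        s.diagnosis = "Tunnel established (Phase 1 and Phase 2 complete)"
    elif s.phase2_attempts and not s.responder_replied_quick_mode:
        s.diagnosis = (f"Phase 2 stalled after {s.phase2_attempts} Quick Mode attempt(s): "
                       "the responder never sent its second message, so the proposal "
                       "or the traffic selectors (local/remote subnets, PFS) did not match")
    else:
        s.diagnosis = "Phase 2 started but did not complete; inspect the Quick Mode exchange"
    return s


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("success", SUCCESS_LOG)):
        print(name, "->", summarize_ike_log(log).diagnosis)
```

Run it against a log pasted from the router's VPN status page; the point is that a Phase 2 that repeatedly stops at "Responder IPADDR=..." with no second Quick Mode message is a selector or proposal mismatch, not a firewall or connectivity problem, which is exactly where the rest of the thread heads.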
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16871866
Definitely looks like it is hanging on Phase 2. A few thoughts:
-make sure on the client under phase 2 it has the identical encryption choices, as the VPN policy on the router such as DES/3DES and SHA-1/MD5
-I would use ESP protocol rather than AH
-if PFS (perfect forward secrecy) is enabled, make sure it is on both ends
-Very important; make sure the local and remote subnets are different. If the office uses 192.168.1.x then the remote site needs to use something like 192.168.2.x
-On the router at the site from which you are connecting see if there is an option to "enable IPSec pass-through"
0
 

Author Comment

by:truebluerra
ID: 16872960
I have checked the security settings, and all settings are matched on both the router as well as the client side.

One interesting circumstance is that of being able to ping device addresses on the lan side successfully when those addresses are not assigned to any hardware device.  They are however, within the range of static ip addresses assigned to the office as a whole.

When you speak of the local and remote subnets having to be different, will this not prevent the client from being on the same subnet as the server and therefore render it incapable of logging on to the server?  Is this difference set in the client side, the router or both?  

On an additional note, the router's IKE policy, while allowing me to specify the local identity of the router's end as the WAN IP address, will only allow me to choose a fully qualified domain name for the remote endpoint of the VPN tunnel.  If I select an IP address, the configuration fails to save with an error message requiring FQDN.

While the VPN connection is attempting to establish itself, and the virtual adapter (even when disabled in the client setup) connects, I am able to ping the server by name, which responds with the relative server ip address.

Thank you again for your continuing assistance.

truebluerra


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16874437
If you can ping addresses which are non-existent I wonder if you are in fact connected to the appropriate LAN.
The VPN connection acts as a router, routing packets from one subnet to the other. If the local and remote subnets are the same the routing devices do not know to which subnet to route the packets and they are lost. Very important they be different.

>>"the router's IKE policy, while allowing me to specify the local identity of the router's end as the WAN IP address, will only allow me to choose a fully qualified domain name"
Different clients behave in different ways but this is usually an assumption on the part of the designers that the remote user is mobile. You can choose IP address if you are setting up a site-to-site (router-to-router) VPN. I would recommend using a Fully Qualified USER Name rather than domain name, and use a name like me@somedomain.com. It may be trying to resolve the FQDN to an IP.

>>"I am able to ping the server by name, which responds with the relative server ip address."
Make sure it is working properly and not using cached DNS information by running at a command line, first:
ipconfig  /flushdns
0
 

Author Comment

by:truebluerra
ID: 16879996
I am back on the case, subsequent to having taken a day off to attend to other matters ...

Will continue to search for an answer to this ongoing problem ...

Thank you again for your continuing assistance.

truebluerra  
0
 

Author Comment

by:truebluerra
ID: 16880795
I have reviewed all settings and am satisfied with matching settings having been established on both sides.

I ran the "ipconfig /flushdns" and was subsequently able to ping the server by name, receiving a reply from the appropriate IP address of the server.

I have tried several other setting options, but still have the same results.

Looking at the "manual" for the fvs318, it states that subsequent to "id info extraction", the following should occur for a successful phase 2 to be established ...

<Initiator IPADDR=209.XX.XX.XX>
<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>
****** SENT OUT SECOND MESSAGE OF QUICK MODE ******
****** RECEIVED THIRD MESSAGE OF QUICK MODE ********
<POLICY: XXXXXXX> PAYLOADS: HASH
****** QUICK MODE COMPLETED ******
[****** IKE PHASE 2 ESTABLISHED ******]

My attempted Phase 2 always terminates with ...

<Initiator IPADDR=209.XX.XX.XX>
<Responder IPADDR=209.XX.XX.XX MASK=255.XX.XX.XX>

The final message following the failure to establish the VPN is ...

**** RECEIVED INFORMATIONAL EXCHANGE MESSAGE ****

Could this impasse be caused by port blocking at the router, which currently only allows incoming traffic for ...

SMTP
HTTP
and HTTPS

... due to a security compromise experienced in the past

Thanks again for your continuing assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16881185
Have you confirmed the subnets are different?

>>"Could this impasse be caused by port blocking at the router, which currently only allows incoming traffic for ..."
It is possible, but as I understand it the VPN & IKE policies are independent of firewall filtering rules on most routers. You could try saving/exporting the existing router configuration and then reset to defaults as a test. Afterward just import the saved settings and restore to your previous configuration.
0
 

Author Comment

by:truebluerra
ID: 16881672
The static IP address range allocated to the lan by the ISP is limited to the following ...

XX.XX.YY.224 to XX.XX.YY.253

When you speak of different subnets, I assume that you are referring to the third (3rd) set of numbers in the IP address, namely YY.

The only location (at the client end) to insert a similar IP address is in the virtual adapter address setting, which needs to be on the same subnet, otherwise I cannot ping any of the devices on the local lan.

Please find below the configurations for both the Router and the Client ends of the proposed VPN tunnel ...

Following is the configuration for the Router:-

IKE Setup
Policy Name: FVS318_VPN
Direction type: Remote Access
Exchange Mode: Aggressive
Local ID Type: Wan IP address
Local Identity Data: 216.XX.XX.XX
Remote ID Type: FQDN
Remote ID Data: FVS318_Client
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication Method: Pre-shared Key
DH Group: Group 2 (1024 Bit)
SA Lifetime: 86400

VPN Setup
Policy name: FVS318_VPN
IKE Policy: FVS318_VPN
Remote VPN Endpoint Address Type: IP Address
Remote VPN Endpoint Address Data: 209.XX.XX.XX (Address of Virtual Adapter on Client)
SA Lifetime: 86400
IPSEC PFS (enabled) - PFS Key Group: Group 2 (1024 Bit)
Traffic Selector Local IP Type: Subnet Address
Traffic Selector Local IP Start: 209.XX.XX.XX (Local lan address of Router)
Traffic Selector Local IP Subnet Mask: 255.XX.XX.XX (Local lan subnet mask)
Traffic Selector Remote IP Type: IP Address
Traffic Selector Remote IP Address: Any
AH Config (disabled)
ESP Config: Encryption enabled - Encryption Algorithm: 3DES
ESP Config: Authentication enabled - Authentication Algorithm: SHA-1
NetBios enabled:

*****************************************************
VPN Client Configuration:

Connection Name: FVS316
Connection Security: Secure - Only Connect Manually enabled
Remote Party ID Type: IP Subnet
Remote Party IP Subnet: 209.XX.XX.0 (Local lan Address of Router with 0 replacing last set of numbers)
Remote Party IP Subnet Mask: 255.XX.XX.XX  (Local lan subnet mask)
Protocol: All
Connect Using: Secure gateway Tunnel
ID Type: WAN IP address
IP Address: 216.XX.XX.XX (WAN IP address of Router)

My IDentity
Pre-shared Key (No Certificates) [same key as set in Router config]
ID Type: FQDN
ID Data: FVS318_Client
Virtual adapter enabled
Virtual Adapter Address: 209.XX.XX.XX (Same as remote endpoint set at Router)

Security Policy
Phase 1 Negotiation mode: Aggressive
PFS enabled
PFS Key Group: DH Group 2
Replay Detection enabled

Authentication Proposal 1(Phase 1):
Authentication Method: Pre-shared Key
Encryption Algorithm: 3DES
Hash Algorithm: SHA-1
SA Life: 86400
Key Group: DH Group 2

Key Exchange Policy (Phase 2):
SA Life: 86400
Compression: None
ESP enabled
Encryption Algorithm: 3DES
Hash Algorithm: SHA-1
Encapsulation: Tunnel
AH disabled

Global policy Settings:
Re-transmit interval: 45 secs
Number of retries: 3
Send Status notifications to peer hosts: enabled
Allow to specify internal network address: enabled

Hopefully this will permit you to shed further light on the problem.

Thank you again for your continuing assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16882188
truebluerra, are you saying the LAN subnet is 209.x.x.x and that all of your PCs have 209.x.x.x addresses? If so that explains why you are getting a response from IPs not on your network. A local network needs to have a private subnet, one of:
192.168.0.1  - 192.168.255.254
10.0.0.1 - 10.255.255.254
172.16.0.1 - 172.31.255.254
These addresses are reserved for private networks. You can create a routing nightmare using others, and it is likely the root of your problem.
Also the local subnet on site 1 and site 2 need to be different such as 192.168.1.x and 192.168.2.x  I am not referring to the VPN client but rather the configuration of the physical network adapter and local network.

Following is a sample router configuration:
IKE Setup
Policy Name: FVS318_VPN
Direction type: Remote Access
Exchange Mode: Aggressive
Local ID Type: Wan IP address
Local Identity Data:  {WAN/Public IP of your router - should fill in automatically OK  216.x.x.x is the WAN IP} *
Remote ID Type: Fully Qualified User Name *
Remote ID Data: MyName@SomeDomain.co {can be most anything so long as agrees with client which uses e-mail name} *
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication Method: Pre-shared Key
DH Group: Group 2 (1024 Bit)
SA Lifetime: 86400

VPN Setup
Policy name: FVS318_VPN
IKE Policy: FVS318_VPN
Remote VPN Endpoint Address Type: IP Address
Remote VPN Endpoint Address Data: 0.0.0.0 {this = any}*
SA Lifetime: 86400  {OK - default is 28800} *
IPSEC PFS (enabled) - PFS Key Group: Group 2 (1024 Bit)  {OK - default is off - if on make sure enabled on client} *
Traffic Selector
  Local IP
    Type: Subnet Address *
    Start: {the  local LAN with last #=0 such as 192.168.1.0 -this is the subnet or network ID} *
    Finish  0.0.0.0 *
    Subnet Mask: 255.XX.XX.XX (Local lan subnet mask)
  Remote IP
    Type: Any *
    Start: 0.0.0.0 *
    Finish  0.0.0.0 *
    Subnet Mask 0.0.0.0 *
AH Config (disabled)
ESP Config: Encryption enabled - Encryption Algorithm: 3DES
ESP Config: Authentication enabled - Authentication Algorithm: SHA-1
NetBios enabled:

*****************************************************
VPN Client Configuration:

Connection Name: FVS318_VPN
Connection Security: Secure - Only Connect Manually enabled {manual not necessary - only automatically starts on demand} *
Remote Party ID Type: IP Subnet
Remote Party IP Subnet: 209.XX.XX.0  {OK but as mentioned you must choose private IP addressing such as 192.168.1.0} *
Remote Party IP Subnet Mask: 255.XX.XX.XX  (Local lan subnet mask)
Protocol: All
Connect Using: Secure gateway Tunnel
ID Type: WAN IP address
IP Address: 216.XX.XX.XX (WAN IP address of Router)

My IDentity
Pre-shared Key (No Certificates) [same key as set in Router config]
ID Type: E-Mail Address *
ID Data: MyName@SomeDomain.co
Virtual adapter enabled  {Not necessary but OK} *
Internet Interface Any *
Virtual Adapter Address: will be grayed out *

Security Policy
Phase 1 Negotiation mode: Aggressive
PFS enabled
PFS Key Group: DH Group 2
Replay Detection enabled

Authentication Proposal 1(Phase 1):
Authentication Method: Pre-shared Key
Encryption Algorithm: 3DES
Hash Algorithm: SHA-1
SA Life: Unspecified *
Key Group: DH Group 2

Key Exchange Policy (Phase 2):
SA Life: Unspecified *
Compression: None
ESP enabled
Encryption Algorithm: 3DES
Hash Algorithm: SHA-1
Encapsulation: Tunnel
AH disabled

Global policy Settings:
Re-transmit interval: 45 secs
Number of retries: 3
Send Status notifications to peer hosts: enabled
Allow to specify internal network address: disabled *
0
 

Author Comment

by:truebluerra
ID: 16882313
The address range (format 209.XX.XX.XX)  was allocated by the ISP some ten years ago as a static range of addresses to be used by the company.  Each PC and the server use this range of static addresses.

The Wan IP address, 216.XX.XX.XX is a static address allocated by the ISP for the router.

The company hosts its own Exchange Server(IMS).

Would this cause the tunnel not to connect?

Also, the local client is a laptop running Windows XP, and the local adapter does not have an assigned subnet.  It is setup for DHCP ip address allocation.

 

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16882897
>>"The address range (format 209.XX.XX.XX)  was allocated by the ISP some ten years ago as a static range of addresses to be used by the company. "
That changes things. Are you wanting to connect to all devices on the Netgear network or just one?
If all, try using the 216.XX.XX.XX IP range and subnet as described above, and make sure you use the appropriate subnet mask, not a default. It should work fine. The bigger concern is accessing web pages with a similar IP range, but so long as the subnet is right you should be fine.

>>"Also, the local client is a laptop running Windows XP, and the local adapter does not have an assigned subnet.  It is setup for DHCP IP address allocation."
That is fine so long as it is not using the same 209.XX.XX.XX, even if DHCP.
0
 

Author Comment

by:truebluerra
ID: 16886443
I have applied your sample setup from above (using the local static addressing where applicable) and have successfully established a VPN tunnel (Phase 2 actually completes and within expected time limits).

However, despite being able to ping the local lan address of the router, I can no longer ping any device behind the router ("request timed out" responses).

Does this suggest that I have to have a virtual adapter with an address of 209.XX.XX.XX.XX in order to access the device(s) on the local lan behind the router?

Thank you again for your continuing assistance.

truebluerra
 
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16886588
"Does this suggest that I have to have a virtual adapter with an address of 209.XX.XX.XX.XX in order to access the device(s) on the local lan behind the router?"
Yes but it is usually assigned dynamically by the router. This is where your static public IP's may be an issue. The other concern I have is that your local PC, the one on which the client is installed, would normally route any traffic destined for 209.x.x.x to the Internet and not through the virtual adapter. I was assuming:
a) if the default setting on the virtual adapter under advanced TCP/IP properties "use default gateway on remote network" was left enabled and
b) the subnet mask was correct for your network
It would force all traffic to the remote network through the tunnel. This may not be the case.
If you can assign a static IP to the virtual adapter you could try adding a route command by entering at a command line:
route  add  <Network ID>  mask  <subnet mask> <gateway>
for example
route add  209.123.123.0  mask  255.255.255.240  208.123.123.101
Where 101 is the virtual adapter's IP
By the way to make the route persistent on reboot add -p
route add  -p 209.123.123.0  mask  255.255.255.240  208.123.123.101
and to delete the route
route delete 209.123.123.0
0
 

Author Comment

by:truebluerra
ID: 16888117
When I was able to establish a VPN tunnel, the virtual adapter did not have an assigned IP address, nor a subnet mask (DHCP enabled).

I tried both assigning a fixed IP address on the local lan as well as allowing a local ip address to be assigned within the client setup, but neither succeeded in establishing a vpn tunnel (failure on both accounts).

Subsequent to removing the virtual adapter settings and disabling the same, disallowing the local ip address on the client side, I can no longer establish a VPN tunnel at all.

Also, when successfully establishing the VPN tunnel earlier today, I was simultaneously logged into the router, after having made the applicable changes and in order to view the VPN status page.

I will attempt the other solutions you have suggested and will respond with the results later today.

Thank you again for your continuing assistance.

truebluerra
0
 

Author Comment

by:truebluerra
ID: 16889761
I have been able to re-establish the VPN Connection by using the local lan address of the router instead of having a "0" in the final address tab.  Using the "0" which worked this morning, now no longer even establishes a connection to the router (no VPN Status logging at all) and the Client IPSEC logging shows no response from router to initial IKE Phase I communication attempts.

As stated above, VPN now established using Router's local lan IP address.

I tried setting up a "route add" using the static IP address which I assigned to the virtual network adapter ...

However, each attempt failed with either an invalid mask error or an error suggesting that the destination and local address were not on the same subnet.

In reference to your suggestion ...
"If you can assign a static IP to the virtual adapter you could try adding a route command by entering at a command line:
route  add  <Network ID>  mask  <subnet mask> <gateway>
for example
route add  209.123.123.0  mask  255.255.255.240  208.123.123.101
Where 101 is the virtual adapter's IP"

Is the <Network ID> the local lan ip address of the router?
Is the <subnet mask> that of the local lan behind the router?

If not, please advise  ...

Thank you for your continuing assistance.

truebluerra
0
 

Author Comment

by:truebluerra
ID: 16891016
One more thought ....

Since the virtual adapter connectivity, when active, functions as long as the Phase 2 authentication attempts to establish itself, would it be possible, using the global settings, to increase either the retransmit time or the number of retries or both in an effort to sustain the virtual adapter connectivity for an extensively long period of time, which would then allow for ...

  logon to the server,
  run E-mail service from the exchange server (to check mail)?

Theoretically, this should work, since I am able to ping the server (both by name and by address) while the Phase 2 authentication continues to establish itself.  It remains just a matter of logging onto the server's domain.

I realize that this is not the "perfect" solution to the problem, but since E-Mail checking is the primary function of this VPN, this may prove to be a minor success.

Thank you for your continuing assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16891213
>>"Is the <Network ID> the local lan ip address of the router?
Is the <subnet mask> that of the local lan behind the router?"

The Network ID is the subnet. For example 192.168.123.0 is the network ID portion of 192.168.123.123/255.255.255.0, or 172.168.0.0 is the Network ID portion of 172.168.123.123/255.255.0.0. It can get far more complex than that and is different for your subnet since I'm doubtful you have been assigned 254 public IPs. Best bet to calculate your Network ID is to use the calculator at: http://tstools.co.uk/ipcalc.php   Enter one of your IPs in the form 209.123.123.1/28; you may have to adjust the last number '28' to get the result to match your subnet mask. However, once it agrees you will have a list of the minimum and maximum usable IP as well as the Network ID and Broadcast address. If you want I can calculate for you, just send the appropriate information to my email address on my profile (click on RobWill) but for security reasons do not post here.
The subnet or Network ID I was referring to earlier is that of the LAN side of the Netgear.

I don't think adjusting the "retransmit time or the number of retries" will solve your problem. When you can connect to the remote network and log on to the router's status page, you have a successful VPN connection, assuming you are using the LAN IP of the router and not the remote management WAN access. If you cannot connect to PCs from there, it is probably due to the connection being configured to the router's LAN IP rather than to the Network ID/Subnet which would allow you to connect to all devices. Specifying the router's IP only allows you to connect to that device. Netgear also gives you the option to specify a range of IPs if you would rather try that method than the subnet option.
0
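Three points in Rob's replies lend themselves to a worked calculation: the two ends of the tunnel must not share a subnet (ID 16874437), the traffic selector and the route need the Network ID rather than a host address (ID 16891213), and the `route add <Network ID> mask <subnet mask> <gateway>` form (ID 16886588). The following Python script is an added example using the standard library `ipaddress` module; it is not part of the thread or of any Netgear software. It derives the Network ID, broadcast and usable range from an address written either with a prefix length (`209.123.123.1/28`) or a dotted mask, checks a local/remote pair for overlap and for public address space, and builds the Windows `route add` line from the same values. The sample addresses are the ones Rob used in the thread.

```python
"""Network ID, usable range, subnet-overlap check and route line for a VPN.

Added example using only the standard library. The addresses come from the
examples in the thread (192.168.123.123/255.255.255.0, 209.123.123.1/28,
route add 209.123.123.0 mask 255.255.255.240 208.123.123.101).
"""
import ipaddress


def network_info(spec: str) -> dict:
    """Derive Network ID, broadcast and usable host range from 'addr/prefix' or 'addr/mask'.

    strict=False lets a host address such as 209.123.123.1/28 stand in for
    its network, which is what the online calculator in the thread does.
    """
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network/broadcast addresses
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first = net.network_address + 1
        last = net.broadcast_address - 1
        usable = net.num_addresses - 2
    return {
        "network_id": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "usable_hosts": usable,
    }


def subnets_overlap(a: str, b: str) -> bool:
    """True if any address is common to both networks (identical subnets included)."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def vpn_addressing_check(client_lan: str, office_lan: str) -> list:
    """Return the addressing problems the thread warns about, as plain strings."""
    findings = []
    client = ipaddress.ip_network(client_lan, strict=False)
    office = ipaddress.ip_network(office_lan, strict=False)
    if client.overlaps(office):
        findings.append(f"overlap: client LAN {client} and office LAN {office} share "
                        "address space, so neither end can route between them")
    for name, net in (("client", client), ("office", office)):
        if not net.is_private:
            # public space on either side: the client's stack may send traffic for
            # these addresses to the Internet instead of into the tunnel
            findings.append(f"{name} LAN {net} uses public address space")
    return findings


def route_add_command(network_spec: str, gateway: str, persistent: bool = False) -> str:
    """Build the Windows 'route add [-p] <Network ID> mask <mask> <gateway>' line."""
    net = ipaddress.ip_network(network_spec, strict=False)
    parts = ["route", "add"]
    if persistent:
        parts.append("-p")
    parts += [str(net.network_address), "mask", str(net.netmask), gateway]
    return " ".join(parts)


if __name__ == "__main__":
    print(network_info("209.123.123.1/28"))
    print(vpn_addressing_check("192.168.1.0/24", "192.168.1.0/24"))
    print(route_add_command("209.123.123.0/28", "208.123.123.101", persistent=True))
```

The `usable_hosts` value is the quick sanity check on the mask: a /28 such as the ISP-assigned range discussed in the thread yields 14 usable addresses, and if the calculator gives a range that does not match the addresses actually in use at the office, the mask in the traffic selector is wrong before anything else is.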
 

Author Comment

by:truebluerra
ID: 16893175
What if I were to change the IP addressing scheme at the office from the static 209.XX.XX.XX addressing to a private set of addresses 192.XX.XX.XX by having the router assign ip addresses dynamically to all of the devices throughout the office?

Would I still have an issue on the client side with the local address allocated by the ISP on the client side not being on the same subnet as the server behind the router which I am seeking to connect to?

Please advise ...

Thank you for your continuing assistance.

truebluerra
0
 

Author Comment

by:truebluerra
ID: 16893579
Strangely enough, and most likely due to the public address of the server and other devices on the local lan, I am able to complete a connection with the virtual adapter static ip settings, completely independently of the VPN (No VPN connectivity).

Without even trying to establish a VPN connection, I am then able to ping the server by name and receive a reply relative to the correct ip address, but am unable to logon to the server.

Any advice as to whether or not this connection is valid and if so, how to logon to the server in order to use e-mail services.

Thank you again for continuing assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16893904
>>"What if I were to change the IP addressing scheme "
There is no question you can set up a VPN using public IP addresses. As a matter of fact, at one time this was a requirement. Because of the shortage of IPs, most companies today use private IP addressing internally (192.168.x.x, 10.x.x.x, or 172.16-31.x.x) and NAT (Network Address Translation). This allows many computers behind a NAT router to access the Internet using only one public IP, and NAT alone creates a basic firewall. Public IPs are also reserved for their Web or mail servers. If you were setting up a site to site VPN between two routers this might not be as much of an issue, however the Netgear ProSafe client is really designed to be connected to a Netgear router performing NAT and running DHCP (even if the network addresses are static) on a private IP range. Most of the options are configurable so it should work, but you are running into various issues because your LAN IP range is accessible and resolvable without the use of a VPN.

If you only wanted to connect to one device on the office network using the VPN it would likely be less of an issue, or if you changed the office to a private range, but I assume that could be a major job, especially where you have web and mail servers. As for connecting without the VPN that again is due to the fact that your LAN addresses are public IP's and if not behind a NAT router you need to be careful to protect yourself from the Internet, since if you can connect so can someone else.

Where are your mail servers located in reference to the network? Are they behind the Netgear router, or on a DMZ of the router, or are they connected directly to the Internet? Are all of the PCs behind the Netgear, or are they connected directly to the Internet?
0
 

Author Comment

by:truebluerra
ID: 16897403
I really need only to connect to the PDC which also hosts the Exchange Server (obviously a different IP address than the router)

Thank you for your continued assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16897976
If that is the case you should be able to connect to it by changing the following to the server's IP and subnet mask:
Traffic Selector
  Local IP
    Type: Single Address
    Start: {the  server's IP}
    Finish  {the  server's IP}
    Subnet Mask: {Server/LAN subnet mask}
0
 

Author Comment

by:truebluerra
ID: 16905495
Tried your suggested IP address changes ....

"Traffic Selector
  Local IP
    Type: Single Address
    Start: {the  server's IP}
    Finish  {the  server's IP}
    Subnet Mask: {Server/LAN subnet mask}"

The VPN appeared to establish itself successfully (according to the setup window), but could not log onto Server, despite all my best efforts both using "net use" as well as "My Computer" and the virtual adapter login window.

Upon further review of the VPN connection log, I noticed that despite a VPN having been successfully established, the viewer was consistently logging "error assigning proxy id" message with reference to the server's address.

I have resolved to attempt to reconfigure the network for local private ip address range later tonight, and will contact you with the results of this change tomorrow ...

Thank you again for your continuing assistance.

truebluerra

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16906095
Sorry I haven't been much help. Let me know how it goes with the changes.
--Rob
0
 

Author Comment

by:truebluerra
ID: 16907989
On the contrary, you have been of valuable assistance, and I will most likely require further assistance subsequent to completing the necessary changes.

In my opinion you have already earned half the points related to this issue!

Thank you again for your continuing assistance.

truebluerra
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16908078
Thanks truebluerra. Happy to assist as much as possible.
--Rob
0
 

Author Comment

by:truebluerra
ID: 16914307
Alright, having completed the IP address scheme change at 5:00 a.m, and having managed a few hours sleep, I have begun to attempt to establish a connection to the server with little success.



The VPN establishes itself as before, using a WAN IP address on the local side and an FQDN username on the client side.

I have to employ the virtual adapter in order to establish an IP address on the same subnet in order to ping devices on the local LAN, but as yet have been unable to connect to the server...

Any ideas ...

Thank you again for your continuing assistance.

truebluerra
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 16917299
I am missing something here. Perhaps have a look at the following articles and see if they shed any light:
http://kbserver.netgear.com/kb_web_files/n101436.asp
http://www.howtonetworking.com/Routers/fvs318&w2k3.htm
http://www.vpncasestudy.com/casestudy/FVM318/v21/casestudy.html

>>"I have to employ the virtual adapter in order establish an ip address on the same subnet in order to ping devices on the local lan,"
Your local LAN needs to be different from the remote. As a result the IP assigned to the virtual adapter will be outside of the local LAN. By default you will not be able to connect to any device on the local LAN when connected to the VPN. This is by design and protects the remote network. You can get around this, but you cannot change the virtual adapter's address to the local subnet. It must match the remote/main office subnet.
If you want to enable local access while connected to the VPN, the Virtual Adapter must be enabled; then right-click on it and choose Properties, Networking tab, click on TCP/IP and choose Properties, Advanced button, General, and uncheck "Use default gateway on remote network".

If still stuck on Saturday, it looks like I will have an FVS318 here. I can set up temporarily and send you a pre-configured security policy file with which you can connect, and try to duplicate.
0
 

Author Comment

by:truebluerra
ID: 16922629
Everything OK now ...

IP address on the client was on the same subnet as the local LAN! (I had made so many configuration changes in an effort to make it work that the local IP address on the client side was incorrect.)

Thank you again for all of your assistance.

Enjoy the points, you have earned them!

Have a great weekend! I know I will ...

truebluerra
0
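The root cause found above (the client PC sitting on the same subnet as the LAN behind the FVS318, with the virtual adapter and traffic selector then pointing at addresses the client's own NIC already claimed) is worth capturing as a check. The following is an added example, not code from the original posts or from Netgear: a small Python sanity-checker for a policy-based IPsec remote-access client of this kind. It models the three constraints the accepted answer states (client LAN must differ from the remote LAN, the virtual adapter address must belong to the remote LAN, the traffic selector must describe hosts inside the remote LAN) and a longest-prefix-match routing lookup that shows why an overlapping subnet keeps traffic off the tunnel. All addresses, the `ClientConfig` fields and the function names are constructed sample values.

```python
"""Added example (not Netgear's code, not from the original posts): sanity
checks for a policy-based IPsec remote-access client such as the ProSafe
VPN client.  Every address below is a constructed sample value."""
from dataclasses import dataclass
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class ClientConfig:
    client_lan: str          # physical LAN the client PC sits on
    remote_lan: str          # LAN behind the FVS318 (the router's "local" side)
    virtual_adapter_ip: str  # address given to the client's virtual adapter
    selector_start: str      # Traffic Selector: remote-side range start
    selector_end: str        # Traffic Selector: remote-side range end
    selector_mask: str       # Traffic Selector: subnet mask


def check_config(cfg: ClientConfig) -> list:
    """Return a list of configuration problems (empty when the config is sane)."""
    problems = []
    client = Net(cfg.client_lan, strict=False)
    remote = Net(cfg.remote_lan, strict=False)
    vip = Addr(cfg.virtual_adapter_ip)
    start, end = Addr(cfg.selector_start), Addr(cfg.selector_end)
    mask = Addr(cfg.selector_mask)

    # 1. Overlapping subnets: packets for the remote LAN match the client's own
    #    connected route and never enter the tunnel.
    if client.overlaps(remote):
        problems.append(f"client LAN {client} overlaps remote LAN {remote}")

    # 2. The virtual adapter is a member of the remote LAN, never the client LAN.
    if vip not in remote:
        problems.append(f"virtual adapter {vip} is outside remote LAN {remote}")
    if vip in client:
        problems.append(f"virtual adapter {vip} collides with client LAN {client}")

    # 3. The traffic selector is the phase-2 proxy ID; it must describe hosts the
    #    router actually serves, with that LAN's mask and a non-inverted range.
    if end < start:
        problems.append(f"selector range {start}-{end} is inverted")
    elif start not in remote or end not in remote:
        problems.append(f"selector {start}-{end} lies outside remote LAN {remote}")
    if mask != remote.netmask:
        problems.append(f"selector mask {mask} differs from remote LAN mask {remote.netmask}")
    return problems


def egress_for(dst: str, cfg: ClientConfig) -> str:
    """Longest-prefix-match a destination against the client's two connected
    routes: the physical NIC (client LAN) and the virtual adapter (remote LAN).
    Returns "tunnel", "physical", "default gateway", or "ambiguous" when both
    routes match at the same prefix length (the overlap case: the OS then picks
    by interface metric, not by what the VPN policy intends)."""
    d = Addr(dst)
    client = Net(cfg.client_lan, strict=False)
    remote = Net(cfg.remote_lan, strict=False)
    matches = []
    if d in client:
        matches.append((client.prefixlen, "physical"))
    if d in remote:
        matches.append((remote.prefixlen, "tunnel"))
    if not matches:
        return "default gateway"
    matches.sort(reverse=True)
    if len(matches) == 2 and matches[0][0] == matches[1][0]:
        return "ambiguous"
    return matches[0][1]


# Constructed sample: the broken state from the thread (client PC on the same
# subnet as the LAN behind the router) next to a corrected one.
BROKEN = ClientConfig("192.168.0.0/24", "192.168.0.0/24", "192.168.0.200",
                      "192.168.0.10", "192.168.0.10", "255.255.255.0")
FIXED = ClientConfig("192.168.5.0/24", "192.168.0.0/24", "192.168.0.200",
                     "192.168.0.10", "192.168.0.10", "255.255.255.0")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_config(cfg) or "OK", "->", egress_for("192.168.0.10", cfg))
```

Run it before touching the VPN client: with the `BROKEN` config the checker reports the overlap and the virtual-adapter collision, and `egress_for` returns "ambiguous" for the server address, which is exactly the symptom of a tunnel that "comes up" while nothing reaches the server. With `FIXED`, the server is reached via the tunnel and the client's own LAN stays on the physical NIC.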
 
LVL 77

Expert Comment

by:Rob Williams
ID: 16924225
Thanks truebluerra, you are very welcome.
Bet you're glad to have that done, especially before the weekend. Look on the bright side: if it had been easy you wouldn't be as familiar as you are now with the Netgear router and client.

Enjoy the weekend, I only have to work about 18 hours this weekend so I may even get a break  <G>
Cheers.
--Rob
0
