How to assign an IP Address to Netgear VPN Client

I have a few machines that connect in to the network from an outside connection. They use the Netgear VPN Client to connect to our Netgear VPN Firewall / VPN box. It's a FVS318v3. When they connect, I want them to be assigned an IP address (10.1.10.x) for my inventory software. The inventory software pulls the machine's information using its local IP (10.1.10.x). For some reason, when I add the IP to the virtual adapter option, it shows it connects and the virtual adapter shows up in the network connections panel, but when I try to ping a local IP, it can't ping them. It's like it's not even making the connection when it says it is.
cmb991Asked:

deibelCommented:
you have to create a subnet for the vpn clients, that is different from your local network.
e.g. your lan is 10.1.10.0/24->use 10.1.11.0/24 for your vpn-clients.

with netgear, you can easily do that with mode-config.
setup a mode-config for this network and click in ike-policy to use it.

can you post some screenshots of your config? maybe you have a wrong vpn-policy.

do you use the latest FW?
do you use the netgear/safenet-client under win7? that wont work,
with win7 try www.shrew.net. that works fine.
0
deibelCommented:
you need to configure a different subnet for the mobile-users than in your lan.
you said, that the remoteclient should be in 10.1.10.0/24. but you configured that in the netgear as local lan.

did you configure local and remote identifier the same? im not quite sure, but i think that wont work. try fvs_local.com and fvs_remote.com.
fvs_remote.com has to be the local-identifier on the client.

try to use mode-config. thats quite easy.

what about your firmware?
how old is your router?
is there modeconfig available
it looks like a very old firmware, but i dont know if there is a newer one for your model. the whole vpn-thing has changed on fvs338/336/538
0
cmb991Author Commented:
System Name       FVS318v3
Firmware Version       v3.0_28

It's about a year old. The identifier works. That was just a test connection I made to try this IP. But I can't seem to get the IP configured right so it gives it a local.
0
deibelCommented:
you configured 10.1.10.0 as local in your vpn policy
so this is the LAN in your office

you cant give ips out of this network to your vpn clients!
you must use a different network!

use 10.1.11.0 for your vpn clients. for example

this has to do with routing and how the clients address their packets at layer2 with the mac-address of the default-gw or directly to the client using arp.
0
deibelCommented:
if you trust me, i can configure a tunnel via remote mgmt.
but i dont have the netgear/safenet client installed. i use shrew so i can only give you a client-policy for that.
0
cmb991Author Commented:
That's fine. But right now my modem is 10.1.11.1. My VPN box is 10.1.11.38 / 10.1.10.1. So would I have to use 10.1.12.1 now?
0
deibelCommented:
ok that means the fvs318 is behind a NAT-Gateway?
did you already successfully establish a tunnel?
i mean only ipsec.
did the netgear/safenet say that it established an ipsec-tunnel and you just have problems with higher layers?
0
cmb991Author Commented:
I have VPN clients already working fine. I don't need those assigned an IP so I really don't worry about what it gives them, as long as they can access network drives.

The other ones that I'm having a problem with are the ones that I need to have an IP assigned so they can be monitored daily in the Spiceworks system.
0
deibelCommented:
ok, im a bit confused about the fvs being behind a nat gateway and having clients without assigned ip accessing the network.

but to come back to your question:
try an unused network. 10.1.12.0/24 will do its work, if it is not used otherwise.
0
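deibel's point about routing and ARP, as an added example that is not part of any post in the thread: it checks a proposed VPN client pool against the networks already in use and shows how the server at 10.1.10.57 would deliver a reply. The /24 mask on the modem segment and the client addresses 10.1.10.200 and 10.1.12.5 are assumptions made for the illustration.

```python
import ipaddress

# Networks named in the thread. The /24 mask on the modem-side segment is an
# assumption; the thread only gives the addresses 10.1.11.1 and 10.1.11.38.
IN_USE = {
    "office LAN": ipaddress.ip_network("10.1.10.0/24"),
    "modem segment": ipaddress.ip_network("10.1.11.0/24"),
}


def conflicts(pool):
    """Names of in-use networks that overlap a proposed VPN client pool."""
    net = ipaddress.ip_network(pool)
    return [name for name, used in IN_USE.items() if net.overlaps(used)]


def reply_next_hop(host_interface, dest, gateway):
    """Where a LAN host sends a reply: straight onto the wire via ARP if the
    destination falls inside its own subnet, otherwise to its default gateway."""
    iface = ipaddress.ip_interface(host_interface)
    if ipaddress.ip_address(dest) in iface.network:
        return "arp-direct"
    return "via " + gateway


def first_usable_pool(candidates):
    """First candidate pool that overlaps nothing already in use, or None."""
    for pool in candidates:
        if not conflicts(pool):
            return pool
    return None


if __name__ == "__main__":
    for pool in ("10.1.10.0/24", "10.1.11.0/24", "10.1.12.0/24"):
        print(pool, "conflicts with", conflicts(pool) or "nothing")
    # Server 10.1.10.57 answering a VPN client; .200 and .5 are constructed.
    print(reply_next_hop("10.1.10.57/24", "10.1.10.200", "10.1.10.1"))
    print(reply_next_hop("10.1.10.57/24", "10.1.12.5", "10.1.10.1"))
```

A client given a 10.1.10.x address looks on-link to the server, so the reply is ARPed for on the LAN instead of being handed to the firewall at 10.1.10.1; a client in 10.1.12.0/24 is off-link and the reply goes to the gateway.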
cmb991Author Commented:
I guess it's easier if I upload a diagram of my network. It's different than a normal setup because of security measures I implied, haha.
0
deibelCommented:
ok, do so.
post a screenshot of the IKE and VPN-Policies as well
0
deibelCommented:
the list is enough, you dont have to post every single policy
0
cmb991Author Commented:
But if I post this information, it will expose my network with the information for someone to configure their client and all they would need is the IP. I would prefer not to post this information, haha. Is there any other way to do this... if you contact me by email, I would give you this information, cbruder@delranems.org, then continue to post the results here.
0
deibelCommented:
ok, i understand.
when you click on IKE or VPN Policies, there is a list of the policies
you cant see the endpoints there. you cant see the PSK there.

do a screenshot and maybe you wipe out all information you dont want to give.
0
cmb991Author Commented:
http://delranems.org/chris/IKE_2.JPG
http://delranems.org/chris/VPN_2.JPG

I blocked out a few of the Local ID and Remote ID on the IKE, because that's part of the information needed for clients to connect... I'd rather not put that information out there.
0
deibelCommented:
ok, you specified ANY as the remote-networks in VPN-Policy.
so you can give any ips to your clients, that you do not use otherwise
try the 10.1.12.0/24 network

but i am still confused about your fvs being behind a nat gateway.
there is nat traversal for nat issues, but i think only the initiator is allowed to stay behind nat.
the responder has to have a public ip.

can you post a network graph?

but to point it out once more:
i suggest mode-config for your road-warriors
much more easy to handle
only 1 modeconfig policy, only 1 IKE

does the 318 have modeconfig?
im not sure, because the gui looks like the very old firmware
0
cmb991Author Commented:
http://delranems.org/chris/maps.JPG

10.1.11.1 is the modem
10.1.11.38 / 10.1.10.1 is the VPN / Firewall Box
10.1.10.57 is the server

The problem was the VPN / Firewall box was added in after the network was completed. Without making major changes, all of our clients' gateways were set to 10.1.10.1, so we had to make that the VPN / Firewall, then we had to make the modem 10.1.11.1 and set it as a DHCP server and the VPN / Firewall pulled down a 10.1.11.x IP. The VPN / Firewall was also set as a 10.1.10.1 for the clients.
0
cmb991Author Commented:
It works, trust me on that, we've been using it that way for over a year now. It's just another way to do it, haha.
0
cmb991Author Commented:
Well, would it be easier to just use the Windows XP VPN software to connect to the router? Or is that even possible?
0
cmb991Author Commented:
I was looking at NCP Secure Entry Client, it supports IPSec.  But it doesn't seem to want to connect.
0
deibelCommented:
try www.shrew.net
its free and it works with netgear.
but i think you must enable XAUTH.
by the way: i would suggest this even with another client
shrew works with win7.
netgear/safenet does not...at the moment
and works with 64bit

take shrew!
0
deibelCommented:
strange setup....but if you say it works.....

do you actually have any more problems?
or are you now just looking for a new client?
0
cmb991Author Commented:
I guess a new client because the netgear client software isn't working that good with this virtual adapter.
0
deibelCommented:
i never had problems with netgear/safenet
but there are some tricks installing the adapter
i dont really remember, but you have to do some work in safe-mode
be always sure, that you get the latest version from netgearsupport.
but at the moment they dont have one for win7

i am happy with shrew now.
a co-worker is happy with "the green bow"
but he didnt get it running with netgear, only with zyxel.
maybe he made some mistakes, i dont know
shrew works fine and it is free
0