Pumpernickel asked:

How to assign an IP Address to Netgear VPN Client

I have a few machines that connect in to the network from an outside connection.  They use the Netgear VPN Client to connect to our Netgear VPN Firewall / VPN box.  It's an FVS318v3.  When they connect, I want them to be assigned an IP address (10.1.10.x) for my inventory software.  The inventory software pulls the machine's information using its local IP (10.1.10.x).  For some reason, when I add the IP to the virtual adapter option, it shows it connects and the virtual adapter shows up in the network connections panel, but when I try to ping a local IP, it can't ping them.  It's like it's not even making the connection when it says it is.
deibel:

you have to create a subnet for the vpn clients, that is different from your local network.
e.g. your lan is 10.1.10.0/24 -> use 10.1.11.0/24 for your vpn-clients.

with netgear, you can easily do that with mode-config.
setup a mode-config for this network and click in ike-policy to use it.

can you post some screenshots of your config? maybe you have a wrong vpn-policy.

do you use the latest FW?
do you use the netgear/safenet-client under win7? that won't work.
with win7 try www.shrew.net. that works fine.

you need to configure a different subnet for the mobile-users than in your lan.
you said, that the remoteclient should be in 10.1.10.0/24. but you configured that in the netgear as local lan.

did you configure local and remote identifier the same? i'm not quite sure, but i think that won't work. try fvs_local.com and fvs_remote.com.
fvs_remote.com has to be the local-identifier on the client.

try to use mode-config. that's quite easy.

what about your firmware?
how old is your router?
is there modeconfig available?
it looks like a very old firmware, but i don't know if there is a newer one for your model. the whole vpn-thing has changed on fvs338/336/538
System Name       FVS318v3
Firmware Version       v3.0_28

It's about a year old.  The identifier works.  That was just a test connection I made to try this ip.  But I can't seem to get the IP configured right so it gives it a local.
you configured 10.1.10.0 as local in your vpn policy
so this is the LAN in your office

you can't give ips out of this network to your vpn clients!
you must use a different network!

use 10.1.11.0 for your vpn clients. for example

this has to do with routing and how the clients address their packets at layer2 with the mac-address of the default-gw or directly to the client using arp.
if you trust me, i can configure a tunnel via remote mgmt.
but i don't have the netgear/safenet client installed. i use shrew so i can only give you a client-policy for that.
That's fine.  But right now my modem is 10.1.11.1.  My VPN box is 10.1.11.38 / 10.1.10.1.  So would I have to use 10.1.12.1 now?
ok that means the fvs318 is behind a NAT-Gateway?
did you already successfully establish a tunnel?
i mean only ipsec.
did the netgear/safenet say that it established an ipsec-tunnel and you just have problems with higher layers?
I have vpn clients already working fine.  I don't need those assigned an ip so I really don't worry about what it gives him, as long as they can access network drives.

These other ones that I'm having a problem with are the ones that I need to have an ip assigned so they can be monitored daily in the spiceworks system.
ok, i'm a bit confused about the fvs being behind a nat gateway and having clients without assigned ip accessing the network.

but to come back to your question:
try an unused network. 10.1.12.0/24 will do its work, if it is not used otherwise.
I guess it's easier if I upload a diagram of my network.  It's different than a normal setup because of security measures I implied, haha.
ok, do so.
post a screenshot of the IKE and VPN-Policies as well
the list is enough, you don't have to post every single policy
But if I post this information, it will expose my network with the information for someone to configure their client and all they would need is the IP.  I would prefer not to post this information, haha.  Is there any other way to do this... if you contact me by email, I would give you this information, cbruder@delranems.org, then continue to post the results here.
ok, i understand.
when you click on IKE or VPN Policies, there is a list of the policies
you can't see the endpoints there. you can't see the PSK there.

do a screenshot and maybe you wipe out all information you don't want to give.
http://delranems.org/chris/IKE_2.JPG
http://delranems.org/chris/VPN_2.JPG

I blocked out a few of the Local ID and Remote ID on the IKE, because that's part of the information needed for clients to connect... I'd rather not put that information out there.
ok, you specified ANY as the remote-networks in VPN-Policy.
so you can give any ips to your clients, that you do not use otherwise
try the 10.1.12.0/24 network

but i am still confused about your fvs being behind a nat gateway.
there is nat traversal for nat issues, but i think only the initiator is allowed to stay behind nat.
the responder has to have a public ip.

can you post a network graph?

but to point it out once more:
i suggest mode-config for your road-warriors
much more easy to handle
only 1 modeconfig policy, only 1 IKE

does the 318 have modeconfig?
i'm not sure, because the gui looks like the very old firmware
http://delranems.org/chris/maps.JPG

10.1.11.1 is the modem
10.1.11.38 / 10.1.10.1 is the VPN / Firewall Box
10.1.10.57 is the server

The problem was the VPN / Firewall box was added in after the network was completed.  Without making major changes, all of our clients' gateways were set to 10.1.10.1, so we had to make that the VPN / Firewall, then we had to make the modem 10.1.11.1 and set it as a DHCP server and the VPN / Firewall pulled down a 10.1.11.x ip.  The VPN / Firewall was also set as a 10.1.10.1 for the clients.
It works, trust me on that, we've been using it that way for over a year now.  It's just another way to do it, haha.
Well would this be easier to just use the windows xp vpn software to connect to the router?  Or if that's even possible?
I was looking at NCP Secure Entry Client, it supports IPSec.  But it doesn't seem to want to connect.
try www.shrew.net
its free and it works with netgear.
but i think you must enable XAUTH.
by the way: i would suggest this even with another client
shrew works with win7.
netgear/safenet does not...at the moment
and works with 64bit

take shrew!
strange setup....but if you say it works.....

do you actually have any more problems?
or are you now just looking for a new client?
I guess a new client because the netgear client software isn't working that good with this virtual adapter.
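
Added example (not part of the original thread and not any poster's code): a small check of a proposed VPN client pool against the networks named in the thread, plus a model of the on-link versus gateway decision a LAN host makes when it replies to a VPN client. The client addresses 10.1.10.200 and 10.1.12.10 are constructed for illustration; the function names are hypothetical.

```python
import ipaddress

# Networks as described in the thread.
IN_USE = {
    "office LAN": ipaddress.ip_network("10.1.10.0/24"),  # FVS318v3 LAN side, 10.1.10.1
    "modem side": ipaddress.ip_network("10.1.11.0/24"),  # modem 10.1.11.1, FVS WAN 10.1.11.38
}


def pool_conflicts(candidate, in_use=IN_USE):
    """Return the names of in-use networks that overlap the proposed VPN client pool."""
    pool = ipaddress.ip_network(str(candidate))
    return sorted(name for name, net in in_use.items() if pool.overlaps(net))


def reply_next_hop(host_iface, gateway, destination):
    """Model where a LAN host sends a reply packet.

    A destination inside the host's own subnet is treated as on-link: the host
    ARPs for it on the LAN segment, where a tunnelled client does not sit.
    Anything else goes to the default gateway, which holds the tunnel.
    """
    iface = ipaddress.ip_interface(host_iface)
    if ipaddress.ip_address(destination) in iface.network:
        return "arp-on-lan"
    return f"gateway {gateway}"


def first_free_pool(start="10.1.10.0/24", in_use=IN_USE, limit=16):
    """Step through same-sized networks from `start` until one overlaps nothing in use."""
    net = ipaddress.ip_network(start)
    for _ in range(limit):
        if not pool_conflicts(net, in_use):
            return net
        next_base = int(net.network_address) + net.num_addresses
        net = ipaddress.ip_network((next_base, net.prefixlen))
    return None


if __name__ == "__main__":
    for pool in ("10.1.10.0/24", "10.1.11.0/24", "10.1.12.0/24"):
        print(pool, "conflicts with:", pool_conflicts(pool) or "nothing")
    # Server 10.1.10.57 replying to a client address inside vs. outside its own LAN.
    for client in ("10.1.10.200", "10.1.12.10"):  # constructed client addresses
        print(client, "->", reply_next_hop("10.1.10.57/24", "10.1.10.1", client))
    print("first free /24:", first_free_pool())
```
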