
NetGear FVL328 2

Status: Not open for further replies.

Zcript3r (IS-IT--Management), Aug 22, 2001, US
I am currently in the process of setting up a FVL328 VPN/Firewall device at corporate. I am currently hosting our mail server behind it and am successfully sending and receiving mail.

Whenever I go in and begin setting up an IKE and VPN connection, all of a sudden no one on the internal network can get out, nor is any email traffic flowing.

Deleting the IKE and VPN policy allows internal network users to again have access to Internet and e-mail.

Any ideas why this would be happening?

Thanks,
Rob
 
You probably have the VPN Policy - Traffic Selector - Remote IP set to "ANY".

When a client on your internal network tries to contact ANY network address, the FVL328 attempts to initiate a VPN tunnel.

I had the same problem. The Netgear docs & tips on the side bar are misleading and in some places inaccurate.

After many days of hacking, mine is working well. I have posted 2 documents that may help with your set-up:




Mike
 
Had you tried getting XP to connect using IPSec Policies? I tried but no luck, even with all of the help available on this site. It amazes me that Netgear has not published the docs to get this working. Almost as if marketing material was completed before final testing and approval took place.

I had downloaded the LT version of client software you have in your docs (SafeNet SoftRemote 9.2.1). Do you know where that is able to be purchased from?

Thanks for all your help!!
Rob
 
I didn't go near the Win 2000 or XP VPN clients. I seem to remember that they don't work with dynamic IPs.

I purchased netscreen from
it's a UK company. You may be able to find other resellers at
I also found a similar client at but have not tested this.


Good luck
 
Mike,

Your documents have gotten me closer than I have ever been! I am getting a message in my log on the client side that states that I

"Cannot match Policy Entry:"
local host=IP ADDR=10.10.10.113, lcl_port = 0
remote host=IP ADDR=192.168.0.15, dst_port = 0
NO MATCHING SECURE CONNECTION - Failed to initiate negotiation.

I am using the Security Policy Editor 9.2.1 (Build 2) from CoSine Communications, IPSec Dial Client. All screens look exactly like the NetScreen application. Any ideas what I can check? I have printed out your doc, and written in my IP values where yours are so that I am sure that my setup is identical to yours, just using my IP addresses.

Thanks for any help you can give!!
Rob
 
Have you set up the virtual adapter with your local IP address?

On the client, are you trying to connect to 192.168.0.15 on the office LAN?

I found that this error often occurred when I had a typo. Re-check all the entries and ensure that they match on both sides. Also check that the identities match (IP address or IP range).

If you still have no luck, can you post some screen dumps to a web space? Just blank out your WAN IP addresses & key.

Mike
 
FVL328 VPN Policy: change the IP Subnets to:
1. Local IP RANGE 192.168.0.1 to 192.168.0.15 (assuming that .1 is the address of your FVL328)
2. Remote IP: SINGLE address 10.10.10.113
3. Remote VPN endpoint: enter 0.0.0.0 as the IP address (this means any address)

I would also set the IKE, VPN & IPSEC names the same. I'm not sure if this makes a difference, but just in case.

IPSEC

1. Change FROM IP address 192.168.0.1, TO 192.168.0.15

2. My Identity - change internet interface to "ANY". Make sure that the Virtual Adapter interface IP ISN'T the same as your actual machine IP. This confused me for a while. If you change the IP, make sure that you change it on the FVL VPN policy.


 
Sorry, ignore the bit about setting the Remote VPN endpoint address on the FVL policy to 0.0.0.0. As (I assume) you are connecting from a static WAN IP at the remote site, this address should be entered here.
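The two failure modes in this thread (the gateway tunnelling everything when the remote traffic selector is ANY, and the client logging "NO MATCHING SECURE CONNECTION" when its policy names 192.168.0.1 instead of 192.168.0.15) are both just policy selector lookups. The following is an added example written for this page, not code from the thread, from the FVL328 or from the SafeNet/NetScreen client: a toy IPsec Security Policy Database lookup using the thread's own addresses (192.168.0.x office LAN, client 10.10.10.113). The policy names, the Internet host 203.0.113.25 and the "before" state of the client policy are assumptions.

```python
# Added example, not from the thread or Netgear: a toy IPsec SPD lookup
# modelling the FVL328 "Traffic Selector" behaviour and the client's
# "Cannot match Policy Entry" log line. Policy names, the Internet host and
# the client's "before" policy are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPv4 = ipaddress.IPv4Address
ANY = "ANY"  # the FVL328 "ANY" selector value

# A selector is ANY, a single host, an inclusive (first, last) range or a
# subnet, the choices the FVL328 policy screen offers.
Selector = Union[str, IPv4, Tuple[IPv4, IPv4], ipaddress.IPv4Network]


def host(s: str) -> IPv4:
    return ipaddress.IPv4Address(s)


def ip_range(first: str, last: str) -> Tuple[IPv4, IPv4]:
    return (host(first), host(last))


def selector_matches(sel: Selector, addr: str) -> bool:
    a = host(addr)
    if isinstance(sel, str):
        return sel == ANY
    if isinstance(sel, ipaddress.IPv4Address):
        return a == sel
    if isinstance(sel, ipaddress.IPv4Network):
        return a in sel
    first, last = sel
    return first <= a <= last


@dataclass
class Policy:
    name: str
    local: Selector   # local traffic selector
    remote: Selector  # remote traffic selector


def disposition(spd: List[Policy], src: str, dst: str) -> Optional[str]:
    """Name of the first policy whose selectors cover src -> dst, else None.

    None on the gateway means the packet is ordinary traffic and is routed
    (and NATed) normally; on the client it is the log's
    "NO MATCHING SECURE CONNECTION" case.
    """
    for p in spd:
        if selector_matches(p.local, src) and selector_matches(p.remote, dst):
            return p.name
    return None


OFFICE_LAN = ipaddress.IPv4Network("192.168.0.0/24")
MAIL_RELAY = "203.0.113.25"   # constructed Internet host (RFC 5737 range)
CLIENT = "10.10.10.113"       # the client address from the posted log
SERVER = "192.168.0.15"       # the office host from the posted log

# Gateway SPD as the first reply diagnoses it: remote selector set to ANY.
SPD_REMOTE_ANY = [Policy("store_vpn", OFFICE_LAN, ANY)]

# Gateway SPD as corrected above: local range .1-.15, remote single host.
SPD_FIXED = [Policy("store_vpn", ip_range("192.168.0.1", "192.168.0.15"),
                    host(CLIENT))]

# Client SPD before and after the "FROM 192.168.0.1 TO 192.168.0.15" change
# (the "before" state is an assumed reconstruction from that instruction).
CLIENT_BEFORE = [Policy("office_vpn", host(CLIENT), host("192.168.0.1"))]
CLIENT_AFTER = [Policy("office_vpn", host(CLIENT), host(SERVER))]

if __name__ == "__main__":
    print("gateway, remote=ANY, mail to Internet:",
          disposition(SPD_REMOTE_ANY, SERVER, MAIL_RELAY))  # store_vpn (wrong)
    print("gateway, fixed, mail to Internet     :",
          disposition(SPD_FIXED, SERVER, MAIL_RELAY))       # None (in the clear)
    print("gateway, fixed, reply to VPN client  :",
          disposition(SPD_FIXED, SERVER, CLIENT))           # store_vpn
    print("client before fix, to 192.168.0.15   :",
          disposition(CLIENT_BEFORE, CLIENT, SERVER))       # None
    print("client after fix, to 192.168.0.15    :",
          disposition(CLIENT_AFTER, CLIENT, SERVER))        # office_vpn
```

With remote=ANY every packet leaving the office LAN, mail relay traffic included, matches the policy and is handed to IKE instead of being NATed out, which is exactly the outage in the first post. The fixed SPD only claims packets to 10.10.10.113, and a host outside the .1-.15 local range (say 192.168.0.20) never matches at all, so check both selectors when the range is narrowed.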
 
Mike, you are THE man!!

Thank you for your help!!

I have another quick question on the FVL328. For the past 2 days now, the LAN at the office seems to have a crawling Internet connection (only happens sporadically). This should not be, as it is cable and consistently yielding download speeds of 2.5 Mbps. I have them cycle power to the FVL328, and all is well. Anybody have this happen to them?
 
Glad to hear that it's working.

Re slow connections - not sure as this hasn't happened to me. I do remember reading something about it on a forum somewhere... Tried a google search?

 
I upgraded the firmware to the latest Beta, and the slowness has seemed to go away. I do have a quick question about the IP Addresses of each of my sites.

Is it true that each one of my sites will need to have a unique set of internal IP addresses? I have a situation where the vendor who wrote the backoffice communication software for the Panasonic cash register did not allow for the IP address to be configurable (Yeah, not real sure what they were thinking, but anyway). So all of my stores (34) will need to have an internal IP address of 10.10.10.x, and my internal Backoffice PC must have the IP of 10.10.10.97 in order to talk to the register.

Will this still work, or am I going to have to install a second NIC card to make up for the lack of invention this vendor has stuck me with?

Thanks again,
Rob
 
Is the store PC:

1. Using the remote VPN software?

2. On a LAN or stand-alone?

 
It will be a mixture. For the most part, we will have the FVL318 at most of the sites, but some will have the remote VPN Software.

Stores that are running the VPN software will only have 1 computer that might possibly need to be RDP'd or VNC'd into.

Stores that have an FVS318 will typically have a Backoffice PC, a PC dedicated to running the camera system, and a training PC. These computers will be running on a Lan.

What I did figure out was that I can assign an additional IP address to the NIC card, and this might alleviate my problem. I am going to try this today. I will let you know of my results.

Thanks,
Rob
 
You may come up against routing problems when the network address ranges are the same on each side of the VPN tunnel.

Do any of the IP addresses on either side of the tunnel conflict? If not, then you may be ok. I've not tried this.

I have a laptop user that unplugs from the office LAN and connects using VPN client software. His machine has a static LAN IP. This works without problems. However, I set up the VPN client to connect using a virtual adapter address that is not on the LAN subnet. You should therefore have no problems with the remote client software machines.
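The routing problem Mike warns about is easy to see with a forwarding-table lookup. This is an added example written for this page, not code from the thread or from Netgear: a simplified longest-prefix route lookup for a head-office gateway with tunnels to two stores that both use 10.10.10.0/24 (the 34-store situation from the question, with 192.168.0.0/24 as the office LAN as elsewhere in the thread). The interface names, metrics, the renumbered 10.10.20.0/24 store and the 172.16.50.2 virtual adapter address are assumptions.

```python
# Added example, not from the thread or Netgear: why identical 10.10.10.0/24
# ranges behind several tunnels cannot be routed, and why a remote client's
# virtual adapter address must sit off the office subnet. Interface names,
# metrics and the renumbered/virtual addresses are constructed assumptions.
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[str, str, int]  # (prefix, interface, metric)


def overlaps(a: str, b: str) -> bool:
    """True if two prefixes share any address (the ends of a tunnel must not)."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Simplified forwarding decision: longest prefix wins, then lowest
    metric; on a complete tie the route listed first is kept."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if d not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def duplicate_prefixes(routes: List[Route]) -> Set[str]:
    """Prefixes reachable through more than one interface: only one can win,
    so every other site behind that prefix is unreachable."""
    seen: Dict[str, Set[str]] = {}
    for prefix, iface, _ in routes:
        seen.setdefault(prefix, set()).add(iface)
    return {p for p, ifaces in seen.items() if len(ifaces) > 1}


# Head-office gateway table with two store tunnels; every store is
# 10.10.10.0/24 because the register software demands it.
HQ_OVERLAPPING: List[Route] = [
    ("192.168.0.0/24", "lan", 0),
    ("10.10.10.0/24", "vpn_store_a", 10),
    ("10.10.10.0/24", "vpn_store_b", 10),
    ("0.0.0.0/0", "wan", 0),
]

# Same table after store B is renumbered to 10.10.20.0/24 (assumed).
HQ_RENUMBERED: List[Route] = [
    ("192.168.0.0/24", "lan", 0),
    ("10.10.10.0/24", "vpn_store_a", 10),
    ("10.10.20.0/24", "vpn_store_b", 10),
    ("0.0.0.0/0", "wan", 0),
]

BACKOFFICE_PC = "10.10.10.97"       # the fixed address from the question
VIRTUAL_ADAPTER = "172.16.50.2/32"  # assumed off-LAN address for a remote client

if __name__ == "__main__":
    print("ambiguous prefixes:", duplicate_prefixes(HQ_OVERLAPPING))
    print("HQ -> store B's PC :", next_hop(HQ_OVERLAPPING, BACKOFFICE_PC),
          "(store A wins every time; store B is unreachable)")
    print("after renumbering  :", next_hop(HQ_RENUMBERED, "10.10.20.97"))
    print("virtual adapter overlaps office LAN?",
          overlaps("192.168.0.0/24", VIRTUAL_ADAPTER))
```

Two stores behind the same prefix leave the gateway with one winning route and no way to express "10.10.10.97 at store B". Adding a second address to a NIC does not change that table on the head-office side; what does is giving each tunnel a distinct remote prefix (renumbering or NAT on the store gateway) and, for software clients, a virtual adapter address that does not overlap the office LAN, as in the laptop case above.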
 
Thanks guys. You have solved what I have been tearing my hair out over being able to access my network when out on the road. I had a couple of problems which were solved by reducing the MTU on the FVL328 to 1452 which is the optimum for UK DSL connections to avoid packet fragmentation. Before I did this I was getting message timeouts on the client, even though the FVL328 log showed a successful connection.

Much appreciated!
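The 1452 figure in the last post is the usual TCP MSS for PPPoE DSL (a 1492-byte link MTU minus 40 bytes of IP and TCP headers). What actually determines whether tunnelled packets fragment is the ESP overhead on top of the inner packet, which depends on the cipher. The following is an added example for this page, not code from the thread or from Netgear: it computes the on-the-wire size of an ESP tunnel-mode packet per the RFC 4303 layout and the largest inner packet that still fits a given path MTU. The default parameters model 3DES-CBC with HMAC-SHA1-96 (8-byte block and IV, 12-byte ICV), an assumption about the tunnel rather than anything the thread states.

```python
# Added example, not from the thread or Netgear: ESP tunnel-mode overhead
# and the largest inner packet that avoids fragmentation on a given link.
# Cipher parameters are assumptions (defaults: 3DES-CBC + HMAC-SHA1-96).
OUTER_IPV4 = 20      # new outer IPv4 header
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP header added by NAT traversal (UDP/4500)


def esp_tunnel_size(inner_len: int, cipher_block: int = 8, iv_len: int = 8,
                    icv_len: int = 12, nat_t: bool = False) -> int:
    """Bytes on the wire for one inner IPv4 packet of inner_len bytes in ESP
    tunnel mode: outer header + SPI/seq + IV + inner packet + padding that
    brings (inner + trailer) to a cipher-block multiple + trailer + ICV,
    plus a UDP header when NAT-T encapsulation is in use."""
    pad = (-(inner_len + ESP_TRAILER)) % cipher_block
    size = (OUTER_IPV4 + ESP_HEADER + iv_len + inner_len + pad
            + ESP_TRAILER + icv_len)
    return size + NAT_T_UDP if nat_t else size


def needs_fragmentation(inner_len: int, path_mtu: int, **cipher) -> bool:
    """True if the encapsulated packet exceeds the link/path MTU."""
    return esp_tunnel_size(inner_len, **cipher) > path_mtu


def largest_inner_packet(path_mtu: int, **cipher) -> int:
    """Largest inner packet whose encapsulation still fits path_mtu, i.e. the
    MTU to give the inner (LAN/virtual adapter) side to avoid fragmentation."""
    n = path_mtu
    while esp_tunnel_size(n, **cipher) > path_mtu:
        n -= 1
    return n


ETHERNET_MTU = 1500
PPPOE_MTU = 1492                 # 1500 minus the 8-byte PPPoE header
DSL_TCP_MSS = PPPOE_MTU - 40     # 1452, the value used in the post above

if __name__ == "__main__":
    print("1500-byte packet in 3DES/SHA1 tunnel:", esp_tunnel_size(1500),
          "bytes; fragments on PPPoE?", needs_fragmentation(1500, PPPOE_MTU))
    print("largest inner packet over PPPoE, 3DES:", largest_inner_packet(PPPOE_MTU))
    print("largest inner packet over PPPoE, AES-CBC:",
          largest_inner_packet(PPPOE_MTU, cipher_block=16, iv_len=16))
    print("same with NAT-T:",
          largest_inner_packet(PPPOE_MTU, cipher_block=16, iv_len=16, nat_t=True))
```

A full 1500-byte LAN packet grows to 1552 bytes under 3DES/SHA1, so it must be fragmented on a 1492-byte DSL link, and the inner MTU has to come down to about 1438 (3DES) or 1422 (AES-CBC) to avoid that. The symptom the poster describes, a tunnel that the gateway log reports as up while the client times out, is what fragments being dropped somewhere on the path looks like, which is why lowering the MTU fixed it.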
 