NetGear FVS318 VPN to remote W2K client using IPSEC 16

Status
Not open for further replies.

Darrenzo

Technical User
May 29, 2003
35
GB
Hi folks,
I have set up and established a VPN tunnel using IPsec policy (set up in the mmc) from a remote Windows 2000 client to my main Office VPN router (Netgear FVS318). I can ping the router and the main server on the main office LAN (after I added a static route into the router), I can also bring up the default web page on the server.
My problem is that I cannot access any of the shares on the server or browse the network or anything like that.
I am concerned that this may be due to the fact I am not "signing into" a VPN server, merely passing through the router, is there another step involved?
I have added a HOST and LMHOST entry on the local remote PC, the server's netbios name resolves ok, but I still cannot map to or browse the domain.
Should I add the remote computer name into the domain? I have tried to join the domain from the remote PC but it cannot find the domain I am trying to join.
I have found several posts on this site concerning this very problem. But none of them is very detailed.

Any help would be greatly appreciated
 
Rundown,
I get the same invalid or corrupt message on that zip. Any chance you could c.c. me with the original as well? Many thanx.
Jack
Ljacksc@netscape.net
 
Rundown,
Almost forgot, you know how to read these VPN logs? Where is the Rosetta Stone for these things? Can I send you one? I keep getting the same logs and I have no idea how to relate them to an actual occurrence--"this" means "this".
 

DezUK,

Sorry I haven't replied sooner.
If you can't ping your router's Internet IP address then forget your VPN configuration woes and try and resolve this first.

OurITGuy,
I don't know if XP Home will do the job or not. I see what you're saying with the gpupdate file, again, I don't know if that will do it. I've never used XP Home, I must say I'm surprised it even has the IPSEC Policy.
What to do, if you can't run gpupdate to refresh your policy, leave your 'connection' on, your policy should refresh automatically within an hour.


Everyone else,

I have no experience using SoftRemote or any other VPN Client Software package. I have successfully connected a Windows XP Pro client using IPSEC.

I'll try my best to assist with windows XP to NetGear FVS318

 
Hi guys

DezUK - do you have the "respond to ping on Internet WAN port" box checked in the FVS318 ports setup? If not, that's why you're getting a timeout - it's by design, so some hacker can't tell there's a router listening on that IP. If it is checked, then there must be some internet connectivity problem which, like Darren said, you need to resolve before VPN can even be contemplated.

I say that with one caveat, and perhaps some of the others can check me out on this as I'm on the ragged edge of my understanding of IPSec... I thought I read that once your tunnel is established, the only way to get access to the internet at large is to designate the FVS318 as your gateway (for the duration of your session), which is an extra step. If that's the case, and DezUK was successfully creating the tunnel, he wouldn't be able to ping the WAN port until he made that adjustment. However, if that were the case, DezUK SHOULD be able to ping the router's INTERNAL port, as well as the other IP's on the network... damn, thought I had it there!

Darrenzo, are you operating your client machine behind a router? I notice that DezUK says his client IP is of the 192.168.xxx.xxx internal format, so he must be. I am also. If you are not, I'm wondering if NAT could be our problem. Microsoft released an updated VPN client specifically for NAT-compliance (but they removed it because it was broken). I've never been able to decipher whether it was to address NAT on the remote client or the VPN server end though. Perhaps it was supposed to address the problems some of us are having?

Rundown - if those kind folks at Skylab are OK with it, I could probably put their instructions and file online so readers of this thread aren't burning up their bandwidth downloading them :)

OurITguy - Now that Darren mentions that automatic refresh after time, it reminds me of something. As you know, I'm also using XP home and having the same problems, and have no gpupdate. BUT, one time I fell asleep poring over Darren's instructions trying to figure out where I went wrong ;-) In the VPN log on the FVS318 the next day, I got the usual stuff, but at the end it said something about terminating the tunnel for some forgotten reason - and this was HOURS after any other log entries! I have to wonder if I didn't establish a successful tunnel in my sleep! LOL
Could that be possible guys? That it would connect without any further action from me?

Thanks for all of the help Darrenzo, MattWray, et al. I'm so close I can smell the coffee at the office!

Tim
 
Tim / Shaferbus,


My setup is as follows:

Remote end
Windows XP Pro (with IPSEC policy set up as described in the now infamous doc!) connected to a broadband line (no router / firewall etc) with a STATIC internet IP address (that cost a little extra from my ISP - gits!) but now looks like money well spent.

Office End:
ADSL modem connected to FVS318 VPN router (with STATIC Internet IP address) which is connected to main office switch.

Simple setup (exactly as laid out in the dreaded doc).

I've got a wild and crazy idea... those using XP Home at the remote end, why not get another PC/laptop or whatever and get a 'copy' of XP Pro on there! Or why not re-install your pc with XP pro, hell what's another few hours onto this problem!! :)

-Darren
 
Don't think that hasn't crossed my mind! ;-)

"we have the technology..."

Of course, it started out with the idea that this was going to be simple - just set up the native XP client - and it's kind of snowballed from there. If I'd known what I was getting into, I'd have done just as you suggest in the first place!

I do have to admit to a little "Bill Gates won't beat me!" at work here... :-D

I am interested in whether the gpupdate from an XP pro machine will work with XP Home, but I keep forgetting to email the file to myself. What's the worst that can happen? Having to reload it with XP Pro???

If any of you guys have the "resources" to load XP Pro, it's a good suggestion, but I'm still wondering about having that router in the mix...

How many of those that are still having problems are using XP Home? How many are behind a router? Has anyone successfully connected with either or both?

Thanks

Tim
 
Darrenzo, or anyone else who has this working, what does your configuration on the router end look like? I would like to do this without any third party software on winXP using just the IPSEC policy tools.

For some reason, the router configuration is the hard part for me.

Thanks,
Tim
 
thanks rundown, that link does work.

I got safenet installed and configured per your example - and the darn connection failed in exactly the same manner as when I tried it using XP! I'm beginning to think that perhaps I have a broken router...?

I guess I'll try setting Safenet up according to Netgear's latest manual next. It's getting to be a bore...

If anyone thinks they can decipher it, I posted a copy of the FVS318 VPN log at
a screenshot of the FVS318 VPN settings for the safenet connection is at
and for good measure, a screenshot of the router settings I set up for the XP client is at
If anyone has any suggestions, I'd be glad to hear them

Thanks
 
I am having these same problems with the Netgear FVM318. I have even bought and configured the Safenet SoftRemote, but it will still not work. I think it is a bad setting, but I have no idea which is bad. The Netgear docs are terrible! I called their support and it is worse!

 
Here is actually an entire log entry on my FVM318:

IPsec:Receive Packet address:0x179623c from 12.145.57.217
IPsec:main_inI3_outR3()
IKE:[VPNFORDJ] RX << MM_I3 : 12.145.57.217
IPsec:Decoded Peer's ID is ID_IPV4_ADDR:10.10.57.217 and 0.0.0.0 in st
IPsec:refine host connection fail!
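
An added example, not part of the original posts and not Netgear tooling: a small Python parser for the log excerpt above that extracts the packet source address and the ID the peer presented in Main Mode message 3, then reports whether they agree and whether the ID is a private-range address. The function name `analyse` and the regular expressions are hypothetical, inferred only from the five lines posted; that an ID/source mismatch is what produces "refine host connection fail!" is an assumption the thread does not confirm.

```python
import ipaddress
import re

# Log lines copied verbatim from the post above (FVM318 VPN log).
SAMPLE_LOG = """\
IPsec:Receive Packet address:0x179623c from 12.145.57.217
IPsec:main_inI3_outR3()
IKE:[VPNFORDJ] RX << MM_I3 : 12.145.57.217
IPsec:Decoded Peer's ID is ID_IPV4_ADDR:10.10.57.217 and 0.0.0.0 in st
IPsec:refine host connection fail!
"""

# Patterns are inferred from the lines above; other firmware may differ.
RX_RE = re.compile(r"IKE:\[(?P<conn>[^\]]+)\] RX << (?P<msg>\S+) : (?P<src>[\d.]+)")
ID_RE = re.compile(r"Decoded Peer's ID is (?P<kind>ID_\w+):(?P<peer_id>[\d.]+)")
FAIL_MARKER = "refine host connection fail!"


def analyse(log_text):
    """Return one finding per failed exchange that has both a source and an ID."""
    findings, current = [], {}
    for line in log_text.splitlines():
        rx, ident = RX_RE.search(line), ID_RE.search(line)
        if rx:  # a new IKE message starts a new record
            current = {"connection": rx["conn"], "message": rx["msg"],
                       "packet_source": rx["src"]}
        elif ident:
            current["peer_id_type"] = ident["kind"]
            current["peer_id"] = ident["peer_id"]
        elif FAIL_MARKER in line and {"packet_source", "peer_id"} <= current.keys():
            src = ipaddress.ip_address(current["packet_source"])
            pid = ipaddress.ip_address(current["peer_id"])
            current["id_matches_source"] = src == pid
            current["peer_id_is_private"] = pid.is_private
            findings.append(current)
            current = {}
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['connection']}] {f['message']} from {f['packet_source']}: "
              f"peer sent {f['peer_id_type']} {f['peer_id']} "
              f"(matches source: {f['id_matches_source']}, "
              f"private range: {f['peer_id_is_private']})")
```
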
 
djtech2k - that's the same place mine always fails.

I've tried the xp client, safenet, and SSH sentinel clients, and always end up with that "refine host connection fail!" in exactly the same place. That leads me to believe, as you said, that the problem is at the router.

Of course, I'm assuming that isn't your WHOLE log - just the point where things seem to break down.

I guess I'm missing something too, because there just aren't that many settings available on the FVS318, and between the NetGear instructions, Darren's, Safenet's, and Sentinel's I'm pretty sure I understand the ones that are there - yet I keep getting "refine host connection fail!"

Does anyone have a translation from Netgear to English on this error?
 
I had all the problems above with the 318, in the end the client purchased more 318's for 318 to 318 vpn, however one the other day would not connect at all.

In the 318 make the name of the router correspond with the vpn connection name.

This is all I changed and it worked.
 
I found a Microsoft article (240262) that states:
To implement the pre-shared key authentication method for use with a l2tp/ipsec connection: You must add the ProhibitIPSec registry value to both Windows 2000-based endpoint computers. I tried this and get a connection to my Netgear FVL328 that fails to find a matching policy. I can make a connection when both tunnel endpoint IP's are known without any problems, however if the client has a dynamic IP this method will not work. I hope this helps...
 
I'm having the same problem setting up a client (XP Pro) to gateway (FVS318) VPN. I just called netgear for premium support, and they told me since I might have a dynamic IP, or be behind a router or Firewall on the remote end that I should buy a VPN client. However, they told me to buy the Netscreen-Remote VPN client. The tech told me it's the same thing as the SafeNet client, but a lot cheaper. Anybody else have similar info, or experience with the Netscreen client?
 
As a follow up to my previous post about the Netscreen-Remote client, I have purchased and installed the Netscreen-Remote Client v.8, and it works great! It is based on the SoftRemote client from SafeNet, and looking at the documentation from Netgear, it is THE EXACT SAME CLIENT except for one 'virtual adapter' field. It costs me $85 for a 10-user license, so it is much cheaper than the $149 per license SafeRemote. Hope this helps.
 
I too am having difficulties establishing a VPN connection between both my office LAN and my home LAN running winxp. I have gotten as far as "Negotiating IP Security" but I can't establish the connection. I have tried the gpupdate command, but unfortunately it has not worked. This has been a week long project and is soooo frustrating! I know you guys feel my pain :) If anyone has overcome this, or has any suggestions, please let me know starryeyes2800@hotmail.com. Thanks!!
 
Hello one and all. I found this post today and have been trying to configure my FVS318 and XP computer. I have seen the very helpful document posted by Darrenzo and schaferbus. Very helpful, BUT, the last 2 pages of the document confuse me. I don't think the description of the VPN client_W2K ip settings is correct. If the W2K client is indeed connected to a router, then the w2k client and the lan port of the router need to be on the same subnet. In the description, they are not. Could we get an updated description of the "remote IP network" including all of the lan/wan addresses (with names changed to protect the innocent?)

I also recommend upgrading your router firmware to version 1.4, as the VPN settings are much, much more descriptive.

I've gotten as far as the "negotiating ... " and am stuck.

Thanks for all your help! :^)

Ryan Vande Water
 
I'll have to check back over my notes Ryan, but if I remember correctly the client is in fact required to be on a different subnet. (This is of course assuming that the client is behind a router, not a standalone).
Not sure why that is, but I believe it's a Netgear requirement.

I'd check it for you right now, but I'm on Perma-Hold with Netgear tech support!

WebHog - I'm glad you had success with Netscreen! Sure wish they offered something smaller than a 10-client version though!

Good luck all (and ME!)
 
Well, I was finally able to establish a VPN connection to the FVS318 using Windows XP Pro. I took my computer off my office domain (the router does not seem to like connecting two domains) and put myself in a workgroup. I then used a dialup connection, for the purpose of avoiding my server, the firewall, and our hub. So I established a direct connection to the internet and configured the VPN settings on the router for a SINGLE USER, not a REMOTE LAN. Within Windows XP, I set up an IPSEC policy as shown in that document that many of you now have, only when specifying the source and destination addresses I selected "MY IP ADDRESS" for the destination Inbound, and the source Outbound; everything else is the same. Once I changed all that, I pinged the router, received 4 "Negotiating IP Security.." and then received replies. It's not a perfect setup by any means.. but it's a pretty good starting off point. I hope this helps. :)

Stef
CCNA MCP
 