
NetGear FVS318 VPN to remote W2K client using IPSEC 16

Status
Not open for further replies.

Darrenzo (Technical User), May 29, 2003
Hi folks,
I have set up and established a VPN tunnel using IPsec policy (set up in the MMC) from a remote Windows 2000 client to my main office VPN router (Netgear FVS318). I can ping the router and the main server on the main office LAN (after I added a static route into the router), and I can also bring up the default web page on the server.
My problem is that I cannot access any of the shares on the server or browse the network or anything like that.
I am concerned that this may be due to the fact that I am not "signing into" a VPN server, merely passing through the router. Is there another step involved?
I have added a HOST and LMHOST entry on the local remote PC, the server's netbios name resolves ok, but I still cannot map to or browse the domain.
Should I add the remote computer name into the domain? I have tried to join the domain from the remote PC but it cannot find the domain I am trying to join.
I have found several posts on this site concerning this very problem. But none of them is very detailed.

Any help would be greatly appreciated
 
I'm still no further forward with my VPN setup. These are my VPN logs so far.

Wed, 08/20/2003 10:24:33 - FVS318 IPsec:Receive Packet address:0x1806edc from 82.41.170.0
Wed, 08/20/2003 10:24:33 - FVS318 IKE:[Obvious] RX << XCHG_INFO : 82.41.170.0
Wed, 08/20/2003 10:24:35 - FVS318 IPsec:event after this is EVENT_RETRANSMIT in 6 seconds
Wed, 08/20/2003 10:24:35 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 5229aa00 "Obvious" #4
Wed, 08/20/2003 10:24:35 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds


In my VPN Status window I have the following....

[P1 - M - Estab]
[P2 - None]

So it looks like there is a connection established. But when this connection is established I lose the internet connection on the remote PC. :(

Any ideas ?
 
DezUK, did you ever change the subnet on one of your local intranets? I remember you had them both set to 192.168.0.0 at one time...
Also, you didn't mention if you tried pinging the FVS318's LOCAL IP address. The reason I ask is that (if I understand correctly) you WILL lose your internet connection at the client if you successfully establish a tunnel - because your bandwidth gets turned over to the tunnel. I believe you can access the internet through the tunnel via the FVS318 at the other end, but you have to name its local IP as one of your gateways. Sorry if I'm stating the obvious, but I wasn't sure from your post where you were at.

As for my status, I've finally plowed enough off my desk to get back to VPN. Sent an email support request to Netgear and got the usual automated "read the FAQ" response, which gave me 17 HOURS (?) to respond if I wanted to escalate it. I responded immediately.
After about TWO WEEKS (!) I gave up and called NetGear's "Perma-Hold" phone support. Walked them through my settings, and they were clueless - "try v1.4" they said. Then I FINALLY (after 3 weeks) got a response to my email support request... "try v1.4" they said. So I tried v1.4. The v1.4 firmware got me as far as you are DezUK... I'm finally getting through "Phase 1", but getting an error on "Phase 2".

Here's the relevant FVS318 log entries:
Wed, 08/20/2003 21:36:33 - FVS318 IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.16.0/255.255.255.0-24.97.69.###=====24.95.137.###-19
Wed, 08/20/2003 21:37:19 - FVS318 IPsec:Receive Packet address:0x1807194 from 24.95.137.###
Wed, 08/20/2003 21:37:19 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Hash Payload has an unknown value: 93

(FVS318 WAN=24.97.69.###, LAN=192.168.16.0)
(Client WAN=24.95.137.###, LAN=192.168.0.0)

Does any of that mean anything to anyone???

Tim
 
Hello, new to this thread, spent several hours trying to make this work, gave up in the end, bought a 3Com 3CR856-95, took it out of the box, set it up in 15 minutes, added the NEW NETWORK CONNECTION in XP and it worked straight away. Could not be happier, still have the Netgear, but will be taking it back. Hope you find a solution to this thread, as it drove me mad, best of luck.
 
I'm kind of late to the party on this one, but it's a very interesting thread for me as I recently purchased an FVS318 and fully expect to undergo the same pain as everyone else.

To begin with, the NetGear documentation is about as much use as an ashtray on a motorcycle when it comes to configuring the client-side connection.

I chose to download the SoftRemote LT client and configure that. I haven't had a chance to test it from outside my network yet (it won't work from the inside out and back in again).

I have seen some of the log files posted and thought this document might help to demystify the ISAKMP/Oakley key exchange process:


From what I saw, it looks like many of you are getting the tunnel established but the connection fails when the two hosts cannot negotiate an SA?

If this is the case, you might want to verify that the level of encryption set on the firewall (DES, 3DES etc.) matches that of the IPSEC policy/VPN client setting on the remote machine. The FVS318 allows for Perfect Forward Secrecy to be set at the firewall. This should also be set at the client end too.

In a pre-shared key scenario, the firewall and remote client must be able to exchange the key. If they cannot negotiate a secure way of doing this the connection will fail. Windows 2000/XP are very particular about encryption and authentication protocols.

Don't know if this might also be helpful but it's food for thought:

Windows group policies are applied in a very strict order - Local, Site, Domain, OU. If your remote client resides in a Domain your local IPSEC policy may get overridden by a higher order (Domain or OU) policy. Check with your Sys Admin to see if there are any policies that might do this.

In the case of XP the built-in firewall may cause problems and should be turned off until this can be ruled out.

When configuring firewalls/VPN in the past I have always started out with no encryption at either end and then cranked it up until I find the maximum level at which both can communicate.

Hope this helps and I really appreciate the info everyone has posted here. I will be drawing heavily on it when I come to try and get this thing working.

Regards.
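The FVS318 log lines quoted earlier in this thread (the EVENT_RETRANSMIT loop and the "no connection is known for ..." phase 2 error) and the SA-negotiation explanation above both come down to reading the router's IKE/IPsec messages correctly. The following triage script is an added example, not code from the thread or from NetGear: it parses constructed log lines shaped like the ones posted here and maps each to a phase and a likely cause (the regexes, category names and all addresses are my assumptions).

```python
import re

# Constructed sample lines shaped like the FVS318 entries quoted in this thread;
# addresses are documentation ranges, not the posters' real ones.
SAMPLE_LOG = """\
Wed, 08/20/2003 10:24:33 - FVS318 IKE:[Obvious] RX << XCHG_INFO : 203.0.113.7
Wed, 08/20/2003 10:24:35 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 5229aa00 "Obvious" #4
Wed, 08/20/2003 21:36:33 - FVS318 IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.16.0/255.255.255.0-198.51.100.1=====203.0.113.7-192.168.0.0/255.255.255.0
Wed, 08/20/2003 21:37:19 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Hash Payload has an unknown value: 93
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - FVS318 (?P<sub>IKE|IPsec):(?P<msg>.*)$"
)
# Assumed layout of the selector pair the router could not match:
# local_net/mask-local_gw=====remote_gw-remote_net/mask
SA_RE = re.compile(r"no connection is known for (\S+?)-([\d.]+)=====([\d.]+)-(\S+)")


def classify(msg, expected_local_lan):
    """Map one FVS318 IKE/IPsec message to (phase, cause, detail)."""
    if "EVENT_RETRANSMIT" in msg:
        return ("phase1", "retransmit",
                "no IKE reply from peer: check WAN reachability and the Remote WAN IP setting")
    m = SA_RE.search(msg)
    if m:
        local_net, local_gw, remote_gw, remote_net = m.groups()
        if local_net != expected_local_lan:
            detail = f"router LAN {expected_local_lan} != proposed local selector {local_net}"
        else:
            detail = f"no policy for remote selector {remote_net} behind {remote_gw}"
        return ("phase2", "selector_mismatch", detail)
    if "unknown value" in msg:
        return ("phase2", "malformed_payload",
                "peer sent a payload the router does not understand: re-check proposal/PFS settings")
    if "RX <<" in msg:
        return ("phase1", "info", "exchange received")
    return ("unknown", "info", msg.strip())


def triage(log_text, expected_local_lan):
    """Parse FVS318 log lines; return one (timestamp, phase, cause, detail) per line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a router log line
        phase, cause, detail = classify(m.group("msg"), expected_local_lan)
        rows.append((m.group("ts"), phase, cause, detail))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "192.168.16.0/255.255.255.0"):
        print(*row, sep=" | ")
```

A "selector_mismatch" with a matching local selector points at the remote subnet or Remote IPSEC ID configured on the router rather than at the LAN side.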
 
Hello folks! I'm also frustrated with this VPN crap. The NETGEAR docs don't seem to work if you follow them word for word. I've called support, and they are actually able to resolve some of the problems. They are able to "remote administer" the routers (if you enable this feature in the router). I got so frustrated that I asked the tech support to configure the routers on both ends (office & home) himself, which he did. I looked at the configs and it is a little different from their instructions.

I am now able to ping and establish a VPN tunnel from home to office. A problem still exists though - I am not able to map to a shared network drive. As of now we're able to use the VPN tunnel by connecting using Remote Desktop.

Does anyone know why we are not able to map to a shared drive? Will appreciate any suggestions. Thanks!
 
Hey NBAbueg...

Sounds like you got quite far by calling Netgear. I'm still stuck at the Phase 2 stage, it just says "None". Any chance you could post some screenshots of your VPN settings at both ends as it may help a lot of people on this board.

Thanks
 
The VPN setting instructions for the FSV318 say to use "DES" encryption on LAN_A, and "no encryption" on LAN_B. Try using "DES" encryption on LAN_B also.

Also, make your key at least 16 characters. Since all routers default to the 192.168.0.X IP, make sure you change the subnet IP to something different - NETGEAR suggest 192.168.3.1.

To establish connection, ping -t 192.168.0.1 - it could take a few minutes and a few "no reply" from the router. If you see a reply - you have a VPN connection. Hope this helps!
 
hmmm... now I'm confused. None of the instructions I've seen specify a different encryption type between the two ends of the connection. The "new" v1.4 instructions use a LAN A/LAN B scenario, but that's between two FV model routers - is that what you're working with NBAbueg?

You bring up an important point with the ping operation - none of the instructions I've seen acknowledge that it takes time to establish this connection! I wonder how many Netgear users there are who are actually setting things up right, but get a timeout from their initial ping and figure it failed!

I've been experimenting with the SafeNet client, but haven't had any more success than I did with the XP client LOL. Guess I'll call NetGear again.

 
Woo-Hoo!
I FINALLY connected using the SafeNet remote client! I found a copy of SafeNet SoftRemote v9.2 and have been trying to use that to circumvent the XP client and its drawbacks.

I gave it ONE MORE TRY using the new NetGear v1.4 instructions. All this time I was assuming that since I KNEW what my remote IP address was, I should enter that in the Remote WAN IP box in the FVS318 VPN setup. Silly me! Changed it to 0.0.0.0 as per the instructions, and VOILA! If you've been specifying your remote IP, try it this way and see what happens.

If you try SafeNet (or use any other client) MAKE SURE you name your connection on the remote client with EXACTLY the same thing you entered in the Remote IPSEC ID on the FVS318.

I know this doesn't help those of you trying to connect with the Win2K or XP client - sorry

Good Luck!
 
Way to go Tim!
I've been working on other projects for a while so I haven't been contributing lately - glad to see you made it through. Finally had to buy another 318 and go with a box-to-box connection. Couldn't justify the time I was spending vs. the expense of the router. But your success raises another question - I have a client on dial-up who's going to need to connect to the FVS318 I set up in his office and I've been trying to decide between trying the SoftRemote or Netscreen. Thoughts?
Jack
ljacksc@netscape.net
 
Well, SoftRemote DOES work. You MUST have firmware v1.4, which kind of torques me - obviously when I bought this thing a year ago I did NOT buy a VPN router, just one that might be someday LOL

You have to follow the NetGear v1.4 instructions setting up the SoftRemote connection, even when it goes against logic and reason. It would have been far easier if the instructions had said things like "even if you know the remote IP Address, use 0.0.0.0 instead because our router gets confused". Must have been written by drones, for drones LOL.

Apparently the Netscreen client works as well, but I couldn't see buying 10 licenses, which is their minimum. If you have a bunch of road warriors, then Netscreen might be just the thing. If it's just you, download the SoftRemote demo that rundownbytechnology posted above and save your money. Or, as Darren suggested, get XP Pro, because that will make your life easier in other non-VPN ways. If you're going to spend money, that's a good place for it.

One thing you might want to be aware of, because it involves how capable your user is. When I end my VPN session, SoftRemote continues to try to apply its security policy to the default connection (i.e. my cable modem). Since that's not encrypted, nothing gets through. I have to manually disable the SoftRemote security policy before I have regular internet access. You re-enable it when you're ready to connect via VPN. It's two mouse-clicks and no big deal, but you know how some users are...
If your user is telecommuting and doesn't use that machine for personal stuff, then it's not really an issue, but if he connects to more than one network (internet included!), you'll have to make the call as to whether he/she has a sufficient understanding to make it work. (Maybe my users are more technically challenged than yours LOL)
Good Luck!
 
Are there any VPN clients with configuration guides available for the Netgear FVS318? Beyond this, are they reasonably priced?

Thanks...
 
I'm working on trying to get my Netgear FVL328 to accept a connection from windows XP. I can get it working with SoftRemote... now I want to know if there is any way to get it working for free?

I followed the directions above (and from several other sources) to get the IPSec policy setup, but it still doesn't work. I think this is because the FVL328 requires that you use aggressive mode. Does anyone know how to put windows XP IPSec into aggressive mode?

I also noticed that it took setting the 'Virtual Adapter' setting to 'Preferred' to get the connection to work from SoftRemote. Does anybody know what that setting changes? What is it that makes it magically work when that is enabled?

Any help would be appreciated. Thanks in advance.

Mark
 
I've got a comment and a question. First, to the comments that the netscreen vpn client is only sold in a minimum volume of 10, realize that you get 10 client licenses for $85! That's still way cheaper than the safenet client @ $150... even if you only use one client.

The question is on the link that rundownbytechnology posted... as far as I can see, that's the full safenetLT client and isn't a demo or for free product... please correct me if I’m wrong cause I’d like to use it if it is truly free domain.

thanks

//RB


 
Has anyone heard of or have info on getting the cisco VPN client (3.6.3 or any) working with the fvs318?

//RB
 
mmaleit - I think the "virtual adapter" is necessary because your real NIC or modem isn't really directly connected to the FVS318 - it's connecting you to the internet. Remember, you can use IPSec for communication security within a LAN - it's not just for VPN. In that case I think you would choose your hardware NIC as the adapter. I'm no expert, so if someone has a better understanding, please post and set us straight.

dlex - alas, if there were a cheap and easy client that worked with the FVS318, this thread wouldn't be a mile long. The problem is that NetGear only supports SoftRemote, which costs as much as just buying another FVS318 for the other end!

rbelt - the SoftNet client that rundownbytechnology posted is version 9 of SoftRemote LT. That was available for free download of one copy for PERSONAL USE from SoftNet. When they released v10, they stopped doing that, but that doesn't change the license conditions on v9! If you're using it for business, then you have to buy a license and might as well get the current version or NetScreen (which I'll admit is indeed a better buy, but I think we all expected to be able to use the native Win2k and XP clients. If you read through the thread you'll see that NetGear certainly used to give the impression that you could do just that. Personally that's what sold me on the FVS318 - the fact that it was allegedly a VPN solution that didn't require more investment!)

good luck connecting!
 
WOW - this is a great thread. Packed with a bunch of great info. I should have read it before I started my own thread. I won't bore you with the details by repeating the question but if any of you have any experience setting up a VPN connection using the Cisco VPN client v4.0 to a Netgear FVS318 (v1.4) I would really appreciate you checking out the "Cisco VPN Client v4.0 to Netgear FVS318 v1.4" thread.

Thanks......
 
nice to hear about the safenet client... although I think most of my applications will be business oriented so I'll probably just buy the netscreen client.

I agree that netgear makes it sound like w2k and xp can quickly connect to the fvs318 natively -- and to that point, I was able to do this first time without much of an issue (I was following the doc they sent me) -- I'm sure it's the same doc that everyone else has but if someone has a public place that I can post it, I would. It's about 1MB zipped (25MB unzipped).

On a side note, after getting the Windows client to connect, I quickly decided that this wasn't a desirable setup anyhow, especially for remote users. What I like about having a separate client is that the user (or me) can start and stop the connection manually which, in my opinion, is much safer and more secure than having a Windows machine auto-connect on boot, especially a laptop on the go... The only real situation I can see for having a W2K or XP station auto-connect might be if you had a remote office and were using ICS but there again, I would opt for installing another FVS318 for many reasons, security being the prominent one (always separate your firewall from Windows!).

Let me know if there's a place to post the doc I have --

//RB

 
rbelt, if you've got a doc from NetGear that's different than what's been mentioned in the thread, I'll be glad to post it.

However, we've all got FVS318_W2K.doc from NetGear if that's the one you mean. If you got it working from this doc "without much of an issue", you've sure kicked my butt LOL. Did you get it working on Win2k AND XP? One of the things I found lacking from FVS318_W2K.DOC was instructions for setting up the connectoid in Network Connections in Win2k. I set everything up according to the document, but when it came to setting up the connectoid, I was on my own (and obviously unsuccessful).

About native vs. third party clients... Maybe I don't understand, but can't you choose between your VPN connection with the native client and whatever other connection you might have (i.e. internet or LAN)? In my misadventures with the XP client, I ended up with an additional connectoid in Network Connections which I could enable or disable at will. I agree you wouldn't want to auto-connect unless you were connecting office sites (for which another router would be the obvious answer), but I was under the impression that you could choose when to activate it.
 
the doc has the same title and describes how to set up the IPSec policies needed to connect to the fvs318... It's important to understand the last page and substitute your settings accordingly. I can't remember if I used it on xp or w2k but I think it was the latter.

As to the W2K/XP native setup, there is no built-in client for you to enable or disable per se; rather the connection is established by setting up IPSec policies which basically creates a rule on your machine that says 'whenever anything wants to go to the network defined as "interesting" (e.g. on the other side of the FVS318) then use these IPSec rules and connect'. You definitely shouldn't end up with additional stuff in your Network Connections folder... unless there is another method of connecting that I'm not aware of...

e.g. Let's say you have a network behind the FVS318 of 10.10.10.0/24 and your personal station is on a remote network out behind a NAT device somewhere on the internet with whatever address (192.168.1.12/24). If the IPSec rules are set up properly, then if you try to map a drive to \\10.10.10.10\share, your machine will automatically set up the VPN tunnel and attempt to connect.

Personally, I don't like this and think $85 for 10 client licenses or purchasing another FVS318 for $130 isn't bad -- I will say setting up an FVS318 to FVS318 connection is easy if you pay attention to the settings.

//RB
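The policy-based behaviour rbelt describes above (traffic to the "interesting" 10.10.10.0/24 network triggers IKE, everything else leaves in the clear) can be modelled as an ordered security policy lookup. This is an added illustration, not code from the thread or from Windows; the rule list, the gateway address and the overlap check (the reason both ends defaulting to 192.168.0.0 breaks the tunnel, as noted earlier in the thread) are my assumptions.

```python
import ipaddress

# Constructed policy modelled on the thread's example: office LAN 10.10.10.0/24
# behind the FVS318, remote station 192.168.1.12/24 behind a NAT device.
# The tunnel peer address is a placeholder from a documentation range.
SPD = [
    # (source selector, destination selector, action, tunnel peer)
    ("192.168.1.0/24", "10.10.10.0/24", "negotiate", "198.51.100.1"),  # interesting traffic
    ("0.0.0.0/0", "0.0.0.0/0", "permit", None),  # everything else goes out in the clear
]


def lookup(spd, src, dst):
    """Return (action, peer) for the first rule whose selectors cover src -> dst.

    Rules are tried in order, so the specific tunnel rule must precede the
    catch-all, just as an IPsec filter list is matched before a default rule.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action, peer in spd:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, peer
    return "discard", None  # no rule matched: drop rather than leak


def plan(spd, src, dst):
    """Describe what the host would do with one packet under this policy."""
    action, peer = lookup(spd, src, dst)
    if action == "negotiate":
        return f"IKE phase 1/2 with {peer}, then ESP tunnel for {src} -> {dst}"
    if action == "permit":
        return f"{src} -> {dst} sent without IPsec"
    return f"{src} -> {dst} dropped"


def selectors_overlap(local_lan, remote_lan):
    """True when the two LANs share addresses, so the tunnel selector is ambiguous."""
    return ipaddress.ip_network(local_lan).overlaps(ipaddress.ip_network(remote_lan))


if __name__ == "__main__":
    print(plan(SPD, "192.168.1.12", "10.10.10.10"))   # mapping \\10.10.10.10\share
    print(plan(SPD, "192.168.1.12", "203.0.113.50"))  # ordinary web traffic
    print(selectors_overlap("192.168.0.0/24", "192.168.0.0/24"))
```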
 