NetGear FVS318 VPN to remote W2K client using IPSEC 16

[Darrenzo]

Hi folks,
I have set up an established a VPN tunnel using IPsec policy (set up in the mmc) from a remote Windows 2000 client to my main Office VPN router (Netgear FVS318). I can ping the router and the main server on the main office LAN (after I added a static route into the router), I can also bring up the default web page on the server.
My problem is that I cannot access the any of the shares on the server or browse the network or anything like that.
I am concered that this may be due to the fact I am not "signing into" a VPN server, merely passing through the router, is there another step involved?
I have added a HOST and LMHOST entry on the local remote PC, the server's netbios name resolves ok, but I still cannot map to or browse the domain.
Should I add the remote computer name into the domain? I have tried to join the domain from the remote PC but it cannot find the domain I am trying to join.
I have found several posts on this site concerning this very problem. But none of them is very detailed.

Any help would be greatly appreciated

 

[wdoc156]

Raptorz,
Haven't tried remote client behind a NAT device but if the NAT device supports IPSec passthru it should work. Gotta try this type of config with an app that I am massaging to work with IPSec VPN client software interfaces at work and will post what I find regarding this.

ALLTOOLS, et al.
It appears that the Windoze VPN client does require a static IP at each end. I haven't really investigated too much but that does work in 2K and XP.
The SoftRem9.zip should have a setup.exe to install it and it should place an 'S' icon in the system tray that can be right clicked to perform all of SoftRemote's functions.
When using the FVS318 and v14 firmware, the DynDNS function works properly and can be used with SoftRemote v9 when the FVS318 is configured to use DHCP for the WAN address. If your WAN IPAddress can change USE A DYNAMIC DNS SERVICE! or you will hate the FVS even more for VPN use.
If you have set a IPSec policy in Win2k/XP then unassign it before using SoftRemote or it will likely break SoftRemote.
My readme file says:
"Operating system Minimum RAM
Microsoft® ...Windows XP Home and Professional 64 MB; 128 MB recommended" which alludes to XP compatibility.
Seems to work with it OK.

 

[ALLTOOLS]

I have executed the setup.exe file and it appears to load files but the only item listed in the meunu is a link to the help file and no S icon in the tool bar

 

[ourITguy]

ALLTOOLS- Sounds odd.Try uninstalling current,download fresh zip file(should be 5.03MB compressed)and try again.

 

[fvl328user]

Billor
I've Just got a fvl328 setup the Firewall no problem I've just got a e-mail from netgear after 4 days wait thought this was good as last time I e-mailed them still waiting
anyway what I was wondering could you e-mail me your configuration screen for the vpn/ikes settings as I'm wanting to set this up for a couple of remote users and depots which I support I was hoping to use the xp vpn client/98 vpn clients on these pc's but if all else fails. to use the softremote vpn software which your using could you also send me the setting for this vpn client.
thanks

 

[Ontario]

A long and winding road - I have made FVS318 working with DDNS and SoftRemote (v.9 or 10 both ok). Whilst accessing XP resources is no problem, attempts to locate NT4-Server/Win98/WinME and resources are not possible.
Exactly speaking, pinging these machines and VNC remote control them are no problem, whereas searching them by private IP addresses was returned with "no results to display", of course map drive is not possible.
What could I have done wrong?

 

[saphireneil]

I have a Win2k Workstation with SoftRemote. If I connect to the internet via a dialup modem my VPN comes up OK... However, I have broadband connection via a Dlink DSL-604+. When I connect to the Internet via this the VPN does not come up! Any ideas?

 

[Worthog]

Hey guys,
Possibly a slightly different problem.
Using the soft-remote client posted here and running it on a win2k PC I can get a VPN connection to the FVS318, at least that's what the client tells me!
According to Netgears info I should then at least be able to ping the internal IP of the firewall from the remote client, no joy there however.
The only obvious issue I can see relates to the virtual adapter setting in the client, if I set it to "required" it can't establish a VPN connection, if I put it on "preferred" I get a connection but then can't ping, whether these issues are related I can't be sure, but the soft-remote client log mentions it cannot find a virtual adapter.
I hate this router with a passion but unfortunately I'm stuck with it. I recently ran the 1.4 firmware upgrade on the firewall, still no luck.
Any solution would make my day.

 

[Ontario]

Worthog
I am using WinXP Pro with SoftRemote and connect to FVS318 via DSL High Speed. I can only connect with Virtual Adapter disabled. Per their explanation, Virtual Adapter is for IDSN dial-up.
I don't know your connection media but believe you have a reason to use Virtual Adapter.

 

[Worthog]

Ontario.
Firstly I tried connecting using internet dial-up and creating a tunnel through to the firewall. With virtual adapter disabled I got a VPN connection but could not ping through it.
Now I'm attempting to simulate the situation in-house, on our LAN with the same result, get a connection but can't ping the internal firewall interface.
I only wondered if the virtual adapter issue was in some way related to my ping issue, but it seams not.

 

[Ontario]

Worthog
If you can establish vpn, you should be able to connect to the admin page of FVS318. Hope you have tested that.
If you are not far away, I suggest you check the admin page of FVS318 to find out which attached devices are available and their respective IP addresses. And you should be able seeing VPN status that you have indeed connected through.
Also in the SoftRemote client settings, you have to ensure the correct subnet IP group and mask are identical to the remote Lan.
If you are connecting behind a Lan, also please ensure private IP address subnets must be different.
Are you using Zone Alarm? Try disable it for testing purposes.
FSV318 setup is really frustrating. However, having gone through those tricky settings, I am farily happy with it because the connection is most time smooth.
Hope this helps you.

 

[Ontario]

Worthlog
I forgot to contribute my thinking about Virtual Adapter.
I am not that sure, but I think while you set it as preferred, you are confusing SoftRemote to look for the "ISDN or so" connection to send out the Ping's, wherein the VPN tunnel is actual built via the Internet connection.
Please don't hold me for this comment as I am not expert on VPN.

 

[Worthog]

Ontario.
Did some testing with an winXP pro PC, installed soft remote, which installed the virtual adapter under networking, this wasn't happening with my win2k setup. Setting virtual adapter to "required" now gives me a proper connection.
First safe remote tells me it's connected, then I get an extra network connection appear in the taskbar (the virtual adapter)I can now connect through happily.
The catch is this testing is on a LAN, I'll have to see how it works with dial-up, and win2k. I'm also looking at the netscreen VPN client as an alternative, seeing as softremote's pricing is criminal for multiple users

 

[Ontario]

Worthog
Thanks so much of the update.
I wish you can also go through well with dial up.
If you have any success with netscreen, please do let me know.
Good luck.

 

[Ontario]

Worthog
For curiously, I just setup SoftRemote on W2k Pro and imported same policy from WXP Pro. I used PPPoE to dial up to Internet and establsihed VPN (So it is Remote Client to Lan). It worked very well, same like WXP.
This is for your information.

 

[Worthog]

Ontario (and others)
Yep I've now got SoftRemote working on win2k and XP, for some reason the virtual adapter wasn't istalled under network settings the first time but now it's sweet.
I then got hold of the Netscreen VPN client (which you can't get a trial version of) it's pretty much identical to Softremote. All the same settings, same layout, basically re-badged software. The good thing is it's around 95 US dollars for 10 licenses, cheaper than 1 Softremote license I believe. It works with win2k and XP and you can use the Softremote setup doc posted further up this thread with identical settings.
Thanks for all your help

 

[fvl328user]

Billor,or anyone
I know this is for a fvs318 (going to get a couple of these in next couple of weeks to setup a box to box vpn)
Sorry forgot to give you my e-mail andrew.Chatten@btinternet.com
can you give your settings on your fvl328 and the softremote client
I've had play with softremote and got a connection tried pinging the ip address range in the fvl328 and softremote virtual adaptor was setup. Low and behold got replies back saying these ips were there tried my lotus notes connection then a novell client and then a net use * \\194.10.10.1\c$
it came back can't be found . Last night I thought right I can ping this and that lets try ping ip's which should not be avaible low and behold there's an ip address which does not exist coming back with a reply ????
Any thoughts ???
I tried this from an xp machine behind a firewall on a adsl modem from home. then tried it from a dialup from my pc here at work same result.

 

[Zcript3r]

I found this on another forum, and thought that it may help some folks on this site. It has helped me get throug a couple of issues.

1) Connect to the Internet and send traffic towards your company's network (for example, ping a server or check email). Use the log viewer on your VPN client or box to see how far you're getting.

2) If you see nothing at all in the log when sending traffic, your client/box is not trying to bring up the tunnel. You probably have an installation problem -- call tech support.

3) If you see log messages like "Initiating IKE Phase 1" followed by "Re-transmitting", requests sent by your VPN client/box to your corporate gateway aren't getting through:

3a) Double-check your client/box configuration to make sure it specifies the right "Identities" for you and your gateway. Identities are often an e-mail address for you, an IP address for your gateway -- but this varies, so use the settings appropriate for your company's VPN.

3b) Make sure you can ping the corporate VPN gateway (or something nearby). If you have a "UDP ping" tool, verify that UDP port 500 traffic gets to the gateway. If ping or UDP ping are not getting all the way through, ping intermediate hops, starting from your end, to figure out where UDP 500 is being blocked.

4) If you see log messages like "Initiating IKE Phase 1" followed by "Hash Payload is incorrect" and "Discarding IKE SA negotiation", your VPN client/box is failing authentication. Double-check your pre-shared secret or digital certificate to make sure they match the settings required by your company.

5) If you see log messages like "Initiating IKE Phase 1" followed by "No Proposal Chosen" and "Discarding IKE SA negotiation", your VPN client/box and corporate gateway have an IKE policy mismatch. Double-check your client/box security parameters (encryption and authentication algorithms) to make sure they match the settings required by your company.

6) If you see log messages like "Established IKE SA", followed by "No Proposal Chosen" and "Discarding IPsec SA negotiation," this indicates an IPsec policy mismatch - see 5) above.

7) If you see log messages like "Loading IPsec SA" or "IKE Phase 2 Completed," but still aren't able to communicate with your mail or other corporate network server, then your tunnel is up but tunneled packets are possibly being blocked, corrupted, or misrouted:

7a) AH or ESP (protocols 50 or 51) may be blocked by a firewall between you and your corporate gateway.

7b) Network/Port Address Translation (NAT/PAT) may be occurring somewhere in that path.

7c) There may be a problem with routing, preventing response packets from tunneling back to you.
If the corporate VPN gateway isn't seeing incoming packets on your tunnel, you're probably hitting a). If your gateway is discarding incoming packets to your tunnel, you're probably encountering b). Give your local ISP or DSL/cable provider a call to work out these problems. If the VPN gateway is seeing incoming but not outgoing packets through your tunnel, suspect c) and tell your company's network admin.
These log examples are based on SafeNet's IPsec VPN client -- the client OEM'ed by many VPN equipment suppliers. If your company gave you a different IPsec VPN client or box, the actual text in your log will be different, but this flow (IKE/Phase 1 initiation, IKE/Phase 1 SA, IPsec/Phase 2 SA) and the protocol and port numbers they require are probably the same.

 

[mormiston]

Just a few things to add.

Usin the Internal IP in Soft Remote gives you the ability to manage your connections and also to have an IP plan outside of your internal DHCP, which may from time to time change, since it is dynamic

When I was putting the VPN solution together it would connect let me ping the FVS and user the web console, but I could not access anything behind. The problem gave no fault and no real lead. I decided in the end to install on another machine and see what happened, amazingly it worked. In determining what the difference was, I found the machine that was failing had actually created the Virtual Adapter as a connection in 'Network Connections" even though I had disabled it.

After saving the policy, unistalling / reinstalling SR and making sure that the Virtual Adapter did not recreate itself in "Network Connections", it worked fine and I could access anything behind the firewall.

Also I have found in one installation that SR does not play very happily with PC Anywhere, I got a lot of memory errors. After removing PC Anywhere the problem was resolved.

 

[shaferbus]

For those of you trying to connect to the NetGear routers using SafeNet SoftRemote:

MORMISTON has updated his SafeNet-->FVS318 document at

http://home.stny.rr.com/ranch/reference/FVS318SafeNet.pdf

Also, I've added RWASINIAK74's SafeNet-->FVL328 document at

http://home.stny.rr.com/ranch/reference/FVL328SafeNet.pdf

which should be helpful to anyone who has the need to use Agressive Mode for authentication, even on the FVS318.

Good Luck!

 

[mmaleit]

Ok, so I haven't completely given up on forming a VPN connection with a XP box (client) on one end and a FVL328 on the other. In fact, I managed to get this working when using a preshared key. Haven't gotten to the point of having the 'remote access' mode working yet... which brings me to my question. Does anyone know why the IPSec layer in XP fails with the error "Negotiation timed out" when you try to use certificates from a CA rather than a shared key? And if no-one has an answer for that question, then has anyone gotten the certificate based authentication to work with the Netgear router regardless of client? (just trying to figure out if the real problem is the router or the client) I think the problem might be the router since it looks like the router is returning a bogus thumbprint (Peer SHA Thumbprint = '0000000000000000000000000000000000000000' according to the entry in the windows logs).

Thanks in advance for the help.

And by the way... is it just me or are there several posts missing on this thread? Is there a 'secret' way to get to page 2 that I'm missing?

Mark