
NetGear FVS318 VPN to remote W2K client using IPSEC 16


Darrenzo (Technical User)
May 29, 2003
Hi folks,
I have set up and established a VPN tunnel using IPsec policy (set up in the MMC) from a remote Windows 2000 client to my main office VPN router (Netgear FVS318). I can ping the router and the main server on the main office LAN (after I added a static route into the router), and I can also bring up the default web page on the server.
My problem is that I cannot access any of the shares on the server or browse the network or anything like that.
I am concerned that this may be due to the fact that I am not "signing into" a VPN server, merely passing through the router. Is there another step involved?
I have added a HOST and LMHOST entry on the local remote PC, the server's netbios name resolves ok, but I still cannot map to or browse the domain.
Should I add the remote computer name into the domain? I have tried to join the domain from the remote PC but it cannot find the domain I am trying to join.
I have found several posts on this site concerning this very problem. But none of them is very detailed.

Any help would be greatly appreciated
 
Thanks for the info Mattwray!! I can now gain access the network shares I need.

However, I am hoping someone out there will be able to answer this: the VPN 'tunnel' seems to only work intermittently. Sometimes you can connect straight away and it pings OK; other times it doesn't work. When you try a ping on the router's LAN port you get messages saying 'Negotiating IP Security' but no responses and no access to the remote network. With the aid of someone at the other end (i.e. the remote network) they can see from the FVS318's admin screen that the tunnel is being activated and staying 'up' after a ping is attempted from the client end.

What's even more confusing is that, without altering any settings at the router or the client, it can suddenly start working after a period of time.

Can anyone shed any light on this, is there some sort of time out or setting I am unaware of??
 
I had a similar problem when connecting XP to a Linksys. It would take several tries to make a connection. For me, it had to do with the interval once I assigned the IPSec policy to refresh. Try running the SECEDIT /REFRESHPOLICY command...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Tried the SECEDIT /REFRESHPOLICY suggestion; it didn't make any difference (i.e. 15-20 mins of no connectivity, then bingo, you try a ping and up it comes).
I have some further info. In the System log I am getting the following error when I try a ping from the remote PC to the router's LAN port and it fails:


Event Type: Error
Event Source: IPSEC
Event Category: None
Event ID: 4289
Date: 2003-06-05
Time: 10:45:38 AM
User: N/A
Computer: MyComputer
Description:
The IPSec driver failed the oakley negotiation with 10.0.0.1 since no filter exists to protect packets to that destination. Please check the configuration on this machine to ensure at least one filter matches the destination.


10.0.0.1 is the router's LAN port.
What is the Oakley negotiation??
I am using integrity algorithm MD5 and encryption algorithm 3DES. Also using a preshared key (7 alphanumeric characters long).
I have tried playing around with the Key Life setting at the router to see if that affects how long it takes for me to connect, but it doesn't change the delay in getting connected.

Can anyone help?
 
UPDATE

I can get the VPN working fine with Windows XP using Matt's suggestion (secedit /refreshpolicy, only it's been renamed 'gpupdate' in XP). Thanks for that, Matt!

Unless anyone has any ideas about why Windows 2000 takes so long to connect properly, I will just install XP on the remote PC.

 
Can anyone please provide me detailed info on how to connect Win XP to an FVS318? I have tried Netgear's doc and it sucks. Please help, I am desperate.
 

Colin, I have managed to set up an FVS318 VPN from a remote Win XP client. I followed the document provided by Netgear (I admit at first I found it confusing, the example isn't very good, but it does work).
Thanks to MattWray's advice I got it connected; however, I need to refresh the policy before it actually connects (using gpupdate).
I can send you my updated version of the NetGear instructions if you are still stuck.

Let me know

Darren
 
Darren

You got connected??? If you're going to email those updated instructions to Colin, could you copy me at imn_ngineer@hotmail.com ? I'd sure appreciate it.

Thanks

Tim
 
> Can any one please provide me detail info on how to connect
> win xp to an FVS 318. I have tried netgears doc and
> it sucks. Please help I am desperate.

I'm with Colin.

If anyone knows how to get Windows XP native VPN services to connect to a Netgear FVS318 VPN router please let me know. The Netgear docs are scary.

-Todd
 
Send me an email darren.duthart@lycos.co.uk and I'll send you the info.

Cheers

Darren
 
I'm having trouble setting up a Windows XP Pro machine to connect to an FVS318. I tried following the Netgear instructions verbatim and have had no luck. Any help would be appreciated.

Thanks,

Matt
nw_mp@yahoo.com
 
Thanks for the info Darren!
I've taken one swing at it, and haven't connected yet, but your notes have made the process much clearer, and I'm sure it's just a matter of tuning. Hell, just the diagram on the first page cleared things up a lot! Damn Netgear used 192.168.x.x IPs for the WAN addresses in their instructions, which was responsible for a large part of the confusion...

I see in the FVS318 VPN help screen that it says the "Local IPSec Identifier" and "Remote IPSEC Identifier" must match (in reverse) the client's, and I'm still a little confused about that, as they are called "FVS318 to W2K" and "W2K to FVS318" in the instructions. It gets hard to keep straight what's going which way on each end LOL. When and IF I get it figured out I'll add some notes to yours to try to clarify what I had a hard time with and pass it along. (I'm obviously a newbie to VPN, so if you have any further wisdom I'll appreciate it)

I just noticed that Netgear has published a new manual for the FVS318 this week on their support site. Any reference to ANY Windows client is now gone from their site, so I hope everyone downloaded the W2K instructions already (such as they are - Darren's annotated version is better). In the new manual they have much more info on VPN setup, but only using SafeNet or another Netgear router - they are no longer even paying lip service to those RARE Windows OS's!

Thanks Darren and Matt!

Tim
 
Please include me (lago_sol@hotmail.com) on any improvements to the manual. I'm having a hard time as well.

Thanks.
 
It seems that I am not the only one with vpn woes. I am looking for the modified netgear instructions that are less confusing. If somebody could send me a copy I would greatly appreciate it. Thanks!

anthony@novadomain.com

Thanks in advance to all users out there who continually answer all of our questions. Although I try to answer some questions, I usually am asking.
 
HELLO
I think Netgear pulled the Win2K and XP to FVS318 guides from their website.
It is now only available when you pay them 28.95 for their premium support; then they will e-mail it to you.

I tried to set up a Win2K to FVS318 connection, but the guy at Netgear convinced me to buy SoftRemote since I don't have a static IP for the client, which means I need to keep changing settings every time.
I don't know if this is the case or he just didn't want to help me with it. Does anybody know for sure if Win2K or XP will work with the FVS318, even using a static IP on the client end?
I have the Win2K document as well as SoftRemote; if anybody needs it, e-mail me at kas3arak@aol.com
I need the updated document for XP if somebody can e-mail it to me.

thanks a lot
joe

 
Hi Joe

If you get the latest firmware upgrade for the FVS318, it adds the option of using a domain name instead of an IP address for the client. Then all you need to do is register with one of the dynamic DNS services (like DynDNS.org, as the Netgear manual mentions). You should download one of the dynamic DNS clients that are available, so the DynDNS site will get updated every time you get assigned a new IP from your ISP.

Of course, if you bought SoftRemote and it works, then you're set. I've downloaded SSH Sentinel 1.3.2, but haven't had any luck with that either LOL. I had to back-burner my XP-to-FVS318 project for a week or so, so I haven't got the whole answer yet.

You said that you "have win2k document" - do you mean the annotated document from Darren, or the original (baffling) Netgear document? Darren's instructions are his notes added to the Netgear Win2K-to-FVS318 document (that they have since pulled from their site), so it's not quite the same for XP, and I haven't got it tuned in yet. Once I do, I'll add my notes too. If someone beats me to it, please post!

Tim
 
THANKS TIM
I GOT THE ORIGINAL WIN2K DOCUMENT , SO I GUESS IT IS NOT THE LATEST AND GREATEST
I'D LOVE TO HAVE THE CURRENT ONE FOR 2K AND XP SINCE I HAVE A LOT OF CUSTOMERS WANTING TO VPN WITHOUT PAYING $200 FOR A CLIENT SOFTWARE
we'll keep in touch
joe
 
I am still having trouble... but the updated docs got me closer! Can anybody translate this for me? This is the VPN Log.

Fri, 07/11/2003 08:01:41 - FVS318 IKE:peer Initialized IKE Main Mode
Fri, 07/11/2003 08:01:41 - FVS318 IKE:main_inI1_outR1() connection not found 66.252.132.67[500]-208.57.95.56[500]
Fri, 07/11/2003 08:01:41 - FVS318 IKE:Trying Dynamic IP Searching
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:instantiated "Anthony_tmp0" for 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] RX << MM_I1 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:New State index:0, sno:1
Fri, 07/11/2003 08:01:41 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] TX >> MM_R1 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:packet retransmission, timeout in 5 seconds for #1
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:main_inI2_outR2()
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] RX << MM_I2 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] TX >> MM_R2 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:packet retransmission, timeout in 5 seconds for #1
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_R2
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:43 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:43 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:43 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:01:45 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:45 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:45 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:45 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:45 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:01:45 - FVS318 IPsec:packet retransmission, timeout in 10 seconds for #1
Fri, 07/11/2003 08:01:48 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:48 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:48 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:48 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:48 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:01:52 - FVS318 IPsec:packet retransmission, timeout in 20 seconds for #1
Fri, 07/11/2003 08:01:58 - FVS318 IPsec:main_inI3_outR3()
Fri, 07/11/2003 08:01:58 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:58 - FVS318 IPsec:acceptable identity type in Phase 1 ID Payload
Fri, 07/11/2003 08:01:58 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:58 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:02:12 - FVS318 IPsec:max number of retransmissions (2) reached STATE_MAIN_R2
Fri, 07/11/2003 08:02:12 - FVS318 IPsec:[Anthony_tmp0] is removed from the head of conn_list
Fri, 07/11/2003 08:02:12 - FVS318 IPsec:Connection [Anthony_tmp0] is deleted from connection table
Fri, 07/11/2003 08:02:16 - FVS318 IPsec:Main Mode message is part of an unknown exchange
Fri, 07/11/2003 08:02:26 - FVS318 IKE:[???] RX << XCHG_INFO : 208.57.95.56
Fri, 07/11/2003 08:02:26 - FVS318 IPsec:Informational Exchange is for an unknown (expired or deleted?) SA

End of Log ----------


Thanks in advance to all users out there who continually answer all of our questions. Although I try to answer some questions, I usually am asking.
 
Hmmm... very similar to what my logs say, but not exactly. They also seem to have a slightly different format (mine don't say "FVS318" on every line). What firmware version are you using? I have v1.3 running right now. Most notably, I don't get the line "IPsec:acceptable identity type in Phase 1 ID Payload" in my logs at all.

Other than that, it's very much the same as what I'm getting. From what I've read, there are three transactions that take place between client and endpoint to authenticate the connection, and we both seem to be getting 2 1/2 of them completed. I think I read somewhere that the third (MM_I3/R3) is encrypted differently than the first two (MM_I1/R1 and MM_I2/R2). We're both getting as far as the "RX << MM_I3" step, but no corresponding "TX >> MM_R3" statement, then we both end up with "refine host connection fail!"

Guess I'll have to do some more research into exactly what these log entries mean. If anyone is more familiar with how IPSec works, we'd love a translation!

Thanks all!
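A small log-reading helper, added here as an example and not code from the thread or from Netgear, that walks the FVS318 VPN log Anthony posted and pins down the point Tim describes: the router receives MM_I1, MM_I2 and MM_I3 but only answers MM_R1 and MM_R2, and the "refine host connection fail!" lines sit right after the router decodes the client's Phase 1 identity. The script parses each line, tracks which Main Mode messages were received and sent, extracts the decoded peer ID and the proposal, and reports the first client message that never got a reply. The verdict text is my reading of the log (the router could not match the identity the client presented, ID_IPV4_ADDR:192.168.0.117, to a configured policy), so treat that sentence as an interpretation to check against the Local/Remote IPSec Identifier settings, not as something the log states outright. The sample log is a shortened excerpt of the lines in the post; the log-line format regex is an assumption based on those lines.

```python
import re

# Shortened excerpt of the FVS318 log posted above (constructed sample for this
# example; assumption: every line is "<day>, <date> <time> - FVS318 <IKE|IPsec>:<msg>").
SAMPLE_LOG = """\
Fri, 07/11/2003 08:01:41 - FVS318 IKE:peer Initialized IKE Main Mode
Fri, 07/11/2003 08:01:41 - FVS318 IKE:main_inI1_outR1() connection not found 66.252.132.67[500]-208.57.95.56[500]
Fri, 07/11/2003 08:01:41 - FVS318 IPsec:instantiated "Anthony_tmp0" for 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] RX << MM_I1 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] TX >> MM_R1 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] RX << MM_I2 : 208.57.95.56
Fri, 07/11/2003 08:01:41 - FVS318 IKE:[Anthony_tmp0] TX >> MM_R2 : 208.57.95.56
Fri, 07/11/2003 08:01:43 - FVS318 IKE:[Anthony_tmp0] RX << MM_I3 : 208.57.95.56
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.0.117 and 114.101.109.111 in st
Fri, 07/11/2003 08:01:43 - FVS318 IPsec:refine host connection fail!
Fri, 07/11/2003 08:02:12 - FVS318 IPsec:max number of retransmissions (2) reached STATE_MAIN_R2
Fri, 07/11/2003 08:02:12 - FVS318 IPsec:Connection [Anthony_tmp0] is deleted from connection table
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - FVS318 "
    r"(?P<subsys>IKE|IPsec):(?P<msg>.*)$"
)
# "[conn] RX << MM_I1 : peer" / "[conn] TX >> MM_R1 : peer"
MSG_RE = re.compile(
    r"\[(?P<conn>[^\]]+)\] (?P<dir>RX|TX) (?:<<|>>) (?P<mm>MM_[IR][1-3]) : (?P<peer>\S+)"
)
PEER_ID_RE = re.compile(r"Decoded Peer's ID is (?P<idtype>ID_\w+):(?P<id>\S+)")
PROPOSAL_RE = re.compile(r"OAKLEY_\w+/OAKLEY_\w+/MODP\d+")

# IKE Main Mode is three round trips; as responder the router should answer
# each client message with the matching reply.
EXPECTED_REPLY = {"MM_I1": "MM_R1", "MM_I2": "MM_R2", "MM_I3": "MM_R3"}


def parse_log(text):
    """Return one dict (ts, subsys, msg) per line that matches the router format."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def diagnose_main_mode(text):
    """Report how far IKE Phase 1 (Main Mode) got and which reply never went out."""
    report = {
        "connection": None, "peer": None, "proposal": None,
        "received": [],          # MM_I* messages seen from the client
        "sent": [],              # MM_R* messages the router answered with
        "missing_reply": None,   # first expected MM_R* that is absent
        "peer_id": None,         # (id type, id value) the client presented
        "refine_failures": 0,    # count of "refine host connection fail!"
        "retransmit_limit_hit": False,
        "verdict": "",
    }
    for ev in parse_log(text):
        msg = ev["msg"]
        mm = MSG_RE.search(msg)
        if mm:
            report["connection"] = mm.group("conn")
            report["peer"] = mm.group("peer")
            bucket = report["received"] if mm.group("dir") == "RX" else report["sent"]
            bucket.append(mm.group("mm"))
            continue
        prop = PROPOSAL_RE.search(msg)
        if prop:
            report["proposal"] = prop.group(0)
        pid = PEER_ID_RE.search(msg)
        if pid:
            report["peer_id"] = (pid.group("idtype"), pid.group("id"))
        if "refine host connection fail" in msg:
            report["refine_failures"] += 1
        if "max number of retransmissions" in msg:
            report["retransmit_limit_hit"] = True

    # First client message the router received but never replied to.
    for rx in report["received"]:
        if EXPECTED_REPLY[rx] not in report["sent"]:
            report["missing_reply"] = EXPECTED_REPLY[rx]
            break

    if report["missing_reply"] == "MM_R3" and report["refine_failures"]:
        idtype, ident = report["peer_id"] or ("?", "?")
        # Interpretation (assumption): after decoding the client's ID the router
        # found no VPN policy whose remote identifier matches it, so no MM_R3.
        report["verdict"] = (
            f"Phase 1 stalled after MM_I3: client identity {idtype}:{ident} "
            f"(packets from {report['peer']}) matched no configured policy, "
            f"so the router never sent MM_R3."
        )
    elif report["missing_reply"]:
        report["verdict"] = f"Phase 1 stalled: no {report['missing_reply']} was sent."
    elif report["received"]:
        report["verdict"] = "Main Mode completed all three exchanges."
    else:
        report["verdict"] = "No Main Mode traffic found."
    return report


if __name__ == "__main__":
    for key, value in diagnose_main_mode(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

Run it against a saved copy of the router log; the useful fields are `received` versus `sent` (which reply is missing tells you whether the problem is the proposal, the preshared key, or the identities) and `peer_id`, which is the value to compare with the Remote IPSec Identifier configured on the FVS318 and the Local identifier set in the Windows IPsec policy. Note that the decoded ID here is a private 192.168.0.x address while the packets arrive from a public address, which is exactly the kind of mismatch the help screen's "must match (in reverse)" wording is about.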
 