NetGear FVS318 VPN to remote W2K client using IPSEC 16


Darrenzo (Technical User), May 29, 2003
Hi folks,
I have set up and established a VPN tunnel using an IPsec policy (set up in the MMC) from a remote Windows 2000 client to my main office VPN router (Netgear FVS318). I can ping the router and the main server on the main office LAN (after I added a static route into the router), and I can also bring up the default web page on the server.
My problem is that I cannot access any of the shares on the server or browse the network or anything like that.
I am concerned that this may be due to the fact I am not "signing into" a VPN server, merely passing through the router. Is there another step involved?
I have added a HOSTS and LMHOSTS entry on the local remote PC, and the server's NetBIOS name resolves OK, but I still cannot map to or browse the domain.
Should I add the remote computer name into the domain? I have tried to join the domain from the remote PC but it cannot find the domain I am trying to join.
I have found several posts on this site concerning this very problem. But none of them is very detailed.

Any help would be greatly appreciated
 
Hey all,

I'm new to this forum. I found this forum through some Google searches when, as you all have found, I had difficulties setting up the VPN connection with the Netgear FVS318. I thought I'd contribute back here since many of you had provided enough information for me to finally get my VPN working with Win XP Home. First I want to let you all know that I used the information from the FVS318_W2K document many of you have and an online article written on With both these sources I was able to get the VPN established.

In my setup I'm using the FVS318 for personal home use. I'm a tech geek so I wanted an option to further secure my wireless setup. I thought that VPN would be the way to go. I called Netgear's presales department to get some info. As many of you have found out, Netgear kind of misled many of us on how easy it would be to run Win2k/XP with this router. Actually, I'm a bit upset that they would promote its use with Win2k/XP but not provide adequate instructions to get it working. Instead we are held hostage to their premium support. I'm also a bit upset that they had pulled the instructions from their website. Anyways, it's water under the bridge.

So here's the deal. The instructions should get you going. I was able to verify the configuration by looking at the logs of the router. The only difficulty I had was a piece that the article on Tomshardware identified. You may have to update your route table to get the IP functionality working. All along, I had the tunnel established but couldn't ping anything on the other side from my wireless laptop. Strangely, I could ping the FVS318 internal IP address. Once I updated the route table, I was able to get it working. But there is a catch. I had to change the network address from 192.168.0.x to 192.168.1.x. For some reason my XP client was not routing anything to my gateway (in this instance my wireless NIC)...despite having the right route entry.

There is one thing I have yet to resolve...name resolution. I have set up the VPN to allow NetBIOS traffic, but I'm unable to browse the network on the other side of the router. No biggy. I'm able to do everything by IP address. If I can't figure out the name resolution issue, I'll just update my hosts table on the laptop.

So I hope I've provided enough information for those of you still struggling to get your setup working. Just thought I'd give back to the forum since you all got me on the right path to getting my situation resolved. One thing you should be aware of...transferring large files across the VPN was ridiculously slow. I don't know if things would speed up if I eliminated WEP on my wireless but I'll play with it later.
 
Hey govcon,

That info sounds like it will be really helpful to me at least. I have been struggling with this for ages and can't ping the router's net address from the client. I'm sure this will be the problem. I'll give it a go when I get home tonight after work :)

Thanks
 
So the more I work with this the more I think that the Aggressive mode is my problem connecting to the FVL328. Does anyone out there with a 318 that is successfully connecting with WinXP know if the 318 is using Main mode or Aggressive mode for remote connections? And does anyone know if there is a way to make WinXP do aggressive mode?
 
Darrenzo

I am trying to follow the instructions from Netgear to configure my Windows XP system to connect to a Netgear FVS318. The instructions seem to be lacking a vital part in the XP/2000 configuration, namely the explanation of details needed for a "WIN2K to FVS318 IPsec policy". They detail the FVS318 to WIN2K policy.

I am operating behind a firewall with a NAT'd address.

Can you help ??
 
PaulHep,

The WIN2K -> FVS318 setup is detailed from step 34 onwards in the document (go to this web site for a copy of the updated instructions:
Unless I am misunderstanding what your question is? :)

Regards

Darrenzo

P.S.
This must be some kind of record for responses on a TekTips post surely? Just goes to show what a complete nightmare the FVS318 is!!

Are you watching this NetGear??
 
Hi all,
Really "enjoyed" the info from this thread. I am having a problem with multiple VPN tunnels. Using 4 FVS318s. 3 are remote office (client sites - one with static IP and 2 with dynamic IPs) and one is at the main office with a static IP.
The 1st site (static IP) never has a problem connecting.

The 2 sites with dynamic IPs will only connect if their connection is at the bottom of the list in the VPN Settings screen of the main office router. If I have "site2" at the bottom of the list and remote site3 tries to connect, I get a failure on site2's connection. It will not try the site3 connection. All the names are unique, all are set for main mode, 3DES, remote site is a LAN.

any ideas?
ed
 
I now have VPN successfully working using the SoftRemote client but there are a few small things I still need cleared up. When I create the VPN accounts on the router I have to set the IPsec Identifiers to 0.0.0.0 to get it to work. It also doesn't matter what I set the Connection Name to, because when I connect it will always connect to the name of the last connection created, but will connect to a new connection with .tmp after it. For example, if the last account created was "VPN" then whenever I connect it will connect to "VPN.tmp1", then "VPN.tmp2" and so on. I can't get it to connect to individual VPN accounts.

The last thing is, once I'm connected using SoftRemote I can't access drive shares straight away; I have to ping an IP of a computer at the VPN end until I get a reply before I can access the drive shares. On other computers I've tried I can access the drive shares immediately. Any ideas?


Long post I know, but I would really appreciate it if anyone could help :)

Cheers
 
edatcccc,

This is the first time responding on this site, so bear with me!

If I'm understanding your post, you have two FVS318s with dynamic addresses that you want to connect to one of the static IP routers. The problem should go away if, on the dynamic IP boxes, you use the dynamic DNS option.

Set up an account with one of the providers listed. (I use DynDNS.org, free and so far reliable.) The router will update the dynamic address on the internet when it changes, so you can use that name for creating the VPN rather than the 0.0.0.0 address. This will allow the FVS318 to differentiate between the two sites.

Hopefully, this makes sense!
 
No, sorry, I forgot to mention that I have only one FVS318 at my office and am using the SoftRemote client on a Windows XP box to connect.
 
Maybe somebody has seen symptoms similar to this.

Configured the XP Pro client policies and got an IPsec tunnel going (see logs):

Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:Receive Packet address:0x1807194 from 67.74.169.228
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:New State index:1, sno:4
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:quick_inI1_outR1()
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[T1_tmp0] RX << QM_I1 : 67.74.169.228
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:in get_ipsec_spi() spi=2473d95
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[ESP_3DES/AUTH_ALGORITHM_HMAC_MD5/In SPI:2473d95,Out SPI:b33fe93f]
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:responding to Quick Mode
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:****Install INBOUND SA:

Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec: ESP(3DES-CBC MD5)
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[T1_tmp0] TX >> QM_R1 : 67.74.169.228
Sat, 09/27/2003 22:36:31 - TAGWY01 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 econds for #4
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:Receive Packet address:0x1807194 from 67.74.169.228
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:loglog[3] discarding duplicate packet; already STATE_QUICK_R1
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:Receive Packet address:0x1807194 from 67.74.169.228
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:loglog[3] discarding duplicate packet; already STATE_QUICK_R1
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:Receive Packet address:0x1807194 from 67.74.169.228
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:quick_inI2()
Sat, 09/27/2003 22:36:33 - TAGWY01 IKE:[T1_tmp0] RX << QM_I2 : 67.74.169.228
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:****Install OUTBOUNDSA:

Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec: ESP(3DES-CBC MD5)
Sat, 09/27/2003 22:36:33 - TAGWY01 IKE:[T1_tmp0] established with 67.74.169.228 successfully
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:inserting event EVENT_SA_EXPIRE, timeout in 3780 seconds for #4
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:STATE_QUICK_R2: IPsec SA established

End of Log ----------

The config is an FVS318 on a cable modem, set for the local network to have full access to the tunnel.
The remote network is set for the IP address of the client, which is dialup to the internet, so it is a real-world config.
Of course this is not practical with a remote PC and DHCP, but for now it is configured to work.

Pinging the LAN IP of the router works.
Pointing IE at the router from the remote will allow access to the router management functions, so the tunnel appears to be working.

Problem:
Can't ping anything else (by IP address) on the LAN from the remote PC through the tunnel.
Pinging from the router (accessed through the tunnel) will see all IPs on the LAN.
No domains involved, and the workgroup names of all the Windows boxes are the same as the remote PC.
Even got a couple of Unix boxes on the LAN and they don't respond either.

Curious....any ideas?? Likely something really stupid I am missing.
Appreciate any input...thx
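As an added example (not from the thread or from Netgear), here is a small Python parser for the FVS318 log format quoted above. It reports how far the IKE Quick Mode (Phase 2) exchange got and which ESP transform and SPIs were negotiated, which separates the "tunnel is up but nothing routes" case described in this post from a Phase 2 failure. The sample lines are constructed to mirror the router's format, with the peer address replaced by a documentation address.

```python
import re

# Constructed sample in the FVS318 log format quoted above (peer address replaced
# by a documentation address); a Quick Mode exchange that completes.
SAMPLE_LOG = """\
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[T1_tmp0] RX << QM_I1 : 192.0.2.10
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[ESP_3DES/AUTH_ALGORITHM_HMAC_MD5/In SPI:2473d95,Out SPI:b33fe93f]
Sat, 09/27/2003 22:36:31 - TAGWY01 IKE:[T1_tmp0] TX >> QM_R1 : 192.0.2.10
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:loglog[3] discarding duplicate packet; already STATE_QUICK_R1
Sat, 09/27/2003 22:36:33 - TAGWY01 IKE:[T1_tmp0] RX << QM_I2 : 192.0.2.10
Sat, 09/27/2003 22:36:33 - TAGWY01 IKE:[T1_tmp0] established with 192.0.2.10 successfully
Sat, 09/27/2003 22:36:33 - TAGWY01 IPsec:STATE_QUICK_R2: IPsec SA established
"""

# One router log line: weekday, date, time, device name, subsystem, message.
LINE_RE = re.compile(r"^\w{3}, \S+ \S+ - \S+ (IPsec|IKE):(.*)$")
QM_RE = re.compile(r"\[(\S+)\] (?:RX|TX) [<>]+ (QM_[IR]\d) : (\S+)")
SA_RE = re.compile(r"\[(ESP_\w+)/AUTH_ALGORITHM_(\w+)/In SPI:(\w+),Out SPI:(\w+)\]")

def parse_quick_mode(log_text):
    """Summarise IKE Phase 2 (Quick Mode) progress from FVS318 log lines."""
    s = {"tunnel": None, "peer": None, "qm_msgs": [], "cipher": None,
         "auth": None, "spi_in": None, "spi_out": None, "sa_established": False}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a router log line; skip it
        msg = m.group(2)
        qm = QM_RE.search(msg)
        if qm:  # QM_I1 / QM_R1 / QM_I2 message exchanged with the peer
            s["tunnel"], msg_name, s["peer"] = qm.groups()
            s["qm_msgs"].append(msg_name)
        sa = SA_RE.search(msg)
        if sa:  # negotiated ESP transform, integrity algorithm and SPIs
            s["cipher"], s["auth"], s["spi_in"], s["spi_out"] = sa.groups()
        if "IPsec SA established" in msg:
            s["sa_established"] = True
    return s

def diagnose(s):
    """One-line verdict: did Phase 2 complete, and if not, where did it stop?"""
    seen = s["qm_msgs"]
    if s["sa_established"]:
        return "Phase 2 complete with %s: %s/%s" % (s["peer"], s["cipher"], s["auth"])
    if "QM_R1" in seen and "QM_I2" not in seen:
        return "Phase 2 stalled after QM_R1: client never sent QM_I2"
    if not seen:
        return "No Quick Mode seen: Phase 1 did not complete"
    return "Phase 2 incomplete: saw %s" % ",".join(seen)
```

If the verdict is "Phase 2 complete" but LAN hosts still do not answer, the problem is routing or host firewalls, not the tunnel.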
 
Sounds like a routing issue.

The network address of the remote LAN cannot be the same as the local LAN, you can't use 192.168.1.0 on both sides.

Try tracert to the remote IP and see how that looks.
 
wdoc156,

I had the same problem as you. I was able to get a tunnel established based upon the logs. I could ping the WAN port of the router and was able to get the router configuration page. But I couldn't ping anything else on the network behind the FVS318 router. I have a few Windows machines and a Netgear print server. I couldn't even ping the print server. After some research, I found a solution to my problem. I created a persistent route on my remote VPN client and that fixed all my problems.
 
govcon,
Thanks for the reply.
I have reverted to the SafeNet v9 client and successfully created a tunnel with the same results as the Win2K/WinXP Pro config...only being able to ping the router LAN address.
Due to the fact that this is a dialup connection and the IP address changes (sometimes drastically) every time the dialup connection is established, what type of persistent route entry could be made?
I am using a virtual address on the PC dialup client that is unused on the LAN of the FVS318 and it seems to be performing that operation correctly. An ipconfig shows the address on the remote as I expect.
I can ping the router LAN address but nothing else on the LAN, and from a LAN PC (or a SPARC/SunOS box) I cannot ping the remote PC IP address.

This thing is more difficult to get going than a Contivity 1700 and creating profiles for the clients...and Netgear is useless for troubleshooting it.

What was your config and the route entry you made?

Thanks.
wdoc156
 
Wow!
I finally was able to VPN into my FVL328 using SoftRemote's VPN client; needless to say, I had to pay for Netgear's premium support (~$30/case) and suffer Netgear's HORRIBLE tech support for 3 weeks.

I will post a step-by-step config as soon as I have everything figured out, it'll save you a few hours and money :)

My next question is: how do I go about having more than one user remotely connect to my VPN at the same time? Do I have to have an IKE and IPsec policy per remote user? Is there any other way around this?

Thank You.
 
DezUk -- the tunnel isn't created until certain traffic is switched through the tunnel -- browsing isn't going to generate the type of traffic needed to bring up the tunnel.

billOr -- yes, you need to create a policy for each user. If you want a more flexible solution, you will need to find a more capable (and more expensive) product...

//RB
 
You mean an IKE policy? IPsec policy? Or both?

Thank You.
 
DezUK,
Saw the same symptom of Phase 2 failing.
Had to set the Local Identifier in the FVS to an IP (also used 0.0.0.0 at first) and tried my FQDN (DynDNS type), which also worked. It seems that in the Remote Party Identity and Addressing config of SoftRemote v9, if you set the type to "any" it opens an additional setting choice which allows use of an FQDN for the FVS, and it allows the Phase 2 authentication to succeed. I see the .tmp1, etc. also, although it seems not to affect the operation. Each tunnel config must have a different name anyway. Haven't had any trouble mapping drives to the Windows boxes, but it doesn't browse well. Doesn't seem to make much difference if "respond to pings from WAN" is on or off.

govcon,
The problem with pinging the Windows boxes was the software firewall in them blocking it. Still can't ping the SPARC/SunOS boxes for some reason, and can't ping my HP JetDirect card, but can ping the Netgear print server on the LAN from the client. All can be pinged from the LAN.
Curious.....

Had to create a static route to ping or connect to the client from the LAN. Apparently the Netgear does not think anybody would want to do that.

bill0r,
Would be very interested to see what you have gotten from Netgear other than a run-around.
My first question to them also produced a response to get out my credit card and it was for a very general question.
Apparently any question but how to spell Netgear falls outside of normal support and is a cost item. [evil]
I have created 4 tunnel configs in the router and connected to them from 4 different machines at different locations simultaneously. The limit is supposed to be 8. Gets kinda slow if you are using 3DES. [thumbsdown]

wdoc156

 
Is there any issue with establishing a VPN tunnel to the FVS318 if the remote computer is NAT'ed behind a firewall?
 
I purchased my %!%#%*!% FVS318 over 4 months ago and have yet to create a VPN. I gave up after investing in an upgrade to XP Pro and still not succeeding. I have found this thread through Google and found a lot of good info, but I am still hitting walls.

I am trying to allow a connection via a dial-up client running XP Pro to an FVS318 on a semi-static IP.

Some of the notes I have read state that I need a static IP at both ends to use the MS VPN client. Is this correct?

I have tried downloading the SoftRemoteLT posted earlier and have had no luck executing it. It appears to load but I can't find any executable. In the readme file it claims it does not work with XP.

Recommendations?
 
ALLTOOLS,
Welcome to the wonderful world of the FVS318! Save yourself some heartache (and cash) and don't call Netgear tech support. Need more info:
What do you mean by semi-static IP? Are you using a FQDN forwarder?
I can tell you the SoftRemoteLT from above does work like a charm (with XP) with a little fiddling, but as far as I know you do need a static IP at the FVS318 you are connecting to.
The VPN client in XP does require you to set IPsec policy and static IPs on both ends (correct me if I'm wrong on this, guys), and there's a good post above that will point you to Tomshardware, which has an excellent step-by-step on how to set the policy.
Remember, these are two different approaches: if you're trying to connect via dial-up with SoftRemote you don't need or want to mess with the IPsec policy in XP.
Good luck.
 