 | VPN between FVS318 and WinXP? I've got a Netgear FVS318 and I'm trying to set up VPN on it. Is it possible to use the built in Windows XP VPN client or do I have to use the Netgear ProSafe client? If I can use the built in client, how do I configure it?
Thanks! Dave |
|
 | Check this link out: »www.netgear.com/docs/technotes/M···ndex.htm
I have to warn you though, the built in IPSec snap-in is very counter-intuitive and is not NAT-friendly.
Save yourself the time and just get the Netgear client, it's worth it. |
|
 | Thanks...guess I will just get the client. I'm surprised you can't just use the built in Windows VPN client (the one you access by going to Network Connections and creating a new VPN connection). |
|
 OZOPremium join:2003-01-17 kudos:2 | reply to gfunkdave Check this document - FVS318_W2K.doc. It may help you to make that connection. -- Keep it simple, it'll become complex by itself... |
|
 | reply to gfunkdave said by gfunkdave: I'm surprised you can't just use the built in Windows VPN client (the one you access by going to Network Connections and creating a new VPN connection).
That's because the FVS318 uses the more secure and open IPSec standard, not PPTP and L2TP (Both Microsoft beasts). |
|
 | That makes sense. Trust Microsoft to develop a proprietary system that's not as good as the open source one.
I did get the VPN client and it works...as long as I'm not behind my home wireless router. I thought it was because my private ip address at home is 192.168.0.100, and the private subnet behind the FVS318 is 192.168.0.0, but I changed my home addresses to the 192.168.1.x subnet and it still doesn't work. What does my home private subnet have to be?
To sum up:
FVS318 private IP subnet is 192.168.0.xxx
FVS318 public IP is dynamically assigned but I use dyndns.org for a hostname
My home cable router's public IP is dynamically assigned
My home cable router's private network is on 192.168.1.xxx
The VPN connection fails in Phase 2 unless I plug my laptop directly in to the cable modem, bypassing the router.
Thanks for help, Dave |
|
 | reply to gfunkdave Further info: It always fails during Phase 2 negotiation. All help is appreciated - I saw there were some people with similar problems out there. I verified my settings against theirs and they match.
Here is the log file:
4-26: 17:13:16.200 Interface lost: 192.168.0.100
4-26: 17:13:16.711 Filter table loaded.
4-26: 17:13:16.721 Interface added: 192.168.1.99/255.255.255.0 on LAN "Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter".
4-26: 17:13:30.721 Filter table loaded.
4-26: 17:13:34.617 Filter table loaded.
4-26: 17:13:41.146
4-26: 17:13:41.146 My Connections\FVS318 - Attempting to resolve Hostname (xxx.dyndns.org)
4-26: 17:13:41.297 My Connections\FVS318 - Initiating IKE Phase 1 (Hostname=xxx.dyndns.org) (IP ADDR=24.12.147.xxx)
4-26: 17:13:41.297 My Connections\FVS318 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
4-26: 17:13:41.337 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK MM (KE, NON, VID 3x)
4-26: 17:13:45.433 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
4-26: 17:13:46.244 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x) |
|
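As an added example (not part of the original thread and not Netgear's code): a small Python parser for the client log format shown in the post above, reporting how far the IKE negotiation got and which side spoke last. It assumes MM and QM denote Main Mode (Phase 1) and Quick Mode (Phase 2); the function names and result keys are made up for illustration.

```python
import re

# The ISAKMP lines copied from the log posted above (values redacted as in the post).
SAMPLE_LOG = r"""
4-26: 17:13:41.297 My Connections\FVS318 - Initiating IKE Phase 1 (Hostname=xxx.dyndns.org) (IP ADDR=24.12.147.xxx)
4-26: 17:13:41.297 My Connections\FVS318 - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
4-26: 17:13:41.337 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK MM (KE, NON, VID 3x)
4-26: 17:13:45.433 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
4-26: 17:13:46.244 My Connections\FVS318 - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
"""

MSG = re.compile(
    r"^\d+-\d+: (?P<time>[\d:.]+) (?P<conn>.+?) - (?P<dir>SENDING|RECEIVED)>+ "
    r"ISAKMP OAK (?P<xchg>\w+) (?P<enc>\*?)\((?P<payloads>.*)\)$"
)
# MM (Main Mode) and QM (Quick Mode) appear in the post; other tags map to None.
PHASE = {"MM": 1, "QM": 2}


def parse(log):
    """Return one dict per ISAKMP message line; all other lines are skipped."""
    msgs = []
    for line in log.splitlines():
        m = MSG.match(line.strip())
        if m:
            msgs.append({
                "time": m["time"],
                "sent": m["dir"] == "SENDING",
                "exchange": m["xchg"],
                "phase": PHASE.get(m["xchg"]),
                "starred": m["enc"] == "*",  # '*' prefix as printed by the client
                "payloads": [p.strip() for p in m["payloads"].split(",")],
            })
    return msgs


def summarize(msgs):
    """Report how far the negotiation got and which side spoke last."""
    if not msgs:
        return None
    last = msgs[-1]
    return {
        "highest_phase": max((m["phase"] or 0 for m in msgs), default=0),
        "last_exchange": last["exchange"],
        "last_direction": "sent" if last["sent"] else "received",
        "last_time": last["time"],
        "phase2_sent": sum(1 for m in msgs if m["sent"] and m["phase"] == 2),
    }
```

On the posted log the summary shows a Quick Mode message received at 17:13:46.244 and no Quick Mode message sent by the client before the log ends.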
 | When you refer to your home router, what model is that? Also, where is the FVS318 located? |
|
 | reply to gfunkdave
FVS318 Update Anyone update their FVS318 to the latest release? I did and had to revert back to Version 1.4 because port 53 forwarding fails on the updated versions. |
|
 | reply to gfunkdave
Re: VPN between FVS318 and WinXP? Did you manage to get this working? What was your end result to get it all running? |
|
 | Yeah, needed to change a bunch of settings. Email me for the specifics and I'll send them when I get a chance. |
|
 | Hey, thanks for the help. I don't have a full membership here, but my email is wolfiegrr at yahoo dot com
Thanks again! |
|
 | reply to gfunkdave Ok.. I managed to get everything pretty much set up. I loaded the Netgear VPN Client, followed the setup, troubleshot a little..
I found that I was unable to connect in from behind my NetGear Router.. viewing the logs, I see that I was connecting to the VPN as my internal local IP address.. Once I disconnected my router, and connected directly to the VPN outgoing as my internet IP, I was able to connect fine.
So basically, my main issue now is, how do I connect to the VPN from behind my router? |
|
 hueyp join:2002-01-23 Nashville, TN | reply to gfunkdave Sounds as if you need to turn on ipsec pass through on the router.
I set this type of configuration up on XP -> FVS318 and SSH Sentinel 1.3.2.2. Was pretty easy to setup. I've also heard that SoftRemote is easy as well. |
|
 | Hmm, on the VPN server or my local router?
My current setup looks like this:
XP box --> WGT624 Router --> Cable Modem --> ** INTERNET ** --> Cable Modem --> FVS318 --> Server
(Just wanted to illustrate it better in case my response was confusing.. so basically if I remove the WGT and go direct to cable.. I'm golden)
I haven't seen any options for turning on IPSec Passthrough.. although my WGT624 does say VPN Passthru right on the box... and I'm also forwarding port 500 and 1723 |
|
 | Oh one more thing, I did try talking to NetGear support (they were terrible).. and they basically just told me that `It will not work when you are behind your router because you are going out as an internal IP, and it works when you are directly connected to your cable modem because you are on the external IP`...
I can't see everyone that purchased the FVS318 are all NOT behind any type of router.. that would be crazy. |
|
 | Really? You must have gotten a bad one. My guy was great...I'll post the config and reply to your email today. |
|
 | reply to gfunkdave All right, so here are the config details. (It's long...) This is for accessing VPN from behind a NAT router where the subnet on the NAT router and the subnet on the VPN router are different. In this example, the NAT router's subnet is 192.168.1.xxx and the VPN router's subnet is 192.168.0.xxx.
1. On the router's VPN config web screen:
   i. Connection Name: whatever you want
   ii. Local IPSec ID: fully qualified domain name of the router's WAN port
   iii. Remote IPSec ID: Something unique among all the VPN connections you have
   iv. Tunnel can be accessed from a subnet of local address --> Start IP address: 192.168.0.0 --> Subnet: 255.255.255.0
   v. Tunnel can access a single remote address --> Start IP address: 192.168.100.2
   vi. Remote WAN IP or FQDN: leave blank
   vii. Secure Association: Aggressive Mode
   viii. Perfect Forward Secrecy: Enabled
   ix. Encryption protocol: 3DES
   x. Key Group: Diffie Hellman Group 2
   xi. Preshared Key: Your key
   xii. Key Life: 28800
   xiii. IKE Life Time: 86400
2. In the Netgear Security Policy Editor
   i. Create a new connection and expand its properties in the left pane
   ii. Click on the connection name you just created.
   iii. Connection security: secure
   iv. ID Type: IP Subnet
   v. Subnet: 192.168.0.0
   vi. Mask: 255.255.255.0
   vii. Protocol: all
   viii. Check the box, connect using Secure Gateway tunnel
   ix. Set ID Type: Domain name. In the box under it, type the FQDN of your VPN router. This should be the same as the local IPSec ID you set on the web config screen in 1ii. above.
   x. Set the other dropdown to Gateway Host Name, and use the same FQDN in the box below.
   xi. Click My Identity.
   xii. Click Pre-shared key and enter your preshared key.
   xiii. ID Type: Domain Name. In the box below, type the "remote ip sec identifier" you entered in 1iii above.
   xiv. Virtual adapter: disabled
   xv. Internal network IP address: 192.168.100.2 (same one you entered in 1v.)
   xvi. Click Security Policy and expand it on the left pane.
   xvii. Select Phase 1 negotiation mode: Aggressive Mode
   xviii. Enable Perfect Forward Secrecy: checked.
   xix. PFS Key Group: Diffie Hellman Group 2
   xx. Enable replay detection: checked
   xxi. Expand Authentication (Phase 1) and click Proposal 1
   xxii. Authentication method: pre-shared key
   xxiii. Encrypt Alg: Triple DES; Hash Alg: SHA-1; SA Life: Unspecified; Key Group: Diffie Hellman Group 2
   xxiv. Expand Key Exchange (Phase 2) and select Proposal 1
   xxv. SA Life: Unspecified; Compression: None
   xxvi. Check the Encapsulation Protocol box
   xxvii. Encrypt Alg: Triple DES; Hash Alg: SHA-1; Encapsulation: Tunnel
   xxviii. Authentication protocol should be unselected.
   xxix. Save changes and try it. |
|
 | Thanks so much for that post!
I have one problem though:
xi. Click My Identity. xii. Click Pre-shared key and enter your preshared key. xiii. ID Type: Domain Name. In the box below, type the "remote ip sec identifier" you entered in 1iii above.
I have to have Select Certificate set to `None` in order to enter a preshared key. When I have it set to None, ID Type dropdown only has 1 option in it, and that is: IP Address.. and when I click on that, it automatically fills in 192.168.1.100.. and I cannot edit this?
|
|
 | IT'S WORKING!! Thanks so much for your help and time.. I would be stuck days trying to get this accomplished.
Is there anything I should be aware of when setting up any other connections on the VPN? like set a different Remote LAN IP address Start IP or anything like that?
Or can I just copy the exact config, and just change the Key?
Thanks again!! |
|