[Vpn-help] Fwd: Problem Report - NetGear SRXN3205
Charles Buckley
ceb at mauto.com
Mon Nov 23 01:57:23 CST 2009
Different Netgear router versions have different bugs, and their tech
support seem to alibi their way out of them rather than fix them. I am
currently in an escalation about certain of these bugs for the FVS336G with
Netgear in California after having been run around by local support in
Germany and on the forum. Now California are ignoring me - if they don't
react soon, I'm going to return the darn thing and put up negative product
evaluations on the French, German and English IT equipment buyers sites.
That being said, I *am* able to connect and ping with Shrew 2.1.5-RC4
running on both Windows XP 32 and 64 bit. Since the 336 and the 3205 seem
to be similar (apart from the fact that the 336 doesn't have a WAP), my
experience may also be useful for you. Following is a list of issues I
found in getting things (sort of) working, and what I did to get around
them.
1. One must not use IP config pull Auto Configuration in Shrewsoft -
Netgear sends a message that Shrew doesn't understand. I don't know who's
at fault here. Instead, Auto Configuration must be disabled.
2. This means one must not use any Mode Config on the FVS336G.
Instead, one must use a linked IKE and VPN policy.
3. This means of course one must explicitly specify the remote virtual
IP address in every installation of the Shrewsoft client for each individual
user. I find this enormously inconvenient - I'd really like the Shrewsoft
client to be able to work with Mode Config.
4. The manually assigned virtual IP addresses must be on a different
Class C subnet than that used for your LAN. Netgear say this is part of the
IPSec specification, but I'll be darned if I can find it there. I think
instead that Netgear have simply built a dead body or two into their
software architecture, and have obliged users to walk around it while
holding their nose ever since. I don't understand this, as I can't imagine
it would be hard to fix. This limitation is not a part of the SSL-VPN that
was the reason I bought the 336, for example. However, in order to move on,
you have to play by their unpublished rules.
5. Note that even though your virtual IP address is part of a different
subnet, you must specify the local IP traffic selector subnet mask to cover
just your LAN addresses, not that of the subnet on which the virtual IP
addresses of the VPN clients are located as well. Don't worry, for the most
part, traffic still routes between the two subnets.
6. By the way, under such a configuration, I use FQDNs for both remote
and local client identification in the IKE policy. I also simply work with
a shared key for testing so far, but I have tried setting up
username/password authentication as well. I seem to remember it working.
7. Very important: you must set up Remote IP Traffic Selection to be
'any'. This I find really disappointing, as it means I can't enable
cross-subnet NetBIOS broadcasting on the Netgear router, as that requires
the Remote IP Traffic Selector to be a subnet. That means that, even
though I can ping everything on the LAN from the VPN client, and the VPN
client from the LAN, I can only SMB-browse Samba shares. Native Windows
shares don't resolve, even with the passing of a WINS server to the VPN
client. This is most definitely a Netgear problem - I've been able to
reproduce it with the VPN client they supply.
8. Note that where there was a choice between MD5 and SHA-1 encryption
algorithms, I used MD5. I read this somewhere on the net from someone else
struggling to get his Netgear going, and tried it myself. I think that
rather the steps outlined above were the deciding factor in getting things
working, but in case there is a problem with SHA-1, I thought I'd mention it
here.
Hope this helps you get started, and that we can get some attention paid to
how to solve the problems outlined above.
Charles
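Added example, not part of the original post or of either vendor's software: a small Python check for items 4 and 5 above, run against the virtual adapter address shown in the ipconfig output quoted further down. It assumes the remote LAN is 192.168.42.0/24 as reported in the thread; 192.168.43.100 is a constructed address on a separate /24.

```python
import ipaddress
import re

# Constructed sample: lines taken from the ipconfig output quoted in the thread.
IPCONFIG = """\
Ethernet adapter Local Area Connection* 16:
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.42.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# "Key . . . . : value" lines; the dot/space padding is dropped from the key.
FIELD = re.compile(r"^\s*(.+?)[ .]*:\s*(.*)$")


def adapter_interface(text, description):
    """Return the IPv4Interface of the adapter with the given Description."""
    fields, wanted = {}, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or not m.group(2):
            continue  # adapter heading or empty field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Description":
            wanted = value == description
        elif wanted and key in ("IPv4 Address", "Subnet Mask"):
            fields[key] = value.split("(")[0]  # drop "(Preferred)"
    if len(fields) != 2:
        raise ValueError("adapter not found: " + description)
    return ipaddress.ip_interface(fields["IPv4 Address"] + "/" + fields["Subnet Mask"])


def check_plan(virtual_ip, lan, local_selector):
    """Apply items 4 and 5 of the list; return a list of findings."""
    ip = ipaddress.ip_address(virtual_ip)
    lan_net = ipaddress.ip_network(lan)
    selector = ipaddress.ip_network(local_selector)
    findings = []
    # Item 4: the client's virtual IP must sit on a different /24 than the LAN.
    if ipaddress.ip_network(f"{ip}/24", strict=False).overlaps(lan_net):
        findings.append("virtual IP shares a /24 with the LAN (item 4)")
    # Item 5: the local traffic selector covers the LAN only, not the VPN clients.
    if not lan_net.subnet_of(selector):
        findings.append("local selector does not cover the LAN (item 5)")
    if ip in selector:
        findings.append("local selector also covers the virtual IP (item 5)")
    return findings
```

With the adapter address from the quoted output and a 192.168.42.0/24 selector, check_plan reports both the item 4 and the item 5 finding; moving the virtual IP to the separate /24 clears them.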
_____
From: vpn-help-bounces at lists.shrew.net
[mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of Tom Lahey
Sent: Monday, November 23, 2009 8:05 AM
To: Stuart Hall
Cc: vpn-help at lists.shrew.net
Subject: Re: [Vpn-help] Fwd: Problem Report - NetGear SRXN3205
Thanks Stuart,
I have installed 2.1.5-rc 4 and still have the same issue.
I am able to connect to the Net Gear router. But still can not ping anything
on the remote network (192.168.42.0)
I've tried the router itself (192.168.42.1) or a server on the inside
(192.168.42.5) with no success.
This seems to be a similar issue being experienced by "Jack Allen" on the
list.
Once connected I get Windows shows.....
Ethernet adapter Local Area Connection* 16:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
Physical Address. . . . . . . . . : AA-AA-AA-AA-AA-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::bc3f:b1ef:4f2a:a5c6%33(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.42.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.42.5
Primary WINS Server . . . . . . . : 192.168.42.5
NetBIOS over Tcpip. . . . . . . . : Enabled
And has a route.....
C:\Users\tlahey>route print
===========================================================================
Interface List
33 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter
14 ...00 24 33 89 c6 2c ...... Bluetooth Device (Personal Area Network)
12 ...00 22 fb 69 78 b6 ...... Intel(R) WiFi Link 5100 AGN
10 ...00 1d ba 68 87 6b ...... Intel(R) 82567LM Gigabit Network Connection
1 ........................... Software Loopback Interface 1
20 ...00 00 00 00 00 00 00 e0 isatap.{5A2CE871-92DB-4CBC-AC84-7A89C675168F}
35 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
22 ...02 00 54 55 4e 01 ...... Microsoft Tun Miniport Adapter
36 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 192.168.42.100 306
169.254.255.255 255.255.255.255 On-link 192.168.42.100 286
192.168.0.0 255.255.255.0 On-link 192.168.0.10 281
192.168.0.10 255.255.255.255 On-link 192.168.0.10 281
192.168.0.255 255.255.255.255 On-link 192.168.0.10 281
192.168.42.0 255.255.255.0 On-link 192.168.42.100 31
192.168.42.100 255.255.255.255 On-link 192.168.42.100 286
192.168.42.255 255.255.255.255 On-link 192.168.42.100 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.10 281
224.0.0.0 240.0.0.0 On-link 192.168.42.100 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.10 281
255.255.255.255 255.255.255.255 On-link 192.168.42.100 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
22 18 ::/0 On-link
1 306 ::1/128 On-link
22 18 2001::/32 On-link
22 266 2001:0:d5c7:a2d6:24e3:19e9:3f57:fff5/128
On-link
33 286 fe80::/64 On-link
22 266 fe80::/64 On-link
22 266 fe80::24e3:19e9:3f57:fff5/128
On-link
33 286 fe80::bc3f:b1ef:4f2a:a5c6/128
On-link
1 306 ff00::/8 On-link
22 266 ff00::/8 On-link
33 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
2009/11/22 Stuart Hall <stuart at xxxx.org>:
> Hi Tom,
>
> I suspect the first suggestion will be to move to the latest RC
> version as there have been a lot of improvements in this. Current
> latest version is 2.1.5-rc-4.
>
> Perhaps you could try this and let us know how you get on.
>
> Regards,
>
> Stuart H.
>
> On Sat, Nov 21, 2009 at 9:03 AM, Tom Lahey <tel at xxxx.com> wrote:
>> Using ShrewSoft: 2.1.4
>> Router: Netgear SRXN3205
>> Firmware:3.0.3-18
>> Client OS: Windows Vista Business SP 1 64-bit
>>
>>
>> Problem:
>> I have configured the VPN Client using the instructions provided on the website.
>> I am able to establish a connection, however no traffic is routing
>> from my client to the remote network.
>> I am testing by connecting and then trying to ping a known server
>> 192.168.42.5 (I am able to ping this server from the local network)
>> I get "Request timed out"
>>
>> Debug attached.
>> Screen Shots of Netgear Config Attached.
>>
>>
>> Your assistance is appreciated!
>>
>> Tom
>>
>> --
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20091123/506f3faf/attachment-0002.html>