[vpn-help] Netgear FVS336G connects, but fails to see behind vpn

mikelupo at aol.com mikelupo at aol.com
Tue Jul 6 10:01:54 CDT 2010



Richard,
The VPN clients connecting should get a different subnet address than that of the secured LAN (behind the VPN firewall). In other words, if the wired clients behind the firewall are getting a 10.10.1.x IP address, then your VPN clients connecting via shrew should get a different subnet (10.10.2.x). So change the mode-config in the VPN to give a different IP subnet and I'm pretty sure that will solve part, if not all, of your communication issues.

Next, make sure all of your clients on the secure LAN don't have firewall/antivirus settings that disallow ping/remote desktop controls. Just because you can ping from secure LAN node to secure LAN node, does not mean that incoming connections from the outside world via VPN are going to be seen as friendly. You may have to configure the Windows systems to allow 10.10.2.x subnets as "home" addresses, especially if you're using Windows 7 flavors. I am still having these sorts of issues on my network with Windows 7 PCs. I iron them out one at a time. Still, there's one machine that's not pingable or remote controllable from shrew'd nodes. So please take what I say with a grain of salt.
Just trying to get you going in the right direction.

Mike





-----Original Message-----
From: Richard Sargent <rsargent at invisibleborders.com>
To: vpn-help at lists.shrew.net
Sent: Mon, Jul 5, 2010 1:37 pm
Subject: [vpn-help] Netgear FVS336G connects, but fails to see behind vpn



I have set up the DHCP on my Netgear FVS336G to use a 10.10.1.0 subnet. I can connect to the VPN, but when I try to ping or use remote desktop to a computer (10.10.1.2) behind the VPN it fails. I can ping the Netgear router itself (10.10.1.1).
 
Any suggestions?
 
I have set up the Netgear FVS336G using the standard settings from the VPN Wizard:
 
I am using the following Shrew Soft configuration:
 
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:30
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-addr-auto:1
s:network-host:192.168.1.42
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvs_remote.com
s:ident-server-data:fvs_local.com
b:auth-mutual-psk:cGFzc3dvcmQ=
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-list-include:10.10.1.0 / 255.255.255.0
 
 
Richard Sargent
WorldPak, Inc.
rsargent at invisibleborders.com
(703) 893-6202 x7103
 


_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help
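
The subnet check suggested in the reply above, as an added example that is not part of the original thread or of Shrew Soft's code: it reads the `policy-list-include` entries from a client profile in the format quoted above and reports whether a proposed mode-config pool overlaps the LAN behind the gateway. The function names are hypothetical, the profile is a constructed excerpt of the quoted one, and the pool prefix lengths are assumptions (the thread gives only 10.10.1.x and 10.10.2.x).

```python
import ipaddress

# Constructed excerpt of the client profile quoted in the thread (type:key:value lines).
SAMPLE_PROFILE = """\
n:client-addr-auto:1
s:network-host:192.168.1.42
s:policy-list-include:10.10.1.0 / 255.255.255.0
"""


def parse_profile(text):
    """Parse 'type:key:value' lines into {key: [values]}; a key may appear more than once."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[0] not in ("n", "s", "b"):
            raise ValueError(f"unrecognized profile line: {raw!r}")
        settings.setdefault(parts[1], []).append(parts[2])
    return settings


def tunneled_networks(settings):
    """Networks routed into the tunnel, from 'address / netmask' policy entries."""
    networks = []
    for entry in settings.get("policy-list-include", []):
        address, netmask = (part.strip() for part in entry.split("/", 1))
        networks.append(ipaddress.ip_network(f"{address}/{netmask}", strict=False))
    return networks


def pool_conflicts(pool, settings):
    """Return the tunneled networks that overlap the proposed mode-config pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [net for net in tunneled_networks(settings) if pool_net.overlaps(net)]


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    # Pool prefix lengths are assumptions; only the last pool is separate from the LAN.
    for pool in ("10.10.1.0/24", "10.10.1.128/25", "10.10.0.0/16", "10.10.2.0/24"):
        clashes = pool_conflicts(pool, profile)
        verdict = "conflicts with " + ", ".join(map(str, clashes)) if clashes else "ok"
        print(f"{pool:16} {verdict}")
```

A pool carved out of the LAN range (10.10.1.128/25) or a supernet that contains it (10.10.0.0/16) is flagged the same way as an identical subnet.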
