[vpn-help] new user, fairly baffled

Alexis La Goutte alexis.lagoutte at gmail.com
Wed Mar 9 02:27:22 CST 2011


Hi,

The DG834 don't support the Aggressive Mode, there is only expected for VPN
Site at Site
Change the router is the better solution !

Regards,

On Mon, Mar 7, 2011 at 9:14 PM, Howard Spindel <howard at sci1.com> wrote:

> Fabio,
>
> Don't know why I'd need Dynamic DNS for the laptop.  The router doesn't
> have to find the laptop - the laptop finds the router.
>
> I did look at the tutorial for the Netgear connection, but the DG834G is
> very different from the tutorial and hard to map.  The DG834G has many fewer
> settings allowed than the tutorial's ProSafe router.
>
> I tried the specific suggestions you had, and it made no difference that I
> can see.  Still not getting through Phase 1.
>
> Really need a cookbook approach tailored to the DG834G here.
>
> Thanks,
> Howard
>
>
>
> At 11:31 AM 3/7/2011, Fabio Cigoj wrote:
>
>> Howard,
>>
>> If you have a fixed IP address on the router that's ok, but you still
>> need a dynamic DNS service for the laptop.
>> I am a bit confused about the router as the Netgear website states it's
>> a VPn passthrough in one place and that it can support up to 5 endpoints
>> somewhere else.
>> Worth giving it a try anyway...provided your router supports Mode Config
>> for policy generation. One of the things I am sure of is that Shrew
>> talks to Netgear only if Mode Config is used.
>> If that is not the case then a new router is in order.
>> Did you take a look to the tutorial published on Shrew's website for
>> connections with Netgear hardware ? It is written for another router,
>> but shouldn't be too difficult to figure it out.
>> Bear in mind that some things need to be followed exactly, one is
>> example is the authentication: pre shared key only does not work; it
>> needs to be PSK + XAuth.
>> Another thing is that the exchange mode must be set to aggressive. I
>> tried main and it didn't work.
>> Local gateway on the router is the local WAN IP, while for the remote I
>> used a the FQDN assigned to the laptop.
>> Make sure the address range to assign to the clients is on a different
>> subnet than your LAN.
>> DH group must be 2
>> Encryption algorithm must be 3DES and integrity algorithm must be SHA-1
>>
>> Wouldn't know what more to add without a clear view of router and client
>> configuration, but I think you have some more things to try now.
>>
>> Cheers
>>
>> Fabio
>>
>>
>> On 07/03/11 20:03, Howard Spindel wrote:
>> > Fabio,
>> >
>> > I shouldn't need a Dynamic DNS service as I have a static IP for my
>> > Netgear router.
>> >
>> > So, how would I make this work with the DG834, and what additional
>> > software do I need?  The Netgear config panels don't talk about it being
>> > a VPN pass-through - they make it sound like a VPN endpoint.
>> >
>> > If I'm going to have to buy a different router to make this work, what
>> > router do folks like?  (I need it with a DSL modem built-in too).
>> >
>> > Thanks,
>> > Howard
>> >
>> > At 05:05 AM 3/7/2011, Fabio Cigoj wrote:
>> >> Howard,
>> >>
>> >> The DG834 is a VPN-passthough in first place, not a VPN-endpoint,
>> >> which would force you set up a VPN server.
>> >> From my gatherings, collected from qualified people like the author of
>> >> Shrew, it seems that Netgear uses quite an old VPN stack, but there
>> >> are better and worse routers.
>> >> I use a 338, which, far from being perfect for my needs is a
>> >> VPN-endpoint, I managed to make work in much a similar config as the
>> >> one you need.
>> >> The trick is to register with a (free) dynamic DNS service both your
>> >> router and your laptop, so every time you connect to internet the name
>> >> of your machines has the correct IP address assigned. At that point
>> >> you can use the FQDN (fully qualified domain name) in the VPN config.
>> >> It looks complicated, but it is(n't)
>> >>
>> >> Cheers
>> >>
>> >> Fabio
>> >>
>> >> On Mon, Mar 7, 2011 at 1:31 PM, Howard Spindel <howard at sci1.com
>> >> <mailto:howard at sci1.com>> wrote:
>> >>
>> >>     In all likelihood, the laptop would no be directly connected  to
>> >>     the internet. I would be at the mercy of whomever was providing a
>> >>     hot spot.
>> >>
>> >>     Is there no way to get that to work?
>> >>
>> >>
>> >>>         Hi,
>> >>>
>> >>>         You laptop is directly connected to Internet ? (no NAT).
>> >>>         Because the NETGEAR DG834 support only the MAIN Mode... (and
>> >>>         the VPN is buggy...)
>> >>>
>> >>>         Regards,
>> >>>
>> >>>         On Mon, Mar 7, 2011 at 11:32 AM, Howard Spindel
>> >>>         <howard at sci1.com <mailto:howard at sci1.com>> wrote:
>> >>>
>> >>>             I'm trying to setup a VPN that will allow me to connect
>> >>>             in to my home network (with a Netgear DG834Gv4 facing the
>> >>>             internet) from a Windows 7 laptop.
>> >>>             Can anyone provide a cookbook for setting the Netgear VPN
>> >>>             settings and ShrewSoft VPN client that would enable the
>> >>>             two to connect?  I've been tearing my hair trying all
>> >>>             sorts of combinations, but can't get anything to work.
>> >>>             The VPN trace on the Win 7 laptop shows three attempts to
>> >>>             send phase1 packets before it hits "resend limit exceeded
>> >>>             for phase1 exchange" and aborts.
>> >>>             I am a computer programmer with 30 years experience and
>> >>>             lots of networking experience, but I can't figure this
>> >>>             one out!
>> >>>             Thanks,
>> >>>             Howard
>> >>>             Netgear policy page looks like this right now:
>> >>>             Remote VPN Endpoint: Dynamic IP address
>> >>>             Local LAN: IP address is set to my local subnet
>> >>>             Remote LAN: IP address is set to "Single PC - no subnet"
>> >>>             IKE direction: responder only (only choice allowed)
>> >>>             Exchange mode: Main mode (only choice allowed)
>> >>>             DH group: auto
>> >>>             Local ID type: WAN IP address
>> >>>             Remote ID type: FQDN
>> >>>             Encryption algorithm: 3DES
>> >>>             Authentication algorithm: auto
>> >>>             Using a pre-shared key for authentication
>> >>>
>> >>>
>> >>>             _______________________________________________
>> >>>             vpn-help mailing list
>> >>>             vpn-help at lists.shrew.net <mailto:vpn-help at lists.shrew.net
>> >
>>
>> >>>             http://lists.shrew.net/mailman/listinfo/vpn-help
>> >>
>> >>
>> >>
>> >>     _______________________________________________
>> >>     vpn-help mailing list
>> >>     vpn-help at lists.shrew.net <mailto:vpn-help at lists.shrew.net>
>>
>> >>     http://lists.shrew.net/mailman/listinfo/vpn-help
>> >>
>> >
>> >
>> >
>> > _______________________________________________
>> > vpn-help mailing list
>> > vpn-help at lists.shrew.net
>> > http://lists.shrew.net/mailman/listinfo/vpn-help
>>
>
>
>
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20110309/a38ca991/attachment-0001.html>


More information about the vpn-help mailing list