[vpn-help] new user, fairly baffled

Howard Spindel howard at sci1.com
Mon Mar 7 14:14:32 CST 2011


Fabio,

Don't know why I'd need Dynamic DNS for the laptop.  The router 
doesn't have to find the laptop - the laptop finds the router.

I did look at the tutorial for the Netgear connection, but the DG834G 
is very different from the tutorial and hard to map.  The DG834G has 
many fewer settings allowed than the tutorial's ProSafe router.

I tried the specific suggestions you had, and it made no difference 
that I can see.  Still not getting through Phase 1.

Really need a cookbook approach tailored to the DG834G here.

Thanks,
Howard


At 11:31 AM 3/7/2011, Fabio Cigoj wrote:
>Howard,
>
>If you have a fixed IP address on the router that's ok, but you still
>need a dynamic DNS service for the laptop.
>I am a bit confused about the router as the Netgear website states it's
>a VPN passthrough in one place and that it can support up to 5 endpoints
>somewhere else.
>Worth giving it a try anyway...provided your router supports Mode Config
>for policy generation. One of the things I am sure of is that Shrew
>talks to Netgear only if Mode Config is used.
>If that is not the case then a new router is in order.
>Did you take a look at the tutorial published on Shrew's website for
>connections with Netgear hardware ? It is written for another router,
>but shouldn't be too difficult to figure it out.
>Bear in mind that some things need to be followed exactly; one
>example is the authentication: pre shared key only does not work; it
>needs to be PSK + XAuth.
>Another thing is that the exchange mode must be set to aggressive. I
>tried main and it didn't work.
>Local gateway on the router is the local WAN IP, while for the remote I
>used the FQDN assigned to the laptop.
>Make sure the address range to assign to the clients is on a different
>subnet than your LAN.
>DH group must be 2
>Encryption algorithm must be 3DES and integrity algorithm must be SHA-1
>
>Wouldn't know what more to add without a clear view of router and client
>configuration, but I think you have some more things to try now.
>
>Cheers
>
>Fabio
>
>On 07/03/11 20:03, Howard Spindel wrote:
> > Fabio,
> >
> > I shouldn't need a Dynamic DNS service as I have a static IP for my
> > Netgear router.
> >
> > So, how would I make this work with the DG834, and what additional
> > software do I need?  The Netgear config panels don't talk about it being
> > a VPN pass-through - they make it sound like a VPN endpoint.
> >
> > If I'm going to have to buy a different router to make this work, what
> > router do folks like?  (I need it with a DSL modem built-in too).
> >
> > Thanks,
> > Howard
> >
> > At 05:05 AM 3/7/2011, Fabio Cigoj wrote:
> >> Howard,
> >>
> >> The DG834 is a VPN-passthrough in the first place, not a VPN-endpoint,
> >> which would force you to set up a VPN server.
> >> From my gatherings, collected from qualified people like the author of
> >> Shrew, it seems that Netgear uses quite an old VPN stack, but there
> >> are better and worse routers.
> >> I use a 338, which, far from being perfect for my needs is a
> >> VPN-endpoint, I managed to make work in much a similar config as the
> >> one you need.
> >> The trick is to register with a (free) dynamic DNS service both your
> >> router and your laptop, so every time you connect to internet the name
> >> of your machines has the correct IP address assigned. At that point
> >> you can use the FQDN (fully qualified domain name) in the VPN config.
> >> It looks complicated, but it is(n't)
> >>
> >> Cheers
> >>
> >> Fabio
> >>
> >> On Mon, Mar 7, 2011 at 1:31 PM, Howard Spindel <howard at sci1.com> wrote:
> >>
> >>     In all likelihood, the laptop would not be directly connected to
> >>     the internet. I would be at the mercy of whomever was providing a
> >>     hot spot.
> >>
> >>     Is there no way to get that to work?
> >>
> >>
> >>>         Hi,
> >>>
> >>>         Your laptop is directly connected to the Internet? (no NAT).
> >>>         Because the NETGEAR DG834 supports only the MAIN Mode... (and
> >>>         the VPN is buggy...)
> >>>
> >>>         Regards,
> >>>
> >>>         On Mon, Mar 7, 2011 at 11:32 AM, Howard Spindel
> >>>         <howard at sci1.com> wrote:
> >>>
> >>>             I'm trying to set up a VPN that will allow me to connect
> >>>             in to my home network (with a Netgear DG834Gv4 facing the
> >>>             internet) from a Windows 7 laptop.
> >>>             Can anyone provide a cookbook for setting the Netgear VPN
> >>>             settings and ShrewSoft VPN client that would enable the
> >>>             two to connect?  I've been tearing my hair trying all
> >>>             sorts of combinations, but can't get anything to work.
> >>>             The VPN trace on the Win 7 laptop shows three attempts to
> >>>             send phase1 packets before it hits "resend limit exceeded
> >>>             for phase1 exchange" and aborts.
> >>>             I am a computer programmer with 30 years experience and
> >>>             lots of networking experience, but I can't figure this
> >>>             one out!
> >>>             Thanks,
> >>>             Howard
> >>>             Netgear policy page looks like this right now:
> >>>             Remote VPN Endpoint: Dynamic IP address
> >>>             Local LAN: IP address is set to my local subnet
> >>>             Remote LAN: IP address is set to "Single PC - no subnet"
> >>>             IKE direction: responder only (only choice allowed)
> >>>             Exchange mode: Main mode (only choice allowed)
> >>>             DH group: auto
> >>>             Local ID type: WAN IP address
> >>>             Remote ID type: FQDN
> >>>             Encryption algorithm: 3DES
> >>>             Authentication algorithm: auto
> >>>             Using a pre-shared key for authentication
> >>>
> >>>
> >>>             _______________________________________________
> >>>             vpn-help mailing list
> >>>             vpn-help at lists.shrew.net
> >>>             http://lists.shrew.net/mailman/listinfo/vpn-help
> >>
> >>
> >>
> >>
> >
> >
> >
> > _______________________________________________
> > vpn-help mailing list
> > vpn-help at lists.shrew.net
> > http://lists.shrew.net/mailman/listinfo/vpn-help
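
Phase 1 only completes when both peers agree on exchange mode, DH group, cipher and hash, so the settings discussed in this thread can be compared mechanically. The Python sketch below is an added example, not code from the thread or from Netgear or Shrew Soft; the field names, the constructed sample inputs and the rule that the router's "auto" matches any client value are assumptions.

```python
import re

# Constructed from the Netgear policy page quoted in the thread (Phase 1 fields only).
ROUTER_POLICY = """\
Exchange mode: Main mode (only choice allowed)
DH group: auto
Encryption algorithm: 3DES
Authentication algorithm: auto
"""

# Hypothetical client-side settings, using the values suggested in the reply.
CLIENT_PROFILE = {
    "exchange mode": "aggressive",
    "dh group": "2",
    "encryption algorithm": "3DES",
    "authentication algorithm": "SHA-1",
}


def normalise(value):
    """Lower-case, drop parenthesised notes, a trailing 'mode', spaces and hyphens."""
    value = re.sub(r"\(.*?\)", "", value).strip().lower()
    value = re.sub(r"\s+mode$", "", value)
    return value.replace("-", "").replace(" ", "")


def parse_policy(text):
    """Turn 'Key: value' lines into a dict of normalised settings."""
    policy = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy[key.strip().lower()] = normalise(value)
    return policy


def phase1_mismatches(router, client):
    """Return (field, router_value, client_value) for every disagreement.

    Assumption: a router value of 'auto' accepts whatever the client proposes.
    """
    problems = []
    for field, raw in client.items():
        wanted, offered = router.get(field), normalise(raw)
        if wanted is None:
            problems.append((field, "missing", offered))
        elif wanted != "auto" and wanted != offered:
            problems.append((field, wanted, offered))
    return problems


if __name__ == "__main__":
    for field, r, c in phase1_mismatches(parse_policy(ROUTER_POLICY), CLIENT_PROFILE):
        print(f"{field}: router={r} client={c}")
```

With these constructed inputs the only disagreement reported is the exchange mode: the router offers main mode only, while the suggested client setting is aggressive.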