<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"MS Sans Serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:427238685;
mso-list-type:hybrid;
mso-list-template-ids:-109423490 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I have managed to set up both an SSL and an IPSec-VPN to a new
Netgear FVS336G router, the latter using both the supplied Netgear client (which
only runs on 32 bits) and Shrew 2.1.4. This router is somewhat
disappointing in that, despite marketing claims that it would run ‘anytime,
anywhere,’ in fact, it only works with these two browsers, and only on a
32-bit Windows machine. As my client must be 64 bit, I am forced to
use the IPSec-VPN.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>When an SSL-VPN is set up, I am able to assign the VPN
virtual LAN IP Addresses on the same class C subnet as things actually
connected to the LAN, I can browse back and forth between workstations on the LAN
and VPN with no problem. For example, if I use 192.168.0.[0-100] for fix
IP LAN Addresses, 192.168.0.[100-150] for DHCP LAN IP Addresses, and 192.168.0.[200-220]
for the range of addresses assigned to VPN clients that connect, then I have no
trouble browsing from, say 192.168.0.221 to <a href="file:///\\192.168.0.42\c">\\192.168.0.42\c</a>,
or from 192.168.0.221 to <a href="file:///\\192.168.0.42\c">\\192.168.0.42\c</a>.
I also have no trouble browsing to Samba servers on the same network in
this manner. I can also place the SSL VPN clients in a separate class C
subnet, such as 192.168.1.xxx, but then I must define a routing rule to 192.168.0.xxx.
This solution is not as satisfactory, as I can only SMB browse from the
VPN to the LAN, not the other way around. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>If I switch to an IPSec-VPN, then I am unable to get a
tunnel to set up unless I place the VPNs in a separate class C subnet as
described above. This applies to either the Netgear IPSec VPN Client or
to Shrew 2.1.4. This would not be a problem, as I am able to ping and web
browse to addresses on the LAN from the VPN or vice-versa, except that when the
VPN is so configured, <b><span style='font-weight:bold'>I am only able to
SMB-browse to Samba servers, not to Windows workstations</span></b>.! The
error message comes back as “no such file or directory”. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>What could be going on here? How might I configure
things differently to be able to SMB-browse Windows clients via IPSec-VPN using
the Shrew client?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Charles Buckley<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>By the way, when using Shrew 2.1.4, I have the following
additional problems:<o:p></o:p></span></font></p>
<ol style='margin-top:0in' start=1 type=1>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>I am not able to use IKE Config
Pull, as I get the error message as shown below, and the tunnel does
not set up.. The usual support files are in the attached zip. So I
must set the virtual LAN and DNS addresses in the VPN client manually.<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>In order to get the VPN to work
from the server side, I may not use a Mode Config record on the Netgear
router. Instead, I must implement both an IKE and VPN policy, and in
the VPN policy, there must not be any address restrictions on the remote addresses.
<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>When using the Netgear client, I must only observer the
separate class C subnet rule.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Following is the error message from when Auto-Config is
configured.:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>config loaded for site 'corp.mauto.ch'<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>configuring client settings ...<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>attached to key daemon ...<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>peer configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>iskamp proposal configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>esp proposal configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>client configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>local id configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>remote id configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>pre-shared key configured<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color="#c08000"
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:#C08000'>bringing up tunnel ...<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=maroon
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:maroon'>invalid message from gateway<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-autospace:none'><font size=1 color=black
face="MS Sans Serif"><span style='font-size:8.5pt;font-family:"MS Sans Serif";
color:black'>tunnel disabled<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=1 color=black face="MS Sans Serif"><span
style='font-size:8.5pt;font-family:"MS Sans Serif";color:black'>detached from
key daemon ...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>