<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18975">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>For NetGear and ModeConfig add two subnets</FONT></DIV>
<DIV><FONT size=2>Your LAN and ModeConfig subnet:</FONT></DIV>
<DIV>10.1.1.0/24</DIV>
<DIV>10.1.2.0/24</DIV>
<DIV> </DIV>
<DIV><FONT size=2>On my FVX538 this allows access to the local LAN / DMZ
network.</FONT></DIV>
<DIV><FONT size=2>Also set Phase 1 and Phase 2 to the same settings you have on your
FVX338.</FONT></DIV>
<DIV><FONT size=2></FONT> </DIV>
<DIV><FONT size=2>Regards</FONT></DIV>
<DIV><FONT size=2> Michal Wegrzyn</FONT></DIV>
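<DIV><FONT size=2>A triage helper for gateway logs like the one quoted below, added here as an example and not part of the original e-mails: it extracts the configured Phase 2 network pair and the pair the gateway rejected, then reports how each rejected network relates to the configured one. The function names are hypothetical, and the regexes and the local/peer ordering are assumptions based on the line formats in this log.</FONT></DIV>

```python
import ipaddress
import re

# Constructed sample: three entries copied from the log quoted in this thread,
# each joined onto a single line (the trailing "_" is emitted by the gateway).
SAMPLE_LOG = """\
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24_
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in_
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder._
"""

NET = r"(\d+\.\d+\.\d+\.\d+/\d+)"
CONFIGURED = re.compile(r"Using IPsec SA configuration:\s*" + NET + r"<->" + NET)
REJECTED = re.compile(
    r"No policy found:\s*" + NET + r"\[\d+\]\s+" + NET
    + r"\[\d+\]\s+proto=(\S+)\s+dir=(in|out)"
)


def relation(proposed, configured):
    """Classify a proposed traffic selector against the configured one."""
    if proposed == configured:
        return "identical"
    if proposed.subnet_of(configured):
        return "narrower"
    if configured.subnet_of(proposed):
        return "wider"
    return "unrelated"


def triage(log_text):
    """Return one finding per rejected Phase 2 proposal found in log_text."""
    findings, local, remote = [], None, None
    for line in log_text.splitlines():
        m = CONFIGURED.search(line)
        if m:
            # Assumption: the first network is the gateway's local side.
            local, remote = (ipaddress.ip_network(n, strict=False) for n in m.groups())
            continue
        m = REJECTED.search(line)
        if m and local is not None:
            src, dst = (ipaddress.ip_network(n, strict=False) for n in m.group(1, 2))
            # Assumption: dir=in means the source is the peer, the destination is local.
            peer, ours = (src, dst) if m.group(4) == "in" else (dst, src)
            findings.append({"peer": str(peer), "peer_vs_config": relation(peer, remote),
                             "local": str(ours), "local_vs_config": relation(ours, local)})
    return findings
```

<DIV><FONT size=2>For the sample entries, <code>triage(SAMPLE_LOG)</code> reports the peer side as narrower than the configured network (a /32 host inside 10.1.2.0/24) and the local side as identical.</FONT></DIV>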
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt arial; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=david.borges@skitter.tv href="mailto:david.borges@skitter.tv">David
Borges</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=mgrooms@shrew.net
href="mailto:mgrooms@shrew.net">Matthew Grooms</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=vpn-help@lists.shrew.net
href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, January 11, 2011 8:19
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [vpn-help] FVS338 tunnel
established but can't ping remote IP's/SSH/DNS etc.</DIV>
<DIV><BR></DIV>Matthew,<BR><BR>Phase 2 now looks like this:<BR><BR>Transform
Algorithm: auto<BR>Transform Key Length: auto<BR>HMAC Algorithm: auto<BR>PFS
Exchange: Group 2<BR>Compression: disabled<BR><BR>Here is the vpn log
output:<BR><BR>2011 Jan 11 14:15:04 [FVS338] [IKE] Remote configuration for identifier "skitter_client" found_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received request for new phase 1 negotiation: 4.26.57.73[500]<=>76.97.216.191[500]_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Beginning Aggressive mode._<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_<BR>
- Last output repeated twice -<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_<BR>
- Last output repeated 2 times -<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: DPD_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] DPD is Enabled_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received unknown Vendor ID_<BR>
- Last output repeated 2 times -<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] Received Vendor ID: CISCO-UNITY_<BR>
2011 Jan 11 14:15:04 [FVS338] [IKE] For 76.97.216.191[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Setting DPD Vendor ID_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Floating ports for NAT-T with peer 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 4.26.57.73[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT-D payload does not match for 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Sending Xauth request to 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] ISAKMP-SA established for 4.26.57.73[4500]-76.97.216.191[4500] with spi:4646d0e40d5cd138:4ac0ef8a139b655b_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] purging spi=157580622._<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REPLY" from 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Login succeeded for user "dborges"_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Received attribute type "ISAKMP_CFG_REQUEST" from 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] 10.1.2.150 IP address is assigned to remote peer 76.97.216.191[4500]_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Ignored attribute 5_<BR>
2011 Jan 11 14:15:06 [FVS338] [IKE] Cannot open "/etc/motd"_<BR>
2011 Jan 11 14:15:07 [FVS338] [IKE] Responding to new phase 2 negotiation: 4.26.57.73[0]<=>76.97.216.191[0]_<BR>
2011 Jan 11 14:15:07 [FVS338] [IKE] Using IPsec SA configuration: 10.1.1.0/24<->10.1.2.0/24_<BR>
2011 Jan 11 14:15:07 [FVS338] [IKE] No policy found: 10.1.2.150/32[0] 10.1.1.0/24[0] proto=any dir=in_<BR>
2011 Jan 11 14:15:07 [FVS338] [IKE] Failed to get proposal for responder._<BR><BR>
I've been trying to get this working for a month now, no luck. Thanks for your help :)<BR><BR>Dave<BR><BR>On Tue,
2011-01-11 at 13:10 -0600, Matthew Grooms wrote:<BR>> On 1/11/2011 12:59
PM, David Borges wrote:<BR>> > Kevin,<BR>> ><BR>> > I told
shrew to use 10.1.1.0/24. In the FVS338 here is the ModeConfig<BR>>
><BR>> > Client Pool:<BR>> > Record Name: Pool<BR>> >
First IP Pool: 10.1.2.150 - 10.1.2.160<BR>> > Section IP Pool: 0.0.0.0 -
0.0.0.0<BR>> > Third IP Pool: 0.0.0.0 - 0.0.0.0<BR>> > Primary
WINS Server: 0.0.0.0<BR>> > Secondary WINS Server: 0.0.0.0<BR>> >
Primary DNS Server: 8.8.8.8<BR>> > Secondary DNS Server: 8.8.4.4<BR>>
> Traffic Tunnel Security Level:<BR>> > PFS Key Group: Group 2 (1024
bit)<BR>> > SA Lifetime: 3600<BR>> > SA Lifebyte: 0<BR>> >
Encryption Algorithm: 3DES<BR>> > Integrity Algorithm: SHA-1<BR>>
> Local IP Address: 10.1.1.0<BR>> > Local Subnet Mask:
255.255.255.0<BR>> ><BR>> ><BR>> > My internal network is
10.1.1.0/24. Am I missing something?<BR>> ><BR>> <BR>> Have
you tried setting your PFS group in the client to group 2 under the <BR>>
phase2 tab?<BR>> <BR>> -Matthew<BR><BR>-- <BR>David Borges<BR>Director
of Network Administration<BR>3720 Davinci Court, Suite 200<BR>Norcross GA,
30092<BR><A
href="http://www.skitter.tv">www.skitter.tv</A></BLOCKQUOTE></BODY></HTML>