Hi Henry,<br><br>I'm not sure, but the Pool Address shouldn't be the same as the LAN (use another Pool).<br><br>Regards,<br><br><div class="gmail_quote">On Thu, Mar 8, 2012 at 1:34 PM, Henry <span dir="ltr"><<a href="mailto:henrysoo@gmail.com">henrysoo@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi guys,<br>
<br>
I just set up a Netgear FVS318G as gateway-to-client with the Shrew VPN<br>
Client. My problem is that the VPN tunnel connection is established, but<br>
PING does not work when pinging the local devices that reside on the LAN side<br>
of the FVS318G. I cannot see any LAN resource, as no traffic is passing<br>
through the VPN tunnel.<br>
<br>
My configurations are:<br>
<br>
My PC (LAN IP: 192.168.2.10) with Shrew VPN client Installed --> The<br>
Internet --> BiPAC 7700N [(LAN IP: <a href="http://10.1.1.1/24" target="_blank">10.1.1.1/24</a>, DMZ set to FVS318G<br>
(WAN IP: 10.1.1.2, LAN IP: <a href="http://192.168.1.1/24" target="_blank">192.168.1.1/24</a>, First Pool: starting<br>
192.168.1.190 Ending IP: 192.168.1.199)]<br>
<br>
The Shrew VPN client configuration was set up by using the guide<br>
<a href="http://www.shrew.net/support/wiki/HowtoNetgear" target="_blank">www.shrew.net/support/wiki/HowtoNetgear</a>. Under Topology Entry, Type:<br>
Include, Address 192.168.1.0, Netmask: 255.255.255.0 were configured.<br>
<br>
I know the BiPAC 7700N does not allow VPN. But as I set the FVS318G in<br>
DMZ (the DMZ works, as I could VPN to the FVS318G with the Shrew VPN client),<br>
would it be possible that the BiPAC 7700N still drops the VPN traffic? I<br>
also changed to different IP schemes in First Pool under Mode Config. But<br>
it did the same: the VPN tunnel is established, but I cannot ping the VPN<br>
gateway and cannot access local resources behind the gateway.<br>
<br>
Do you guys have any ideas? I would much appreciate any input.<br>
<br>
Kind regards,<br>
Henry<br>
<br>
<br>
The FVS318G VPN logs are as below:<br>
<br>
2012 Mar 8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap<br>
4500->55126]: ESP/Tunnel 10.1.1.2->14.200.16.xxx with<br>
spi=2454962505(0x9253c149)_<br>
2012 Mar 8 11:56:54 [FVS318g] [IKE] IPsec-SA established[UDP encap<br>
55126->4500]: ESP/Tunnel 14.200.16.xxx->10.1.1.2 with<br>
spi=240506340(0xe55d5e4)_<br>
2012 Mar 8 11:56:53 [FVS318g] [IKE] Adjusting peer's encmode<br>
61443(61443)->Tunnel(1)_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] No policy found, generating the<br>
policy : <a href="http://192.168.1.191/32[0]" target="_blank">192.168.1.191/32[0]</a> <a href="http://192.168.1.0/24[0]" target="_blank">192.168.1.0/24[0]</a> proto=any dir=in_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] Using IPsec SA configuration:<br>
<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><-><a href="http://192.168.1.0/24_" target="_blank">192.168.1.0/24_</a><br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] Responding to new phase 2<br>
negotiation: 10.1.1.2[0]<=>14.200.16.xxx[0]_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] 192.168.1.190 IP address is<br>
assigned to remote peer 14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] Cannot open "/etc/motd"_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] Received attribute type<br>
"ISAKMP_CFG_REQUEST" from 14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:51 [FVS318g] [IKE] Login succeeded for user "abc"_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] Received attribute type<br>
"ISAKMP_CFG_REPLY" from 14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] purging spi=162673254._<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] ISAKMP-SA established for<br>
10.1.1.2[4500]-14.200.16.xxx[55126] with<br>
spi:6cced634bc69f38f:1838b1314f37cdd1_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] Sending Xauth request to<br>
14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] NAT detected: Local is behind a<br>
NAT device. and alsoPeer is behind a NAT device_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for<br>
14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] NAT-D payload does not match for<br>
10.1.1.2[4500]_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] Floating ports for NAT-T with<br>
peer 14.200.16.xxx[55126]_<br>
2012 Mar 8 11:56:50 [FVS318g] [IKE] Setting DPD Vendor ID_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] For 14.200.16.xxx[55028],<br>
Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received Vendor ID: CISCO-UNITY_<br>
- Last output repeated 2 times -<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] DPD is Enabled_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received Vendor ID: DPD_<br>
- Last output repeated 2 times -<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received Vendor ID:<br>
draft-ietf-ipsec-nat-t-ike-02__<br>
- Last output repeated twice -<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received unknown Vendor ID_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received Vendor ID:<br>
draft-ietf-ipsra-isakmp-xauth-06.txt_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Beginning Aggressive mode._<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Received request for new phase 1<br>
negotiation: 10.1.1.2[500]<=>14.200.16.xxx[55028]_<br>
2012 Mar 8 11:56:49 [FVS318g] [IKE] Remote configuration for<br>
identifier "<a href="http://client.domain.com" target="_blank">client.domain.com</a>" found_<br>
</blockquote></div><br>
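The check the reply points at, as an added example that is not part of the original thread: it tests whether the Mode Config pool falls inside the gateway LAN and flags the log lines that show the same overlap. The LAN, pool and log lines are taken from the post (mail line wraps joined); the function names are illustrative.

```python
import ipaddress
import re

# Values from the post: FVS318G LAN and the Mode Config "First Pool" range.
LAN = ipaddress.ip_network("192.168.1.0/24")
POOL = ("192.168.1.190", "192.168.1.199")

# Three lines from the FVS318G log in the post, with mail line wraps joined.
LOG = """\
2012 Mar 8 11:56:51 [FVS318g] [IKE] No policy found, generating the policy : 192.168.1.191/32[0] 192.168.1.0/24[0] proto=any dir=in_
2012 Mar 8 11:56:51 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.1.0/24<->192.168.1.0/24_
2012 Mar 8 11:56:51 [FVS318g] [IKE] 192.168.1.190 IP address is assigned to remote peer 14.200.16.xxx[55126]_
"""

ASSIGNED = re.compile(r"\[IKE\] (\d+\.\d+\.\d+\.\d+) IP address is assigned to remote peer")
POLICY = re.compile(r"generating the policy : (\S+?)\[\d+\] (\S+?)\[\d+\]")
SA_CONF = re.compile(r"Using IPsec SA configuration: ([\d./]+)<->([\d./]+)")


def pool_overlaps(lan, first, last):
    """True if any address in the pool range first..last lies inside lan."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return any(net.overlaps(lan) for net in nets)


def findings(log, lan):
    """Return one message per log line whose addresses collide with the LAN."""
    out = []
    for line in log.splitlines():
        m = ASSIGNED.search(line)
        if m and ipaddress.ip_address(m.group(1)) in lan:
            out.append(f"client address {m.group(1)} is inside LAN {lan}")
        m = POLICY.search(line)
        if m:
            src, dst = (ipaddress.ip_network(g) for g in m.groups())
            if src.overlaps(dst):
                out.append(f"policy {src} -> {dst}: source lies inside destination")
        m = SA_CONF.search(line)
        if m:
            a, b = (ipaddress.ip_network(g) for g in m.groups())
            if a.overlaps(b):
                out.append(f"SA selectors overlap: {a} <-> {b}")
    return out


if __name__ == "__main__":
    print("pool inside LAN:", pool_overlaps(LAN, *POOL))
    for msg in findings(LOG, LAN):
        print("-", msg)
```

Re-running `pool_overlaps` with a candidate pool from a different subnet shows whether the new range is clear of the LAN before it is entered under Mode Config.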