Question : VPN Question
Hi All,
I've seen posts on this board with issues similar to this before, but I've not yet been able to resolve this issue myself. So here goes:
I'm trying to create a VPN connection from our remote office network, using Netgear's ProSafe VPN client software behind a Netgear FR314 firewall router with NAT, to our main office network behind a Netgear ProSafe FVL328 VPN firewall router with NAT.
The computer setup for both locations is as follows:
The remote office is a Windows 2000 peer-to-peer network (workgroup name XYZ) with private IP addresses in the range of 192.168.0.2 to 192.168.0.5. This router has the IP address of 192.168.0.1 and is set to act as a DHCP server. These computers access the internet through a DSL connection with a dynamically assigned public IP address. The software firewall on the connecting computer is disabled during the VPN connection.
The main office is also a Windows 2000 peer-to-peer network (workgroup name XYZ) with private IP addresses in the range of 192.168.0.2 to 192.168.0.8. This router has the IP address of 192.168.0.1 and is set to act as a DHCP server. These computers access the internet through a DSL connection with a static public IP address. The server in the main office is simply a Windows 2000 Professional workstation (with a reserved IP address of 192.168.0.2) being used as a dedicated file server. There is no software firewall installed.
UDP ports 500, 1701, 1723 and 4500 and IP protocol 50 have been opened on the FVL328 router (at the main office) and forwarded to the server. I have selected the checkbox in the Rules section of the FVL328 labeled Enable VPN Passthrough (IPSec, PPTP, L2TP). (Is this redundant?)
Attempting to establish a VPN tunnel using the recommended settings for the client and router in Netgear's manual, the ProSafe client software reports a successful connection to the main office (FVL328) router. However, the log viewer reports these error messages:
2-09: 00:19:18.187 My Connections\FVL328 - SENDING>>>> ISAKMP OAK QM *(Retransmission)
2-09: 00:19:25.453 My Connections\FVL328 - RECEIVED<<< ISAKMP OAK QM *(HASH, SA, NON, ID 2x, KE)
2-09: 00:19:25.453 Cannot match Policy Entry for received Phase 2 IDs:
2-09: 00:19:25.453 local host=IP ADDR=192.168.0.3, prot = 0 dst_port = 0
2-09: 00:19:25.453 remote host=IP SUBNET/MASK=192.168.0.0/255.255.255.0, prot = 0 src_port = 0
2-09: 00:19:25.546 My Connections\FVL328 - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
2-09: 00:19:25.546 My Connections\FVL328 (IP ADDR=XXX.XXX.XXX.XXX) - Error validating Proxy ID
The result is I'm unable to browse (or ping) the server in our main office.
If I change the client settings to require the virtual adapter and an internal IP address of 192.168.0.5 (rather than 0.0.0.0), I receive these messages while using the ping -t command to the server at the main office:
2-09: 00:58:09.921 My Connections\FVL328 - RECEIVED<<< ISAKMP OAK QM *(Retransmission)
2-09: 00:58:09.921 My Connections\FVL328 - SENDING>>>> ISAKMP OAK QM *(Retransmission)
2-09: 00:59:20.484 My Connections\FVL328 - Deleting IPSec SA (OUTBOUND SPI = B7CAFAB7 INBOUND SPI = 49FAC1A)
2-09: 00:59:20.484 My Connections\FVL328 - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
2-09: 00:59:20.484 My Connections\FVL328 - Filter entry 3: SECURE 192.168.000.005&255.255.255.255 192.168.000.001&255.255.255.000 XXX.XXX.XXX.XXX removed.
2-09: 00:59:26.484 My Connections\FVL328 - Deleting IPSec SA (OUTBOUND SPI = B3A5C4B5 INBOUND SPI = 9CC9D87C)
2-09: 00:59:26.484 My Connections\FVL328 - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
2-09: 00:59:26.484 My Connections\FVL328 - Filter entry 4: SECURE 192.168.000.005&255.255.255.255 192.168.000.001&255.255.255.000 XXX.XXX.XXX.XXX removed.
The result is the same, however, and I'm unable to browse or ping the network. Is this setup viable and I'm just missing something, or do I need to rethink my network topology?
Thanks in advance
adaris
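As an added troubleshooting check (example code written for this page, not something the poster or Netgear supplied): the "Cannot match Policy Entry for received Phase 2 IDs" lines in the quoted log carry the two traffic selectors (proxy IDs) the peers are negotiating. The script below parses those lines out of the ProSafe client log, and then tests whether the client's local ID falls inside the remote subnet ID. The sample log text is constructed from the lines quoted in the post; the second sample, with the main office renumbered to 192.168.1.0/24, is a constructed contrast to show what a non-overlapping pair looks like. The function names and the log format regex are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the Phase 2 ID lines quoted in the post above.
SAMPLE_LOG = """\
2-09: 00:19:25.453 Cannot match Policy Entry for received Phase 2 IDs:
2-09: 00:19:25.453 local host=IP ADDR=192.168.0.3, prot = 0 dst_port = 0
2-09: 00:19:25.453 remote host=IP SUBNET/MASK=192.168.0.0/255.255.255.0, prot = 0 src_port = 0
2-09: 00:19:25.546 My Connections\\FVL328 - SENDING>>>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
"""

# Constructed contrast: same client, but the remote office has been renumbered
# so that the two sites no longer share address space (hypothetical values).
RENUMBERED_LOG = """\
2-09: 00:19:25.453 local host=IP ADDR=192.168.0.3, prot = 0 dst_port = 0
2-09: 00:19:25.453 remote host=IP SUBNET/MASK=192.168.1.0/255.255.255.0, prot = 0 src_port = 0
"""

# Matches the "local host=IP ADDR=a.b.c.d" and
# "remote host=IP SUBNET/MASK=a.b.c.d/m.m.m.m" forms seen in the log.
ID_RE = re.compile(r"(local|remote) host=IP (ADDR|SUBNET/MASK)=([0-9./]+)")


def parse_phase2_ids(log_text):
    """Return {'local': network, 'remote': network} from the Phase 2 ID lines."""
    ids = {}
    for match in ID_RE.finditer(log_text):
        side, kind, value = match.groups()
        if kind == "ADDR":
            # A single host ID is a /32.
            net = ipaddress.ip_network(value + "/32")
        else:
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(value, strict=False)
        ids[side] = net
    return ids


def diagnose(log_text):
    """List findings that explain why the Phase 2 negotiation cannot succeed."""
    findings = []
    if "NOTIFY:INVALID_ID_INFO" in log_text:
        findings.append("peer rejected the Phase 2 IDs (NOTIFY:INVALID_ID_INFO)")
    ids = parse_phase2_ids(log_text)
    if "local" in ids and "remote" in ids and ids["local"].overlaps(ids["remote"]):
        findings.append(
            f"local ID {ids['local']} lies inside remote ID {ids['remote']}: "
            "both sites use the same private range, so the tunnel's traffic "
            "selectors cannot tell the two networks apart"
        )
    return findings


if __name__ == "__main__":
    for name, log in (("as posted", SAMPLE_LOG), ("renumbered", RENUMBERED_LOG)):
        print(name + ":")
        for finding in diagnose(log) or ["no Phase 2 ID problems found"]:
            print("  -", finding)
```

Run it as-is and the posted log yields two findings, the INVALID_ID_INFO rejection and the overlap between 192.168.0.3/32 and 192.168.0.0/24; the renumbered sample yields none. The overlap test is the part worth keeping: when the remote office and the main office both sit on 192.168.0.0/24, no policy entry can route a packet for 192.168.0.2 into the tunnel rather than onto the local LAN, regardless of which ports are forwarded.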
Answer : VPN Question
Oh, I forgot "forklift upgrade to some REAL network gear ... Cisco, Nortel, Checkpoint, etc." ;)