VPN setup question for XP.

Hi:

I'm attempting to set up a VPN for about 6 remote users connected
through a Netgear FVS318. I've set up the VPN filters according to the
information on this Netgear Support Page (using www.tinyurl.com, so it
doesn't wrap):

http://tinyurl.com/oyh36

, but I'm not sure how to use the filters set up as part of a completed
VPN connection. It appears they've left that critical part out of the
directions. (I do have a router on my end. It's a Belkin N1. The WAN
set on the Belking isn't the internet IP though. It's something that
starts with 192.168 so it's local, and the connection uses a Windows
gateway. Maybe that's complicating things.)

Clearly I can't use the VPN wizard to do it, because I've tried that, so
there must me some manual rigmarole. The filters assume static
addresses, and I generally have dynamic, but wanted to at least see if I
can establish a network before dealing with that nicety. The IP
addresses don't change, whether they're local or wide. BTW, I have set
up a succussful Remote Desktop connection passing through this router,
so it is possible to set up a two-way connection.

The following log file is the sequence the router runs through about
half a dozen times before giving up on the VPN, when I attempt to use a
generic VPN connection set up by Microsoft's wizard. (Yes, I did
specify an IPSec shared key). It basically gets stuck to the Oakley
Transform, though I don't know what "invalid value 14" means.

-----start log here-----
Sat, 08/19/2006 13:07:32 - FVS318 IPsec:Receive Packet address:0x1397554
from ***.***.***.***
Sat, 08/19/2006 13:07:32 - FVS318 IKE:Peer Initialized IKE Main Mode
Sat, 08/19/2006 13:07:32 - FVS318 IKE:[VPNCON2] RX << MM_I1 :
***.***.***.***
Sat, 08/19/2006 13:07:32 - FVS318 IPsec:New State index:0, sno:13
Sat, 08/19/2006 13:07:32 - FVS318 IPsec:responding to Main Mode
Sat, 08/19/2006 13:07:32 - FVS318 IPsec:loglog[3] invalid value 14 for
attribute OAKLEY_GROUP_DESCRIPTION in Oakley Transform
-----end log here-----

So is there any way to set up a VPN going from an XP box to this router?
Do I need proprietary software? Would ISA work?

Freewheeling wrote:
> Hi:
>
> I'm attempting to set up a VPN for about 6 remote users connected
> through a Netgear FVS318.

I'll assume XP throughout.

Do you mean the FVS318 configured as the VPN device, talking to your
local network using XP vpn server capabilities locally,
or are you just using the FVS318 as a router/firewall for this
connection, and using the built-in vpn capabilities of XP as client and
server on each side?

The former may not work, the latter certainly will. In any case...

You have setup a target box on the lan for VPN, yes? This will be
needed, since you're not running another FVS318 or equivalent on your
end (in that case, they could just 'talk' directly to each other by
setting up the apporopriate VPN parameters.)

If not, go to network connections on the target, select the 'create a
new connection' task,
next;setup advanced...;accept incoming...;allow vpn...;edit users as
needed;edit networking s/w if needed; finish

You should now have an 'incoming connections' icon in your network
connections.

You'll need to set the router on your end to send vpn traffic to the
target. Not sure if the g/w system will get in the way, I've never used
vpn on xp that way - is there a reason you don't just connect the
router directly to the ISP modem?

Both sides need to be using the same vpn method, e.g., ppp, l2tp...

Since manufacturers interpret the VPN specs differently in some cases,
this may not fly if you're trying to let the FVS318 act as the client,
ymmv.

Good luck
R

heycarnut wrote:
<...
Please also note, the XP vpn capabilities only allow one connection to
the target at a time. If you need simultaneous connections, you'll need
to use some other VPN server.
Or, just put another FSV318 on your side.

R

heycarnut wrote:
> Freewheeling wrote:
>> Hi:
>>
>> I'm attempting to set up a VPN for about 6 remote users connected
>> through a Netgear FVS318.
>
> I'll assume XP throughout.
>
> Do you mean the FVS318 configured as the VPN device, talking to your
> local network using XP vpn server capabilities locally,
> or are you just using the FVS318 as a router/firewall for this
> connection, and using the built-in vpn capabilities of XP as client and
> server on each side?

Well, it may not be the set choice but at the moment I was just going to
tunnel to the router and see if the network server picked up the new
connection. Not that I know what I'm doing, mind you.
>
> The former may not work, the latter certainly will. In any case...
>
I think the company uses the Win2000 server, or maybe Win2003.

> You have setup a target box on the lan for VPN, yes? This will be
> needed, since you're not running another FVS318 or equivalent on your
> end (in that case, they could just 'talk' directly to each other by
> setting up the apporopriate VPN parameters.)
>
> If not, go to network connections on the target, select the 'create a
> new connection' task,
> next;setup advanced...;accept incoming...;allow vpn...;edit users as
> needed;edit networking s/w if needed; finish
>
> You should now have an 'incoming connections' icon in your network
> connections.

If I want to set this up for multiple users I should probably do this on
the server, right?

>
> You'll need to set the router on your end to send vpn traffic to the
> target. Not sure if the g/w system will get in the way, I've never used
> vpn on xp that way - is there a reason you don't just connect the
> router directly to the ISP modem?

I thought it was. On both ends.
>
> Both sides need to be using the same vpn method, e.g., ppp, l2tp...

Alright.

>
> Since manufacturers interpret the VPN specs differently in some cases,
> this may not fly if you're trying to let the FVS318 act as the client,
> ymmv.

There's supposedly a software client for the Netgear stuff. I should
probably try that. Since most of the users' home systems will differ
quite a bit that might be the only way to go. Trouble is, the disk with
the client software seems to have been misplaced. Ugh.

>
> Good luck
> R
>

heycarnut wrote:
> heycarnut wrote:
> <...
> Please also note, the XP vpn capabilities only allow one connection to
> the target at a time. If you need simultaneous connections, you'll need
> to use some other VPN server.
> Or, just put another FSV318 on your side.
>
> R
>
I think the FSV318 can handle up to 8 simultaneous connections, which is
enough for our small staff. On the other side I can't imagine that
they'll need more than 1 connection per employee.

Freewheeling wrote:
> I think the FSV318 can handle up to 8 simultaneous connections, which is
> enough for our small staff. On the other side I can't imagine that
> they'll need more than 1 connection per employee.

I meant that if you use the xp vpn built-in, it will only handle *one*
connection at a time. That means only one vpn user at a time. They
could rig up a system on their end to g/w all of them through one vpn
connection, but frankly, for the ~$100.00 the router costs, you'll save
*alot* of headache and configuration just putting another one on your
end, and get 8 full compatible vpn connections simultaneously between
the nets.

R

heycarnut wrote:
> Freewheeling wrote:
>> I think the FSV318 can handle up to 8 simultaneous connections, which is
>> enough for our small staff. On the other side I can't imagine that
>> they'll need more than 1 connection per employee.
>
> I meant that if you use the xp vpn built-in, it will only handle *one*
> connection at a time. That means only one vpn user at a time. They
> could rig up a system on their end to g/w all of them through one vpn
> connection, but frankly, for the ~$100.00 the router costs, you'll save
> *alot* of headache and configuration just putting another one on your
> end, and get 8 full compatible vpn connections simultaneously between
> the nets.

I must be missing something. Wouldn't that be $800 for 8 additional
routers, or are you talking about something else? Would it be less
expenive to let the users use their own equipment and just spend $50 for
Netgear's client software? I'm strongly leaning in that direction,
leaving Windows VPN stuff out of the picture. People from home would
have access to the shared drives, or they could Remote Desktop directly
to their own boxes at work.

Is there something I missed? Maybe this is silly, for some reason not
obvious to me? Anyway, I guess your observation sort of rules out using
Windowns solutions. Thanks.

>
> R
>

Freewheeling wrote:
>...
I assumed the 8 users were in one remote office, but it appears you
meant they were dispersed. Yes, the cheapest, and likely easiest
solution in that case is to use the netgear vpn client s/w on each of
the remote user machines.

Good luck,

r