Hi Keith,

Thanks for the comments. What I have is what you described. Both routers perform NAT; the NetGear is the VPN server as well, and the LinkSys will pass IPsec traffic.

I guess the big question is how to translate all this into an IP Security Policy for Win2K. At first glance, one would think that the routers are the tunnel endpoints, but the LinkSys isn't a VPN router, although it will pass through the VPN traffic. So it sounds like the W2K PC should be the tunnel endpoint, but it doesn't have a routable address.

Can you explain how the security policy's source, destination, and tunnel endpoints figure into your diagram?

Peter Dow
Dow Software Services, Inc.
909 793-9050 voice
909 793-4480 fax
909 522-3214 cell

<Keith>
> If you are using non-routable addresses, i.e. in the range of 192.168.x.x or
> 10.x.x.x, you may not be able to set up the VPN in the manner that you are
> attempting. At least one of the endpoints will need a routable internet
> address. The other client should then be able to initiate the connection
> if all other intermediary devices are configured correctly to allow the
> traffic.
>
> Here's a quick example:
>
> PC with non-routable IP address like 192.168.0.50
> to
> Router with valid routable IP address
> to
> Router with valid routable IP address
> to
> Server with non-routable IP address like 192.168.10.25
>
> The routers on your network perimeter and on the internet will not be able
> to handle traffic directly from or to the non-routable addresses; they will
> use NAT to communicate. The problem then becomes, how does the router on
> the destination end determine which machine receives incoming traffic? You
> need address redirection, usually only provided on firewalls and higher end
> routers.
</Keith>
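Added example (not part of the original message or thread): a small Python model of the four-hop path Keith sketches, working out which side has an address the other side can target and therefore which side has to initiate. The router outside addresses are constructed documentation addresses, the `Site` fields and function names are hypothetical, and the third private range (172.16.0.0/12) goes beyond the two ranges named in the message.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: the two named in the thread plus 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def routable(addr: str) -> bool:
    """True if addr is outside the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

@dataclass
class Site:                       # hypothetical model of one end of the path
    host: str                     # machine whose traffic is to be protected
    router_wan: str               # perimeter router's outside address
    router_is_vpn: bool           # router terminates the tunnel itself
    redirects_to_host: bool       # router redirects inbound VPN traffic to host
    passes_vpn_out: bool = True   # router lets outbound VPN traffic through NAT

def reachable_endpoint(site: Site):
    """Address a remote peer can target to open a tunnel into site, or None."""
    if routable(site.host):
        return site.host
    if routable(site.router_wan) and (site.router_is_vpn or site.redirects_to_host):
        return site.router_wan
    return None

def initiation_plan(a: Site, b: Site) -> dict:
    """For each direction, the address the initiator must target, or None."""
    def direction(src: Site, dst: Site):
        can_leave = routable(src.host) or src.passes_vpn_out
        return reachable_endpoint(dst) if can_leave else None
    return {"a_to_b": direction(a, b), "b_to_a": direction(b, a)}

# Constructed sample: PC behind a pass-through NAT router, server behind a
# NAT router that is also the VPN server (outside addresses are made up).
pc_site = Site("192.168.0.50", "203.0.113.10",
               router_is_vpn=False, redirects_to_host=False)
server_site = Site("192.168.10.25", "198.51.100.20",
                   router_is_vpn=True, redirects_to_host=False)

if __name__ == "__main__":
    print(initiation_plan(pc_site, server_site))
```

In this model only the PC side can initiate, and the address it targets is the outside address of the router that terminates the VPN; the reverse direction has nothing routable to aim at unless the PC-side router redirects inbound traffic.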
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.