Peter,
If you are using non-routable addresses, i.e. in the range of 192.168.x.x or
10.x.x.x you may not be able to set up the VPN in the manner that you are
attempting.  At least one of the endpoints will need a routable internet
address.  The other client should then be able to initiate the connection
if all other intermediary devices are configured correctly to allow the
traffic.
Here's a quick example:
PC with non-routable IP address like 192.168.0.50
to
Router with valid routable IP address
to
Router with valid routable IP address
to
Server with non-routable IP address like 192.168.10.25
The routers on your network perimeter and on the internet will not be able
to handle traffic directly from or to the non-routable addresses; they will
use NAT to communicate.  The problem then becomes, how does the router on
the destination end determine which machine receives incoming traffic?  You
need address redirection, usually only provided on firewalls and higher-end
routers.
Hope that makes some sense and possibly helps,
Keith Blazek
Information Systems Coordinator
PH: 305-623-8700 ext 308
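The following is an added example, not part of the original message: a small Python model of the four-hop path described above, showing why an unsolicited inbound packet is dropped at the destination router until an address-redirection (port-forward) rule names the internal host. The public addresses (documentation ranges), the class and function names, and the use of UDP 500 (IKE) as the sample traffic are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for the private (non-routable) ranges mentioned in the message."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

class NatRouter:
    """Simplified NAT: one public address in front of a private LAN."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.forwards = {}  # (proto, public_port) -> (lan_ip, lan_port)
        self.sessions = {}  # (proto, port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def add_forward(self, proto, public_port, lan_ip, lan_port):
        """Address redirection: pin a public port to one internal host."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """LAN host initiates: rewrite the source and remember the session."""
        self.sessions[(proto, src_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, src_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Packet hits the public address: which LAN host receives it?"""
        hit = self.sessions.get((proto, dst_port, src_ip, src_port))
        return hit or self.forwards.get((proto, dst_port))  # None means dropped

def demo():
    pc, server = "192.168.0.50", "192.168.10.25"   # addresses from the message
    pc_router = NatRouter("203.0.113.10")          # constructed public address
    srv_router = NatRouter("198.51.100.20")        # constructed public address
    out = {"private": [is_rfc1918(pc), is_rfc1918(server),
                       is_rfc1918(srv_router.public_ip)]}
    # The PC can only target the far router's public address, never 192.168.10.25.
    pkt = pc_router.outbound("udp", pc, 500, srv_router.public_ip, 500)
    out["no_rule"] = srv_router.inbound("udp", pkt[0], pkt[1], pkt[3])
    srv_router.add_forward("udp", 500, server, 500)
    out["with_rule"] = srv_router.inbound("udp", pkt[0], pkt[1], pkt[3])
    # The reply needs no rule on the PC side: session state maps it back.
    out["reply"] = pc_router.inbound("udp", srv_router.public_ip, 500, pkt[1])
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
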
                                                                           
From: "Peter Dow" <maillist@dowsoftware.com>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
Date: 09/29/2003 10:26 AM
Please respond to: Midrange Systems Technical Discussion <midrange-l@midrange.com>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Netgear FVS318 VPN connection
                                                                           
                                                                           
Hi Vern,
What you say makes sense, except that as I noted, my W2K PC does not have an
internet IP address, only an internal LAN address.  Given that the source &
destination IP addresses also are internal LAN addresses, how does it ever
get to the LinkSys?  If you're correct, then if I change the tunnel endpoint
to be my W2K PC's internal (private) LAN IP address, I'd have to change the
source & destination IP addresses to the LinkSys's external (public)
internet IP address, right?
Peter Dow
Dow Software Services, Inc.
909 793-9050 voice
909 793-4480 fax
909 522-3214 cell
----- Original Message -----
From: "Vern Hamberg" <vhamberg@xxxxxxxxxxxxxxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Monday, September 29, 2003 9:18 AM
Subject: Re: Netgear FVS318 VPN connection
> Hi Peter
>
> The endpoints are the NetGear router and your W2K machine, which does have
> an IP address, perhaps assigned by your LinkSys router. Run the ipconfig
> command from your command prompt to see it. If it's dynamically assigned,
> you will probably need to change it to a static address in your internal
> network, because the IP security policy setup cannot use something like
> "This IP address" - needs to be static. I think this is because W2K wants
> to be the control point (or whatever) for the rest of your network. I hope
> someone else can say more or correctly, but this is what I've observed,
> without formal training.
>
> Good luck
>
> Vern
>
> At 09:02 AM 9/29/2003 -0700, you wrote:
> >Hi Vern,
> >
> >Thanks! The network guy on the other end has checked the router's log and
> >there's nothing.  He also has it configured to allow ping, at least until we
> >get this working.  Netgear has very detailed instructions with screen shots
> >and everything, which is where the terminology problems come into play. The
> >path goes something like this:
> >
> >  W2K PC
> >  LinkSys
> >  Internet
> >  Cisco router
> >  Netgear
> >  iSeries
> >
> >The IP Security policy configuration talks about the source and destination,
> >and tunnelling endpoints.  The source and destination appear to be internal
> >LAN IP addresses, and the tunnelling endpoints are internet IP addresses.
> >Which I guess makes sense -- the VPN tunnel ends at the Netgear on one end,
> >and the LinkSys on the other end.  Although actually, I think it ends with
> >the W2K PC on my end, but that doesn't have an internet IP address.
> >
> >As you say, frustrating.  I think I'll go look for the SSH Sentinel
> >software.  I take it it uses IPsec?
> >
> >Peter Dow
> >Dow Software Services, Inc.
> >909 793-9050 voice
> >909 793-4480 fax
> >909 522-3214 cell
> >
> >----- Original Message -----
> >From: "Vern Hamberg"
> > > I don't know NetGear - we use a LinkSys VPN router. Usually there's a log
> > > on the router, probably accessible through a browser.
> > >
> > > Setting up a W2K or XP IP Security policy is one of the worst, most
> > > frustrating exercises I know of. If you don't click on all the right
> > > circles and squares and other arcane weirdness, nothing works. You might
> > > also go to LinkSys' site and find the downloads for their VPN router - that
> > > manual has an extensive section on setting this up. When I follow every
> > > step very carefully, sometimes it works.  :-(
> > >
> > > But when I have set one up, getting the 'Negotiating...' statuses is normal
> > > for the first attempt--it's how I establish the connection--then the next
> > > attempts at connecting (FTP, NetServer, etc.) should work without comment.
> > > Try a telnet in a command prompt after your ping. Also, see if the router
> > > is set up not to respond to ping. This will not stop the VPN connection but
> > > may confuse you when you get no other response.
> > >
> > > If that does not work, you maybe should review your policy setup, maybe
> > > remove the one you have and start over. But check the log on the router, if
> > > you can.
> > >
> > > I much prefer a separate client - I use SSH Sentinel - don't know if you
> > > can find a freely-usable copy anymore - it is quite stable and easy to set
> > > up.
>
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>
>