Help! Roaming VPN Clients
Newsgroups: comp.dcom.vpn
From: "Max" <anonymous>
Date: Fri, 18 Feb 2005 10:30:01 -0500
Local: Fri, Feb 18 2005 10:30 am
Subject: Help! Roaming VPN Clients
I have a small sales force that roams the country and needs to establish
frequent VPN connections.

My problem is connecting my clients from many unknown WiFi hot spots around
the country.

If I know the IP addresses at both ends I can establish a VPN connection
with our FVS318 using the Prosafe VPN clients. Problem is, my roaming client
IPs are always changing.

So how can I configure my Netgear router end (w/static IP) to accept the
Prosafe clients from any hot spot around the country?

Thanks,

Max


Newsgroups: comp.dcom.vpn
From: "David" <darkjedimas...@gmail.com>
Date: 20 Feb 2005 17:46:10 -0800
Local: Sun, Feb 20 2005 8:46 pm
Subject: Re: Help! Roaming VPN Clients
Max,

This is not a problem at all.  I don't have a Windows client in front
of me at the moment but I can tell you that you can configure an IP
address in the client settings.   On your server simply create a client
connection policy that specifies a single address which may be
accessed.  In the client settings (wish I could be more specific right
now) you can set an optional IP address for the client to use in its
connection.  I do this for my users on wintel platforms.  It works like
a charm and several clients can connect with the same settings
simultaneously (depending on the router you have).  Hope this helps.
You will just have to look around.  Check out the documentation on the
router's reference CD for sample setups.

David


Newsgroups: comp.dcom.vpn
From: "Max" <anonymous>
Date: Mon, 21 Feb 2005 23:15:17 -0500
Local: Mon, Feb 21 2005 11:15 pm
Subject: Re: Help! Roaming VPN Clients

"David" <darkjedimas...@gmail.com> wrote in message:
> accessed.  In the client settings (wish I could be more specific right
> now) you can set an optional IP address for the client to use in its
> connection.  I do this for my users on wintel platforms.  It works like
> a charm and several clients can connect with the same settings
> simultaneously (depending on the router you have).  Hope this helps.
> You will just have to look around.  Check out the documentation on the
> router's reference cd for sample setups.

I think I understand what you're saying. AKA a virtual IP. Right?

Except the ProSafe client (as far as I can tell) doesn't allow for virtual
IP.

IPSec requires that a local IP be specified behind a NAT router. If a
virtual IP *does* work as you say, then I must have purchased the
wrong client for the job. Perhaps I'll try the Greenbow client...

Thanks for your help.

-Max


Newsgroups: comp.dcom.vpn
From: "David" <darkjedimas...@gmail.com>
Date: 22 Feb 2005 06:51:23 -0800
Local: Tues, Feb 22 2005 9:51 am
Subject: Re: Help! Roaming VPN Clients
Max,

I am in front of the client now.  Let me be a bit more specific for
you.

Sample Config on Router:

Connection Name                     MaxClient
Local IPSec Identifier              Firewall
Remote IPSec Identifier             RemotePC
Tunnel can be accessed from         any local address
   Local LAN start IP Address       ...
   Local LAN finish IP Address      ...
   Local LAN IP Subnetmask          ...
Tunnel can access                   10.0.5.2
   Remote LAN start IP Address      ...
   Remote LAN finish IP Address     ...
   Remote LAN IP Subnetmask         ...
Remote WAN IP or FQDN               0.0.0.0
Secure Association
Perfect Forward Secrecy             Enabled
Encryption Protocol                 3DES
Key Group                           Diffie-hellman Group2
PreShared Key                       somethingobscure
Key Life        Seconds             3600
IKE Life Time   Seconds             28800
NETBIOS Enable                      yes

--------------------------------------------------------------------

ProSAFE VPN Client Sample

Connection Security                 Secure
Remote Party ID and Addressing
     ID Type                        IP Subnet
     Subnet                         10.0.1.0
     Mask                           255.255.255.0
     Protocol                       All
     Connect Using                  Secure Gateway
Tunnel
     ID Type                        Any               Gateway IP Address
                                    Any ID            "Routers WAN IP"
My Identity
     Pre-Shared                     somethingobscure (match with router policy)
     ID Type                        Domain Name
                                    MaxClient (match connection name from router policy)
     Virtual Adapter                Disabled
!!!!! Internal Network IP Address   10.0.5.2  !!!!!! This is the field in question!!!!!!!!

Internet Interface
     Name                           Any
     IP Addr                        Any

Security Policy                     Aggressive Mode
     Enable PFS                     Yes
     PFS Key Group                  Diffie-Hellman Group 2
     Enable Replay Detection        Yes

Authentication Phase1 Proposal1
     Authentication Method          Pre-Shared Key
     Encrypt Alg                    Triple DES
     Hash Alg                       MD5
     SA Life                        Unspecified
     Key Group                      Diffie-Hellman Group 2
Key Exchange Phase 2 Proposal 1
     SA Life                        Unspecified
     compression                    none
ESP
     Encrypt Alg                    Triple Des
     Hash Alg                       MD5
     Encapsulation                  Tunnel
Authentication Protocol             no

Option > Global Policy Settings:
Retransmit Interval                           45
Number of retries                             3
Send status notifications to peer hosts       yes
allow to specify Internal Network Address     yes  !!!!!!!!
enable ipsec logging                          yes
smart card removal clears keys                no

These settings are nearly word for word from my working Netgear Prosafe
VPN clients.
Hope this helps you, Max....

David
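
Added example (not part of the original thread, and not Netgear tooling): a Python cross-check of the router policy and client policy listed above, using values transcribed from the post. The dictionary keys and the pairing of fields are this example's assumptions; it also lists the client settings that use legacy algorithms.

```python
import re

# Values transcribed from the router policy and ProSAFE client policy posted above.
ROUTER = {
    "connection_name": "MaxClient", "tunnel_can_access": "10.0.5.2",
    "pfs": "Enabled", "encryption": "3DES",
    "key_group": "Diffie-hellman Group2", "psk": "somethingobscure",
}
CLIENT = {
    "identity": "MaxClient", "internal_ip": "10.0.5.2",
    "pfs": "Yes", "encryption": "Triple DES", "hash": "MD5",
    "key_group": "Diffie-Hellman Group 2", "psk": "somethingobscure",
}

def norm(value):
    """Fold the two UIs' spellings into one token ('Triple DES' -> '3des')."""
    token = re.sub(r"[\s\-]+", "", value.lower())
    return {"tripledes": "3des", "yes": "enabled"}.get(token, token)

# (router field, client field, compare verbatim?); the pairing is this example's assumption.
PAIRS = [
    ("psk", "psk", True),                      # "match with router policy"
    ("connection_name", "identity", True),     # "match connection name from router policy"
    ("tunnel_can_access", "internal_ip", True),
    ("pfs", "pfs", False),
    ("encryption", "encryption", False),
    ("key_group", "key_group", False),
]

def mismatches(router, client):
    """List every paired field whose two sides disagree."""
    found = []
    for r_key, c_key, verbatim in PAIRS:
        a, b = router[r_key], client[c_key]
        same = (a == b) if verbatim else (norm(a) == norm(b))
        if not same:
            found.append(f"router {r_key}={a!r} != client {c_key}={b!r}")
    return found

# 3DES, MD5 and Diffie-Hellman group 2 are legacy choices under current guidance.
LEGACY = {"3des", "md5", "diffiehellmangroup2"}

def legacy_fields(client):
    """Client fields whose value is a legacy algorithm or group."""
    return [k for k in ("encryption", "hash", "key_group") if norm(client[k]) in LEGACY]

if __name__ == "__main__":
    print(mismatches(ROUTER, CLIENT), legacy_fields(CLIENT))
```

Setting `internal_ip` to the laptop's DHCP address instead of the address named in the router policy is reported as a mismatch on `tunnel_can_access`.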


Newsgroups: comp.dcom.vpn
From: "Max" <anonymous>
Date: Tue, 22 Feb 2005 15:08:58 -0500
Local: Tues, Feb 22 2005 3:08 pm
Subject: Re: Help! Roaming VPN Clients
Hi David. I keyed in your example. Here is the log:

 2-22: 14:34:03.578
 2-22: 14:34:03.578 My Connections\FVS318 - Attempting to resolve Hostname (MaxClient)
 2-22: 14:34:05.828 My Connections\FVS318 - Unable to resolve Hostname to address (MaxClient)
 2-22: 14:34:05.828 My Connections\FVS318 - Peer address determination failed.
 2-22: 14:34:05.828 My Connections\FVS318 - Error initiating connection.

I double and triple checked everything you listed....everything is as you
specified (or 99.9% anyway).

However, I am a bit confused with your example. Shouldn't I be using FQDN to
resolve the public IP? Your example had "0.0.0.0" for the WAN IP (just when
I thought I understood what was going on. ;o))

Remember, my remote clients will usually be behind many different NAT
routers that use DHCP. Netgear's Wizard said that I MUST USE the IP address
of the local PC behind the router (e.g.: in my recent test above this
happened to be 192.168.1.4 not "10.0.5.2" as in your example).

Thanks David, I appreciate your time and effort to try and help me. But
either I missed something in the .1% of your example, or I have not done a
good job of explaining my problem.

-Max


Newsgroups: comp.dcom.vpn
From: "Max" <anonymous>
Date: Tue, 22 Feb 2005 15:42:33 -0500
Local: Tues, Feb 22 2005 3:42 pm
Subject: Re: Help! Roaming VPN Clients
Hi David. Sorry, I did make a typo in *my* host IP address. Once I corrected
this, then I did not get the previous error. Now I just keep getting:

 2-22: 15:35:45.127
 2-22: 15:35:45.127 My Connections\FVS318 - Initiating IKE Phase 1 (IP ADDR=63.24.102.7)
 2-22: 15:35:45.331 My Connections\FVS318 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 2-22: 15:35:55.331 My Connections\FVS318 - message not received! Retransmitting!
 2-22: 15:35:55.331 My Connections\FVS318 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 2-22: 15:36:05.331 My Connections\FVS318 - message not received! Retransmitting!
 2-22: 15:36:05.331 My Connections\FVS318 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 2-22: 15:36:15.331 My Connections\FVS318 - message not received! Retransmitting!
 2-22: 15:36:15.331 My Connections\FVS318 - SENDING>>>> ISAKMP OAK AG (Retransmission)

-Max
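
Added example, not part of the original thread: a Python triage of a client log in the format shown in the two posts above, separating a hostname-resolution failure from a Phase 1 exchange that is only ever retransmitted. The sample log is constructed (192.0.2.1 is a documentation address) and the stage names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the format of the client log above.
SAMPLE_LOG = """\
 2-22: 14:34:03.578 My Connections\\FVS318 - Attempting to resolve Hostname (MaxClient)
 2-22: 14:34:05.828 My Connections\\FVS318 - Unable to resolve Hostname to address (MaxClient)
 2-22: 14:34:05.828 My Connections\\FVS318 - Error initiating connection.
 2-22: 15:35:45.127 My Connections\\FVS318 - Initiating IKE Phase 1 (IP ADDR=192.0.2.1)
 2-22: 15:35:45.331 My Connections\\FVS318 - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
 2-22: 15:35:55.331 My Connections\\FVS318 - message not received! Retransmitting!
 2-22: 15:35:55.331 My Connections\\FVS318 - SENDING>>>> ISAKMP OAK AG (Retransmission)
 2-22: 15:36:05.331 My Connections\\FVS318 - message not received! Retransmitting!
 2-22: 15:36:05.331 My Connections\\FVS318 - SENDING>>>> ISAKMP OAK AG (Retransmission)
"""

LINE = re.compile(r"^\s*(\d+-\d+): (\d\d:\d\d:\d\d\.\d{3}) (.+?) - (.+)$")

def parse(log):
    """Yield (time, connection, message); bare timestamp lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m.group(2), "%H:%M:%S.%f"), m.group(3), m.group(4)

def triage(log):
    """Return one finding per failed resolution or Phase 1 attempt."""
    findings, cur, t0 = [], None, None
    for ts, conn, msg in parse(log):
        if msg.startswith("Unable to resolve Hostname"):
            findings.append({"conn": conn, "stage": "name-resolution"})
        elif msg.startswith("Initiating IKE Phase 1"):
            peer = re.search(r"IP ADDR=([\d.]+)", msg)
            cur = {"conn": conn, "stage": "phase1-started",
                   "peer": peer.group(1) if peer else None,
                   "retransmits": 0, "waited_s": 0.0}
            findings.append(cur)
            t0 = None
        elif cur is not None and msg.startswith("SENDING>>>>"):
            t0 = t0 or ts                      # time of the first aggressive-mode packet
            cur["waited_s"] = (ts - t0).total_seconds()
            if "(Retransmission)" in msg:      # the gateway never answered the previous send
                cur["retransmits"] += 1
                cur["stage"] = "phase1-no-reply"
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```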


Newsgroups: comp.dcom.vpn
From: "Max" <anonymous>
Date: Tue, 22 Feb 2005 16:50:20 -0500
Local: Tues, Feb 22 2005 4:50 pm
Subject: Re: Help! Roaming VPN Clients
Hi David...Guess what? It worked!!!!!! Yahoo!!!

I just deleted everything and started over.... I guess I just missed
something somewhere.

Thanks a bunch dude! I owe ya a virtual beer :o)

-Max (a Happy Camper!)


Newsgroups: comp.dcom.vpn
From: "David" <darkjedimas...@gmail.com>
Date: 23 Feb 2005 13:03:41 -0800
Local: Wed, Feb 23 2005 4:03 pm
Subject: Re: Help! Roaming VPN Clients
Max,

Glad to help out.  It took me awhile to get it working myself.
Hopefully it helps someone else too.  I will enjoy my virtual Guinness.

:{)>     David


Newsgroups: comp.dcom.vpn
From: "Iamnotno6" <mark.r.k...@gmail.com>
Date: 11 Mar 2005 07:48:12 -0800
Local: Fri, Mar 11 2005 10:48 am
Subject: Re: Help! Roaming VPN Clients
Maybe you could help me too.

I am trying to establish a VPN tunnel using the Netgear FVS318 and
Netgear VPN Client. It works perfectly if I use dialup or connect my
laptop to my DSL modem (bypassing my NAT router).
If I try to go thru my NAT router, phase 2 of the IKE exchange times out
- no response - I think my NAT router is blocking the response, but I
can't figure out why or how to troubleshoot this.
Can you shed some light?

 mark

