Help! Roaming VPN Clients

comp.dcom.vpn
Posted by Max on February 18, 2005, 10:30 am


I have a small sales force that roams the country and needs to establish
frequent VPN connections.

My problem is connecting my clients from many unknown WiFi hot spots around
the country.

If I know the IP addresses at both ends I can establish a VPN connection
with our FVS318 using the Prosafe VPN clients. Problem is, my roaming client
IPs are always changing.

So how can I configure my netgear router end (w/static IP) to accept the
Prosafe clients from any hot spot around the country?

Thanks,

Max




Posted by David on February 20, 2005, 5:46 pm


Max,

This is not a problem at all. I don't have a windows client in front
of me at the moment but I can tell you that you can configure an ip
address in the client settings. On your server simply create a client
connection policy that specifies a single address which may be
accessed. In the client settings (wish I could be more specific right
now) you can set an optional IP address for the client to use in its
connection. I do this for my users on wintel platforms. It works like
a charm and several clients can connect with the same settings
simultaneously (depending on the router you have). Hope this helps.
You will just have to look around. Check out the documentation on the
router's reference cd for sample setups.

David



Posted by Max on February 21, 2005, 11:15 pm



> accessed. In the client settings (wish I could be more specific right
> now) you can set an optional IP address for the client to use in its
> connection. I do this for my users on wintel platforms. It works like
> a charm and several clients can connect with the same settings
> simultaneously (depending on the router you have). Hope this helps.
> You will just have to look around. Check out the documentation on the
> router's reference cd for sample setups.

I think I understand what you're saying. AKA a virtual IP. Right?

Except the ProSafe client (as far as I can tell) doesn't allow for virtual
IP.

IPSec requires that a local IP be specified behind a NAT router. If a
virtual IP *does* work as you say, then I must have purchased the
wrong client for the job. Perhaps I'll try the Greenbow client...

Thanks for your help.

-Max







Posted by David on February 22, 2005, 6:51 am


Max,

I am in front of the client now. Let me be a bit more specific for
you.

Sample Config on Router:

Connection Name          MaxClient
Local IPSec Identifier          Firewall
Remote IPSec Identifier          RemotePC
Tunnel can be accessed from          any local address
Local LAN start IP Address         ...
Local LAN finish IP Address         ...
Local LAN IP Subnetmask         ...
Tunnel can access          10.0.5.2
Remote LAN start IP Address         ...
Remote LAN finish IP Address ...
Remote LAN IP Subnetmask         ...
Remote WAN IP or FQDN          0.0.0.0
Secure Association
Perfect Forward Secrecy          Enabled
Encryption Protocol          3DES
Key Group          Diffie-hellman Group2
PreShared Key          somethingobscure
Key Life         Seconds 3600
IKE Life Time         Seconds 28800
NETBIOS Enable yes

--------------------------------------------------------------------

ProSAFE VPN Client Sample

Connection Security Secure
Remote Party ID and Addressing
ID Type IP Subnet
Subnet 10.0.1.0
Mask 255.255.255.0
Protocol All
Connect Using Secure Gateway
Tunnel
ID Type Any Gateway
IP Address
Any ID
"Routers WAN IP"
My Identity
Pre-Shared somethingobscure (match with router policy)
ID Type Domain Name
MaxClient (match connection name from router policy)
Virtual Adapter Disabled
!!!!! Internal Network IP Address 10.0.5.2 !!!!!! This is the field in question!!!!!!!!

Internet Interface
Name Any
IP Addr Any

Security Policy Aggressive Mode
Enable PFS Yes
PFS Key Group Diffie-Hellman Group 2
Enable Replay Detection Yes

Authentication Phase1 Proposal1
Authentication Method Pre-Shared Key
Encrypt Alg Triple DES
Hash Alg MD5
SA Life Unspecified
Key Group Diffie-Hellman Group 2
Key Exchange Phase 2 Proposal 1
SA Life Unspecified
compression none
ESP
Encrypt Alg Triple Des
Hash Alg MD5
Encapsulation Tunnel
Authentication Protocol no

Option > Global Policy Settings:
Retransmit Interval 45
Number of retries 3
Send status notifications to peer hosts yes
allow to specify Internal Network Address yes
!!!!!!!!
enable ipsec logging yes
smart card removal clears keys no

These settings are nearly word for word from my working Netgear Prosafe
VPN clients
Hope this helps you, Max....

David
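
An added example, not part of David's post and not Netgear tooling: a small Python check that reads the crypto-related fields of the policy posted above and reports which ones fall short of current IPsec guidance. The field labels are copied from the post; the function names and finding names are this example's own, and the sample text is constructed from the two listings.

```python
import re

# Constructed input: security-relevant lines copied from the two listings above.
POSTED_POLICY = """\
Remote WAN IP or FQDN 0.0.0.0
Security Policy Aggressive Mode
PFS Key Group Diffie-Hellman Group 2
Authentication Method Pre-Shared Key
Encrypt Alg Triple DES
Hash Alg MD5
Key Group Diffie-Hellman Group 2
"""

# Field labels as they appear in the post; the finding names below are this example's own.
LABELS = ["Remote WAN IP or FQDN", "Security Policy", "PFS Key Group",
          "Authentication Method", "Encrypt Alg", "Hash Alg", "Key Group"]

def parse_policy(text):
    """Turn flattened 'Label value' lines into {label: [values]}; unknown lines are skipped."""
    fields = {}
    for line in (l.strip() for l in text.splitlines()):
        for label in LABELS:
            if line.lower().startswith(label.lower() + " "):
                fields.setdefault(label, []).append(line[len(label):].strip())
                break
    return fields

def audit(fields):
    """Return {finding: reason} for settings weaker than current IPsec guidance."""
    def has(label, pattern):
        return any(re.search(pattern, v, re.I) for v in fields.get(label, []))
    out = {}
    if has("Encrypt Alg", r"\b(3|triple)[\s-]*des\b|^des$"):
        out["legacy-cipher"] = "DES/3DES use a 64-bit block; prefer AES"
    if has("Hash Alg", r"\bmd5\b"):
        out["legacy-hash"] = "MD5 is deprecated; prefer SHA-2"
    groups = fields.get("Key Group", []) + fields.get("PFS Key Group", [])
    nums = [int(m.group(1)) for g in groups if (m := re.search(r"group\s*(\d+)", g, re.I))]
    if any(n in (1, 2) for n in nums):
        out["small-dh-group"] = "groups 1 and 2 are 768/1024-bit MODP; prefer 14 or higher"
    psk = has("Authentication Method", r"pre-?shared")
    if psk and has("Security Policy", r"aggressive"):
        out["aggressive-psk"] = "aggressive mode exposes a PSK-derived hash to offline guessing"
    if psk and has("Remote WAN IP or FQDN", r"^0\.0\.0\.0$"):
        out["any-peer-psk"] = "every roaming client shares the one key; keep it long and random"
    return out

if __name__ == "__main__":
    for name, reason in audit(parse_policy(POSTED_POLICY)).items():
        print(f"{name}: {reason}")
```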



Posted by Max on February 22, 2005, 3:08 pm


Hi David. I keyed in your example. Here is the log:

2-22: 14:34:03.578
2-22: 14:34:03.578 My Connections\FVS318 - Attempting to resolve Hostname (MaxClient)
2-22: 14:34:05.828 My Connections\FVS318 - Unable to resolve Hostname to address (MaxClient)
2-22: 14:34:05.828 My Connections\FVS318 - Peer address determination failed.
2-22: 14:34:05.828 My Connections\FVS318 - Error initiating connection.

I double and triple checked everything you listed....everything is as you
specified (or 99.9% anyway).

However, I am a bit confused with your example. Shouldn't I be using FQDN to
resolve the public IP? Your example had "0.0.0.0" for the WAN IP (just when
I thought I understood what was going on. ;o))

Remember, my remote clients will usually be behind many different NAT
routers that use DHCP. Netgear's Wizard said that I MUST USE the IP address
of the local PC behind the router (e.g.: in my recent test above this
happened to be 192.168.1.4 not "10.0.5.2" as in your example).

Thanks David, I appreciate your time and effort to try and help me. But
either I missed something in the .1% of your example, or I have not done a
good job of explaining my problem.

-Max




