Netgear vpn error validating proxy ids
The other option I was wondering about is maybe it was a security setting on the domain that wouldn't allow the PCs to finish phase 2. I will probably join the domain and then see if the same thing happens to the laptop.
If it does, then I know it is definitely in the domain settings being applied to the pc.
The FVS328 can run 60 VPN tunnels simultaneously, and if you have an FVS318 in each location you can establish tunnels with the hardware rather than use remote client software.
I find remote clients good for laptops on the go, but for small offices I prefer established hardware tunnels.
If you have the firewall disabled, there is no need to check further or in group policy, as it would allow all connections by default. The errors in the logs you mentioned earlier; I assume that was on the client machine? If so, no, just on the computers to which you are connecting. --Rob

PS: no other VPN clients installed on the problematic PCs, is there?

Here is the log at the main location:

[2007-03-16 ][==== IKE PHASE 1(from 74.1) START (responder) ====]
[2007-03-16 ]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2007-03-16 ] PAYLOADS: HASH, NOTIFY, NOTIFY
[2007-03-16 ]**** AGGR MODE COMPLETED ****
[2007-03-16 ][==== IKE PHASE 1 ESTABLISHED====]
[2007-03-16 ][==== IKE PHASE 2(from 74.1) START (responder) ====]
[2007-03-16 ]**** RECEIVED FIRST MESSAGE OF QUICK MODE ****
[2007-03-16 ]**** FOUND IDs, EXTRACE ID INFO ****
[2007-03-16 ] PAYLOADS: HASH
[2007-03-16 ]**** QUICK MODE COMPLETED ****
[2007-03-16 ][==== IKE PHASE 2 ESTABLISHED====]
[2007-03-16 ]DISCARDING RETRANSMITTED PACKET...

Not sure if this has anything to do with the licenses.

Under my connections, is there more than 1 (ignore one called "other connections" if present)? What I'm referring to is actually under the VPN status, and then a button on the log page called again VPN Status, which opens up IPSEC Connection status.

FYI, we finally decided to go with the WatchGuard Core 750E with a WatchGuard WG50750 on the other end. I will award if there are no objections from the moderator.
If so, checking the FVS328's own VPN logs, while you try to connect, might be more informative. -there should be a service called "xxxxxx IKE service" in the services management console, of the client PC. I can see the other location connecting and transmitting. This lists 5 connections all using the same policy. The reason being that they will open up at least two other offices in the next 3 to 6 months. Sorry mdpsolutions, wasn't asking for points, just commenting it was a good decision, and we should have considered it initially.
If so you still see the options chosen, but cannot change them.
Should you need to change you would need to do so in GP.
I know WatchGuard tracks outgoing connections and once you reach the limit no new PC can connect to the Internet. Conceivably there could be a policy in place blocking your subnet, but it couldn't stop the phase 2 connection. The Windows firewalls do other have the ability to allow connections from only the LAN, defined subnets, or all traffic.
Here is the setup: I have a Netgear FVS328 in the main office.
I have had VPN capability set up with that office for quite some time from multiple computers using Netgear's ProSafe VPN client software. I had to take 4 of the PCs to the new location, but still have them able to log onto the domain in order to access documents on the server, which is located in the main office. When I take them to the new site, install the client software, and try to connect, it says successfully connected. (All 4 PCs are the same.) The odd thing is if I plug my laptop into the same port, I connect fine and ping fine. So I believe that it is in the computers, and I am leaning in a direction but do not want to sway thought. I do get one error in the log when I log into the "PC" and not the domain.
If not familiar with the process, right click on the ProSafe icon and choose "security policy editor". You can export the existing one first if you want to back it up.

Old site: 172.16.3.0
New site: 192.168.5.0

Exported the known working policy from my laptop (which will connect via the same exact wall jack) to all PCs. Belonging or not belonging to the domain shouldn't make a difference except for possible name resolution issues, which is why I had asked about pinging by IP.
Already made sure that it is selecting the internal network card on each PC. No other computers that are not registered to the domain have the problem in 4 other locations. MDP Bizarre :-) I assume the reason you can connect and not ping is that it looks like the phase 2 handshaking is not completing. Does the FVS328 have any way of checking if you have enough user licenses for the clients?
i.e. could both sites be using something like 192.168.0.x? Also, if the old site uses the same subnet and is still connected it won't work, as the Netgear will not know to which site to send the reply. Did you manually create the policy on the 4 new PCs? Have you tried exporting the policy from the working laptop and importing it to the new PCs?
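As an added illustration (not code from this thread, from Netgear or from the ProSafe client), here is the proxy-ID check behind the title's error and the subnet question above, in Python: IKE phase 2 only completes when each end's local/remote networks are the mirror image of the other's, and two tunnel policies with overlapping remote subnets leave the gateway unable to pick a tunnel for the reply. The policy values and names are constructed for the example.

```python
from ipaddress import ip_network

# Constructed gateway-side policies, modelled on the thread's two sites.
# A policy's "remote" is the subnet behind the far end of the tunnel.
FVS328_POLICIES = {
    "old_site": {"local": "10.0.0.0/24", "remote": "172.16.3.0/24"},
    "new_site": {"local": "10.0.0.0/24", "remote": "192.168.5.0/24"},
}

# Constructed client-side policy for a PC sitting on the new site's LAN.
CLIENT_POLICY = {"local": "192.168.5.0/24", "remote": "10.0.0.0/24"}


def proxy_ids_match(gateway_policy, client_policy):
    """True when the client's proxy IDs mirror the gateway's exactly."""
    gw_local = ip_network(gateway_policy["local"])
    gw_remote = ip_network(gateway_policy["remote"])
    cl_local = ip_network(client_policy["local"])
    cl_remote = ip_network(client_policy["remote"])
    return gw_local == cl_remote and gw_remote == cl_local


def find_matching_policy(gateway_policies, client_policy):
    """Name of the gateway policy whose proxy IDs mirror the client's, else None.

    None is the situation the thread's title describes: phase 1 can still
    succeed, but phase 2 has no policy whose IDs validate."""
    for name, policy in gateway_policies.items():
        if proxy_ids_match(policy, client_policy):
            return name
    return None


def overlapping_remote_sites(gateway_policies):
    """Pairs of policy names whose remote subnets overlap.

    Any hit means the gateway cannot decide which tunnel a reply belongs to,
    which matches the 'both sites using 192.168.0.x' failure mode above."""
    names = list(gateway_policies)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a = ip_network(gateway_policies[a]["remote"])
            net_b = ip_network(gateway_policies[b]["remote"])
            if net_a.overlaps(net_b):
                found.append((a, b))
    return found


if __name__ == "__main__":
    print("matching policy:", find_matching_policy(FVS328_POLICIES, CLIENT_POLICY))
    print("overlapping remotes:", overlapping_remote_sites(FVS328_POLICIES))
```

A PC that was moved with the old-site policy still loaded (local 172.16.3.0/24) would return None from find_matching_policy, which is the first thing to rule out before looking at domain policy or licences.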