Forum Discussion
mvaar, Sep 11, 2015, Aspirant
FVS336Gv2 full tunnel no internet
I have upgraded the firmware to the latest (4.3.3-5) and I am using the latest VPN Client Lite, version 6.x, running on Windows 10 Pro 64-bit. I set up the gateway as enumerated in the manual and I can co...
mvaar, Sep 14, 2015, Aspirant
I followed the instructions in this manual: http://www.downloads.netgear.com/files/GDC/VPNG01L/VPNClient_UM_27May2015.pdf
Remember, I have an FVS336Gv2 with firmware 4.3.3-5, not an FVS318.
Yes, it is a client to gateway VPN.
I followed the gateway setup exactly as described in Appendix A, manually configuring a gateway, with the addition of (edge) XAUTH.
I assigned a client IP address of 192.168.7.10 while connecting (tunneling) to the remote subnet 192.168.120.0/255.255.255.0. The endpoint is 192.168.120.1. It is one of the VLANs I set up on the router.
On the router, all outbound traffic is allowed, so I saw no reason to add any firewall rule (some have indicated elsewhere that to make a full tunnel possible you need to add firewall rules or even routes). I am a little hazy on these concepts, though, I admit.
So with split tunneling, everything works. I can see the remote subnet and I can ping the internet; all traffic except that for 192.168.120.0 goes out through my local gateway, 192.168.70.1.
With a full tunnel, I can see everything in 192.168.120.0 as expected, but I cannot even ping IP addresses on the internet.
mvaar, Sep 14, 2015, Aspirant
Also, I see this line in the VPN log:
[FVS336Gv2] [IKE] INFO: No policy found, generating the policy : 192.168.7.10/32[0] 192.168.120.0/24[0] proto=any dir=in
I do have a VPN policy, but it is declared for an FQDN and not for the IP address 192.168.7.10. Could this be causing the problem?
DaneA, Sep 15, 2015, NETGEAR Employee Retired
Hi mvaar,
Have you tried using Mode Config? If yes, does the same problem occur? If not yet, kindly check the link below as a reference guide on how to create a Mode Config record, then check whether the same problem occurs:
Regards,
DaneA
Netgear Community Team
mvaar, Sep 15, 2015, Aspirant
Yes, I also tried using Mode Config. Same result, with the difference that my (local) virtual IP comes from the pool defined in the Mode Config record. I still get the INFO message that the policy doesn't exist and that it creates one on the fly. It seems that the policy only has parameters for "in" and not "out", according to that log message.
Also, it recognizes that the client is behind NAT but treats the peer as my <client public IP>. Is that OK? In other words, are the tunnel endpoints as expected?
I do not like the idea of an SSL VPN exposing my full network. An SSL VPN is only protected by one user/password combination from the whole internet. I think it is good in certain scenarios, and if I can configure access at a fine-grained level inside my private network.
Thanks for responding to my posts.
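As an added illustration, not code from this thread or from NETGEAR: a small Python model of IPsec SPD (security policy database) selector matching. It parses the "No policy found, generating the policy" line quoted two posts up and shows why a gateway whose only traffic selectors cover 192.168.120.0/24 accepts split-tunnel traffic but has nothing to match a full-tunnel packet bound for the internet, and why the reply direction and WAN-side source NAT matter as well. The mirrored outbound entry (the log line shows only dir=in, but the working LAN reply path implies the gateway also holds the reverse selector), the 0.0.0.0/0 full-tunnel pair, the SNAT flag and the sample destinations are assumptions of the model, not FVS336Gv2 configuration or firmware behaviour.

```python
"""Illustrative model of IPsec SPD selector matching for split vs. full tunnel.
Added example; this is not FVS336Gv2 code and makes no claim about its internals."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Format of the IKE log line quoted in the thread (racoon-style):
#   No policy found, generating the policy : 192.168.7.10/32[0] 192.168.120.0/24[0] proto=any dir=in
POLICY_RE = re.compile(
    r"generating the policy\s*:\s*"
    r"(?P<src>[\d.]+/\d+)\[\d+\]\s+(?P<dst>[\d.]+/\d+)\[\d+\]\s+"
    r"proto=\S+\s+dir=(?P<dir>in|out)"
)

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in": packet arriving out of the tunnel; "out": packet to be sent into it

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (self.direction == direction
                and ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)


def mirror(p: Policy) -> Policy:
    """Reverse selector for the other direction (assumed to exist alongside the logged one)."""
    return Policy(p.dst, p.src, "out" if p.direction == "in" else "in")


def parse_generated_policy(line: str) -> Optional[Policy]:
    """Turn the 'generating the policy' log line into a Policy; None if the line is something else."""
    m = POLICY_RE.search(line)
    if m is None:
        return None
    return Policy(ipaddress.IPv4Network(m["src"]), ipaddress.IPv4Network(m["dst"]), m["dir"])


def lookup(spd: List[Policy], src_ip: str, dst_ip: str, direction: str) -> Optional[Policy]:
    """First-match lookup; an SPD is an ordered list, so order matters for overlapping selectors."""
    for p in spd:
        if p.matches(src_ip, dst_ip, direction):
            return p
    return None


def full_tunnel_problems(spd: List[Policy], client_ip: str, dst_ip: str, snat_to_wan: bool) -> List[str]:
    """List what is missing on the gateway for client_ip -> dst_ip to work through the tunnel, round trip."""
    problems = []
    # 1. The decapsulated packet (client -> destination) must match an inbound selector or it is dropped.
    if lookup(spd, client_ip, dst_ip, "in") is None:
        problems.append(f"no inbound policy covers {client_ip} -> {dst_ip}")
    # 2. The reply (destination -> client) must match an outbound selector to be sent back into the tunnel.
    if lookup(spd, dst_ip, client_ip, "out") is None:
        problems.append(f"no outbound policy covers {dst_ip} -> {client_ip}")
    # 3. An RFC 1918 client address is not routable on the internet; the gateway must SNAT it on the WAN.
    if (ipaddress.IPv4Address(client_ip).is_private
            and not ipaddress.IPv4Address(dst_ip).is_private
            and not snat_to_wan):
        problems.append(f"{client_ip} is RFC 1918; gateway must SNAT tunnel traffic to its WAN address")
    return problems


# Constructed sample input: the exact log line from the thread.
LOG_LINE = ("[FVS336Gv2] [IKE] INFO: No policy found, generating the policy : "
            "192.168.7.10/32[0] 192.168.120.0/24[0] proto=any dir=in")
GENERATED = parse_generated_policy(LOG_LINE)
assert GENERATED is not None
# Assumed gateway state after that log line: the logged selector plus its reverse.
GENERATED_SPD = [GENERATED, mirror(GENERATED)]
# Assumed selector pair a full tunnel needs on the gateway side (client <-> anywhere).
CLIENT = ipaddress.IPv4Network("192.168.7.10/32")
FULL_TUNNEL_SPD = [Policy(CLIENT, ANY, "in"), Policy(ANY, CLIENT, "out")]

if __name__ == "__main__":
    print("parsed policy:", GENERATED)
    for name, spd, snat in (("generated selectors", GENERATED_SPD, False),
                            ("full-tunnel selectors + SNAT", FULL_TUNNEL_SPD, True)):
        print(f"{name}, LAN host 192.168.120.5:",
              full_tunnel_problems(spd, "192.168.7.10", "192.168.120.5", snat) or "ok")
        print(f"{name}, internet host 8.8.8.8:",
              full_tunnel_problems(spd, "192.168.7.10", "8.8.8.8", snat) or "ok")
```

Run it directly to see the two cases side by side: with only the logged selectors, a packet to a 192.168.120.0/24 host passes both lookups (the split-tunnel case that works), while a packet to 8.8.8.8 fails the inbound lookup, the reply fails the outbound lookup, and the private client address would still need WAN-side NAT. Whether the FVS336Gv2 installs the 0.0.0.0/0 selectors and the NAT entry by itself when the client selects full tunnel is exactly the open question in this thread; the model only states what has to be present for the round trip to succeed.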
DaneA, Sep 17, 2015, NETGEAR Employee Retired
Hi mvaar,
Kindly check the forum thread below; it seems similar to your concern and might help you as well:
https://community.netgear.com/t5/VPN-Firewalls/FVS318N-to-Netgear-PRO-Safe-Client-IPSEC/td-p/501726
Regards,
DaneA
NETGEAR Community Team