Multiple mode-configs on FVS318G

[Medgen]

Hi,

I added two mode-configs on my FVS318G. Both have different names and different subnets they will assign (10.1.0.0/24 and 10.2.0.0/24).

When I create an IKE policy I choose "yes" for "use mode-config record" and select the first mode-config. But if I click to the "view selected" button, I see the config of the second mode-config I have created. If I choose the second mode-config and click to the button, it also shows me the values for the second one.

The problem is, that not only the values for the second mode-config are displayed - they are also used and the clients only get IPs from this range, regardless which mode-config the IKE policy is linked to.

I'm running firmware 3.0.7-34.

I have two same devices and have this problem on both. So I'm wondering if this is a bug or if it's not possible to have multiple mode-configs?

Regards

[jmizoguchi]

if you hard reset the router & manually configure the router when you flash to this firmware version and both does the same then put trouble ticket in with support at my.netgear.com

[Medgen]

Router was already reset. The firware was the one that was shipped with the devices. It already had the newest. So it wasn't updated by me.

Last night I had a 2.5h remote session with a supporter form NetGear, but I'm not sure, if he understand my issue. He always ignored that everything is fine with one mode-config and if you add a second one, all policies use the second mode-config. He always told me, I don't need mode-configs for client-to-site connectsions and tried to create a IKE and VPN policy instead. But he wasn't able to open a tunnel to his setup for the whole time (with Netgear client and Shrew), while my mode-config setup works fine (at least if I have just one). :-(

So maybe somebody with Netgear experiences and who owns a FS318G, too, can shortly reproduce this and tell me if this is an expected behavior or not. Or if there is a different method than http://www.shrew.net/support/wiki/HowtoNetgear to setup a client-to-site configuration.

The way to reproduce:
- Create two mode configs with different IP-ranges (you can leave all other settings on default for this test)
- Click to the "add new IKE policy" button -> "use mode-config": select "yes" -> select the first (!) mode-config entry you've created in the combobox and click to "view selected". -> You see the settings of the second (!) and not of the selected first mode-config!

And the problem is, that it's not just a display error. If I have two mode-configs, there's no change any more to make the box use the first one until you delete the second.

Here some screenshots:
http://img690.imageshack.us/img690/227/modeconfigs.png
http://img705.imageshack.us/img705/5...nchoosedmo.png
http://img31.imageshack.us/img31/596...nchoosedmo.png


Thanks.

[adit]

The router doesn't make the choice of which Mode-Config to use, the VPN policy on the remote does.

Have you tried connecting to both remotely.

[Medgen]

Quote:

Originally Posted by adit

The router doesn't make the choice of which Mode-Config to use, the VPN policy on the remote does.

But why do I have to choose one of the mode configs in the routers policy if the client on the remote site does the choice?

And where in my vpn client (e. g. Shrew) I can set up, which mode-config it should use? And how can I prevent that the user doesn't change this to a differnet mode config and get assigned IPs from other subnets (with other permissions)?

Quote:

Originally Posted by adit

Have you tried connecting to both remotely.

If I have one mode-config, it works fine, and I get an IP from the configured range out of this mode-config. If I add a second mode-config - but in the policy the first is still choosen - then I get an IP assinged out of the pool of the second mode-config.

[jmizoguchi]

Quote:

But why do I have to choose one of the mode configs in the routers policy if the client on the remote site does the choice?

And where in my vpn client (e. g. Shrew) I can set up, which mode-config it should use? And how can I prevent that the user doesn't change this to a differnet mode config and get assigned IPs from other subnets (with other permissions)?

you don't' choose modconfig policy on client at all

under IKE policy on FVS you need to tell which modeconfig to use.
make sure FQDN is setup separate on both IKE policy.

[adit]

Quote:

Originally Posted by Medgen

But why do I have to choose one of the mode configs in the routers policy if the client on the remote site does the choice?

Because you will need 2 IKE policies since you have 2 mode config policies, and you can only assign 1 MC policy to each IKE policy.