Netgear FVS318 and Netgear (ProSafe) VPN Client problem through firewalls

AGGGHGGHGHGH!!!!!

I have a number of Netgear FVS318 units located at multiple sites, and am attempting to use the Netgear VPN clients to connect to these units.

VPN Client is the Netgear SafeNet SoftRemote 10.1.1 Build 10

PROBLEM

If the end user (VPN Client) connects directly to the internet -- not through a firewall of any sort, such as when using dialup or directly connecting to a cable or DSL modem, etc., the VPN connection works fine.

But if you try to connect through any sort of firewall, the connection fails. Log viewer errors below:

LOG FROM THE VPN CLIENT

(I have masked the Destination IP address in the following log)

7-15: 08:18:39.473 My Connections\\VPNClient - RECEIVED>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
7-15: 08:18:39.743 My Connections\\VPNClient - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
7-15: 08:18:50.709 My Connections\\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 1
7-15: 08:18:50.709 My Connections\\VPNClient - SENDING>>>> ISAKMP OAK QM *(Retransmission)
7-15: 08:19:00.713 My Connections\\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 2
7-15: 08:19:00.713 My Connections\\VPNClient - SENDING>>>> ISAKMP OAK QM *(Retransmission)
7-15: 08:19:11.709 My Connections\\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 3
7-15: 08:19:11.709 My Connections\\VPNClient - SENDING>>>> ISAKMP OAK QM *(Retransmission)
7-15: 08:19:21.714 My Connections\\VPNClient - Exceeded 3 re-keying attempts (message id: 3AFFEB9C)
7-15: 08:19:21.714 My Connections\\VPNClient - Disconnecting IKE SA negotiation
7-15: 08:19:21.724 My Connections\\VPNClient - Deleting IKE SA (IP ADDR=12.169.111.11)
7-15: 08:19:21.724 MY COOKIE 87 59 9 ee c4 4d 4e 44
7-15: 08:19:21.724 HIS COOKIE 24 45 32 47 d3 38 dd dc
7-15: 08:19:21.724 My Connections\\VPNClient - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)

LOGS FROM THE NETGEAR

Thur, 07/15/2004 08:16:54 - FVS318 IPsec:New State index:1, sno:57
Thur, 07/15/2004 08:16:54 - FVS318 IKE:[VPNClient_tmp21] RX > MM_R3 : 67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:inserting event EVENT_SA_EXPIRE, timeout in 28980 seconds for #1
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:Receive Packet address:0x1397478 from 67.168.11.111
Thur, 07/15/2004 08:21:28 - FVS318 IPsec:New State index:1, sno:2
Thur, 07/15/2004 08:21:28 - FVS318 IKE:[VPNClient] RX
Dominic

  1. Netgear support clueless? You mean you actually got a response from Netgear????????
  2. What firmware are you using on the routers? There is a beta version (2.4a IIRC) available which cures many ills. A bug in it completely fubars remote LAN ranges if you aren't careful.
  3. Logs suggest that traffic is either being blocked/fooled with at the local router, or not being sent from the host.

Possibilities.... Problem may be that the host router does not know how to find the network you are on (192.168.x.x) and cannot route the packets back.

It sorta seems like the host router is trying to create a tunnel with the internal address (192.168.x.x) rather than the NAT'd external address.

I think you can add a network route to the Netgears - e.g.

192.168.100.0/24 via 67.168.11.111

Bottom line is I don't know of an exact fix.

E.

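As an added example (not part of the thread, and not Netgear or SafeNet tooling), a small triage script over the client log format posted above reports whether a main mode message was received and which message id was abandoned after quick mode retries. The sample entries are reconstructed from the post's log, and the name `triage` is hypothetical.

```python
import re

# Constructed sample in the SoftRemote log format shown in the post
# (entries mirror the post's log; cookie and IP lines are omitted).
SAMPLE_LOG = r"""
7-15: 08:18:39.473 My Connections\VPNClient - RECEIVED>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
7-15: 08:18:39.743 My Connections\VPNClient - RECEIVED>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
7-15: 08:18:50.709 My Connections\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 1
7-15: 08:18:50.709 My Connections\VPNClient - SENDING>>>> ISAKMP OAK QM *(Retransmission)
7-15: 08:19:00.713 My Connections\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 2
7-15: 08:19:11.709 My Connections\VPNClient - QM re-keying timed out (message id: 3AFFEB9C). Retry count: 3
7-15: 08:19:21.714 My Connections\VPNClient - Exceeded 3 re-keying attempts (message id: 3AFFEB9C)
7-15: 08:19:21.724 My Connections\VPNClient - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
"""

ENTRY = re.compile(r"^\d+-\d+: (\d\d:\d\d:\d\d\.\d+) (.+?) - (.+)$")
EXCHANGE = re.compile(r"(SENDING|RECEIVED)\S*\s+ISAKMP OAK (MM|QM|INFO)\b")
# Only the "QM" form appears in the post; other prefixes are an assumption.
TIMEOUT = re.compile(r"(\w+) re-keying timed out \(message id: (\w+)\)\. Retry count: (\d+)")
GAVE_UP = re.compile(r"Exceeded (\d+) re-keying attempts \(message id: (\w+)\)")

def triage(log_text):
    """Summarise where an IKE negotiation stalled, per message id."""
    exchanges, retries, stalled_in, abandoned = set(), {}, {}, []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # blank lines, cookie dumps and other non-event lines
        msg = entry.group(3)
        if (x := EXCHANGE.search(msg)):
            exchanges.add((x.group(1), x.group(2)))
        if (t := TIMEOUT.search(msg)):
            mode, msg_id, count = t.group(1), t.group(2), int(t.group(3))
            stalled_in[msg_id] = mode
            retries[msg_id] = max(retries.get(msg_id, 0), count)
        if (g := GAVE_UP.search(msg)):
            abandoned.append(g.group(2))
    phase1_seen = ("RECEIVED", "MM") in exchanges
    if abandoned and phase1_seen and all(stalled_in.get(i) == "QM" for i in abandoned):
        verdict = "main mode reply received; quick mode abandoned after retries"
    elif abandoned:
        verdict = "negotiation abandoned after retries"
    else:
        verdict = "no abandoned negotiation in this log"
    return {"phase1_seen": phase1_seen, "retries": retries,
            "abandoned": abandoned, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the same function over a log captured on a direct connection gives a baseline to compare against the firewalled case.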
