Wow, another one of those jobs which seems impossible until it works and then it seems easy! It is also another reminder that the internet is too full of old outdated information, poor answers to questions and anecdotal answers "This random thing solved it for me..."

Anyway, I am attempting to set up an IPsec VPN on my Netgear FVS318N, a wireless VPN router which is pretty cool feature-wise. I have the additional pain that it is behind another DSL router since the Netgear does not support VDSL, so first I had to set up the port forwarding from one to the other, and then followed this: https://www.shrew.net/support/Howto_Netgear to set up an IPsec VPN.

On the suggestion of a colleague, I could test the work setup from work by using my phone as a mobile hotspot!

The first problem was that on Windows 10, there is a problem with DNE and something or other that makes the VPN client (Shrew Soft) not connect. Instead, it times out and shows "disconnected from key daemon". I followed the instructions here: http://www.ruudborst.nl/shrewsoft-vpn-filter-blocks-traffic-on-windows-10/ to run a Cisco cleaner and DNE setup. The Cisco one works for Shrew Soft, and I think this only applies to Windows 10, but some people reported problems on Windows 8.

I then connected the VPN and it showed tunnel established but I couldn't seem to ping any of the internal hosts on my company network. What is really confusing is that none of the guides seem to explain what IP addresses need to match the internal network and which ones need to be completely different so here goes:

Mode Config
First Pool = A UNIQUE range of IP addresses that must NOT overlap the internal network. These will be the VPN client IP addresses.
WINS/DNS Server = This should MATCH your actual DNS/WINS server (at least I think so!); they don't appear to be virtual IP addresses.
Local IP Address = Should MATCH the network address of the INTERNAL network, usually the first three octets followed by a zero
Local Subnet Mask = Should MATCH the subnet mask of the INTERNAL network, usually 255.255.255.0

Client Setup
Policy Tab = You must have a topology entry that will route your INTERNAL network IP addresses through the VPN tunnel rather than attempting to send them through your default gateway, which is likely to be your main internet connection. In other words, this entry must match the Local IP Address/Subnet specified in the Mode Config setup. If you have multiple internal LANs (VLANs) then you can add multiple entries here to route all of them to the VPN router through the tunnel.
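
To make the addressing rules above concrete, here is a small checker I added for this post (it is not part of the Netgear or Shrew Soft software): it takes the Mode Config pool, the internal network, the pushed DNS/WINS servers and the client's topology entries, and reports the mismatches that lead to the "tunnel established but nothing pings" symptom. All addresses in it are constructed sample values.

```python
import ipaddress

def check_vpn_addressing(pool_first, pool_last, local_ip, local_mask,
                         dns_servers, client_topology):
    """Return a list of problems; an empty list means the addressing is consistent.

    pool_first/pool_last: Mode Config 'First Pool' range handed out to VPN clients.
    local_ip/local_mask:  the INTERNAL network behind the VPN router.
    dns_servers:          WINS/DNS addresses pushed to the clients.
    client_topology:      networks the client's Policy tab routes into the tunnel.
    """
    problems = []
    local_net = ipaddress.IPv4Network(f"{local_ip}/{local_mask}", strict=False)

    # Local IP Address must be the network address (last octet zero for a /24).
    if ipaddress.IPv4Address(local_ip) != local_net.network_address:
        problems.append(f"Local IP Address {local_ip} is not the network address of {local_net}")

    # The client pool must be a UNIQUE range that does not overlap the internal LAN.
    first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    if first > last:
        problems.append(f"pool start {pool_first} is after pool end {pool_last}")
    elif any(n.overlaps(local_net) for n in ipaddress.summarize_address_range(first, last)):
        problems.append(f"client pool {pool_first}-{pool_last} overlaps internal network {local_net}")

    # The Policy tab needs a topology entry covering the internal network, otherwise
    # traffic for it leaves via the default gateway instead of the tunnel.
    topology = [ipaddress.IPv4Network(t, strict=False) for t in client_topology]
    if not any(local_net.subnet_of(t) for t in topology):
        problems.append(f"no client topology entry covers {local_net}")

    # Same reasoning for the pushed DNS/WINS servers: if no topology entry covers
    # them, name lookups are sent outside the tunnel.
    for dns in dns_servers:
        if not any(ipaddress.IPv4Address(dns) in t for t in topology):
            problems.append(f"DNS/WINS server {dns} is not routed through the tunnel")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not the author's real addresses.
    ok = check_vpn_addressing("10.99.0.1", "10.99.0.50", "192.168.1.0", "255.255.255.0",
                              ["192.168.1.2"], ["192.168.1.0/24"])
    bad = check_vpn_addressing("192.168.1.200", "192.168.1.250", "192.168.1.1",
                               "255.255.255.0", ["192.168.1.2"], [])
    print("good config:", ok or "no problems")
    print("bad config:", *bad, sep="\n  ")
```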

Now it works!