Netgear FVM 318 and Prosafe VPN
« Thread started on: Nov 9th, 2004, 08:46am »
Netgear FVM318 with Prosafe VPN client for remote user setup notes:
Topology at office - A Netopia Cayman 3500 Series DSL router is connected to the Netgear FVM318, and the Netopia forwards all traffic to the Netgear. The Netopia pulls a static IP from SBC and routes to the FVM318 over the 10.0.0.0 private subnet; the Netgear routes to the LAN on the 192.168.1.0 subnet. To achieve this the Netopia Cayman's LAN port is set to 10.0.0.1 and the FVM318's WAN port to 10.0.0.5 (you could also run the Cayman as a bridge and let the FVM318 pull its IP address from the ISP).
Topology for remote users - The configuration that follows has been confirmed to work for users behind a home NAT router or directly connected to a DSL or cable modem. In theory it should also work for users connecting from a hotel or over remote dial-up connections. In our case home users are connected either via Netgear RM814 v2 Cable/DSL routers with 802.11b wireless or directly to their cable/DSL modems. The same VPN policy settings work for both types of connection we use.
FVM318 Router and VPN Settings configuration - For initial setup go to the default router address by entering http://192.168.0.1 and logging in with username admin and password "password". In our case we changed the office router's WAN address on the Basic Settings page to the static address 10.0.0.5 so it can communicate with the Cayman, and set the gateway to 10.0.0.1, which is the Cayman's LAN address. We also set the DNS servers to the ISP's DNS servers. Then we went to the LAN IP Setup page and changed the LAN to use the 192.168.1.1 address (note that users with home LANs cannot use the 192.168.1.0 subnet, so we have one user with 192.168.2.0, another with 192.168.3.0, and so on). After changing the LAN IP you will need to either manually set a new IP on the same subnet (e.g. 192.168.1.2 in our case) or, if DHCP is enabled, just run ipconfig /release followed by ipconfig /renew on a Windows machine. If you are using DHCP from the router you may also have to change those settings on the LAN IP Setup page to match the new LAN configuration. We also upgraded the router firmware to version 1.2, available from the Netgear support section of their website. In our case, we also set up a free Dynamic DNS address with www.dyndns.org and updated the router's Dynamic DNS settings to match.
On the VPN Settings page we added a connection with the following settings:

Connection name: SYSXPERTS to OFFICE (can be any descriptive name you choose)
Local IPSEC identifier: office.dyndns.biz (the dynamic DNS address or local IP address of the router)
Remote IPSEC identifier: vpnclient1 (any name, but not used in more than one VPN policy; must match the client configuration, which is done after the router config, exactly - case sensitive)
Tunnel can be accessed from: Any local address (if you don't see this field you have an older version of the firmware and should upgrade)
Tunnel can access: A single remote address (if you don't see this field you have an older version of the firmware and should upgrade)
Remote LAN start IP address: 192.168.100.1 (must be unique for each user and to all networks in use; e.g. 192.168.3.1 would not work in our case because one of our users' home LANs is using that subnet)
Remote WAN IP or FQDN: leave blank (0.0.0.0 also qualifies as blank)
Secure Association: Aggressive Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
Key Group: Diffie-Hellman Group 2
Preshared Key: any combination of characters, numbers, and symbols, e.g. officevpn!#$12
Key Life: 28800
IKE Life: 86400 (if you cannot change this to a value greater than 86400 then you have old firmware and need to upgrade)
NETBIOS enable: checked

Apply these settings and reboot the router for good measure.
Prosafe VPN client settings: Click the Add New Connection button in the upper left of the Security Policy Editor screen. Name the new connection to match the name on the router, e.g. SYSXPERTS to Office in our case.

Connection Security: Secure
Remote Party Identity and Addressing:
  ID Type: IP Subnet
  Subnet: 192.168.1.0 in our case
  Mask: 255.255.255.0
  Protocol: All
Connect using Secure Gateway Tunnel:
  ID Type: Domain Name, with the fully qualified Dynamic DNS name, e.g. vpnoffice.dyndns.biz
  ID Type: Gateway Hostname, with the fully qualified Dynamic DNS name, e.g. vpnoffice.dyndns.biz
Go to Security Policy and select the following settings:
  Aggressive Mode
  Enable PFS
  Diffie-Hellman Group 2
  Enable replay detection
Go to My Identity and set the following:
  Select Certificate: None
  ID Type: Domain Name (the value must match the Remote IPSEC Identifier set on the router exactly, e.g. vpnclient1 in our case)
  Virtual Adapter: Disabled
  Internal Network IP: must match the Remote LAN start IP address set on the router, which is 192.168.100.1 in our case
  Internet Interface: Any
Click the Pre-Shared Key button and set it to exactly the same value as on the router, e.g. officevpn!#$12.
Expand Security Policy, then expand Authentication and verify the following settings:
  Authentication Method: Pre-Shared Key
  Triple DES
  SHA-1
  Unspecified
  Diffie-Hellman Group 2

Expand Key Exchange and select policy 1:
  Unspecified
  None
  Triple DES
  SHA-1
  Tunnel
Save the settings, then deactivate and reactivate the policy.
Connect and try to ping the VPN LAN router, 192.168.1.1 in our case. We found that the first connection sometimes does not work; we worked around this by using the router diagnostics to ping the 192.168.100.1 address, and once connected we created a script on a server behind the office router to ping the remote users as a keepalive.
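Most of the failures this kind of setup produces come from the two sides disagreeing on a value (the identifiers and the preshared key are compared case-sensitively) or from a remote address landing inside a subnet that is already in use, as the notes above warn. The following script is an added example and is not part of the original post or any Netgear software: it models the router policy and the client policy as plain records, checks that every paired field agrees, and checks each user's remote address against the office LAN and every home LAN. The record field names, the check thresholds and the sample data are constructed for illustration; the sample values reuse the ones quoted in the post.

```python
# Added example, not code from the original post: cross-check an FVM318 VPN
# policy against the matching ProSafe client policy and against every subnet
# the remote users have at home. Field names and sample values are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class RouterPolicy:
    """Fields from the FVM318 VPN Settings page for one remote user."""
    name: str
    local_id: str          # local IPsec identifier (router FQDN or address)
    remote_id: str         # remote IPsec identifier; unique per policy
    remote_lan_start: str  # the "single remote address" given to this user
    mode: str              # "aggressive" or "main"
    pfs: bool
    encryption: str
    hash_alg: str
    dh_group: int
    preshared_key: str


@dataclass
class ClientPolicy:
    """Fields from the ProSafe Security Policy Editor for the same connection."""
    name: str
    remote_subnet: str     # Remote Party IP Subnet + Mask, e.g. "192.168.1.0/24"
    gateway_id: str        # Secure Gateway Tunnel ID (Domain Name)
    my_id: str             # My Identity ID (Domain Name)
    internal_ip: str       # My Identity Internal Network IP
    mode: str
    pfs: bool
    encryption: str
    hash_alg: str
    dh_group: int
    preshared_key: str


def address_conflicts(addr, office_lan, home_lans):
    """One remote address must sit outside the office LAN and every home LAN."""
    addr = ipaddress.ip_address(addr)
    lans = {"the office": office_lan, **{f"{o}'s home": l for o, l in home_lans.items()}}
    return [f"remote address {addr} lies inside {who} LAN {lan}"
            for who, lan in lans.items() if addr in lan]


def check_pair(router, client, office_lan, home_lans):
    """Mismatches between a router policy and its client policy; [] means consistent."""
    pairs = [
        ("remote IPsec identifier / My Identity", router.remote_id, client.my_id),
        ("local IPsec identifier / Secure Gateway ID", router.local_id, client.gateway_id),
        ("Remote LAN start IP / Internal Network IP", router.remote_lan_start, client.internal_ip),
        ("preshared key", router.preshared_key, client.preshared_key),
        ("exchange mode", router.mode, client.mode),
        ("PFS", router.pfs, client.pfs),
        ("encryption", router.encryption, client.encryption),
        ("hash", router.hash_alg, client.hash_alg),
        ("DH group", router.dh_group, client.dh_group),
    ]
    problems = []
    for label, r, c in pairs:
        if r != c:  # the devices compare identifiers and the PSK case-sensitively
            hint = " (differs only in case)" if str(r).lower() == str(c).lower() else ""
            problems.append(f"{label}: router={r!r} client={c!r}{hint}")
    if ipaddress.ip_network(client.remote_subnet, strict=False) != office_lan:
        problems.append(f"client remote subnet {client.remote_subnet} is not the office LAN {office_lan}")
    return problems + address_conflicts(router.remote_lan_start, office_lan, home_lans)


def check_fleet(routers, office_lan, home_lans):
    """Checks across all router policies: unique identifiers/addresses, no LAN overlap."""
    problems, seen_id, seen_addr = [], {}, {}
    for owner, lan in home_lans.items():
        if lan.overlaps(office_lan):
            problems.append(f"{owner}'s home LAN {lan} overlaps the office LAN {office_lan}")
    for p in routers:
        if p.remote_id in seen_id:
            problems.append(f"remote identifier {p.remote_id!r} reused by {seen_id[p.remote_id]} and {p.name}")
        if p.remote_lan_start in seen_addr:
            problems.append(f"remote address {p.remote_lan_start} reused by {seen_addr[p.remote_lan_start]} and {p.name}")
        seen_id.setdefault(p.remote_id, p.name)
        seen_addr.setdefault(p.remote_lan_start, p.name)
        problems += address_conflicts(p.remote_lan_start, office_lan, home_lans)
    return problems


# Constructed sample data reusing the values quoted in the post.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
HOME_LANS = {"user1": ipaddress.ip_network("192.168.2.0/24"),
             "user2": ipaddress.ip_network("192.168.3.0/24")}
COMMON = dict(mode="aggressive", pfs=True, encryption="3DES", hash_alg="SHA-1",
              dh_group=2, preshared_key="officevpn!#$12")
ROUTER_OK = RouterPolicy("SYSXPERTS to OFFICE", "office.dyndns.biz", "vpnclient1",
                         "192.168.100.1", **COMMON)
CLIENT_OK = ClientPolicy("SYSXPERTS to OFFICE", "192.168.1.0/24", "office.dyndns.biz",
                         "vpnclient1", "192.168.100.1", **COMMON)
# Wrong-case identity and a gateway name that does not match the router's local ID.
CLIENT_BAD = ClientPolicy("SYSXPERTS to OFFICE", "192.168.1.0/24", "vpnoffice.dyndns.biz",
                          "VPNClient1", "192.168.100.1", **COMMON)
# A second user's policy reuses the identifier and picks an address inside user2's LAN.
ROUTER_USER2 = RouterPolicy("USER2 to OFFICE", "office.dyndns.biz", "vpnclient1",
                            "192.168.3.1", **COMMON)
```

Run check_pair(ROUTER_OK, CLIENT_OK, OFFICE_LAN, HOME_LANS) to confirm a clean pair returns an empty list; check_pair with CLIENT_BAD reports the gateway-name mismatch and the identifier that differs only in case, and check_fleet([ROUTER_OK, ROUTER_USER2], OFFICE_LAN, HOME_LANS) reports the reused identifier and the 192.168.3.1 address colliding with user2's home LAN. Keeping the policies in a file and running the checks before touching either device is cheaper than diagnosing a tunnel that never comes up.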