Chapter 5: Virtual Private Networking Using IPsec
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
The following diagrams and table show how the WAN mode selection relates to VPN
configuration.
Figure 5-4
The following table summarizes the WAN addressing requirements (FQDN or IP address) for
your VPN tunnel in either dual WAN mode.
Table 5-5. IP Addressing for VPNs in Dual WAN Port Systems

Configuration               WAN IP address   Rollover Mode (1)   Load Balancing Mode
--------------------------  ---------------  ------------------  -----------------------
VPN Road Warrior            Fixed            FQDN required       FQDN Allowed (optional)
(client-to-gateway)         Dynamic          FQDN required       FQDN required

VPN Gateway-to-Gateway      Fixed            FQDN required       FQDN Allowed (optional)
                            Dynamic          FQDN required       FQDN required

VPN Telecommuter            Fixed            FQDN required       FQDN Allowed (optional)
(client-to-gateway          Dynamic          FQDN required       FQDN required
through a NAT router)

(1) All tunnels must be re-established after a rollover using the new WAN IP address.
[Figure 5-4, first diagram: WAN Auto-Rollover: FQDN Required for VPN. Same FQDN required for both WAN ports.]
[Figure 5-4, second diagram: WAN Load Balancing: FQDN Optional for VPN. FQDN required for dynamic IP addresses; FQDN optional for static IP addresses.]
Using the VPN Wizard for Client and Gateway Configurations
You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies.
The following section provides wizard and NETGEAR VPN Client configuration procedures
for the following scenarios:
- Using the wizard to configure a VPN tunnel between two VPN gateways
- Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client
Configuring a VPN tunnel connection requires that all settings and parameters on both sides
of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The
VPN Wizard efficiently guides you through the setup procedure with a series of questions that
will determine the IPsec keys and VPN policies it sets up. The VPN Wizard will also set the
parameters for the network connection: Security Association, traffic selectors, authentication
algorithm, and encryption. The parameters used by the VPN Wizard are based on the
recommendations of the VPN Consortium (VPNC), an organization that promotes
multi-vendor VPN interoperability.
Creating Gateway to Gateway VPN Tunnels with the Wizard
Figure 5-5. Gateway-to-Gateway Example

To set up a gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the menu.
2. Click the VPN Wizard tab.
   To view the wizard default settings, click the VPN Wizard Default Values link. You can
   modify these settings after completing the wizard.
3. Select Gateway as your connection type.
4. Create a Connection Name. Enter a descriptive name for the connection. This name is
   used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint.
5. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN
   gateway, or the remote VPN client. This key must be a minimum of 8 characters and
   should not exceed 49 characters.
6. Choose which WAN port to use as the VPN tunnel end point.
   Note: If you are using a dual WAN rollover configuration, after completing
   the wizard, you must manually update the VPN policy to enable VPN
   rollover. This allows the VPN tunnel to roll over when the WAN Mode
   is set to Auto Rollover. The wizard will not set up the VPN policy with
   rollover enabled.
7. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways
   which will connect.
   Both the remote WAN address and your local WAN address are required.
   Tip: To ensure tunnels stay active, after completing the wizard, edit the VPN
   policy to enable keepalive, which periodically sends ping packets to the
   host on the peer side of the network to keep the tunnel alive.
   The remote WAN IP address must be a public address or the Internet name of the
   remote gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as
   registered in a Dynamic DNS service. Both local and remote endpoints should be
   defined as either FQDN or IP addresses. A combination of IP address and FQDN is
   not allowed.
   Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses.
   Once you validate the connection, use the wizard to create new policies
   using FQDN for the WAN addresses.
8. Enter the local LAN IP and Subnet Mask of the remote gateway in the Remote LAN IP
   Address and Subnet Mask fields.
   Note: The Remote LAN IP address must be in a different subnet than the
   Local LAN IP address. For example, if the local subnet is
   192.168.1.x, then the remote subnet could be 192.168.10.x, but
   could not be 192.168.1.x. If this information is incorrect, the tunnel
   will fail to connect.
9. Click Apply to save your settings. The VPN Policies screen shows that the policy is
   enabled.
10. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to
   configure the second VPN firewall to connect to the one you just configured.
After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display
the status of your VPN connections.
The tunnel will automatically establish when both the local and target gateway policies are
appropriately configured and enabled.
Note: When using FQDN, if the dynamic DNS service is slow to update
its servers when your DHCP WAN address changes, the VPN
tunnel will fail because the FQDN does not resolve to your new
address. If you have the option to configure the update interval, set it
to an appropriately short time.
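
The wizard rules above (pre-shared key length, no mixing of IP address and FQDN endpoints, distinct LAN subnets, and the FQDN requirements of Table 5-5) can be checked before the values are typed into either gateway. The following is an added example, not NETGEAR code: the function names, the sample addresses, the alphanumeric key alphabet, and applying Table 5-5 to the local dual-WAN gateway are assumptions, and the subnet test generalizes "different subnet" to "no overlap".

```python
# Added example: pre-flight check for VPN Wizard inputs (not NETGEAR code).
import ipaddress
import secrets
import string

PSK_MIN, PSK_MAX = 8, 49  # pre-shared key length limits stated in step 5

# Table 5-5: is an FQDN required for (WAN mode, WAN addressing)?
FQDN_REQUIRED = {
    ("rollover", "fixed"): True, ("rollover", "dynamic"): True,
    ("load_balancing", "fixed"): False, ("load_balancing", "dynamic"): True,
}

def generate_psk(length=32):
    """Random alphanumeric key; the accepted character set is an assumption."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("length outside the 8-49 range")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def is_ip(endpoint):
    """True if the endpoint is an IP literal, False if it is a name."""
    try:
        ipaddress.ip_address(endpoint)
        return True
    except ValueError:
        return False

def check_tunnel(psk, local_wan, remote_wan, local_lan, remote_lan,
                 wan_mode, wan_addressing):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append("pre-shared key must be 8 to 49 characters")
    if is_ip(local_wan) != is_ip(remote_wan):
        problems.append("endpoints mix IP address and FQDN")
    if FQDN_REQUIRED[(wan_mode, wan_addressing)] and is_ip(local_wan):
        problems.append("this WAN mode requires an FQDN for the local WAN")
    local = ipaddress.ip_network(local_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    if local.overlaps(remote):
        problems.append("remote LAN subnet overlaps the local LAN subnet")
    return problems

# Constructed sample plans: documentation addresses and example.com names.
GOOD = check_tunnel(generate_psk(), "gw-a.example.com", "gw-b.example.com",
                    "192.168.1.0/24", "192.168.10.0/24", "rollover", "dynamic")
BAD = check_tunnel("short", "203.0.113.10", "gw-b.example.com",
                   "192.168.1.0/24", "192.168.1.128/25", "rollover", "fixed")
```

Run the same check with the local and remote values swapped to confirm that the plan for the second gateway mirrors the first.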
Creating a Client to Gateway VPN Tunnel
Figure 5-6. Client to Gateway VPN Tunnel

Follow these steps to configure a VPN client tunnel:
- Configure the client policies on the gateway.
- Configure the VPN client to connect to the gateway.
