NETGEAR FVS124G Configuration Manual

VPN Configuration Guide
NETGEAR® FVS124G


Summary of Contents for NETGEAR FVS124G

  • Page 1 
 VPN Configuration Guide NETGEAR® FVS124G...
  • Page 2 Apple Computer, Inc., registered in the U.S. and other countries. © 2015 equinux USA, Inc. All rights reserved. NETGEAR is a registered trademark of NETGEAR Inc. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of equinux AG or equinux USA, Inc.
  • Page 3: Table Of Contents

    My NETGEAR Configuration; Task 1 – Configure your NETGEAR; Step 2 – Retrieve your NETGEAR’s LAN and WAN Configuration; Step 3 – Create a new VPN Policy; Task 2 – Configure VPN Tracker; Step 1 – Create a New Connection
  • Page 4: Introduction

    Please be sure to read those instructions and understand them before starting. NETGEAR Configuration The first part of this document will show you how to configure a VPN tunnel on a NETGEAR VPN router using a basic VPN setup that can accept incoming connections from any IP address.
  • Page 5: Important Prerequisites

    first and second part of this document, and only add additional features to your connection once you have the basic setup working. Important Prerequisites Your NETGEAR Device This document applies to the following NETGEAR devices ‣ FVS124G The documentation is based on firmware 1.1.48. Your Mac ‣...
  • Page 6: Scenario

    (Dynamic) DNS host name. In our example setup, we will be using a DNS host name: vpn.example.com. The NETGEAR device has a second network interface which is connected to the internal office network (LAN). In our example, the office network has the IP range 192.168.13.0/24 (which is the same as 192.168.13.0/255.255.255.0). This is the network that will be accessed from the employee’s Mac through the VPN.
  • Page 7: Terminology

    Terminology A VPN connection is often called a “tunnel” (or “VPN tunnel”). Every VPN tunnel is established between two “endpoints”. In our example one endpoint is VPN Tracker and the other endpoint is the VPN gateway. Please note that for each endpoint, the settings on the other endpoint are considered to be “remote”, while its own settings are considered to be “local”.
  • Page 8: My Netgear Configuration

    VPN Tracker. This information is marked with red numbers to make it easier to reference it later. You can print out this form to help keep track of the various configuration settings of your NETGEAR device. ➊ Pre-Shared Key: ➋...
  • Page 9: Task 1 - Configure Your Netgear

    “VPN Settings Explained” for more detailed information about the settings available on your NETGEAR). If you have multiple VPN policies set up on the device, you will have to ensure that there are no unintended side-effects. Please read the chapter “Supporting Multiple Users“ to learn how to set up multiple tunnels without them interfering with each other.
  • Page 10 ‣ Local Identity Type: Select “Fully Qualified Domain Name” ‣ Local Identity Data: Enter the identifier to be used by the device, e.g. “netgear.local”. Make sure to write down the exact identifier ➋ ‣ Remote Identity Type: Select “Fully Qualified Domain Name”...
  • Page 11: Step 2 - Retrieve Your Netgear's Lan And Wan Configuration

    Step 2 – Retrieve your NETGEAR’s LAN and WAN Configuration ‣ Go to Maintenance > Router Status and obtain the following information from the Router Status page: ‣ WAN1 Configuration: ‣ Write down the WAN IP Address ➍ ‣ If you use Dynamic DNS for your device, or if it has a...
  • Page 12: Step 3 - Create A New Vpn Policy

    Step 3 – Create a new VPN Policy ‣ Go to VPN > VPN Policies ‣ Click “Add Auto Policy” ‣ VPN Policy Name: Enter a name for the VPN Policy ➑ You can use the same name you used for the IKE policy. ‣...
  • Page 13 ‣ Local IP: Select “Subnet Address” ‣ Start IP address: Enter the LAN Network Address ➐ you calculated in Step 2 (here: 192.168.13.0) ‣ Subnet Mask: Enter the LAN subnet mask ➏ you wrote down in Step 2 (here: 255.255.255.0) ‣ Remote IP: Select “Any” ‣...
  • Page 14: Task 2 - Configure Vpn Tracker

    Task 2 – Configure VPN Tracker This section describes how to configure VPN Tracker to connect to your NETGEAR. You will need the configuration information you collected during Task 1. If you are missing any information, please refer back to “Task 1 – Configure your NETGEAR”.
  • Page 15: Step 2 - Configure The Vpn Connection

    Step 2 – Configure the VPN Connection ‣ VPN Gateway: Enter your NETGEAR’s public IP address ➍. If you are using Dynamic DNS, or if the device has a DNS host name, use it instead (in our example, we are using the host name “vpn.example.com”)
  • Page 16: Task 3 - Test The Vpn Connection

    Task 3 – Test the VPN Connection This section explains how to start and test your VPN connection. It’s time to go out! You will not be able to test and use your VPN connection from within the internal network that you want to connect to. To test your connection, you will need to connect from a different location.
  • Page 17 When you are prompted for your pre-shared key: ‣ Pre-shared key: Enter the pre-shared key ➊ that you configured on the NETGEAR device ‣ Optionally, check the box “Store in Keychain” to save the password in your keychain so you are not asked for it again when connecting the next time ‣...
  • Page 18: Supporting Multiple Users

    Using Mode Config for IP Address Assignment If multiple users connect using the same policy on your NETGEAR at the same time, you must ensure that each of them uses a different Local Address in VPN Tracker by setting an individual Local Address for each of them. The easiest way to ensure this is to have the NETGEAR automatically assign IP addresses to connecting clients through Mode Config.
  • Page 19 ‣ Record Name: Enter a name that will later allow you to recognize this entry ‣ First IP Pool: Enter an IP range that is not part of your NETGEAR’s LAN. The range must be from the private (RFC1918) IP address space, and it...
  • Page 20 Delete the VPN Policy ‣ The VPN policy must be removed before you can change the IKE policy to use Mode Config ‣ Go to “VPN > VPN Policies” ‣ Select your VPN Policy ‣ Click “Delete” Configure the IKE Policy to use Mode Config ‣...
  • Page 21 Enable Mode Config in VPN Tracker ‣ Check “Mode Config” in the “Network Configuration” section. If you cannot find this setting for your device, make sure you have selected the correct device and firmware revision 
 Advanced Users It is very important to initially set up Mode Config as “automatic” instead of “active” or “passive”. While this may mean a short delay when connecting (if the device actually requires “active”...
  • Page 22: Adding More Vpn Tunnels

    Adding more VPN Tunnels The tunnel you have set up in the first part of this document can be used by multiple users if you use Mode Config (with a sufficiently large IP address pool), or if you manually set an individual Local Address for each user, as described in “The Role of the Local Address in VPN Tracker”.
  • Page 23 If you have difficulties setting up multiple tunnels on a single device, it is a good idea to check the VPN Status (VPN > VPN Status > VPN Status) to see which policies are in use. If necessary, selectively disable policies to see which policies are causing trouble.
  • Page 24: Troubleshooting

    Troubleshooting In most cases, your connection should work fine if you followed the instructions above. If you cannot connect, please read on. VPN Connection Fails to Establish On/Off Slider goes back to “Off” right away If the slider goes back to “Off” right away, please make sure you have entered all the required information. VPN Tracker will highlight fields that are missing information.
  • Page 25: Cannot Access Resources On The Remote Network

    Cannot Access Resources on the Remote Network If the connection slider goes to ON and turns green, but you cannot access resources (servers, email, etc.) in the remote network, please check the following points. Connect by IP address instead of host name If you are not connecting to the resource by IP address (e.g.
  • Page 26: Further Questions

    Check whether the IP address is part of the remote network Please make sure that the IP address of the resource that you are connecting to is actually contained in the remote network(s). Also double-check the network mask that you have configured for the remote network(s) in VPN Tracker. The network mask (e.g.
  • Page 27: Vpn Settings Explained

    VPN Settings Explained This section explains the various settings found on your NETGEAR, and how they relate to VPN Tracker’s settings. We will first go through the IKE policy settings from top to bottom, then through the VPN policy settings. In the end, a few selected VPN Tracker settings that have no matching setting on the NETGEAR, or are found elsewhere, are explained.
  • Page 28 For a VPN policy where the Traffic Selector is set to “Any” for the Remote IP, a special Local Identifier must be used in VPN Tracker. It is constructed from the VPN policy name, a number between 1 and 10, and the Remote Identity Data configured on the NETGEAR (refer to page 16 for an example). IKE SA Parameters Encryption Algorithm: The encryption algorithm must match the encryption algorithm configured in VPN Tracker in...
  • Page 29 (Basic > Authentication). This password is shared among all users. Make sure to choose a strong password here that is long enough and contains a mix of letters and numbers (but be aware that your Mac and your NETGEAR may not use the same character encoding, so try to avoid accented characters).
  • Page 30: Vpn Policy

    VPN Policy The VPN Policy contains the settings for the second phase in the process of establishing a VPN connection. Many of the settings here correspond to settings located in VPN Tracker in the Network section of the Basic tab, or in Advanced >...
  • Page 31 Traffic Selector The Traffic Selection settings determine the endpoints of the VPN tunnel. ‣ The local (=NETGEAR) side of the tunnel should be configured to be a subnet matching the NETGEAR’s LAN (192.168.13.0/255.255.255.0 is the NETGEAR’s LAN in our example) ‣...
  • Page 32 VPN Tracker (Advanced > Phase 2 > Authentication Algorithms). Do not select more authentication algorithms in VPN Tracker than the one selected on the device. NETGEAR uses SHA-1 by default (which corresponds to HMAC SHA-1 in VPN Tracker, MD5 on the NETGEAR corresponds to HMAC MD5 in...
  • Page 33: The Role Of The Local Address In Vpn Tracker

    When connecting to a NETGEAR device, the Local Address must not be part of the remote network (i.e. the NETGEAR’s LAN) and the same Local Address may not be used by two VPN clients at the same time. If there is only a single user of the VPN, this will often automatically be the case if the Local Address field is simply left empty, and VPN...
  • Page 34 Why can’t I use a Local Address from my NETGEAR’s LAN? It may sound a bit unusual to use IP addresses that are not part of the NETGEAR’s LAN. The reason for this is that the NETGEAR cannot act as a so-called “ARP Proxy” for its VPN clients. Computers on the NETGEAR’s LAN therefore must be “tricked”...
  • Page 35 Why do I have to set a fixed Local Address when my NETGEAR is not the default gateway (router) in its LAN? If the NETGEAR is not the default gateway, this means that computers the VPN clients communicate with do not connect to the Internet through the NETGEAR.
