Netgear FVM318 with Prosafe VPN client for remote user setup notes:

Topology at office - A Netopia Cayman 3500 Series DSL router is
connected to the Netgear FVM318, and the Netopia forwards all traffic
to the Netgear. The Netopia pulls a static IP from SBC and routes to
the FVM318 over the 10.0.0.0 private subnet; the Netgear routes to the
LAN on the 192.168.1.0 subnet. To achieve this, the Netopia Cayman is
set to 10.0.0.1 on its LAN port and the FVM318 is set to 10.0.0.5 on
its WAN port (you could also use the Cayman as a bridge and let the
FVM318 pull its IP address from the ISP).

Topology for remote users - The configuration that follows has been
confirmed to work for users behind a home NAT router or directly
connected to a DSL or cable modem. In theory it should also work for
users connecting from a hotel or a remote dial-up connection. In our
case home users connect either via Netgear RM814 v2 Cable/DSL routers
with 802.11b wireless or directly via their cable/DSL modems. The same
VPN policy settings work for both types of connection we use.

FVM318 Router and VPN Settings configuration - For initial setup, go
to the router's default address by entering http://192.168.0.1 and log
on with the username admin and the password password at the logon
prompt.
In our case we changed the office router's WAN address to the static
10.0.0.5 on the Basic Settings page so it can communicate with the
Cayman, and set the gateway to 10.0.0.1, which is the Cayman's LAN
address. We also set the DNS servers to the ISP's DNS servers.
Then we went to the LAN IP Setup page and changed the LAN to use the
address 192.168.1.1. (Note that users with home LANs cannot use the
192.168.1.0 subnet, so we have one user on 192.168.2.0, another on
192.168.3.0 and so on.) After changing the LAN IP you will need to
either manually set a new IP on the same subnet (e.g. 192.168.1.2 in
our case) or just do an ipconfig /release followed by an
ipconfig /renew on a Windows machine if DHCP is enabled.
If you are using DHCP from the router then you may also have to change
those settings for the new LAN configuration on the LAN IP Setup page.
We also upgraded the router firmware to version 1.2, available from
the Netgear support section of their website.
In our case, we also set up a free Dynamic DNS address with
www.dyndns.org and updated the router's Dynamic DNS settings to match.

On the VPN Settings page we added a connection with the following
settings:
Connection name: SYSXPERTS to OFFICE (can be any descriptive name you
choose)
Local IPSEC identifier: office.dyndns.biz (the dynamic DNS address or
local IP address of the router)
Remote IPSEC identifier: vpnclient1 (any name, but it must not be used
in more than one VPN policy, and it must exactly match the client
configuration that is done after the router config; it is case
sensitive)
Tunnel can be accessed from: Any local address (if you don't see this
field you have an older version of the firmware and should upgrade)
Tunnel can access: A single remote address (if you don't see this
field you have an older version of the firmware and should upgrade)
Remote LAN start IP address: 192.168.100.1 (must be unique for each
user and distinct from all networks in use; e.g. 192.168.3.1 would not
work in our case because one of our users' home LANs is using that
subnet)
Remote WAN IP or FQDN: leave blank (0.0.0.0 also qualifies as blank)
Secure Association: Aggressive Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
Key Group: Diffie-Hellman Group 2
Preshared Key: any combination of characters, numbers, and symbols,
e.g. officevpn!#$12
Key Life: 28800
IKE Life: 86400 (if you cannot change this to a value greater than
86400 then you have old firmware and need to upgrade)
Check the NETBIOS enable checkbox.
Apply these settings and reboot the router for good measure.
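
An added check, not part of the original notes, for the addressing
constraints above: the office LAN, the Cayman-to-FVM318 link, each
user's home LAN and each policy's Remote LAN start IP must not collide,
and each start IP must be unique per policy. The plan below is
constructed from the example values in the notes (office 192.168.1.0/24,
link 10.0.0.0/24, home LANs 192.168.2.0/24 and 192.168.3.0/24, start IP
192.168.100.1); the user names and the second start IP 192.168.101.1
are assumptions. It uses only Python's standard ipaddress module.

```python
import ipaddress

# Constructed address plan built from the example values in the notes.
# User names and the second start IP (192.168.101.1) are assumptions.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")   # FVM318 LAN side
WAN_LINK = ipaddress.ip_network("10.0.0.0/24")        # Cayman LAN <-> FVM318 WAN
HOME_LANS = {
    "user1": ipaddress.ip_network("192.168.2.0/24"),
    "user2": ipaddress.ip_network("192.168.3.0/24"),
}
# One "Remote LAN start IP address" per VPN policy on the router; the client's
# "Internal Network IP" must be set to the same value.
REMOTE_START_IPS = {"user1": "192.168.100.1", "user2": "192.168.101.1"}


def check_plan(office_lan, wan_link, home_lans, remote_start_ips):
    """Return a list of conflicts in the plan; an empty list means it is usable."""
    problems = []
    in_use = [("office LAN", office_lan), ("WAN link", wan_link)]
    in_use += [(f"{user} home LAN", net) for user, net in home_lans.items()]

    # A home LAN on the office subnet would be routed locally, never into the
    # tunnel, so it may not overlap the office LAN (or the WAN link).
    for user, net in home_lans.items():
        for label, other in (("office LAN", office_lan), ("WAN link", wan_link)):
            if net.overlaps(other):
                problems.append(f"{user}: home LAN {net} overlaps {label} {other}")

    # Each start IP is a single host that must be unique across policies and
    # must not sit inside any network already in use (e.g. 192.168.3.1 fails
    # here because user2's home LAN is 192.168.3.0/24).
    owner = {}
    for user, ip_str in remote_start_ips.items():
        ip = ipaddress.ip_address(ip_str)
        if ip in owner:
            problems.append(f"{user}: start IP {ip} already used by {owner[ip]}")
        owner[ip] = user
        for label, net in in_use:
            if ip in net:
                problems.append(f"{user}: start IP {ip} lies inside {label} {net}")
    return problems


if __name__ == "__main__":
    for line in check_plan(OFFICE_LAN, WAN_LINK, HOME_LANS, REMOTE_START_IPS) or ["plan OK"]:
        print(line)
```

Run it before adding a new user's policy: put the user's home subnet into
HOME_LANS and the intended start IP into REMOTE_START_IPS, and any
collision is reported with the network it hits.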

Prosafe VPN client settings:
Click the Add New Connection button in the upper left of the Security
Policy Editor screen.
Name the new connection to match the name on the router, e.g.
SYSXPERTS to Office in our case.
Connection Security: Secure
Remote Party Identity and Addressing:
ID Type: IP Subnet
Subnet: 192.168.1.0 in our case
Mask: 255.255.255.0
Protocol: All
Connect using Secure Gateway Tunnel
ID Type: Domain Name, with the fully qualified Dynamic DNS name, e.g.
vpnoffice.dyndns.biz
ID Type: Gateway Hostname, with the fully qualified Dynamic DNS name,
e.g. vpnoffice.dyndns.biz
Go to Security Policy and select the following settings:
Aggressive Mode
Enable PFS
Diffie-Hellman Group 2
Enable replay detection
Go to My Identity and set the following:
Select Certificate: None
ID Type: Domain Name (the value must exactly match the Remote IPSEC
identifier as set on the router, e.g. vpnclient1 in our case)
Virtual Adapter: disabled
Internal Network IP: must match the Remote LAN start IP address set on
the router, which is 192.168.100.1 in our case
Internet Interface: Any
Click the preshared key button and set it exactly as it was set on the
router, e.g. officevpn!#$12.
Expand Security Policy, then expand Authentication and verify the
following settings:
Authentication Method: Preshared Key
Triple DES
SHA-1
Unspecified
Diffie-Hellman Group 2
Expand Key Exchange and select policy 1:
Unspecified
None
Triple DES
SHA-1
Tunnel
Save the settings, then deactivate and reactivate the policy.
Connect and try to ping the VPN LAN router, 192.168.1.1 in our case.
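
An added consistency check, not from the original notes and not a
Netgear tool: the router policy and the Prosafe client policy are
entered on two different screens with differently named fields, and a
tunnel that never comes up is usually a value that differs on one side
(the identifiers and the preshared key are compared case sensitively).
The two dictionaries below model the screens with the example values
above; because the client's secure gateway identity must match the
router's Local IPSEC identifier, the example assumes one name,
office.dyndns.biz, on both sides. The dictionary keys are this
example's own names, not labels from either product.

```python
import ipaddress

# Constructed model of the FVM318 VPN Settings page (values from the notes).
ROUTER_POLICY = {
    "local_ipsec_identifier": "office.dyndns.biz",
    "remote_ipsec_identifier": "vpnclient1",
    "remote_lan_start_ip": "192.168.100.1",
    "lan_subnet": "192.168.1.0/24",
    "secure_association": "Aggressive Mode",
    "pfs": True,
    "encryption": "3DES",
    "key_group": "Diffie-Hellman Group 2",
    "preshared_key": "officevpn!#$12",
}

# Constructed model of the Prosafe client policy (values from the notes).
CLIENT_POLICY = {
    "remote_party_subnet": "192.168.1.0",
    "remote_party_mask": "255.255.255.0",
    "gateway_id": "office.dyndns.biz",       # Secure Gateway Tunnel, ID Type Domain Name
    "my_identity_id": "vpnclient1",          # My Identity, ID Type Domain Name
    "internal_network_ip": "192.168.100.1",  # My Identity, Internal Network IP
    "mode": "Aggressive Mode",
    "pfs": True,
    "dh_group": "Diffie-Hellman Group 2",
    "phase1_encryption": "Triple DES",       # Authentication proposal
    "phase2_encryption": "Triple DES",       # Key Exchange proposal 1
    "preshared_key": "officevpn!#$12",
}


def norm_cipher(value):
    """The router writes '3DES' where the client writes 'Triple DES'."""
    return {"triple des": "3des"}.get(value.strip().lower(), value.strip().lower())


def loose(value):
    """Labels such as the mode or DH group may differ only in case/spacing."""
    return " ".join(value.split()).lower()


# (router field, client field, normaliser). None means exact, case-sensitive
# comparison: identities and the preshared key are matched byte for byte.
PAIRS = [
    ("local_ipsec_identifier", "gateway_id", None),
    ("remote_ipsec_identifier", "my_identity_id", None),
    ("remote_lan_start_ip", "internal_network_ip", None),
    ("preshared_key", "preshared_key", None),
    ("secure_association", "mode", loose),
    ("pfs", "pfs", None),
    ("key_group", "dh_group", loose),
    ("encryption", "phase1_encryption", norm_cipher),
    ("encryption", "phase2_encryption", norm_cipher),
]


def find_mismatches(router, client):
    """Return one line per field that would stop the tunnel from negotiating."""
    issues = []
    for rkey, ckey, norm in PAIRS:
        rv, cv = router[rkey], client[ckey]
        if norm is not None:
            rv, cv = norm(rv), norm(cv)
        if rv != cv:
            issues.append(f"{rkey}={router[rkey]!r} on router but {ckey}={client[ckey]!r} on client")
    # The client's remote party subnet+mask must describe the router's LAN.
    client_net = ipaddress.ip_network(f"{client['remote_party_subnet']}/{client['remote_party_mask']}")
    if client_net != ipaddress.ip_network(router["lan_subnet"]):
        issues.append(f"client remote party {client_net} is not the router LAN {router['lan_subnet']}")
    return issues


if __name__ == "__main__":
    print(find_mismatches(ROUTER_POLICY, CLIENT_POLICY) or "router and client agree")
    # A capitalisation slip in the client identity is enough to break the tunnel.
    typo = dict(CLIENT_POLICY, my_identity_id="VPNClient1")
    print(find_mismatches(ROUTER_POLICY, typo))
```

When a new user's tunnel will not negotiate, fill in the two dictionaries
from what is actually on each screen; the output names the first field
to correct.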
We found that the first connection sometimes does not work; we worked
around this by using the router diagnostics to ping the 192.168.100.1
address, and once connected we created a script on a server behind the
office router to ping the remote users as a keepalive.
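
One way to write that keepalive, as an added example rather than the
script the author used: from a host behind the office router it pings
every policy's Remote LAN start IP (the address each client holds
inside its tunnel) on a fixed interval, so each tunnel carries regular
traffic and a user whose tunnel has gone quiet shows up in the log.
The address list is constructed (192.168.100.1 from the notes,
192.168.101.1 assumed for a second user); the ping flags assume
Windows ping.exe or Linux iputils ping.

```python
import platform
import subprocess
import time

# Constructed: one "Remote LAN start IP address" per VPN policy on the FVM318.
# 192.168.100.1 is from the notes; 192.168.101.1 is an assumed second user.
REMOTE_TUNNEL_IPS = ["192.168.100.1", "192.168.101.1"]


def ping_command(host, timeout_s=2):
    """One-packet ping; Windows ping.exe takes -n/-w (ms), iputils takes -c/-W (s)."""
    if platform.system() == "Windows":
        return ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    return ["ping", "-c", "1", "-W", str(timeout_s), host]


def ping_once(host, timeout_s=2):
    """True if the host answered; False on no reply, a missing ping binary, or a hang."""
    try:
        done = subprocess.run(ping_command(host, timeout_s), stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def keepalive_round(hosts, pinger=ping_once):
    """Ping each tunnel address once and return {host: reachable}."""
    return {host: bool(pinger(host)) for host in hosts}


def run_keepalive(hosts, interval_s=60, rounds=None, pinger=ping_once, log=print):
    """Loop forever (rounds=None) or for a fixed number of rounds; return the last results."""
    results = {}
    done = 0
    while rounds is None or done < rounds:
        results = keepalive_round(hosts, pinger)
        down = sorted(h for h, ok in results.items() if not ok)
        log(f"{time.strftime('%Y-%m-%d %H:%M:%S')} up={len(hosts) - len(down)} down={down}")
        done += 1
        if rounds is None or done < rounds:
            time.sleep(interval_s)
    return results


if __name__ == "__main__":
    run_keepalive(REMOTE_TUNNEL_IPS, interval_s=60)
```

Run it as a scheduled task or service on a machine on the 192.168.1.0
LAN; the `pinger` parameter is there so the round logic can be exercised
without sending packets, and the one log line per round is enough to see
which tunnels have dropped.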