Follow these procedures to configure a VPN tunnel between a NETGEAR ProSafe VPN Client and a FVL328 (or a FVS328) router. This works for either a dial-up or a permanent Internet connection.

• This is tested with FVL328 router firmware 1.5 release 9 and Netgear VPN client software version 10.
• This also tested with FVS328 firmware 1.0 and Netgear VPN client software version 10.
• Earlier versions of these routers' firmware work similarly.

Before starting, collect this information:

• Your routers's WAN IP or the Fully Qualified Domain Name (FQDN) of your router’s WAN IP address. Find this by clicking Maintenance > Router Status. If your router has a dynamic WAN IP address, configure the Dynamic DNS setting under the Advanced menu. Otherwise, the next time your router’s WAN IP address changes, the VPN client won’t be able to connect.
  
• The Local IP address of your LAN. For example, 192.168.0.0 is the factory default address of your LAN for the router. You can find the LAN IP address of your router by clicking Advanced > LAN IP Setup.
  
• Remote IP address. This is the virtual IP address the VPN client gets when it connects to the router. It can be any IP address other than the LAN IP address.

To Configure the Router

1. Log in to the FVL328 (or FVS328) gateway.
2. Set IKE Policies: Click VPN > IKE Policies. Then click Add on the IKE Policies Menu.
   1. Enter any descriptive name for the policy in the Policy Name textbox. It's used to help you manage the IKE polices. For our example, we chose VPNClient.
   2. Select Direction/Type > Remote Access.
   3. Select Exchange Mode > Aggressive Mode.
   4. From the Local Identity Type drop down, you can select WAN IP Address or Fully Qualified Domain Name. If you select Fully Qualified Domain Name, make sure your FQDN does resolve to your WAN IP address.
   5. Also, if you select Fully Qualified Domain Name, enter your FQDN in Local Identity Data.
   6. Select Remote Identity Type > Fully Qualified Domain Name.
   7. Enter any descriptive name in Remote Identity Data.

      The same name must be used when you configure the VPN client software.

   8. Under the IKE SA Parameters, choose an encryption algorithm (in the example 3DES) and an authentication algorithm (in the example MD5).

      You need to select the same algorithms when you configure the VPN client software.

   9. Choose Pre-shared Key for authentication method and enter a key.

      The same key must be used when you configure the VPN client software.

   10. Select Diffie-Hellman (DH) Group > Group2 (1024 Bits).
   11. Enter 180 for SA Life Time.
   12. Click Apply.

 

3. Set VPN Policies: Click VPN Policies under the VPN menu. Then click VPN Policies Menu > Add Auto Policy.

1. Enter any descriptive name for your VPN policy.
2. Choose the IKE policy you created above as the IKE policy.
3. Choose IP Address for the address type of the Remote VPN Endpoint.
4. For Address Data, enter 0.0.0.0.
5. Enter 300 seconds and 0 Kybtes for SA Life Time.
6. Check IPSec PFS and choose Group 2 (1024 Bit) for PFS Key Group.
7. Under Traffic Selector, choose Local IP > Subnet address and enter your LAN’s start IP address and the Subnet mask. That’s the IP and mask of your LAN IP address. You can look it up from the LAN IP Setup menu.
8. Choose Subnet address for Remote IP and enter an IP subnet that’s different than your LAN IP subnet. In the example, we enter 192.168.100.1 as the starting IP and 255.255.255.0 as the subnet mask.
9. Select ESP Configuration > Enable Encryption and choose an encryption algorithm.
10. Select Enable Authentication and choose an authentication algorithm.

    You need to choose the same encryption and authentication algorithms when configuring the VPN client software. We chose 3DES and MD5.

11. Click Apply.

Doc: n101418.asp Sept. 9, 2004