Setting Up VPN Between Different Versions of FVS318 Router


If you are setting up VPN between two of the same versions of the FVS318, then use the instructions in the manual.

If setting up VPN between an FVS318v3 and either an FVS318v1 or FVS318v2, follow these instructions.

  • FVS318v1 serial numbers start with FVS8. These instructions were written for firmware version 2.4.
  • FVS318v2 serial numbers start with FVS1. These instructions were written for firmware version 2.4.
  • FVS318v3 serial numbers start with FVS9. These instructions were written for firmware version 3.0.20.

In this example, static WAN IP addresses are used on both the FVS318v3 and the FVS318v1/v2.

Setting up the FVS318v3

On the FVS318v3, click on IKE Policies on the left menu panel under VPN.

Click on the Add button to add a new IKE policy. The IKE Policy Configuration page will display.

a) Under General, enter a descriptive name for Policy Name. Select Both Directions for Direction/Type. Select Main Mode for Exchange Mode.

b) Under Local, select WAN IP Address for Local Identity Type.

c) Under Remote, select Remote WAN IP for Remote Identity Type.

d) Under IKE SA Parameters, select 3DES for Encryption Algorithm. Select SHA-1 for Authentication Algorithm. Select Pre-shared Key for Authentication Method and enter a character string as key. The same key has to be entered when configuring the FVS318v1/v2. Select Group 2 (1024 Bit) for Diffie-Hellman (DH) Group. Leave SA Life Time at 28800 (secs).

e) Click Apply.

Click on VPN Policies on the left menu panel under VPN.

Click on the Add Auto Policy button to add a new VPN policy. The VPN Policy Configuration page will display.

a) Under General, enter a descriptive name for Policy Name. Select the IKE policy created in the previous step for IKE Policy. Select IP Address as Address Type and enter the WAN IP address of the FVS318v1/v2 as Address Data for Remote VPN Endpoint. Enter 86400 (seconds) and 4194303 (Kbytes) as SA Life Time. Check the box to enable IPSec PFS and select Group 2 (1024 Bit) as PFS Key Group.

b) Under Traffic Selector, select Subnet address as Local IP and enter the LAN subnet address and subnet mask of the FVS318v3 as Start IP address and Subnet Mask.

Select Subnet address as Remote IP and enter the LAN subnet address and subnet mask of the FVS318v1/v2 as Start IP address and Subnet Mask.

c) Under ESP Configuration, check both boxes to Enable Encryption and Enable Authentication. Select 3DES as Encryption Algorithm and SHA-1 as Authentication Algorithm.

d) Check the NETBIOS Enable box.

e) Click Apply.

Setting up the FVS318v1 or v2

On the FVS318v1/v2, click on VPN Settings on the left menu panel.

Select one of the unused slots and click Edit. The VPN Settings page will display.

a) For Connection Name, enter a descriptive name.

b) For Local IPSec Identifier, enter the WAN IP address of the FVS318v1/v2.

c) For Remote IPSec Identifier, enter the WAN IP address of the FVS318v3.

d) Select a subnet of local address for Tunnel can be accessed from. Enter the FVS318v1/v2’s LAN IP subnet and subnet mask for Local LAN start IP Address and Local LAN IP Subnetmask.

e) Select a subnet of remote address for Tunnel can access. Enter the FVS318v3’s LAN IP subnet and subnet mask for Remote LAN start IP Address and Remote LAN IP Subnetmask.

f) Enter the FVS318v3’s WAN IP address for Remote WAN IP or FQDN.

g) Select Main Mode for Secure Association.

h) Select Enabled for Perfect Forward Secrecy.

i) Select 3DES for Encryption Protocol.

j) Enter the same pre-shared key used when setting up the FVS318v3 for PreShared Key.

Leave 28800 Seconds as Key Life.

Leave 86400 Seconds as IKE Life Time.

k) Click the box for NETBIOS Enable.

l) Click Apply.
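
The two procedures above only produce a tunnel if each router's settings mirror the other's. The following check is an added example, not NETGEAR code and not part of the original article: it compares the values entered on both sides and lists every mismatch. The dictionary field names, the sample addresses and the sample key are constructed for illustration, and static WAN IP addresses are assumed, as in the article's scenario.

```python
import hmac
import ipaddress

# Constructed sample values (documentation/private address ranges), not from the article.
V3 = {   # as entered on the FVS318v3 IKE Policy and VPN Policy pages
    "wan_ip": "203.0.113.10", "remote_endpoint": "198.51.100.20",
    "local_lan": ("192.168.0.0", "255.255.255.0"),
    "remote_lan": ("192.168.3.0", "255.255.255.0"),
    "exchange_mode": "main", "encryption": "3DES", "pfs": True,
    "psk": "Constructed-Key-01",
}
V1V2 = {  # as entered on the FVS318v1/v2 VPN Settings page
    "local_id": "198.51.100.20", "remote_id": "203.0.113.10",
    "remote_wan": "203.0.113.10",
    "local_lan": ("192.168.3.0", "255.255.255.0"),
    "remote_lan": ("192.168.0.0", "255.255.255.0"),
    "exchange_mode": "main", "encryption": "3DES", "pfs": True,
    "psk": "Constructed-Key-01",
}

def net(pair):
    """(start IP, subnet mask) -> network; host bits are masked off."""
    return ipaddress.ip_network("/".join(pair), strict=False)

def check_mirror(v3, old):
    """Return human-readable mismatches between the two routers' settings."""
    ip = ipaddress.ip_address
    checks = [
        (ip(old["local_id"]) == ip(v3["remote_endpoint"]),
         "v1/v2 Local IPSec Identifier is not the v3 Remote VPN Endpoint"),
        (ip(old["remote_id"]) == ip(v3["wan_ip"]),
         "v1/v2 Remote IPSec Identifier is not the v3 WAN IP"),
        (ip(old["remote_wan"]) == ip(v3["wan_ip"]),
         "v1/v2 Remote WAN IP is not the v3 WAN IP"),
        (net(old["local_lan"]) == net(v3["remote_lan"]),
         "v1/v2 local LAN does not match v3 Remote IP subnet"),
        (net(old["remote_lan"]) == net(v3["local_lan"]),
         "v1/v2 remote LAN does not match v3 Local IP subnet"),
    ]
    checks += [(v3[k] == old[k], f"{k} differs between routers")
               for k in ("exchange_mode", "encryption", "pfs")]
    problems = [msg for ok, msg in checks if not ok]
    # Pre-shared key: case sensitive; compared without ever printing it.
    a, b = v3["psk"].encode(), old["psk"].encode()
    if not hmac.compare_digest(a, b):
        suffix = " only in letter case" if a.lower() == b.lower() else ""
        problems.append("pre-shared key differs" + suffix)
    return problems
```

An empty list from check_mirror(V3, V1V2) means the two sides agree on every compared field.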

Testing the VPN

To test the VPN, from a system behind the FVS318v3, ping a system behind the FVS318v1/v2. Ping is a diagnostic tool for checking network connectivity, available on Microsoft Windows systems and other operating systems. On Microsoft Windows systems, open the command prompt and type “ping <ip address>”. In our example, type “ping 192.168.3.1”. If the VPN tunnel is up, ping should receive replies. The first few ICMP packets may be dropped, since it may take a few packets to establish the VPN tunnel. However, once the VPN tunnel is established, ping should receive replies consistently.

You can also check VPN status in the VPN status window.

(Note that the FVS318's VPN status does not change to 'active' until traffic has actually been sent across the VPN connection.)

From the FVS318v3, click on VPN Status on the left menu panel. The VPN Status/Log page will display. Click on the VPN Status button to show the VPN status window. The IPSec Connection Status window should show the VPN policy as established on both Phase 1 and Phase 2.

From the FVS318v1/v2, click on Router Status on the left menu panel. On the Router Status page, click on the Show VPN Status button. The Router VPN Status window will display. It should show the VPN policy as established on both Phase 1 (P1) and Phase 2 (P2).

Troubleshooting

1) If the VPN is not established, first make sure you have general network connectivity between the routers. Enable both routers to respond to ping on the Internet WAN port (FVS318v3 in the Rules menu, FVS318v1/v2 in the Ports menu), and make sure you can ping the WAN IP address of the FVS318v3 from the FVS318v1 and vice versa. If the router has a dynamic IP, make sure the IP specified in the VPN policy is the same IP currently assigned to the router’s WAN interface (from the Router Status menu). If you are using an FQDN in the VPN policy, make sure the FQDN resolves to the correct IP address.

Double check the VPN settings on both routers and make sure they match. Some parameters to check are the pre-shared key (it is case sensitive), the remote and local identifiers, the encryption and authentication algorithms, the exchange mode (main or aggressive mode), and PFS: if it is enabled on one side, it must be enabled on the other side.

2) If the VPN is shown as established but you cannot access a resource over the VPN tunnel, first make sure the resource you are trying to access is accessible from the router where the resource is located. Try pinging the resource from the Diagnostics page of the router where the resource is located. If you are using a name, try accessing it by IP address. Make sure the resource doesn’t have firewall software or an IP filter installed. If all else fails, try disabling PFS on the VPN policies (this must be done on both routers).

3) If you cannot ping the FVS318v3’s LAN interface IP from the LAN of the FVS318v1/v2 over the VPN, that is normal. Instead, use an IP address that belongs to a system on the LAN of the FVS318v3 for testing.

4) If you need to contact Netgear Technical Support for assistance, it is always helpful if you can provide the configuration files of the routers. From the Backup Settings menu, you can back up the router’s configuration into a file. To review the configuration file, we will need the password that was set on the router when the file was created, so make sure the router has a password you can tell us when you back up the configuration. If you have DHCP disabled in the router, you also need to provide us with the LAN IP address of the router.

Doc: N101479.asp June 7, 2005

 
   

