Setting up VPN between Netgear VPN router and Windows 2000

Configuring VPN with a NETGEAR VPN Router and a Computer Running Windows 2000

In this example, the Windows 2000 workstation is behind a NAT router that uses a private IP. The NETGEAR VPN router and the NAT router have static WAN IPs. The Windows 2000 workstation also has a static private IP. The NAT router must support VPN passthrough.

If you leave the NAT router out of this configuration, see the special instructions at the end of this document.

Configuring the FVS318 or FVS318 Router (For FVS328, FVL328, FWAG114 and FWG114P, skip the next paragraph)

  1. Create a VPN policy. For Remote IPSec identifier, enter the WAN IP address of the NAT router. Perfect Forward Secrecy is Disabled.

Configuration for FVS328, FVL328, FWAG114 and FWG114P

  1. Create an IKE policy.

  2. Create a VPN policy. For IKE policy, choose the policy created in Step 1. For remote VPN endpoint, choose IP address and enter the WAN IP address of the NAT router. In the Traffic Selector section, for remote IP, choose Single address and enter the IP address of the Windows 2000 computer.

Configuring the Windows 2000 Computer

The IPSec policy is configured in the MMC.

  1. Start the MMC using Start > Run > secpol.msc.
  2. Right-click IP Security Policies on Local Machine and choose Create IP Security Policy.
  3. Go through the IP Security Policy Wizard. Click Next and type a policy name. Click Next.
  4. Deselect Activate the default response rule. Click Next. Leave Edit Policy checked. Click Finish.

  5. Click Add, type a descriptive name for the IP Filter List such as “Win2K to NETGEAR IP Filter List” and click Add.

  6. Choose A specific IP Subnet as Source address and enter the Windows 2000 system’s IP as IP address and 255.255.255.0 as subnet mask. Choose A specific IP Subnet as Destination address and enter the private subnet behind the NETGEAR router as IP address and subnet mask. Uncheck the box for Mirrored.

  7. Click OK, then Close.
  8. Click Filter Action > Add.
  9. Click General and enter a name for the Filter Action.
  10. Click Security Methods. Check Negotiate security. Leave all the check boxes unchecked. Click Edit.
  11. Choose Custom and click Settings. Check ESP and choose MD5 and 3DES as the integrity and encryption algorithms. Check the box for Generate a new key every and enter 3600 seconds. Click OK until you are back to Edit Rule Properties.

  12. Click Tunnel Setting and enter the WAN IP address of the NETGEAR router as “The tunnel endpoint is specified by this IP address”.

  13. Click Authentication Methods and click Edit. Click Use this string to protect the key exchange (Preshared key) and enter the preshared key. Click OK and then Close to get back to the security policy window.

  14. Click Add to create another security rule. This rule is for the opposite direction of the data flow. Enter a descriptive name for this new IP Filter List such as “Netgear to Win2K IP Filter List” and click Add.

  15. Choose A specific IP Subnet as Source address and enter the LAN IP network as the IP address and subnet mask. Choose A specific IP Address as Destination address and enter the Windows 2000 computer’s IP as IP address and subnet mask. Leave the Mirrored box unchecked and click OK and Close.

  16. Click Filter Action and choose the Filter Action you created in Step 8.

  17. Click Tunnel Setting and enter the Windows 2000 computer’s IP as “The tunnel endpoint is specified by this IP address”.

  18. Click Authentication Methods, click Edit and enter the same preshared key you used in Step 13. Click OK and OK.

  19. Click General > Advanced.

  20. Uncheck Master Perfect Forward Secrecy and click Methods.

  21. Click Edit.

  22. Choose MD5 as integrity algorithm, 3DES as encryption algorithm and Medium (2) as Diffie-Hellman Group. Click OK > OK > OK > Close until you get back to the Local Security Settings.

  23. Right-click the local security policy you just created and choose Assign to assign the security policy. The configuration is finished.
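
The two one-way rules built above can be cross-checked before the policy is assigned. The following Python check is an added example, not part of the NETGEAR article: it models both rules and reports where they disagree with the procedure. The `Rule` class, the `check_policy` function, the addresses and the key are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str              # filter source, "address/mask" as typed in the dialog
    dst: str              # filter destination, "address/mask"
    mirrored: bool
    tunnel_endpoint: str
    preshared_key: str
    filter_action: tuple = ("ESP", "MD5", "3DES", 3600)  # shared Filter Action

def net(spec):
    # strict=False accepts a host address combined with a subnet mask
    return ipaddress.ip_network(spec, strict=False)

def check_policy(out_rule, in_rule, win2k_ip, netgear_wan, netgear_lan):
    """Return a list of problems; an empty list means the rules match the procedure."""
    problems = []
    if net(out_rule.dst) != net(netgear_lan) or net(in_rule.src) != net(netgear_lan):
        problems.append("NETGEAR LAN subnet must be outbound destination and inbound source")
    if net(out_rule.src) != net(in_rule.dst):
        problems.append("inbound destination must equal outbound source")
    if ipaddress.ip_address(win2k_ip) not in net(out_rule.src):
        problems.append("outbound source does not cover the Windows 2000 IP")
    if out_rule.mirrored or in_rule.mirrored:
        problems.append("Mirrored must be unchecked on both filter lists")
    if out_rule.tunnel_endpoint != netgear_wan:
        problems.append("outbound tunnel endpoint must be the NETGEAR WAN IP")
    if in_rule.tunnel_endpoint != win2k_ip:
        problems.append("inbound tunnel endpoint must be the Windows 2000 IP")
    if out_rule.preshared_key != in_rule.preshared_key:
        problems.append("preshared keys differ between the two rules")
    if out_rule.filter_action != in_rule.filter_action:
        problems.append("both rules must use the same Filter Action")
    return problems

# Constructed sample values (not from the original page)
WIN2K_IP, NETGEAR_WAN, NETGEAR_LAN = "192.168.1.10", "203.0.113.1", "192.168.0.0/255.255.255.0"
WIN2K_FILTER = "192.168.1.10/255.255.255.0"
good_out = Rule("Win2K to NETGEAR", WIN2K_FILTER, NETGEAR_LAN, False, NETGEAR_WAN, "example-key")
good_in = Rule("NETGEAR to Win2K", NETGEAR_LAN, WIN2K_FILTER, False, WIN2K_IP, "example-key")
# Constructed mistake: the return rule reuses the NETGEAR WAN IP as its tunnel endpoint
bad_in = Rule("NETGEAR to Win2K", NETGEAR_LAN, WIN2K_FILTER, False, NETGEAR_WAN, "example-key")

if __name__ == "__main__":
    print(check_policy(good_out, good_in, WIN2K_IP, NETGEAR_WAN, NETGEAR_LAN))
    print(check_policy(good_out, bad_in, WIN2K_IP, NETGEAR_WAN, NETGEAR_LAN))
```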

Configuration with the VPN Terminating on a Windows 2000 Server with Two Interfaces Serving as a Router

Follow the above instructions, except:

  1. In Step 17, when defining the tunnel, use the WAN IP of the Windows 2000 server.
  2. In Steps 6 and 15, instead of using a single IP address and the IP of the Windows 2000 system, choose “A specific IP Subnet” and enter the network and subnet mask. In our example, we will use 100.1.1.0 as IP address and 255.255.255.0 as subnet mask.

Make sure your Windows 2000 server is configured to function as a router.

Refer to Microsoft or your documentation on how to set this up. Microsoft KB article 299810 describes setting up a Windows 2000 server.

Doc: N101485.asp June 23, 2005
