Hub-and-Spoke VPN using NETGEAR VPN Firewalls


This article describes how to configure NETGEAR ProSafe VPN Firewalls in a hub-and-spoke VPN system, as might be used in a headquarters with many branch offices. Routers FVS318v2, FVS318v3, FVS338 and FVX538 are used with the firmware shown in the table below. The process applies generally to all NETGEAR VPN routers.

Hub-and-Spoke Example

In this example, three branch offices (the "spokes") connect to a central office (the "hub") over VPN links:

Each branch office makes a VPN connection to the central office. Over these VPN connections, the LAN computers at each branch office can reach the LAN computers at the central office and, through there, can reach the LAN computers at the other branch offices.

In this example, each LAN uses a private IP address in which the first two octets are the same for all four LANs (192.168.x.x). The third octet is different for each LAN. These are the WAN and the LAN addresses:

Router            Model      Firmware   WAN IP        LAN IP         LAN Netmask
Central (Hub)     FVX538     1.6.40     10.1.1.1      192.168.1.1    255.255.255.0
Branch 1 (Spoke)  FVS318v2   2.4        10.12.12.12   192.168.12.1   255.255.255.0
Branch 2 (Spoke)  FVS318v3   3.0_20     10.3.3.3      192.168.3.1    255.255.255.0
Branch 3 (Spoke)  FVS338     1.6.35     10.2.2.2      192.168.2.1    255.255.255.0

In each spoke router, you configure a VPN tunnel to the hub with a destination netmask of 255.255.0.0, indicating that all 192.168.x.x addresses can be reached through the tunnel to the hub. At the hub, we will configure separate tunnels to each spoke with destination netmasks of 255.255.255.0. The tunnels from the hub will have source netmasks of 255.255.0.0, indicating that hosts from any 192.168.x.x address can access the tunnel to the spoke.

Note that 192.168.10.x should not be used because this network is reserved for the FVX538's DMZ.
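As an added example (not from the NETGEAR article), the following Python models the traffic selectors described above using the addresses from the table: it traces which tunnels a packet from one branch to another traverses, and runs the address-plan checks a practitioner would want before deploying (every LAN inside the 192.168.0.0/16 summary, nothing on the FVX538's reserved 192.168.10.0/24 DMZ, no overlapping LANs). The site and tunnel names are labels chosen for this example.

```python
from ipaddress import ip_address, ip_network

# Site LANs taken from the article's table (site name -> LAN network).
SITES = {"hub": ip_network("192.168.1.0/24"), "branch1": ip_network("192.168.12.0/24"),
         "branch2": ip_network("192.168.3.0/24"), "branch3": ip_network("192.168.2.0/24")}
SUMMARY = ip_network("192.168.0.0/16")      # what the 255.255.0.0 selector covers
FVX538_DMZ = ip_network("192.168.10.0/24")  # reserved by the hub, per the article

def spoke_policies(name):
    # A spoke has one tunnel: local = its own /24, remote = the /16 summary.
    return [("toHub", SITES[name], SUMMARY)]

def hub_policies():
    # The hub has one tunnel per spoke: local = /16 summary, remote = that spoke's /24.
    return [(f"to{n}", SUMMARY, lan) for n, lan in SITES.items() if n != "hub"]

def select_tunnel(policies, src, dst):
    # Name of the first policy whose local/remote selectors match (src, dst), else None.
    for name, local, remote in policies:
        if src in local and dst in remote:
            return name
    return None

def site_of(addr):
    return next((n for n, lan in SITES.items() if addr in lan), None)

def trace(src, dst):
    # Tunnel names a packet from src to dst traverses; empty if it never enters a tunnel.
    src, dst = ip_address(src), ip_address(dst)
    origin = site_of(src)
    if origin is None or site_of(dst) in (None, origin):
        return []                          # unknown address or same-LAN traffic
    path = []
    if origin != "hub":                    # first hop: spoke -> hub
        t = select_tunnel(spoke_policies(origin), src, dst)
        if t is None:
            return path
        path.append(t)
    t = select_tunnel(hub_policies(), src, dst)   # second hop: hub -> destination spoke
    if t is not None:
        path.append(t)
    return path

def check_plan():
    # Pre-deployment checks: every LAN inside the summary, none on the DMZ, none overlapping.
    nets = list(SITES.items())
    problems = [f"{n}: {lan} outside {SUMMARY}" for n, lan in nets if not lan.subnet_of(SUMMARY)]
    problems += [f"{n}: {lan} collides with DMZ {FVX538_DMZ}" for n, lan in nets if lan.overlaps(FVX538_DMZ)]
    problems += [f"{a}/{b}: LANs overlap" for i, (a, la) in enumerate(nets) for b, lb in nets[i + 1:] if la.overlaps(lb)]
    return problems
```

A branch-to-branch packet shows up as two tunnel names (spoke to hub, then hub to the other spoke), which is exactly why the hub's local selector must be the /16 rather than its own /24.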


Configuring Branch 1: The FVS318v2 Spoke Router

To configure the tunnel to the hub from the FVS318v2, use the VPN Wizard to create the VPN policy.

  1. Go to the VPN Wizard menu and click Next to begin a new VPN policy.
  2. For Connection Name, type something descriptive such as toFVX.
  3. Enter the Pre-Shared Key to use between this router and the hub router.
  4. For the connection type, select A remote VPN Gateway.
  5. Click Next to go to Step 2.
  6. Enter the hub router's WAN IP address (or Fully Qualified Domain Name).
  7. Click Next to go to Step 3.
  8. Enter the hub router's LAN IP address and set the Subnet Mask to 255.255.0.0.
  9. Click Next to go to the Summary screen, then click Done to complete the policy.
  10. Go to the VPN Settings menu, select the policy you just created, and click Edit to examine the settings. The policy screen below appears, but with your IP addresses:

Configuring Branch 2: The FVS318v3 Spoke Router

To configure the tunnel to the hub from the FVS318v3, you can use the VPN Wizard to create the VPN policy.

  1. Go to the VPN Wizard menu and click Next to begin a new VPN policy.
  2. For Connection Name, type something descriptive such as toFVX.
  3. Enter the Pre-Shared Key to use between this router and the hub.
  4. For the connection type, select A remote VPN Gateway.
  5. Click Next to go to Step 2.
  6. Enter the hub router's WAN IP address (or FQDN).
  7. Click Next to go to Step 3.
  8. Enter the hub router's LAN IP address and set the Subnet Mask to 255.255.0.0.
  9. Click Next to go to the Summary screen, then click Done to complete the policy.
  10. The VPN Policies screen displays. Select the policy you just created, and click Edit to examine the settings. The policy screen below appears, but with your IP addresses:

  11. Go to the IKE Policies menu and select the policy you just created.
  12. Click Edit to examine the settings. The IKE policy screen below appears, but with your IP addresses:


Configuring Branch 3: The FVS338 Spoke Router

To configure the tunnel to the hub from the FVS338, follow the same steps as shown in the preceding section.


Configuring the Central Office: The FVX538 Hub Router

At the hub router, configure a tunnel to each of the three spoke routers. Use the VPN Wizard to create each VPN policy, then edit each policy with one change: under the Local IP Traffic Selector, change the Subnet Mask from 255.255.255.0 to 255.255.0.0. This is an example of creating the tunnel to Branch 2:

  1. Go to the VPN Wizard menu and click Next to begin a new VPN policy.
  2. For Connection Name use a descriptive name such as toFVS318v3.
  3. Enter the Pre-Shared Key to be used between this router and Branch 2.
  4. For the connection type, select A remote VPN Gateway.
  5. Click Next to go to Step 2.
  6. Enter the Branch 2 router's WAN IP address (or Fully Qualified Domain Name).
  7. Click Next to go to Step 3.
  8. Enter the Branch 2 router's LAN IP address and set the Subnet Mask to 255.255.255.0 (not 255.255.0.0).
  9. Click Next to go to the Summary screen, then click Done to complete the policy.
  10. The VPN Policies screen displays. Select the policy you just created, and click Edit.
  11. Under Traffic Selector, Local IP, change the Subnet Mask to 255.255.0.0. The policy screen below appears, but with your IP addresses:

  12. Go to the IKE Policies menu and select the policy you just created.
  13. Click Edit to examine the settings. The IKE policy below appears, but with your IP addresses:

  14. Repeat this procedure for each of the other two spokes.

Testing the Connection

  1. From a PC on the LAN of any branch, test by continuously pinging a PC on the central office's LAN. There should be a response within 30 seconds.
  2. From the same branch PC, test by continuously pinging a PC on the LAN of any other branch. There should be a response within 30 seconds.

(Note that the FVS318's VPN status does not change to 'active' until traffic has actually been sent across the VPN connection.)

Auth: M. Shields N101499.asp July 13, 2005
