Hub-and-Spoke VPN using NETGEAR's VPN Client


A hub-and-spoke VPN allows sites to communicate with each other through a central hub site. See Hub-and-Spoke VPN for general instructions on a configuration that does not use the VPN Client.

This document describes how to configure a hub-and-spoke VPN when one of the "spokes" is the Netgear VPN client. It was tested with the FVX538 router, firmware version 1.6.44, and the Netgear ProSafe VPN client, version 10.5.1.

In this configuration, there is a gateway-to-gateway VPN tunnel between FVX538 #1 and FVX538 #2. By establishing a VPN connection to FVX538 #1, the software VPN client gains access to Local Area Network #2 behind FVX538 #2 through FVX538 #1.

This configuration requires advanced IP address planning. The VPN client policy needs to be able to address both Local Area Network #1 and Local Area Network #2 in the same client policy profile. Therefore, the two networks must be presentable as one subnet or one address range.

Hub-and-Spoke Example

In this example:

  • FVX538 #1: 10.1.1.2 (WAN IP); 192.168.1.0, subnet mask 255.255.255.0 (LAN IP)
  • FVX538 #2: 10.1.2.2 (WAN IP); 192.168.2.0, subnet mask 255.255.255.0 (LAN IP)
  • Netgear VPN client: N/A, mobile (WAN IP); 192.168.4.100 (internal network IP address)


You can create the IKE and VPN policies either by using the VPN wizard and then modifying them, or by creating them manually.

To Configure FVX538 #1 (The Hub)

  1. Create an IKE policy for VPN to FVX538 #2.

  2. Create a VPN policy using the IKE policy created in Step 1. The local IP subnet is the LAN subnet behind FVX538 #1. The remote IP subnet is the LAN subnet behind FVX538 #2.

  3. Create a VPN client policy. First create the IKE policy for the VPN client.

  4. Create a VPN policy using the IKE policy created in Step 3. The local subnet is “Any”. The remote subnet is the internal IP address to be defined in the VPN client policy profile. In our example, this is 192.168.4.100.

  5. Create the VPN policy that will allow the VPN client to access the network behind FVX538 #2. In the VPN policy, use the same IKE policy created in Step 1. For the local network, use the VPN client network defined in Step 4 – 192.168.4.0, subnet mask 255.255.255.0. For the remote network, use the network behind FVX538 #2 – 192.168.2.0, subnet mask 255.255.255.0.


To Configure FVX538 #2

  1. Create an IKE policy for the VPN to FVX538 #1.
  2. Create a VPN policy using the IKE policy created in Step 1. For the local subnet, use the LAN subnet behind FVX538 #2. For the remote subnet, use the LAN subnet behind FVX538 #1.
  3. Create a second VPN policy to allow the VPN client to access the network behind FVX538 #2. Use the same IKE policy created in Step 1. For the remote network, enter the network address being used by the VPN client – 192.168.4.0, subnet mask 255.255.255.0.

To Configure the VPN Client Software

  1. Create a new connection. Under Remote Party Identity and Addressing, define an object that covers both LANs behind FVX538 #1 and FVX538 #2. In our case, we select IP Address Range as the ID Type and enter an IP address range of 192.168.1.1 to 192.168.2.254. This covers both 192.168.1.0, subnet mask 255.255.255.0, and 192.168.2.0, subnet mask 255.255.255.0.
  2. Click on My Identity. For Internal Network IP Address, enter the same address used in the client VPN policy on FVX538 #1 – 192.168.4.100.
    The rest of the configuration is the same as for a standard VPN client. First, configure the Security Policy.
  3. Configure Authentication/Proposal 1.
  4. Configure Key Exchange/Proposal 1.
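
The address planning described above can be checked before any policy is entered. The following Python script is an added example, not NETGEAR's own tooling: it verifies that the client's IP address range covers every host on both LANs, and it reports any subnet the range would reach that is not one of the intended LANs. The function names, the second constructed plan and the choice of sanity checks are assumptions of this example.

```python
import ipaddress as ipa

def outside(block, lans):
    """Parts of a CIDR block that lie in none of the LANs."""
    parts = [block]
    for lan in lans:
        kept = []
        for p in parts:
            if p.subnet_of(lan):
                continue                              # fully inside an intended LAN
            if lan.subnet_of(p):
                kept.extend(p.address_exclude(lan))   # carve the LAN out of the block
            else:
                kept.append(p)                        # disjoint from this LAN
        parts = kept
    return parts

def check_plan(lans, range_first, range_last, client_ip, client_net):
    """Return a list of problems found in a hub-and-spoke address plan."""
    lans = [ipa.ip_network(n) for n in lans]
    first, last = ipa.ip_address(range_first), ipa.ip_address(range_last)
    client, client_net = ipa.ip_address(client_ip), ipa.ip_network(client_net)
    problems = []
    for lan in lans:
        # Every usable host address of each LAN must be inside the client's range.
        if not (first <= lan.network_address + 1 and lan.broadcast_address - 1 <= last):
            problems.append(f"range does not cover all hosts of {lan}")
        # The client's network must be distinct from every LAN it reaches.
        if client_net.overlaps(lan):
            problems.append(f"client network {client_net} overlaps {lan}")
    if client not in client_net:
        problems.append(f"{client} is not inside {client_net}")
    if first <= client <= last:
        problems.append(f"{client} falls inside its own remote range")
    # Anything in the range that belongs to no listed LAN is exposed unintentionally.
    extra = [e for b in ipa.summarize_address_range(first, last) for e in outside(b, lans)]
    problems += [f"range also exposes {n}" for n in ipa.collapse_addresses(extra)]
    return problems

# Values from this article's example.
PAGE_PLAN = dict(lans=["192.168.1.0/24", "192.168.2.0/24"],
                 range_first="192.168.1.1", range_last="192.168.2.254",
                 client_ip="192.168.4.100", client_net="192.168.4.0/24")
# Constructed counter-example: non-adjacent LANs force a range that spans a third subnet.
WIDE_PLAN = dict(PAGE_PLAN, lans=["192.168.1.0/24", "192.168.3.0/24"],
                 range_last="192.168.3.254")

if __name__ == "__main__":
    for name, plan in (("page", PAGE_PLAN), ("wide", WIDE_PLAN)):
        print(name, check_plan(**plan) or "OK")
```

The article's plan passes because its two LANs are adjacent; with non-adjacent LANs a single range also selects whatever lies between them, which is why the LAN numbering matters for this design.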

Testing the Connection

  1. Right-click the VPN client icon in the system tray. Select Connect and choose the client policy just created. A window pops up showing that the client is attempting to connect, and eventually shows that it has successfully connected to the FVX538.
  2. From the command prompt, you should be able to ping hosts on the subnets behind both FVX538 #1 and FVX538 #2.

N101545.asp Sept. 20, 2005

 

