NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an FVS318 or FVM318. This document follows the VPN Consortium interoperability guidelines. The configuration options and screens for the FVS318 and FVM318 are the same.

Configuration Summary

The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Assure that there are no firewall restrictions.
Table C-1. Configuration Summary Scenario 1 PC/Client-to-Gateway IKE with Preshared Secret/Key (not Certificate-based) November 2003
VPN Consortium Scenario: Type of VPN Security Scheme: Date Tested: Model/Firmware Tested: Gateway Client IP Addressing: Gateway Client
FVS318 firmware version 2.2 or FVM318 firmware version 1.1 NETGEAR ProSafe VPN Client v10.1
Fully Qualified Domain Name (FQDN) Dynamic
NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers 202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client

Network Addresses

Gateway LAN IP

192.168.0.1

WAN IP

FVSrouter.dydns.org FQDN

Client WAN IP
0.0.0.0 PC with Netgear ProSafe VPN client

FVS318

Figure C-1: Addressing and Subnets Used for Examples
The Use of a Fully Qualified Domain Name (FQDN)
Many ISPs provide connectivity to their customers using dynamic instead of static IP addressing. This means that a users IP address does not remain constant over time which presents a challenge for gateways attempting to establish VPN connectivity.
Note: This configuration case study is based on the FVS318 using FQDN. FQDN is the best option when the Internet connection for the FVS318 uses a dynamic IP configuration rather than a static IP configuration. However, the steps below can be used when the FVS318 has a static IP configuration as well.
A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a host name or domain name. It provides a central public database where information (such as email addresses, host names and IP addresses) can be stored and retrieved. Now, a gateway can be configured to use a 3rd party service in lieu of a permanent and unchanging IP address to establish bi-directional VPN connectivity. To use DDNS, you must register with a DDNS service provider. Example DDNS Service Providers include:
Reference Manual for the NETGEAR ProSafe VPN Client Table C-1.
Example DDNS Service Providers www.dyndns.org netgear.tzo.com ngddns.iego.net

DynDNS TZO.com ngDDNS

In this example, gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname FVSrouter.dyndns.org for gateway A using the DynDNS service. Client B will use the host name registered with the DDNS Service Provider for gateway A when establishing a VPN tunnel. In order to establish VPN connectivity, client B must be configured to use a DNS hostname provided by the Gateway A DDNS Service Provider. The following step-by-step procedures assume that you have already registered with a DDNS Service Provider and have the configuration information necessary to set up the gateway and client.

Note: Product updates are available on the NETGEAR Web site at www.netgear.com/support/main.asp. VPNC Interoperability guidelines can be found at http://www.vpnc.org/InteropProfiles/Interop-01.html.
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
Log in to the FVS318 gateway as in the illustration. Out of the box, the FVS318 or FVM318 is set for its default LAN address of http:// 192.168.0.1 with its default user name of admin and default password of password. For this example we will assume you set the local LAN address as 10.5.6.1 for the FVS318.
Click on the VPN Settings link on the left side of the main menu. For a FVS318: Click the radio button of the first available VPN tunnel. Click the Edit button below. This will take you to the VPN Settings Main Mode Menu. For a FVM318: Click Add. This will take you to the VPN Settings Main Mode Menu.
Figure C-2: NETGEAR FVS318 VPN Settings Main Mode
In the Connection Name box, enter in a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used VPNclient. Enter a Local IPSec Identifier for the NETGEAR FVS318 Gateway A. In this example we used FVSrouter.dyndns.org as the local identifier.
Note: It is critical that the information entered for the Local IPSec Identifier match exactly what you configure in the NETGEAR VPN Client ID Type menus. Please see Configure the Connection Network Settings. on page C-7 below.
Enter a Remote IPSec Identifier name for the remote NETGEAR VPN Client. In this example we used VPNclient as the remote identifier. Choose a subnet of local addresses from the Tunnel can be accessed from menu. Type the starting LAN IP Address of Gateway A (192.168.0.0 in our example) in the Local IP Local LAN start IP Address field. Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local LAN IP Subnetmask field. Choose A Single Remote Address from the Tunnel can access pull-down menu.
Figure C-3: NETGEAR FVS318 VPN Settings Main Mode C-4 NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers 202-10015-01
Type the IP Address of client B (0.0.0.0 in our example) in the Remote LAN Start IP Address field. Entering 0.0.0.0 as the Remote LAN Start IP Address tells the FVS318 to accept a connection from any IP address. This enables travelling users who will not know the IP address of their connection to use this tunnel. It also allows telecommuters who have a direct connection at their home with a dynamic IP address to use this tunnel.

Note: Entering 0.0.0.0 as the Remote LAN Start IP Address uses two of the available 8 FVS318 tunnels. If you wish to provide a tunnel for home users who are connecting through a home NAT router, use a reserved IP configuration for the PC on the home router. Specifying a reserved IP address for a PC on the home NAT router assures that PC will always receive the same IP address from the DHCP server in the home NAT router. In such a case, you would enter the reserved IP address of the PC for the Remote LAN Start IP Address. To avoid duplicate IP address conflicts, be sure the remote PC IP address is on a different subnet than the FVS318.
Leave the Remote WAN IP or FQDN address field blank.
Figure C-4: NETGEAR FVS318 VPN Settings Main Mode
From the Secure Association drop-down box, select Main Mode. Next to Perfect Forward Secrecy, select the Enabled radio button. From the Encryption Protocol drop-down box, select 3DES. In the PreShared Key box, type a unique text string to be used as the shared key between the FVS318 and the VPN client. In this example, we used hr5xb84l6aa9r6. You must make sure the key is entered correctly in both the gateway and the client. In the Key Life box, enter 28800 seconds. In the IKE Life Time, enter 86400 seconds.
Check the NETBIOS Enable box if you wish to pass NetBIOS traffic over the VPN tunnel, allowing functions such as Microsoft Network Neighborhood browsing.
Click Apply to save all changes. This will return you to the VPN Settings screen. When the screen returns to the VPN Settings, make sure the Enable checkbox is selected.
Step-By-Step Configuration of the NETGEAR VPN Client B
Note: The NETGEAR ProSafe VPN Client has the ability to Import a predefined configuration profile. The FVS318.SPD file on the NETGEAR ProSafe VPN Client Resource CD (230-10007-01) includes all the settings identified in this procedure.
Whenever importing policy settings, you should first export any existing settings you may have configured to prevent the new imported settings from replacing an existing working configuration. To import this policy, use the Security Policy Editor File menu to select Import Policy, and select the FVS318.SPD file at D:\Software\Policies where D is the drive letter of your CD-ROM drive. This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet using an FVS318 with a dynamic address and a dynamic DNS host name. The PC can be directly connected to the Internet through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically assigned IP address.

Install the NETGEAR VPN Client Software on the PC.
Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC.
You may need to insert your Windows CD to complete the installation. Reboot your PC after installing the client software.
Reference Manual for the NETGEAR ProSafe VPN Client 2.
Configure the Connection Network Settings.
Figure C-5: Security Policy Editor New Connection a.
Run the Security Policy Editor program and create a VPN Connection.
Figure C-6: Security Policy Editor Options menu
Note: If the configuration settings on this screen are not available for editing, go to the Options menu, select Secure, and Specified Options to enable editing of these settings. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears. Rename the New Connection to FVS318.
In this example, type 192.168.0.0 in the Subnet field. The network address is the LAN IP Address of the FVS318 with 0 as the last number.
Reference Manual for the NETGEAR ProSafe VPN Client c. d.
Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the FVS318 Assure that the following settings are configured: In the Connection Security box, Secure is selected In the ID Type menu, IP Subnet is selected In the Protocol menu, All is selected The Connect using Secure Gateway Tunnel checkbox is checked
In the ID Type menus, select Domain Name and Gateway Hostname. Enter the public FQDN of the FVS318 in the field directly below the ID Type menu. In this example, FVSrouter.dyndns.org would be used for both the Domain Name and Gateway Hostname.
Configure the Connection Identity Settings.
In the Network Security Policy list, click the My Identity subheading.
Figure C-7: Connection Identity b.

Click Pre-Shared Key.

In this example, enter this pre-shared key in this field: hr5xb84l6aa9r6
Figure C-8: Connection Identity Pre-Shared Key C-8 NETGEAR ProSafe VPN Client to NETGEAR FVS318 or FVM318 VPN Routers 202-10015-01
Reference Manual for the NETGEAR ProSafe VPN Client c.
Enter the same Pre-Shared Key used in the FVS318 VPN router. In this example, we used hr5xb84l6aa9r6.

Click OK.

Configure the Security Policy Settings.
In the Network Security Policy list, click the Security Policy subheading.
Figure C-9: Security Policy b.

For this example, assure that the following settings are configured: In the Select Phase 1 Negotiation Mode menu, select Main Mode. Check the Enable Perfect Forward Secrecy (PFS) checkbox. In the PFS Key Group drop-down list, Diffie-Hellman Group 2. Check the Enable Replay Detection checkbox.
Configure the Connection Security Policy In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange (Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.
Figure C-10: Connection Security Policy Authentication (Phase 1)
Configure the Authentication (Phase 1) Settings. Expand the Security Policy heading, then expand the Authentication (Phase 1) heading, and click on Proposal 1. For this example, assure that the following settings are configured: In the Encrypt Alg menu, select Triple DES. In the Hash Alg, select SHA-1. In the SA Life, select Unspecified. In the Key Group menu, select Diffie-Hellman Group 2.
Figure C-11: Connection Security Policy Key Exchange (Phase 2)
Configure the Key Exchange (Phase 2). Expand the Key Exchange (Phase 2) heading, and click on Proposal 1.
For this example, assure that the following settings are configured: In the SA Life menu, select Unspecified. In the Compression menu, select None. Check the Encapsulation Protocol (ESP) checkbox. In the Encrypt Alg menu, select Triple DES. In the Hash Alg, select SHA-1. In the Encapsulation menu, select Tunnel.
Configure the Global Policy Settings.
From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.
Figure C-12: Security Policy Editor Global Policy Options b. c. 6.
Increase the Retransmit Interval period to 45 seconds. Check the Allow to Specify Internal Network Address checkbox and click OK.
Save the VPN Client Settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN routers LAN.
Note: Whenever you make changes to a Security Policy, save them first, then deactivate the security policy, reload the security policy, and finally activate the security policy. This assures that your new settings will take effect.
Testing the VPN Connection
You can test the VPN connection in several ways: From the client PC to the FVS318 From the FVS318 to the client PC
These procedures are explained below.
Note: Virus protection or firewall software can interfere with VPN communications. Be sure such software is not running on the remote PC with the NETGEAR VPN Client and that the firewall settings of the FVS318 do not prevent VPN communications.

From the Client PC to the FVS318
To check the VPN Connection, you can initiate a request from the remote PC to the FVS318 by using the Connect option of the NETGEAR VPN Client popup menu.
Right-mouse-click on the system tray icon to open the popup menu.
Figure C-13: Connecting the PC the FVS318 over the VPN tunnel
Reference Manual for the NETGEAR ProSafe VPN Client 1. 2. 3.
Open the popup menu by right-clicking on the system tray icon. Select Connect to open the My Connections list. Choose FVS318. The NETGEAR VPN Client will report the results of the attempt to connect.
Once the connection is established, you can access resources of the network connected to the FVS318. Another method is to ping from the remote PC to the LAN IP address of the FVS318. To perform a ping test using our example, start from the remote PC:

1. 2. 3.

Establish an Internet connection from the PC. On the Windows taskbar, click the Start button, and then click Run. Type ping -t 192.168.0.1, and then click OK. This will cause a continuous ping to be sent to the first FVS318. After a period of up to two minutes, the ping response should change from timed out to reply. To test the connection to a computer connected to the FVS318, simply ping the IP address of that computer.
Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the FVS318, which is http://192.168.0.1 in this example. After a short wait, you should see the login screen of the FVS318.
From the FVS318 to the Client PC
You can use the FVS318 Diagnostic utilities to test the VPN connection from the FVS318 to the client PC. Run ping tests from the Diagnostics link of the FVS318 main menu.
Monitoring the VPN Connection from the PC
Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR VPN Client Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then either the Connection Monitor or Log Viewer. The Log Viewer screen for a successful connection is shown below:
Figure C-14: Log Viewer screen
A sample Connection Monitor screen for a different connection is shown below:
Figure C-15: Connection Monitor screen
In this example you can see the following: The FVS318 has a public IP WAN address of 66.120.188.147 The FVS318 has a LAN IP address of 192.168.100.0 The VPN client PC has a dynamically assigned address of 67.74.40.68
While the connection is being established, the Connection Name field in this menu will say SA before the name of the connection. When the connection is successful, the SA will change to the yellow key symbol shown in the illustration above.

Monitoring the VPN Connection from the FVS318
Information on the status of the VPN client connection can be viewed by opening the FVS318 VPN Status screen. To view this screen, click the Router Status link of the FVS318 main menu, then click the VPN Status button. The FVS318 VPN Status screen for a successful connection is shown below:
Figure C-16: FVS318 IPSec Connection Status screen
To view the FVS318 VPN log, click on the Router Status link on the left side of the main menu. Click the Show VPN Logs button. The FVS818 or FVM318 log files should be similar to the example below:
Thur, 11/13/2003 10:32:24 - FVS318 IPsec:Receive Packet address:0x13974d4 from 67.74.56.79 Thur, 11/13/2003 10:32:24 - FVS318 IPsec:New State index:1, sno:4 Thur, 11/13/2003 10:32:24 - FVS318 IPsec:quick_inI1_outR1() Thur, 11/13/2003 10:32:24 - FVS318 IKE:[vpnclient_tmp6] RX << QM_I1 : 67.74.56.79 Thur, 11/13/2003 10:32:24 - FVS318 IPsec:in get_ipsec_spi() spi=3834090c Thur, 11/13/2003 10:32:24 - FVS318 IKE:[ESP_3DES/AUTH_ALGORITHM_HMAC_SHA1/In SPI:3834090c,Out SPI:97baddc] Thur, 11/13/2003 10:32:24 - FVS318 IPsec:responding to Quick Mode Thur, 11/13/2003 10:32:24 - FVS318 IPsec:****Install INBOUND SA: Thur, 11/13/2003 10:32:24 - FVS318 IPsec: ESP(3DES-CBC SHA-1) Thur, 11/13/2003 10:32:24 - FVS318 IKE:[vpnclient_tmp6] TX >> QM_R1 : 67.74.56.79 Thur, 11/13/2003 10:32:24 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4 Thur, 11/13/2003 10:32:26 - FVS318 IPsec:Receive Packet address:0x13974d4 from 67.74.56.79 Thur, 11/13/2003 10:32:26 - FVS318 IPsec:quick_inI2() Thur, 11/13/2003 10:32:26 - FVS318 IKE:[vpnclient_tmp6] RX << QM_I2 : 67.74.56.79 Thur, 11/13/2003 10:32:26 - FVS318 IPsec:****Install OUTBOUNDSA: Thur, 11/13/2003 10:32:26 - FVS318 IPsec: ESP(3DES-CBC SHA-1) Thur, 11/13/2003 10:32:26 - FVS318 IKE:[vpnclient_tmp6] established with 67.74.56.79 successfully Thur, 11/13/2003 10:32:26 - FVS318 IPsec:inserting event EVENT_SA_EXPIRE, timeout in 28980 seconds for #4 Thur, 11/13/2003 10:32:26 - FVS318 IPsec:STATE_QUICK_R2: IPsec SA established End of Log ----------

Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328
This appendix provides a case study on how to configure a VPN tunnel between a NETGEAR FVS318 or FVM318 to a FWG114P v2 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. The configurations screens and settings for the FVS318 and FVM318 are the same.

Configuration Template

The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.
Table H-1. Summary Scenario 1 LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway) IKE with Preshared Secret/Key (not Certificate-based) December 2003
VPN Consortium Scenario: Type of VPN Security Scheme: Date Tested: Model/Firmware Tested: NETGEAR-Gateway A NETGEAR-Gateway B IP Addressing: NETGEAR-Gateway A NETGEAR-Gateway B
FVS318 firmware version A1.4 or 2.0; FVM318 firmware version 1.1 FVS328 with firmware version 1.0 Release 00
Fully Qualified Domain Name (FQDN) Static IP address H-1
NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 Version V2.2, July 2005
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2
Figure H-1: Addressing and Subnet Used for Examples
Using DDNS and Fully Qualified Domain Names (FQDN)
Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing. This means that a users IP address does not remain constant over time, which presents a challenge for gateways attempting to establish VPN connectivity. A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a host or domain name. It provides a central public database where information (such as e-mail addresses, host names and IP addresses) can be stored and retrieved. Now, a gateway can be configured to use a 3rd party service in lieu of a permanent and unchanging IP address to establish bi-directional VPN connectivity. To use DDNS, you must register with a DDNS service provider. Example DDNS Service Providers include:

Table H-1.

Example DDNS Service Providers www.dyndns.org netgear.tzo.com ngddns.iego.net

DynDNS TZO.com ngDDNS

In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname netgear.dyndns.org for Gateway A using the
DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel. In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider. Again, the following step-by-step procedures assume that you have already registered with a DDNS Service Provider and have the configuration information necessary to set up the gateways.
Step-By-Step Configuration of FVS318 or FVM318 Gateway A
Log in to the FVS318 or FVM318 labeled Gateway A as in the illustration. Out of the box, the FVS318 or FVM318 is set for its default LAN address of http://192.168.0.1, with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 10.5.6.1 for Gateway A and have set your own password.
Click Dynamic DNS on the left side of the Settings management GUI. Access the Web site of one of the dynamic DNS service providers whose names appear in the Use a dynamic DNS service list, and register for an account. For example, for dyndns.org, click the link or go to www.dyndns.org.
Figure H-2: Dynamic DNS Setup menu NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVS328 Version V2.2, July 2005 H-3
Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2 4.
Select the Use a dynamic DNS service radio button for the service you are using. In this example we are using www.DynDNS.org as the service provider. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. In this example we are using dyndns.org as the domain suffix. Type the User Name for your dynamic DNS account. In this example we used netgear as the Host Name. This means that the complete FQDN we are using is netgear.dyndns.org and the Host Name is netgear. Type the Password (or key) for your dynamic DNS account.
Click Apply to save your configuration.
Note: The router supports only basic DDNS and the login and password may not be secure. If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Click VPN Settings on the left side of the Settings management GUI.
Figure H-3: NETGEAR FVS318 VPN Settings Pre-Configuration 7.
Click the radio button of first available VPN leg (all 8 links are available in the example). Click Edit. This will take you to the VPN Settings Main Mode Menu.
Figure H-4: NETGEAR FVS318 VPN Settings (part 1) Main Mode
In the Connection Name box, enter in a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVS328. Enter a Local IPSec Identifier name for the NETGEAR FVS318 Gateway A. This name must be entered in the other endpoint as Remote IPSec Identifier. In this example we used netgear.dyndns.org (the FQDN) as the local identifier. Enter a Remote IPSec Identifier name for the remote NETGEAR FVS328 Gateway B. This name must be entered in the other endpoint as Local IPSec Identifier. In this example we used 22.23.24.25 as the remote identifier. Choose a subnet from local address from the Tunnel can be accessed from pull-down menu. Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Local IP Local LAN start IP Address field. Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Local IP Local LAN finish IP Address field. Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local LAN IP Subnetmask field. Choose a subnet from local address from the Tunnel can access pull-down menu. Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field.
Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN Finish IP Address field. Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Remote LAN IP Subnetmask field. Type the WAN IP address (22.23.24.25 in our example) of Gateway B in the Remote WAN IP or FQDN field.
Figure H-5: Figure 4 NETGEAR FVS318 VPN Settings (part 2) Main Mode
From the Secure Association drop-down box, select Main Mode. Next to Perfect Forward Secrecy, select the Enabled radio button. From the Encryption Protocol drop-down box, select 3DES. In the PreShared Key box, type a unique text string to be used as the shared key between Gateway A and Gateway B. In this example we used hr5xb84l6aa9r6. You must make sure the key is the same for both gateways. In the Key Life box, enter in 3600 seconds. In the IKE Life Time, enter 28800 seconds. Check the NETBIOS Enable box if you wish to pass NetBIOS traffic over the VPN tunnel, allowing functions, such as Microsoft Network Neighborhood browsing.
Click the Apply button in the lower center of the screen to save all changes and return to the VPN Settings screen. When the screen returns to the VPN Settings, make sure the Enable check box is selected.

Step-By-Step Configuration of FVS328 Gateway B
Log in to the NETGEAR FVS328, labeled Gateway B in the illustration. Out of the box, the FVS328 is set for its default LAN address of http://192.168.0.1, with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 172.23.9.1 for Gateway B.
Click IKE Policies link under the VPN category and click Add on the IKE Policies Menu.
Figure H-6: NETGEAR FVS328 IKE Policy Configuration Part 1
Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE policies. In our example we have used FVS318 as the Policy Name. In the Policy Name field type FVS318. From the Direction/Type drop-down box, select Both Directions. From the Exchange Mode drop-down box, select Main Mode. From the Local Identity drop-down box, select WAN IP Address (WAN IP address will automatically be populated into the Local Identity Data field after policy is applied). From the Remote Identity drop-down box, select Fully Qualified Domain Name. Type the FQDN (netgear.dnydns.org in our example) in the Remote Identity Data field.
Figure H-7: NETGEAR FVS328 IKE Policy Configuration Part 2
From the Encryption Algorithm drop-down box, select 3DES. From the Authentication Algorithm drop-down box, select MD5. From the Authentication Method radio button, select Pre-shared Key. In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the same for both gateways. From the Diffie-Hellman (DH) Group drop-down box, select Group 1 (768 Bit). In the SA Life Time field, type 28800.
Click Apply. This will bring you back to the IKE Policies Menu.
Figure H-8: NETGEAR FWG114P v2 IKE Policies (Post Configuration)
The FVS318 IKE Policy is now displayed in the IKE Policies page.
Click the VPN Policies link under the VPN category on the left side of the Settings management GUI. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN Auto Policy.
Figure H-9: NETGEAR FVS328 VPN Auto Policy (part 1)
Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy Name field type to318. From the IKE policy drop-down box, select the IKE Policy that was set up in the earlier step the FVS318 IKE Policy. From the Remote VPN Endpoint Address Type drop-down box, select IP Address. Type the WAN IP Address of Gateway A (14.15.16.17 in our example) in the Remote VPN Endpoint Address Data field. Type 300 in the SA Life Time (Seconds) field. Type 0 in the SA Life Time (Kbytes) field. Check the IPSec PFS check box. From the PFS Key Group drop-down box, select Group 2 (1024 Bit). From the Traffic Selector Local IP drop-down box, select Subnet address. Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Start IP Address field. Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Finish IP Address field. Type the LAN Subnet Mask of Gateway B (255.255.255.0 in our example) in the Local IP Subnet Mask field.

Figure H-10: NETGEAR FVS328 VPN Auto Policy (part 2)
From the Traffic Selector Remote IP drop-down box, select Subnet address. Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address field. Type the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Remote IP Finish IP Address field. Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Remote IP Subnet Mask field. From the AH Configuration Authentication Algorithm drop-down box, select MD5. Select the Enable Encryption check box. From the ESP Configuration Encryption Algorithm drop-down box, select 3DES. Select the Enable Authentication check box. From the ESP Configuration Authentication Algorithm drop-down box, select MD5. Select the NETBIOS Enable check box.
Click the Apply Button. You will be taken back to the VPN Policies Menu page.
Figure H-11: NETGEAR FVS328 VPN Policies Menu (Post Configuration) 6.
When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button.

Test the VPN Connection

From a PC behind the NETGEAR FVS318 or FVM318 Gateway A, attempt to ping the remote FWG114P v2 Gateway B LAN Interface address (example address 172.23.9.1).
2. From the FVS318 or FVM318, click the Router Status link on the left side of the Settings management menu. Click the Show VPN Status button. This will take you to the IPSec Connection Status Screen. If the connection is functioning properly, the State fields will show Estab. 3. From the FVS328, click the VPN Status link under the VPN section of the main menu. The VPN Logs and status are displayed.