
VPN using 2 NETGEAR FVS318 Firewalls


altitudeman

Technical User
Jan 20, 2004
I have 2 FVS318 firewalls and need to create a vpn between the 2. I have established internet connectivity but do not know what settings to put in for the vpn. Both of these are using non fixed IP addresses. The internal IP addresses are 192.168.1.2 range. Can anybody help me out please as this is my first vpn using a hardware device.
 
Do a keyword search for the 318 in this forum, I have done this before and there was a pretty long discussion on that model here.

First, you must have a static way to reach both outside interfaces (look at DNS2GO or such so you can ALWAYS reach the other device by or something.) That or (better in most cases) get static IP's for both devices.
Second, you must have DIFFERENT IP sub-nets for the two ends. Read the manual carefully! There is one particular statement about where to enter the other router sub-net (I haven't got a manual in front of me or I'd try to be more clear...) this gives the device a way to route traffic from 192.168.1.2 to 192.168.2.2 without all those issues from having two hosts on the LAN with same IP address.

Those are the tips I can recall right now...sorry.

Alex
 
altitudeman,

Yes, we can help. 1st, what firmware version are you using? I've found version 1.4 to work excellently on the FVS318.

Like the previous post, you will need a way to make those dynamic addresses static or what I call pseudo static. I recommend Dyndns.org as you can select this option right in the router configuration. This way you know it will update correctly.

Also, place the LAN sides on different subnets. Easy to do. Do it like the previous post suggests.

Now you'll need to set up the VPN. Here's a setup you can follow.


Site 1 on with the LAN IP setup using DHCP. IP Range 192.168.1.1 thru 192.168.1.100

==================================
VPN Settings - Main Mode

Connection Name : VPNWORKS
Local IPSec Identifier : SITE1.DYNDNS.ORG
Remote IPSec Identifier : SITE2.DYNDNS.ORG

Tunnel can be accessed from: any local address

Local LAN start IP Address (nothing is entered here)
Local LAN finish IP Address (nothing is entered here)
Local LAN IP Subnetmask (nothing is entered here)

Tunnel can access: a subnet of remote address

Remote LAN start IP Address : 192.168.2.1
Remote LAN finish IP Address (nothing is entered here)
Remote LAN IP Subnetmask : 255.255.255.0

Remote WAN IP or FQDN : SITE2.DYNDNS.ORG
Secure Association : Main Mode
Perfect Forward Secrecy : Enabled
Encryption Protocol : DES
PreShared Key : XYZVPNKEY
Key Life Seconds : 3600 Seconds
IKE Life Time : 28800 Seconds
NETBIOS Enable




Site 2 on with the LAN IP setup using DHCP. IP Range 192.168.2.1 thru 192.168.2.100

==================================
VPN Settings - Main Mode

Connection Name : VPNWORKS
Local IPSec Identifier : SITE2.DYNDNS.ORG
Remote IPSec Identifier : SITE1.DYNDNS.ORG

Tunnel can be accessed from: any local address

Local LAN start IP Address (nothing is entered here)
Local LAN finish IP Address (nothing is entered here)
Local LAN IP Subnetmask (nothing is entered here)

Tunnel can access: a subnet of remote address

Remote LAN start IP Address : 192.168.1.1
Remote LAN finish IP Address (nothing is entered here)
Remote LAN IP Subnetmask : 255.255.255.0

Remote WAN IP or FQDN : SITE1.DYNDNS.ORG
Secure Association : Main Mode
Perfect Forward Secrecy : Enabled
Encryption Protocol : DES
PreShared Key : XYZVPNKEY
Key Life Seconds : 3600 Seconds
IKE Life Time : 28800 Seconds
NETBIOS Enable



It's really that simple.
 
Oh almost forgot. To initiate the VPN connection, just go into diagnostics and ping any remote LAN address. So from site 1, you could ping 192.168.2.1 or from site 2 ping 192.168.1.1

Now enjoy your VPN connection!!
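
Added example, not part of the original posts: a check that two tunnel definitions like the ones above mirror each other before they are typed into the routers. The dictionary field names ("wan", "lan" and so on) and the 20-character key threshold are assumptions made for this sketch, and the sample values are constructed from the settings in the post.

```python
import ipaddress

# Constructed from the two settings pages in the post above; "wan" and "lan"
# are assumed field names for each router's own DynDNS name and LAN subnet.
COMMON = {"mode": "Main Mode", "pfs": True, "cipher": "DES",
          "psk": "XYZVPNKEY", "key_life": 3600, "ike_life": 28800}
SITE1 = dict(COMMON, wan="site1.dyndns.org", lan="192.168.1.0/24",
             local_id="site1.dyndns.org", remote_id="site2.dyndns.org",
             remote_wan="site2.dyndns.org",
             remote_lan="192.168.2.1/255.255.255.0")
SITE2 = dict(COMMON, wan="site2.dyndns.org", lan="192.168.2.0/24",
             local_id="site2.dyndns.org", remote_id="site1.dyndns.org",
             remote_wan="site1.dyndns.org",
             remote_lan="192.168.1.1/255.255.255.0")

def check_pair(a, b):
    """Return the places where the two ends do not mirror each other."""
    problems = []
    for key in COMMON:  # the post enters the same values on both ends
        if a[key] != b[key]:
            problems.append(f"{key} differs between the two ends")
    for here, there, name in ((a, b, "first"), (b, a, "second")):
        if here["remote_id"].lower() != there["local_id"].lower():
            problems.append(f"{name} end: remote identifier is not the peer's local identifier")
        if here["remote_wan"].lower() != there["wan"].lower():
            problems.append(f"{name} end: remote WAN name is not the peer's name")
        # Start address plus mask, as typed into the router, names a subnet.
        remote = ipaddress.ip_network(here["remote_lan"], strict=False)
        if remote != ipaddress.ip_network(there["lan"]):
            problems.append(f"{name} end: remote LAN {remote} is not the peer's LAN")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append("LAN subnets overlap, so traffic cannot be routed into the tunnel")
    return problems

def weak_settings(cfg):
    """Flag choices that negotiate fine but weaken the tunnel."""
    notes = []
    if cfg["cipher"].upper() == "DES":
        notes.append("DES has a 56-bit key; pick a stronger cipher if the firmware offers one")
    if len(cfg["psk"]) < 20:  # assumed threshold for this sketch
        notes.append("pre-shared key is short; use a long random value")
    return notes

if __name__ == "__main__":
    print(check_pair(SITE1, SITE2) or "ends mirror each other")
    print(weak_settings(SITE1))
```

A misspelled peer hostname or two sites left on the same 192.168.1.x range shows up in check_pair, while weak_settings reports the DES and short-key choices in the sample configuration.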
 
Crabjoe,

That is exactly what everyone with a pair of FVS318 needs to know! (Here's my star...I hope it helped the original poster too!)

Thanks for filling in my blank memory (or is it ______ memory)

Alex
 
Alex it was no big deal, but thanks! Just wanted to be helpful as others were to me when I needed it.

Shoot just last month, I had no idea on how any of the Netgear VPN boxes worked and that was after reading Netgear's instructions.

 
Thank you both very much for your help and advice in this matter. I will try this on Monday and fingers crossed it will be okay, thanks again.
 
Hi Crabjoe and AlexIT

I have tried what you said and it seems okay on my end but now I am setting up the other end with a fixed IP. I have followed your suggestions in the basic settings but have changed the WAN IP to the fixed IP address. Once I have done this I cannot access the web but I can ping the fixed IP externally. Any ideas? Once this is sorted I feel sure I will be able to connect the VPN from the info you have already given me.

Please help if you can


Thanks
 
altitudeman,

What's your email addy? I'm not sure exactly what I can send you but if need be, I might be able to send you a set of config files, one for each end so you can see the setup.
 
I too am having trouble with setting up a VPN. Our main site has a fixed WAN IP address with the internal LAN set up as 206.94.181.xx (I do not know why this address was used). We are using w2k exchange server and all of our client PCs are w2k pro on and off site. Our remote site has a fixed WAN and uses an internal LAN of 192.168.2.xx. My home has a dynamic IP with a LAN of 192.168.0.xx. All are behind the FVS318 firewall. The remote site and main office are at version 1.0 firmware. I upgraded the home to version 1.4. I really want to be able to join the domain at the main office from home and the remote site but I am not sure how to go about it as far as what port #'s and other settings since version 1.4 is different than 1.0. Any help would be appreciated!
 
Thanks Crabjoe

My e-mail addy is jason@clubrunner.co.uk.

Thanks again.
 
I would recommend that all pieces have the same revision...I once shut down a client (whole company) because I flashed a new version in to the router (which "fixed" an AES key problem.)

Seems all the client drivers had the same AES problem too, and I had to install the new revision of client software on every PC (so that they were "fixed" too) to get them to re-connect to the secure LAN.

Also, I don't know if the FVS318 supports multiple simultaneous tunnels...have to look.

Alex
 
Is there anything special I need to know about joining the domain from both remote sites ie: ports in the firewall and the server itself? Thanks for all your help since I inherited this job at work!
 
The VPN occurs before/outside the firewall, that is there are no filters applied to the VPN connection - 100% open from ends, so you should be able to connect without any special settings.

Alex
 