
In document "Fecha de impresión: 04 de Abril del" (pages 26-32)

Figure 6-6: LAN to LAN VPN access through an FVS318 to an FVS318

Follow this procedure to configure a VPN tunnel between two FVS318 VPN Firewalls. The worksheet below shows the settings for this example. A blank worksheet is provided on page 6-31.

Table 6-1. Sample Network to Network IKE VPN Tunnel Configuration Worksheet

IKE Security Association Settings

Connection Name: VPNAB

Pre-Shared Key: r>T(h4&3@#kB

Secure Association -- Main Mode or Aggressive Mode: Main

Perfect Forward Secrecy: Enabled

Encryption Protocol -- Null, DES, 3DES, or AES -128, -192, or -256: DES

Key Life in seconds: 3600 (1 hour)

IKE Life Time in seconds: 28800 (8 hours)

Network   Local IPSec ID   LAN IP Address   Subnet Mask     FQDN or Gateway IP (WAN IP Address)
LAN A     LAN_A            192.168.3.1      255.255.255.0   24.0.0.1
LAN B     LAN_B            192.168.0.1      255.255.255.0   10.0.0.1

1. Set up the two LANs to have different IP address ranges.

Note: The LAN IP address ranges of each connected network must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. This procedure uses the settings in the configuration worksheet above. A blank worksheet you can use to record your settings is provided on page 6-31.

a. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the LAN IP Setup link in the main menu Advanced section to display the LAN TCP/IP Setup menu shown below.

Figure 6-7: Configuring the Local LAN (A) via the LAN IP Setup Menu

b. For this example, configure the FVS318 settings on LANs A and B as follows:

Network Configuration Settings

Network   LAN IP Address   Subnet Mask     FQDN or Gateway IP (WAN IP Address)
LAN A     192.168.3.1      255.255.255.0   24.0.0.1
LAN B     192.168.0.1      255.255.255.0   10.0.0.1

Note: If port forwarding, trusted user, or static routes are set up, you will need to change these configurations to match the 192.168.3.x network as well.

c. Click Apply. Because you changed the Firewall’s IP address, you are now disconnected.

Reference Manual for the Model FVS318 Broadband ProSafe VPN Firewall

d. Reboot all computers on network A and log back in to FVS318 A at the new address of http://192.168.3.1. The network configuration should now look like this:

Figure 6-8: Network configuration

2. Configure the VPN settings on each FVS318.

a. From the main menu, click the VPN Settings link, click the radio button of the tunnel you will update, and click Edit to view the VPN Settings - Main Mode window:

Figure 6-9: VPN Settings - Main Mode IKE Edit menu

[Diagram: VPN Tunnel between FVS318 A (LAN A, LAN IP 192.168.3.1, WAN IP 24.0.0.1) and FVS318 B (LAN B, LAN IP 192.168.0.1, WAN IP 10.0.0.1), with the VPN settings shown as entered From FVS A and From FVS B]

b. For each FVS318, fill in the Connection Name VPN settings as illustrated above.

• The Connection Names can be the same: VPNAB

• Local IPSec Identifier in the FVS318 on LAN A: LAN_A

• Local IPSec Identifier in the FVS318 on LAN B: LAN_B

Note: The IPSec names must be unique in this VPN network.

• Remote IPSec Identifier in the FVS318 on LAN A: LAN_B

• Remote IPSec Identifier in the FVS318 on LAN B: LAN_A

• Remote LAN IP Address in the FVS318 on LAN A: 192.168.0.1 and Remote Subnet Mask in the FVS318 on LAN A: 255.255.255.0. This is the LAN IP Address and Subnet Mask of the FVS318 on LAN B.

Note: With these IP settings, using this VPN tunnel, you can connect to any device on LAN B. Alternatively, you can specify a single address, a subnet of local addresses, or a range of local addresses on LAN B, which will limit the VPN tunnel to connecting to just those devices. For example, you can specify the IP address of a single device on LAN B and a Subnet Mask of 255.255.255.255, which will limit the VPN tunnel to connecting to just that device.

• Remote LAN IP Address in the FVS318 on LAN B: 192.168.3.1 and Remote Subnet Mask in the FVS318 on LAN B: 255.255.255.0. This is the LAN IP Address for the FVS318 on LAN A.

• Remote WAN IP Address in the FVS318 on LAN A: 10.0.0.1. This is the WAN IP Address for the FVS318 on LAN B.

You can look up the WAN IP Address of the FVS318 on LAN B by viewing its WAN Status screen. When the FVS318 on LAN B is connected to the Internet, log in and click the Router Status link in its Maintenance menu. If the WAN Port DHCP field says “DHCP Client” or “PPPOE,” then it is a dynamic address. For a dynamic address, you would enter 0.0.0.0 in the configuration screen of the FVS318 on LAN A as the WAN IP Address for the FVS318 on LAN B. Alternatively, you could use the FQDN of the FVS318.

Note: If one FVS318 has a dynamic IP address and you do not use FQDN, that FVS318 must always initiate the connection.

• Remote WAN IP Address in the FVS318 on LAN B: 24.0.0.1. This is the WAN IP Address for the FVS318 on LAN A.


c. The IKE settings for each end point of the VPN tunnel must match exactly. To configure the IKE settings, enter the following settings in each FVS318:

• Enable Perfect Forward Secrecy.

• For Encryption Protocol, select: DES.

• Enter the Pre-Shared Key. In this example, enter r>T(h4&3@#kB as the Pre-Shared Key. With IKE, a pre-shared key that you make up is used for mutual identification. The Pre-Shared Key should be between 8 and 80 characters, and the letters are case sensitive. Entering a combination of letters, numbers and symbols, such as r>T(h4&3@#kB, provides greater security.

• Key Life - Default is 3600 seconds (1 hour).

• IKE Life Time - Default is 28800 seconds (8 hours). A shorter time increases security, but users will be temporarily disconnected upon renegotiation.

d. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.

e. Click Apply to save the Security Association tunnel settings into the table.

3. Check the VPN Connection

To check the VPN Connection, you can initiate a request from one network to the other. If one FVS318 has a dynamically assigned WAN IP address, you must initiate the request from that FVS318’s network. The simplest method is to ping the LAN IP address of the other FVS318.

a. Using our example, from a PC attached to the FVS318 on LAN A, on the Windows taskbar click the Start button, and then click Run.

b. Type ping -t 192.168.0.1, and then click OK.

c. This will cause a continuous ping to be sent to the first FVS318. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”

Figure 6-11: Ping test results

At this point the connection is established. Now that your VPN connection is working, whenever a PC on the second LAN needs to access an IP address on the first LAN, the Firewalls will automatically establish the connection.
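Most failed tunnels in this procedure come from the two worksheets not mirroring each other: overlapping LAN ranges (step 1), a Remote field that does not equal the peer's Local field (step 2b), or IKE settings that are not identical at both ends (step 2c). The following script is an added example, not part of the NETGEAR manual, that checks the Table 6-1 worksheet for exactly those rules before anything is typed into the firewalls; the dictionary layout and key names are this example's own, not the FVS318 menus.

```python
import copy
import ipaddress

# IKE settings from Table 6-1; both ends must use exactly these values.
IKE = {"mode": "Main", "pfs": True, "enc": "DES", "key_life": 3600,
       "ike_life": 28800, "psk": "r>T(h4&3@#kB"}

# Worksheet for the two FVS318 units (values from Table 6-1). The dict
# layout and key names are this example's own, not the FVS318 menus.
WORKSHEET = {
    "A": {"local_id": "LAN_A", "lan": "192.168.3.1", "mask": "255.255.255.0",
          "wan": "24.0.0.1", "remote_id": "LAN_B", "remote_lan": "192.168.0.1",
          "remote_mask": "255.255.255.0", "remote_wan": "10.0.0.1", "ike": dict(IKE)},
    "B": {"local_id": "LAN_B", "lan": "192.168.0.1", "mask": "255.255.255.0",
          "wan": "10.0.0.1", "remote_id": "LAN_A", "remote_lan": "192.168.3.1",
          "remote_mask": "255.255.255.0", "remote_wan": "24.0.0.1", "ike": dict(IKE)},
}


def variant(ws, side, **changes):
    """Copy of the worksheet with some fields of one end changed (for what-if checks)."""
    out = copy.deepcopy(ws)
    out[side].update(changes)
    return out


def check_tunnel(ws):
    """Return the list of rule violations; an empty list means the two ends agree."""
    a, b = ws["A"], ws["B"]
    problems = []
    # Step 1: the LAN ranges must differ (both on 192.168.0.x fails).
    net_a = ipaddress.ip_network(f"{a['lan']}/{a['mask']}", strict=False)
    net_b = ipaddress.ip_network(f"{b['lan']}/{b['mask']}", strict=False)
    if net_a.overlaps(net_b):
        problems.append("LAN A and LAN B address ranges overlap")
    # Step 2b: identifiers unique; each end's Remote fields describe the peer's Local ones.
    if a["local_id"] == b["local_id"]:
        problems.append("Local IPSec Identifiers are not unique")
    for side, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote_id"] != peer["local_id"]:
            problems.append(f"FVS318 {side}: Remote IPSec Identifier is not the peer's Local one")
        if (me["remote_lan"], me["remote_mask"]) != (peer["lan"], peer["mask"]):
            problems.append(f"FVS318 {side}: Remote LAN IP/Subnet Mask is not the peer's LAN")
        if me["remote_wan"] not in (peer["wan"], "0.0.0.0"):  # 0.0.0.0 = peer is dynamic
            problems.append(f"FVS318 {side}: Remote WAN IP is not the peer's WAN address")
    # Step 2c: IKE settings, Pre-Shared Key included, must match exactly.
    if a["ike"] != b["ike"]:
        problems.append("IKE settings differ between the two ends")
    if not 8 <= len(a["ike"]["psk"]) <= 80:
        problems.append("Pre-Shared Key must be 8 to 80 characters")
    return problems


def initiator(ws):
    """Which end must bring the tunnel up: the end its peer recorded as 0.0.0.0
    has a dynamic WAN address (no FQDN) and must always initiate the connection."""
    dynamic = [s for s, peer in (("A", "B"), ("B", "A")) if ws[peer]["remote_wan"] == "0.0.0.0"]
    return dynamic[0] if len(dynamic) == 1 else "either"
```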
