Summary of the content on page 1
Appendix B
NETGEAR VPN Configuration
DG834GSP to FVL328
This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR
DG834GSP to an FVL328. This case study follows the VPN Consortium interoperability profile
guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).
Configuration Profile
The configuration in this document follows the addressing and configuration mechanics defined
by the VPN Consortium. Gather all the necessary information before y
Summary of the content on page 2
Reference Manual for the ADSL Modem Wireless Router DG834GSP
Figure B-1. VPNC example network interface addressing: Gateway A (DG834G) has LAN 10.5.6.0/24, LAN IP 10.5.6.1 and WAN IP 14.15.16.17; Gateway B (FVL328) has LAN 172.23.9.0/24, LAN IP 172.23.9.1 and WAN IP 22.23.24.25.
Note: Product updates are available on the NETGEAR, Inc. web site at http://kbserver.netgear.com/DG834GSP.asp.
Step-By-Step Configuration
1. Configure the DG834GSP as in the Gateway-to-Gateway procedures using the VPN Wizard (see “How to Set Up a Gateway-to-Gat
Summary of the content on page 3
Click VPN Policies under Advanced - VPN to invoke this screen.
Figure B-2. VPN Policies screen showing the toFVL328 policy.
NETGEAR VPN Configuration B-3 v1.0, June 2007
Summary of the content on page 4
2. Configure the FVL328 as in the Gateway-to-Gateway procedures for the VPN Wizard (see “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 8-21), being certain to use appropriate network addresses for the environment.
a. In Step 1, enter toDG834 for the Connection Name
b. In Step 2, enter 14.15.16.17 for the remote WAN's IP address
c. In Step 3, enter the following:
• IP Address = 10.5.6.1
• Subnet Mask = 255.255.255.0
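Added example (not part of the NETGEAR manual): a gateway-to-gateway tunnel only comes up when each side's remote WAN address and remote LAN are the other side's own values, so the two wizard entries can be checked against each other before testing. The class and function names are hypothetical; the addresses are the ones used in this case study, and the mistyped entry is constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class GatewayPolicy:
    name: str           # Connection Name entered in the VPN Wizard
    wan_ip: str         # this gateway's own WAN address
    lan: str            # this gateway's LAN as "address/mask"
    remote_wan_ip: str  # peer WAN address entered in the wizard
    remote_lan: str     # peer LAN "address/mask" entered in the wizard

def network(value):
    """Reduce '10.5.6.1/255.255.255.0' to its network, 10.5.6.0/24."""
    return ipaddress.ip_network(value, strict=False)

def check_pair(a, b):
    """Return the mismatches between two gateway-to-gateway policies."""
    problems = []
    for local, peer in ((a, b), (b, a)):
        if ipaddress.ip_address(local.remote_wan_ip) != ipaddress.ip_address(peer.wan_ip):
            problems.append(f"{local.name}: remote WAN {local.remote_wan_ip} "
                            f"is not the peer's WAN {peer.wan_ip}")
        if network(local.remote_lan) != network(peer.lan):
            problems.append(f"{local.name}: remote LAN {network(local.remote_lan)} "
                            f"is not the peer's LAN {network(peer.lan)}")
    if network(a.lan).overlaps(network(b.lan)):
        problems.append("local LANs overlap, so tunnel traffic cannot be "
                        "told apart from local traffic")
    return problems

# Addresses from this case study (the VPNC profile values shown on the page).
DG834GSP = GatewayPolicy("toFVL328", "14.15.16.17", "10.5.6.1/255.255.255.0",
                         "22.23.24.25", "172.23.9.1/255.255.255.0")
FVL328 = GatewayPolicy("toDG834", "22.23.24.25", "172.23.9.1/255.255.255.0",
                       "14.15.16.17", "10.5.6.1/255.255.255.0")
# Constructed mistake: one octet mistyped in the remote LAN on the DG834GSP side.
MISTYPED = replace(DG834GSP, remote_lan="172.23.6.1/255.255.255.0")

if __name__ == "__main__":
    for label, left in (("as documented", DG834GSP), ("mistyped", MISTYPED)):
        found = check_pair(left, FVL328)
        print(label, "->", found or "policies mirror each other")
```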
Summary of the content on page 5
Figure B-3. FVL328 screens for the toDG834 policy: the IKE Policies screen (click IKE Policies under VPN to invoke this screen) and the VPN Policies screen (click VPN Policies under VPN to invoke this screen).
Summary of the content on page 6
3. Test the VPN tunnel by pinging the remote network from a PC attached to the DG834GSP.
a. Open the command prompt (Start -> Run -> cmd)
b. ping 172.23.9.1
Figure B-4
Note: The pings may fail the first time. If this happens, try the pings a second time.
DG834GSP with FQDN to FVL328
This appendix is a case study on how to configure a VPN tunnel from a NETGEAR DG834GSP to an FVL328 using a Fully Qualified Domain Name (FQDN) to resolve
Summary of the content on page 7
Table B-2. Profile Summary
VPN Consortium Scenario: Scenario 1
Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway)
Security Scheme: IKE with Preshared Secret/Key (not Certificate-based)
IP Addressing:
  NETGEAR-Gateway A: Fully Qualified Domain Name (FQDN)
  NETGEAR-Gateway B: FQDN
Figure (VPNC example network interface addressing): Gateway A LAN 10.5.6.0/24, LAN IP 10.5.6.1; Gateway B LAN 172.23.9.0/24, LAN IP 172.23.9.1; WAN IP dg834g.dyndns.o
Summary of the content on page 8
The Use of a Fully Qualified Domain Name (FQDN)
Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing. This means that a user’s IP address does not remain constant over time, which presents a challenge for gateways attempting to establish VPN connectivity. A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a
Summary of the content on page 9
3. On the DG834GSP, configure the Dynamic DNS settings.
a. Browse to the Dynamic DNS Setup Screen (see Figure B-6) in the Advanced menu.
Figure B-6
b. Configure this screen with appropriate account and hostname settings and then click Apply.
• Check the box Use a Dynamic DNS Service.
• Host Name = dg834g.dyndns.org
• User Name =
• Password =
c. Click Show Status. The resulting screen
Summary of the content on page 10
4. On the FVL328, configure the Dynamic DNS settings. Assume a properly configured DynDNS account.
a. Browse to the Dynamic DNS Setup Screen (see Figure B-8) in the Advanced menu.
Figure B-8
b. Select the DynDNS.org radio button (see Figure B-8), configure with appropriate account and hostname settings (see Figure B-9), and then click Apply.
• Host and Domain Name = fvl328.dyndns.org
• User Name =
• Password
Summary of the content on page 11
Figure B-9
c. Click Show Status. The resulting screen should show Update OK: good (see Figure B-10).
Figure B-10
Summary of the content on page 12
5. Configure the DG834GSP as in the Gateway-to-Gateway procedures using the VPN Wizard (see “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 8-21), being certain to use appropriate network addresses for the environment. The LAN Addresses used in this example are as follows:
Device      LAN IP Address   LAN Subnet Mask
DG834GSP    10.5.6.1         255.255.255.0
FVL328      172.23.6.1       255.255.255.0
a. In Step 1, enter toFVL328 for the Connectio
Summary of the content on page 13
Figure B-11
Note: The pings may fail the first time. If this happens, try the pings a second time.
Summary of the content on page 14
Configuration Summary (Telecommuter Example)
The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Assure that there are no firewall restrictio
Summary of the content on page 15
• Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter’s Home Office configures the NETGEAR ProSafe VPN Client endpoint.
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer’s Main Office
Follow this procedure to configure a client-to-gateway VPN tunnel by filling out the VPN Auto Policy screen.
1. Log in to the VPN router at its LAN address of http://10.1.1.1 wit
Summary of the content on page 16
fromDG834GSP (in the example)
Dynamic IP address
IKE Keep Alive is optional; must match Remote LAN IP Address when enabled (remote PC must respond to pings)
Subnet address
192.168.0.1 (in this example)
255.255.255.0
Single address
192.168.2.3 (in this example) (Remote NAT router must have Address Reservation set and VPN Passthrough enabled)
Main Mode
Fully Qualified Domain Name
fromDG834G.com (in this example)
Fully Qualified Domain Na
Summary of the content on page 17
2. Click Apply when done to get the VPN Policies screen.
Figure B-14
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit.
Summary of the content on page 18
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter’s Home Office
This procedure describes how to configure the 54 Mbps ADSL Modem Wireless Router Model DG834GSP. We will assume the PC running the client has a dynamically assigned IP address. The PC must have a VPN client program installed that supports IPSec (in this case study, the NETGEAR VPN ProSafe Client is used). Go to the NETGEAR website (
Summary of the content on page 19
b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears in the list of policies. Rename the New Connection so that it matches the Connection Name you entered in the VPN Settings of the DG834GSP on Gateway A.
Note: In this example, the Connection Name used on the client side of the VPN tunnel is to DG834GSP and it does not have to match the VPN_client Connection Name used on
Summary of the content on page 20
Figure B-16
c. Select Secure in the Connection Security check-box group.
d. Select IP Subnet in the ID Type menu.
e. In this example, type 10.1.1.1 in the Subnet field as the network address of the DG834GSP.
f. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the DG834GSP.
g. Select All in the Protocol menu to allow all traffic through the VPN tunnel.
h. Select the Connect using Secure Gateway Tunnel check box.
i. Se