Client-to-Box VPN using Certificate Authentication
Page 1
Version 2.0 Using certificates as authentication method for VPN connections between Netgear ProSafe Routers and the ProSafe VPN Client This document describes how to use certificates as an authentication method when establishing a VPN Client-to-Box connection.
Client-to-Box VPN using Certificate Authentication
Page 5
For last, input the settings like instructed in client software. Change the whole filename after creating a certificate request instead. Next - Note: Do not change file extension in the screenshot. generate certificate request using Certificate Manager which is built-in functionality of Netgear's ProSafe VPN Client following these steps: First, click on 'Yes' when you get the file-based request prompt. Then, click on Request Certificate. Version 2.0 9-
Client-to-Box VPN using Certificate Authentication
Page 7
Virtual adapter should be specified as Distinguished Name. Version 2.0 14- Select the correct certificate, leave the ID Type as : "Required" to these steps: First, input your settings are input correctly in the same way that is instructed here and click on Edit Name. Verify your own details in this screen and click on the client. Create a new VPN connection according to allow using of virtual adapter interface on OK.
Client-to-Box VPN using Certificate Authentication
Page 9
Modify your router using VPN Wizard. 2. Create IKE and VPN policies on your IKE Policy according to the following way: Note: IP address ranges defined in the following settings: Version 2.0 Delete the VPN Policy, leaving the IKE policy. 3. 1. Create new record for Mode Config in : First, Second and Third Pool should be different than router's own LAN IP address range. 4.
Hub and Spoke VPN network using the VPN Prosafe Client
Page 1
... shows a typical scenario. Hub and Spoke VPN using the VPN Prosafe Client This document describes the steps to undertake in configuring a Hub-and-Spoke network over the Internet using VPNs (box-to-box and client-to any of the VPN Firewall/Router from firmware version 3.5.0.24 and above, and VPN clients from version 10.8.3 and above. The...
Hub and Spoke VPN network using the VPN Prosafe Client
Page 2
Table of Contents NETWORK SETUP...3 Physical setup...3 Logical setup ...3 Configuration of VPN policies on the Firewall/Routers 4 FVX538 VPN Config (Policy name: BoxtoBox 4 FVS338 VPN Config (Policy name: BoxtoBox 4 FVX538 VPN Config (Policy name: LAN1toVPN 5 FVX538 VPN Config (Policy name: LAN2Client 6 FVS338 VPN Config (Policy name: LAN2Client 6 VPN client configuration 7 Testing the connection ...8 Version 1.0
Hub and Spoke VPN network using the VPN Prosafe Client
Page 3
NETWORK SETUP Physical setup FVX538 connected to the Internet via a modem or modem/router FVS338 connected to the Internet via a modem or modem/router VPN Client PCs connected Wireless/Wired to the Internet (via a LAN allowing IPSEC traffic) Logical setup FVX538 LAN IP: 172.22.101.101/24 DHCP: 172.... using the IKE policy used for the box-to-box connection to allow the FVS338 to connect to the VPN clients (Policy name: LAN2toClient) VPN Client - 1x Policy connecting to the Public address of the FVS338 specifying as the IP range for the Remote party 172.22.0.0 mask 255.255.0.0 (...
Hub and Spoke VPN network using the VPN Prosafe Client
Page 4
Click on Apply FVS338 VPN Config (Policy name: BoxtoBox) Access the VPN Wizard via the VPN configuration page. Configure the Connection name (for admin reasons this will match the FVS338 box as BoxtoBox). Click on Apply Version 1.0 Input the... and the LAN details (the Remote LAN IP address is intended as the subnet address). Configuration of VPN policies on the Firewall/Routers FVX538 VPN Config (Policy name: BoxtoBox) Access the VPN Wizard via the VPN configuration page. Configure the Connection name (for admin reasons this will match the other box as BoxtoBox). ...
Hub and Spoke VPN network using the VPN Prosafe Client
Page 5
Click on Apply Version 1.0 FVX538 VPN Config (Policy name: LAN1toVPN) Access the VPN Wizard via the VPN configuration page. Create a new VPN client policy named LAN1toVPN (with subnet mask 255.255.255.0 Click on Apply Edit the LAN1toVPN. Change the Local IP setting to any and the Remote IP to subnet, modifying the Start IP address to 192.168.0.0 with any pre-shared key) Take note of the Remote and Local identifier whether using the default ones or new ones.
Hub and Spoke VPN network using the VPN Prosafe Client
Page 6
... one of the FVS338 172.22.102.0/24 and the Remote IP subnet to be the LAN of the VPN clients as 192.168.0.0/24 and the Remote IP subnet to be the VPN clients one of the FVS338 as 172.22.102.0/24 Ensure that the Select IKE Policy is set... to BoxtoBox Click on Apply Version 1.0 In the VPN Policy section click on Add (this will create a new manual VPN policy which will use an existing IKE policy) Create a new VPN client policy named LAN2toClient Specify the Remote Endpoint IP address to be the Public address...
Hub and Spoke VPN network using the VPN Prosafe Client
Page 7
...the Phase 1 negotiation mode is set to match the VPN policy LAN1toVPN created on the FVX538 (12345678) Set the Virtual adapter as Required as specify a unique value for the Internal network IP address (this will be specified at the WAN address of the FVX538 in our case In My ...255.255.255.0 (this will address both Local Area Network #1 and Local Area Network #2 in our scenario. VPN client configuration This configuration requires advanced IP address planning. Create a new VPN client policy Specify the Remote Party ID type as IP Subnet and the subnet and mask as one subnet or...
Hub and Spoke VPN network using the VPN Prosafe Client
Page 8
Testing the connection VPN Client From the VPN client run ipconfig to confirm once the VPN is established that the Virtual adapter interface is assigned with the IP address specified in the policy (in this case 192.168.0.1) Test the VPN connection to both the FVX538 and FVS338 by pinging each box LAN IP address FVS338 From Monitoring, Diagnostic on the FVS338 ping the VPN client IP address 192.168.0.1 Version 1.0
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 1
... FVX538 #1. In this configuration, there is a gateway-to configure a Hub-and-Spoke VPN when one of the spokes is the NETGEAR VPN client. Procedure This procedure was developed and tested using: • NETGEAR FVX538 ProSafe VPN Firewall with the FVX538 router, firmware version 2.x and NETGEAR ProSafe® VPN client, version 10.7.2 (Build 12). It has been tested with version 2.x firmware o WAN1...
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 2
... is the LAN subnet behind FVX 538 #2. Create an IKE policy for VPN to address both Local Area Network #1 and Local Area Network #2 in Step 1. o WAN2 IP address subnet: 255.255.255.0 • NETGEAR ProSafe VPN client, version 10.7.2 (Build 12) o IP address: 192.168.1.100... IP Address Requirements This configuration requires advanced IP address planning. Configuring the Hub-and-Spoke VPN To configure the FVX538 #1 (the Hub): 1.
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 3
First create the IKE policy for the VPN client. 3. Create a VPN client policy.
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 4
For the local network, use the VPN client network defined in Step 3. For the remote network, use the same IKE policy created in the VPN client policy profile. In this example, 192.168.4.100. 5. Create the VPN policy that will allow the VPN client to be defined in Step 1. 4. The remote ...subnet is Any. Create a VPN policy using the IKE policy created in Step 4, 192....
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 5
... Identity and Addressing, define an object to access the network behind FVX538 #1 and FVX538 #2. Create an IKE policy to Create the second VPN policy to allow the VPN client to cover both LANs behind FVX538 #2. Use the same IKE policy that you created in Step 1. Configuring the... VPN Client Software To configure the VPN client software: 1. For the local subnet, use the LAN subnet behind FVX538 #2. For the remote subnet, use the LAN subnet behind FVX538 #1. 3. ...
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 6
...them, please refer to the FVX538. 3. Testing the Connection To test the connection: 1. November 27, 2006 Copyright © 2006 NETGEAR® Right-click the VPN client icon on the FVX538 #1, which is a successful connection to this document. Eventually the message will cover both the subnets behind FVX538...wants to configure two remote locations so their traffic goes through a central location instead of the configurations are the same as a standard VPN client configuration. 3. 192.168.2.254. Select Connect and choose the client policy that there is 192.168.4.100. Click on My ...
FVX538 Application Note Mode Config VPN Configuration
Page 1
...public IP address on the WAN interface or that the gateway device(s) have the correct port forwarding or DMZ configured so that port 500 UDP is a feature included in some of the Netgear Routers which allows the IP addressing of a VPN tunnel from ProSafe Client to allow VPN pass-through. NOTE: ...This document assumes that your FVX538v2, as well as how to configure the VPN Pro-Safe VPN client in order to FVX538v2 Router: Mode Config...
FVX538 Application Note Mode Config VPN Configuration
Page 2
Likewise for the client virtual adapters. (Note: DO NOT add IP addresses that you can add up to the VPN section and then select Mode Config. Notice that are all in use in use . Mode Config: To configure it 'll be used when the first ... we'll use the following settings: The first pool of the first pool are currently in any of the networks at either side of the VPN tunnel - FVX538v2 -