NETGEAR DGN2200v4 N300 Wireless ADSL2+ Modem Router User Manual
Virtual Private Networking
N300 Wireless ADSL2+ Modem Router DGN2200v4

Add or Edit a VPN Auto Policy

An Auto VPN policy uses the IKE (Internet Key Protocol) to exchange and negotiate parameters for the IPSec SA (security association). Because of this negotiation, not all of the settings on this VPN gateway have to match the settings on the remote VPN endpoint. Where settings have to match, this requirement is indicated.

To add an Auto policy:

1. Set the LAN IPs on each gateway to different subnets and configure each correctly for the Internet.
2. Select Advanced > Advanced - VPN > VPN Policies and click the Add Auto Policy button.
3. Specify the general settings:
   • In the Policy Name field, enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
   • From the Address Type list, select Fully Qualified Domain Name, Dynamic IP Address, or Fixed IP Address. You can set up multiple remote dynamic IP policies, but only one policy can be enabled at a time.
   • If you want to ensure that a connection is kept open, or, if that is not possible, it is quickly reestablished when disconnected, select the IKE Keep Alive check box and fill in the Ping IP Address field.
   • Fill in the Ping IP Address field. The ping IP address has to be associated with the remote endpoint. Either the WAN or a LAN address can be used; a LAN address is preferable. This IP address is pinged to generate some traffic for the VPN tunnel.
4. Specify the Local LAN settings:
   • From the IP Address list, select Subnet address, Single address, or Range address.
   • Fill in the Single/Start IP Address field.
   • If you are specifying a range, fill in the Finish IP Address field. This range must be an address range used on your LAN. For a single IP address, do not fill in the Finish IP Address field.
   The remote VPN endpoint must have these IP addresses entered as its remote addresses.
5. Specify the Remote LAN settings.
   • From the IP Address list, select Single PC -no Subnet, Single address, Range address, or Subnet address. If there is no LAN (only a single computer) at the remote endpoint, select the Single PC -no Subnet option. The Single address option is typically used to access a server on the remote LAN.
   • If you want to specify a range, fill in the Finish IP Address field. This range must be an address range used on the remote LAN.
   • Fill in the Subnet Mask field.
   The remote VPN endpoint must have these IP addresses entered as its local addresses.
6. Specify the IKE settings:
   • From the Direction list, select either Responder only or Initiator and Responder. The modem router uses this setting to determine if the IKE policy matches the current traffic. With the Responder only setting, incoming connections are allowed and outgoing connections are blocked. With the Initiator and Responder setting, both incoming and outgoing connections are allowed.
   • Ensure that the remote VPN endpoint is set to use Main Mode.
   • Select the Diffie-Hellman (DH) Group from the list. The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value needs to match the value used on the remote VPN gateway.
   • Select the local identity type. Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
     - WAN IP Address. Your Internet IP address.
     - Fully Qualified Domain Name. Your domain name.
     - Fully Qualified User Name. Your name, email address, or other ID.
   • Select the remote identity type.
     Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
     - IP Address. The Internet IP address of the remote VPN endpoint.
     - Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
     - Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.
7. Specify the following parameters:
   • Select the encryption algorithm. This is the encryption algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. DES and 3DES are supported.
     - DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
     - 3DES. (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
   • Select the authentication algorithm. This is the authentication algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
     - MD5. 128 bits, faster but less secure.
     - SHA-1. 160 bits, slower but more secure. This is the default.
   • Enter the pre-shared key. The key has to be entered both here and on the remote VPN gateway.
   • Enter the SA life time value. This value is the time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life time. This setting applies to both IKE and IPSec SAs.
   • If you want enhanced security, select the Enable IPSec PFS (Perfect Forward Secrecy) check box. If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.) This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.
8. Click Apply.
   The VPN Policies screen displays.
9. Repeat these steps for the gateway on LAN B. Pay special attention to the following network settings:
   • General, Remote Address Data (for example, 14.15.16.17)
   • Remote LAN, Start IP Address
     - IP Address (for example, 192.168.0.1)
     - Subnet Mask (for example, 255.255.255.0)
     - Pre-shared Key (for example, 12345678)
10. To activate the VPN tunnel, start using it, or use the VPN Status screen (select the tunnel and click Connect).
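The matching rules in the Auto policy steps above can be checked before either gateway is touched. The following is an added example, not part of the NETGEAR manual or firmware: the `AutoPolicy` field names, the identity-type codes, the DH group label and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

@dataclass(frozen=True)
class AutoPolicy:
    # Hypothetical field names mirroring the Auto Policy screen.
    local_lan: str       # subnet in CIDR form
    remote_lan: str
    local_id: str        # identity type code: "ip", "fqdn" or "user"
    remote_id: str
    dh_group: str
    encryption: str      # "DES" or "3DES"
    authentication: str  # "MD5" or "SHA-1"
    psk: str
    pfs: bool

MUST_MATCH = ("dh_group", "encryption", "authentication", "psk", "pfs")

def check_pair(a, b):
    """Compare the policies entered on gateway A and gateway B."""
    out = []
    if ip_network(a.local_lan).overlaps(ip_network(b.local_lan)):
        out.append("step 1: both LANs use overlapping subnets")
    for me, peer, name in ((a, b, "A"), (b, a, "B")):
        if ip_network(me.local_lan) != ip_network(peer.remote_lan):
            out.append(f"{name}: local LAN is not the peer's remote LAN")
        if me.local_id != peer.remote_id:
            out.append(f"{name}: local identity type is not the peer's remote type")
    out += [f"{f} differs between gateways" for f in MUST_MATCH
            if getattr(a, f) != getattr(b, f)]
    # Weaker choices, following the manual's own description of each option.
    for me, name in ((a, "A"), (b, "B")):
        if me.encryption == "DES":
            out.append(f"{name}: DES selected (56-bit key); 3DES is the stronger option")
        if me.authentication == "MD5":
            out.append(f"{name}: MD5 selected; SHA-1 is the stronger option")
        if me.psk == "12345678":
            out.append(f"{name}: pre-shared key is the manual's example value")
    return out

# Constructed sample values, not taken from a real deployment.
GATEWAY_A = AutoPolicy("192.168.0.0/24", "192.168.3.0/24", "ip", "fqdn",
                       "Group 2", "3DES", "SHA-1", "constructed-sample-psk", True)
GATEWAY_B = AutoPolicy("192.168.3.0/24", "192.168.0.0/24", "fqdn", "ip",
                       "Group 2", "3DES", "SHA-1", "constructed-sample-psk", True)
# Gateway B with a wrong remote LAN, DES, and the documented example key.
GATEWAY_B_BAD = replace(GATEWAY_B, remote_lan="192.168.1.0/24",
                        encryption="DES", psk="12345678")

print("\n".join(check_pair(GATEWAY_A, GATEWAY_B_BAD)))
```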
Add or Edit a Manual VPN Policy

A manual VPN policy requires all settings for the VPN tunnel to be manually entered at each end (both VPN endpoints).

To add or edit a manual policy:

1. Select Advanced > Advanced - VPN > VPN Policies and click the Add Manual Policy radio button. The VPN - Manual Policy screen displays.
2. Specify the general settings:
   • In the Policy Name field, enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
   • From the Address Type list, select Fully Qualified Domain Name, or select Fixed IP Address and fill in the Address Data field. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time.
3. Specify the Local LAN settings:
   • From the IP Address list, select Subnet address, Single address, or Range address.
   • Fill in the Single/Start IP Address field.
   • If you are specifying a range, fill in the Finish IP Address field. This range must be an address range used on your LAN. For a single IP address, do not fill in the Finish IP Address field.
   The remote VPN endpoint must have these IP addresses entered as its remote addresses.
4. Specify the Remote LAN settings.
   • From the IP Address list, select Single PC -no Subnet, Single address, Range address, or Subnet address. If there is no LAN (only a single computer) at the remote endpoint, select the Single PC -no Subnet option. The Single address option is typically used to access a server on the remote LAN.
   • If you want to specify a range, fill in the Finish IP Address field. This range must be an address range used on the remote LAN.
   • Fill in the Subnet Mask field.
   The remote VPN endpoint must have these IP addresses entered as its local addresses.
5. Specify the ESP (Encapsulating Security Payload) settings:
   ESP provides security for the payload (data) sent through the VPN tunnel.
   • In the SPI field, enter the required security policy indexes (SPIs). Each policy has to have unique SPIs. These settings need to match the remote VPN endpoint. The in setting here has to match the out setting on the remote VPN endpoint, and the out setting here has to match the in setting on the remote VPN endpoint.
   • From the Encryption list, select DES or 3DES, and fill in the Key field. For 3DES, the keys should be 24 ASCII characters, and for DES, the keys should be 8 ASCII characters.
     - DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
     - 3DES. (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
   • From the Authentication list, select MD5 or SHA-1, and fill in the Key field.
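Because a manual policy has no negotiation to catch mistakes, the ESP rules above (crossed in/out SPIs, unique SPIs, 8- or 24-character keys) are worth validating before they are typed in at both ends. This is an added example, not part of the NETGEAR manual or firmware: the `ManualPolicy` field names and all sample values are assumptions, and "unique SPIs" is interpreted here as unique across every policy on one gateway.

```python
from dataclasses import dataclass, replace

KEY_LEN = {"DES": 8, "3DES": 24}  # ASCII characters, as the manual states

@dataclass(frozen=True)
class ManualPolicy:
    # Hypothetical field names mirroring the ESP section of the screen.
    name: str
    spi_in: int
    spi_out: int
    encryption: str
    enc_key: str

def check_local(policies):
    """Checks that need only one gateway's list of manual policies."""
    out, seen = [], {}
    for p in policies:
        want = KEY_LEN.get(p.encryption)
        if want is None:
            out.append(f"{p.name}: unsupported encryption {p.encryption!r}")
        elif not p.enc_key.isascii() or len(p.enc_key) != want:
            out.append(f"{p.name}: {p.encryption} key must be {want} ASCII characters")
        for spi in (p.spi_in, p.spi_out):
            if spi in seen:  # also catches in == out inside one policy
                out.append(f"{p.name}: SPI {spi:#x} already used by {seen[spi]}")
            seen[spi] = p.name
    return out

def check_mirror(here, there):
    """Checks between the two ends of one tunnel."""
    out = []
    if here.spi_in != there.spi_out:
        out.append("in SPI here does not match out SPI on the remote endpoint")
    if here.spi_out != there.spi_in:
        out.append("out SPI here does not match in SPI on the remote endpoint")
    if (here.encryption, here.enc_key) != (there.encryption, there.enc_key):
        out.append("encryption algorithm or key differs between endpoints")
    return out

# Constructed sample values, not taken from a real deployment.
HERE = ManualPolicy("to-office-b", 0x1001, 0x2001, "3DES", "constructed-24-char-key!")
THERE_OK = replace(HERE, name="to-office-a", spi_in=0x2001, spi_out=0x1001)
# The remote end filled in by copying this end's screen without swapping SPIs.
THERE_COPIED = replace(HERE, name="to-office-a")
# A second local policy that reuses an SPI and has a 9-character DES key.
SECOND = ManualPolicy("second", 0x3001, 0x1001, "DES", "9chars-xx")

print(check_mirror(HERE, THERE_COPIED) + check_local([HERE, SECOND]))
```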
10. Troubleshooting

This chapter provides information to help you diagnose and solve problems you might have with your modem router. If you do not find the solution here, check the NETGEAR support site at http://support.netgear.com for product and contact information.

This chapter contains the following sections:
• Troubleshoot with the LEDs
• Cannot Log In to the Modem Router
• Troubleshoot the Internet Connection
• TCP/IP Network Not Responding
• Changes Not Saved
• Incorrect Date or Time
Troubleshoot with the LEDs

When you turn on the power, the power, LAN, and DSL LEDs should light as described here. If they do not, refer to the sections that follow for help.

1. When power is first applied, the Power LED lights.
2. After approximately 10 seconds, the LAN and DSL LEDs light as follows:
   a. The LAN port LEDs light for any local ports that are connected.
   b. The DSL link LED lights green to indicate that a DSL link is established.
   c. If a LAN port is connected to a 100 Mbps device, verify that the LAN port’s LED is green. If the LAN port is 10 Mbps, the LED is amber.

Power LED Is Off

If the Power and other LEDs are off when your modem router is turned on:
• Check that the power cord is correctly connected to your modem router and the power supply adapter is correctly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.

If the error persists, you could have a hardware problem and should contact NETGEAR technical support.

Power LED Is Red

When the modem router is turned on, it performs a power-on self-test, during which time the Power LED turns red. If the Power LED does not turn green within a minute or so or if it turns red at any other time during normal operation, there is a fault within the modem router.

If the Power LED turns red to indicate a modem router fault, turn the power off and on to see if the modem router recovers. If the Power LED is still red 1 minute after power-up:
• Turn the power off and on one more time to see if the modem router recovers.
• Clear the modem router’s configuration to factory defaults as explained in Factory Settings on page 126. This sets the modem router’s IP address to 192.168.0.1.

If the error persists, you could have a hardware problem and should contact NETGEAR technical support.

LAN LED Is Off

If the LAN LED for a port does not light when you connect a device, check the following:
• The Ethernet cable connections are secure at the modem router and at the hub or device.
• The power is turned on to the connected hub or device.
• You are using the correct cable.
Cannot Log In to the Modem Router

If you are unable to log in to the modem router from a computer on your local network, check the following:
• If you are using an Ethernet-connected computer, check the Ethernet connection between the computer and the modem router as described in the previous section.
• Make sure that your computer’s IP address is on the same subnet as the modem router. If you are using the recommended addressing scheme, your computer’s address should be in the range of 192.168.0.2 to 192.168.0.254.
• If your computer’s IP address is shown as 169.254.x.x: recent versions of Windows and Mac OS generate and assign an IP address if the computer cannot reach a DHCP server. These autogenerated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the modem router, and reboot your computer.
• If your modem router’s IP address was changed and you do not know the current IP address, clear the modem router’s configuration to factory defaults. This sets the modem router’s IP address to 192.168.0.1. This procedure is explained in Factory Settings on page 126.
• Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when you enter this information.
Troubleshoot the Internet Connection

If your modem router is unable to access the Internet, check the ADSL connection, then the WAN TCP/IP connection.

ADSL Link

If your modem router is unable to access the Internet, first determine whether you have an ADSL link with the service provider. The state of this connection is indicated with the Internet LED.

ADSL Link LED Is Green

If your ADSL link LED is green, you have a good ADSL connection. You can be confident that the service provider has connected your line correctly and that your wiring is correct.

ADSL Link LED Is Blinking Green

If your ADSL link LED is blinking green, your modem router is attempting to make an ADSL connection with the service provider. The LED should turn green within several minutes.

If the ADSL link LED does not turn green, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being sure to use a microfilter on each telephone. If the microfilters are connected correctly, you should be able to connect all your telephones.

If disconnecting telephones does not result in a green ADSL link LED, there might be a problem with your wiring. If the telephone company has tested the ADSL signal at your network interface device (NID), then you might have poor-quality wiring in your house.

ADSL Link LED Is Off

If the ADSL link LED is off, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being sure to use a microfilter on each telephone. If the microfilters are connected correctly, you should be able to connect all your telephones.

If disconnecting telephones does not result in a green ADSL link LED, check for the following:
• Check that the telephone company has made the connection to your line and tested it.
• Verify that you are connected to the correct telephone line. If you have more than one phone line, be sure that you are connected to the line with the ADSL service. It might be necessary to use a swapper if your ADSL signal is on pins 1 and 4 of the RJ-11 jack. The modem router uses pins 2 and 3.

Internet LED Is Red

If the Internet LED is red, the device was unable to connect to the Internet. Verify the following: