Netgear N600 Wireless Router User Manual
NETGEAR VPN Configuration 161
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

3. On the Gateway B router menu, under VPN, select IKE Policies, and click the Edit button to display the IKE Policy Configuration screen.
   [Screenshot: IKE Policy Configuration screen; values shown include toGW_A, 14.15.16.17, and 22.23.24.25]
4. On the Gateway B router menu, under VPN, select VPN Policies, and click the Edit button to display the VPN - Auto Policy screen.
   [Screenshot: VPN - Auto Policy screen; values shown include toGW_A and 14.15.16.17]
5. Test the VPN tunnel by pinging the remote network from a PC attached to Gateway A (wireless modem router).
   a. Open the command prompt (select Start > Run > cmd).
   b. Type ping 172.23.9. If the pings fail the first time, try the pings a second time.

Wireless Modem Router with FQDN to Gateway B

This section is a case study on how to configure a VPN tunnel from a NETGEAR wireless modem router to a gateway using a fully qualified domain name (FQDN) to resolve the public address of one or both routers. This case study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html).

Configuration Profile

The configuration in this section follows the addressing and configuration mechanics defined by the VPN Consortium. Gather the necessary information before you begin configuration. Verify that the firmware is up to date, and that you have all the addresses and parameters to be set on both sides. Check that there are no firewall restrictions.

[Figure 63. VPNC example, network interface addressing. Labels shown: Gateway A (DGND3700), LAN 10.5.6.0/24, LAN IP 10.5.6.1; Gateway B, LAN 172.23.9.0/24, LAN IP 172.23.9.1; WAN IPs given as FQDNs (example.org, example2.org); Internet]

Table 25. Wireless modem router with FQDN to Gateway B profile summary
VPN Consortium Scenario: Scenario 1
Type of VPN: LAN-to-LAN or gateway-to-gateway (not PC/client-to-gateway)
Security scheme: IKE with pre-shared secret/key (not certificate based)
IP addressing:
   NETGEAR-Gateway A: Fully qualified domain name (FQDN)
   NETGEAR-Gateway B: FQDN

Use a Fully Qualified Domain Name (FQDN)

Many ISPs provide connectivity to their customers using dynamic instead of static IP addressing. This means that a user’s IP address does not remain constant over time, which presents a challenge for gateways attempting to establish VPN connectivity.

A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a host or domain name. It provides a central public database where information (such as email addresses, host names, and IP addresses) can be stored and retrieved. Now, a gateway can be configured to use a third-party service instead of a permanent and unchanging IP address to establish bidirectional VPN connectivity.

To use DDNS, you have to register with a DDNS service provider. Some DDNS service providers include:
• DynDNS: www.dyndns.org
• TZO.com: netgear.tzo.com
• ngDDNS: ngddns.iego.net

In this example, Gateway A is configured using a sample FQDN provided by a DDNS service provider. In this case the hostname dgnd3300v2.dyndns.org for Gateway A was provided using the DynDNS service. Gateway B uses the DDNS service provider when establishing a VPN tunnel.

To establish VPN connectivity, Gateway A has to be configured to use Dynamic DNS, and Gateway B has to be configured to use a DNS host name provided by a DDNS service provider to find Gateway A. Again, the following step-by-step procedures assume that you have already registered with a DDNS service provider and have the configuration information necessary to set up the gateways.

Step-by-Step Configuration

To configure a VPN tunnel:
1. Log in to Gateway A (your wireless modem router) as described in Log In to the N600 Modem Router on page 24. This example assumes that you have set the local LAN address as 10.5.6.1 for Gateway A and have set your own password.
2. On Gateway A, configure the Dynamic DNS settings.
   a. Under Advanced, select Dynamic DNS.
   b. Fill in the fields with account and host name settings.
      • Select the Use a Dynamic DNS Service check box.
      • In the Host Name field, type dgnd3300v2.dyndns.org.
      • In the User Name field, enter the account user name.
      • In the Password field, enter the account password.
   c. Click Apply.
   d. Click Show Status. The resulting screen should show Update OK: good.
3. On NETGEAR Gateway B, configure the Dynamic DNS settings. Assume a correctly configured DynDNS account.
   a. From the main menu, select Dynamic DNS.
   b. Select the DynDNS.org radio button.
      The Dynamic DNS screen displays.
   c. Fill in the fields with the account and host name settings.
      • In the Host and Domain Name field, enter fvl328.dyndns.org.
      • In the User Name field, enter the account user name.
      • In the Password field, enter the account password.
   d. Click Apply.
   e. Click Show Status. The resulting screen should show Update OK: good.
4. Configure the N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700 as in the gateway-to-gateway procedures using the VPN Wizard (see Set Up a Gateway-to-Gateway VPN Configuration on page 101), being certain to use appropriate network addresses for the environment.
   The LAN addresses used in this example are as follows:

   Table 26.
   Device      LAN IP Address   LAN Subnet Mask
   DGND3700    10.5.6.1         255.255.255.0
   FVL328      172.23.6.1       255.255.255.0

   a. For the connection name, enter toFVL328.
   b. For the remote WAN's IP address, enter fvl328.dyndns.org.
   c. Enter the following:
      • IP Address. 172.23.9.1
      • Subnet Mask. 255.255.255.0
5. Configure the FVL328 as in the gateway-to-gateway procedures for the VPN Wizard (see Set Up a Gateway-to-Gateway VPN Configuration on page 101), being certain to use appropriate network addresses for the environment.
   a. For the connection name, enter toDGND3300v2.
   b. For the remote WAN's IP address, enter dgnd3300v2.dyndns.org.
   c. Enter the following:
      • IP Address. 10.5.6.1
      • Subnet Mask. 255.255.255.0
6. Test the VPN tunnel by pinging the remote network from a PC attached to the N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700.
   a. Open the command prompt (select Start > Run > cmd).
   b. Type ping 172.23.9.1. If the pings fail the first time, try the pings a second time.

Configuration Summary (Telecommuter Example)

The configuration in this section follows the addressing and configuration mechanics defined by the VPN Consortium. Gather the necessary information before you begin configuration. Verify that the firmware is up to date, and make sure you have all the addresses and parameters to be set on both sides. Ensure that there are no firewall restrictions.

Table 27. Configuration summary (telecommuter example)
VPN Consortium Scenario: Scenario 1
Type of VPN: PC/client-to-gateway, with client behind NAT router
Security scheme: IKE with pre-shared secret/key (not certificate based)
IP addressing:
   Gateway: Fully qualified domain name (FQDN)
   Client: Dynamic

[Figure 64. Telecommuter example. Labels shown: Gateway A (main office), LAN IP 192.168.0.1, 192.168.0.1/24, FQDN ntgr.dyndns.org, “from_GW_A”, WAN IP; Internet; Gateway B (regional office), WAN IP 0.0.0.0, “toGW_A”, IP: 192.168.2.3; Client PC (running NETGEAR ProSafe VPN client)]

Set Up Client-to-Gateway VPN (Telecommuter Example)

Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN client and a network gateway involves two steps, described in the following sections:
• Step 1: Configure Gateway A (VPN Router at Main Office) on page 168.
• Step 2: Configure Gateway B (VPN Router at Regional Office) on page 169 describes configuring the NETGEAR ProSafe VPN client endpoint.
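
Added example (not from the NETGEAR manual): a pre-flight check of the addressing in steps 4 to 6 of the FQDN case study, confirming that the remote LAN entered on each gateway matches the other gateway's own LAN before the ping test. The function and variable names are illustrative assumptions; the addresses are the ones printed above, where Table 26 lists 172.23.6.1 for the FVL328 while steps 4c and 6b use 172.23.9.1.

```python
import ipaddress

def lan(ip, mask):
    """Network containing a LAN IP, given its dotted subnet mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def check_tunnel(side_a, side_b, ping_target):
    """List the addressing problems in a gateway-to-gateway plan.

    Each side is a dict with name, lan_ip, lan_mask (the device's own LAN)
    and remote_ip, remote_mask (the remote LAN typed into its VPN Wizard).
    ping_target is pinged from a PC on side_a's LAN.
    """
    problems = []
    local_a = lan(side_a["lan_ip"], side_a["lan_mask"])
    local_b = lan(side_b["lan_ip"], side_b["lan_mask"])
    if local_a.overlaps(local_b):
        problems.append(f"LANs overlap: {local_a} and {local_b}")
    for me, peer_name, peer_lan in ((side_a, side_b["name"], local_b),
                                    (side_b, side_a["name"], local_a)):
        remote = lan(me["remote_ip"], me["remote_mask"])
        if remote != peer_lan:
            problems.append(f"{me['name']} expects remote LAN {remote}, "
                            f"but {peer_name} is on {peer_lan}")
    a_remote = lan(side_a["remote_ip"], side_a["remote_mask"])
    if ipaddress.ip_address(ping_target) not in a_remote:
        problems.append(f"ping target {ping_target} is outside {a_remote}")
    return problems

# Values copied from the case study: Table 26 for each LAN, steps 4c and 5c
# for the remote LAN each wizard is given, step 6b for the ping target.
DGND3700 = {"name": "DGND3700", "lan_ip": "10.5.6.1", "lan_mask": "255.255.255.0",
            "remote_ip": "172.23.9.1", "remote_mask": "255.255.255.0"}
FVL328_TABLE_26 = {"name": "FVL328", "lan_ip": "172.23.6.1", "lan_mask": "255.255.255.0",
                   "remote_ip": "10.5.6.1", "remote_mask": "255.255.255.0"}
# Same device with the LAN IP that steps 4c and 6b use instead.
FVL328_STEPS = dict(FVL328_TABLE_26, lan_ip="172.23.9.1")

if __name__ == "__main__":
    for fvl328 in (FVL328_TABLE_26, FVL328_STEPS):
        issues = check_tunnel(DGND3700, fvl328, "172.23.9.1")
        print(fvl328["lan_ip"], "->", issues or "consistent")
```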

Step 1: Configure Gateway A (VPN Router at Main Office)

To configure a VPN tunnel:
1. Log in to the VPN router. Select VPN Policies to display the VPN Policies screen. Click Add Auto Policy to proceed and enter the information.
   [Screenshot callouts:]
   • toGW_A.com (in this example)
   • fromGW_A.com (in this example)
   • fromGW_A (in the example)
   • 192.168.2.3 (in this example)
   • IKE Keep Alive is optional; has to match Remote LAN IP Address when enabled (remote PC must respond to pings)
   • (Remote NAT router has to have Address Reservation set and VPN Passthrough enabled)
2. Click Apply when you are finished to display the VPN Policies screen. To view or modify the tunnel settings, select the radio button next to the tunnel entry, and then click Edit.

Step 2: Configure Gateway B (VPN Router at Regional Office)

This procedure assumes that the PC running the client has a dynamically assigned IP address. The PC has to have a VPN client program installed that supports IPSec (in this case study, the NETGEAR VPN ProSafe Client is used). Go to the NETGEAR website (www.netgear.com) for information about how to purchase the NETGEAR ProSafe VPN Client.

Note: Before installing the software, be sure to turn off any virus protection or firewall software you might be running on your PC.

To configure a VPN tunnel:
1. Install the NETGEAR ProSafe VPN Client on the remote PC, and then reboot.
   a. You might need to insert your Windows CD to complete the installation.
   b. If you do not have a modem or dial-up adapter installed in your PC, you might see the warning message stating, “The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed.” You can disregard this message.
   c. Install the IPSec component. You might have the option to install either the VPN adapter or the IPSec component or both. The VPN adapter is not necessary.
   d. The system should show the ProSafe icon in the system tray after you reboot.
   e. Double-click the system tray icon to open the Security Policy Editor.
2. Add a new connection.
   a. Run the NETGEAR ProSafe Security Policy Editor program, and create a VPN connection.
   b. From the Edit menu of the Security Policy Editor, select Add > Connection. A New Connection listing appears in the list of policies.
   c. Rename the new connection to match the connection name you entered in the VPN settings of Gateway A. Choose connection names that make sense to the people using and administrating the VPN.
      Note: In this example, the connection name on the client side of the VPN tunnel is toGW_A. It does not have to match the VPN_client connection name used on the gateway side of the VPN tunnel because connection names do not affect how the VPN tunnel functions.
   d. In the Connection Security section, select Secure.
      [Screenshot: toGW_A connection]
   e. In the ID Type drop-down list, select IP Subnet.
   f. In this example, in the Subnet field, type 192.168.0.1 as the network address of the wireless modem router.
   g. In the Mask field, enter 255.255.255.0 as the LAN subnet mask of the wireless modem router.
   h. In the Protocol drop-down list, select All to allow all traffic through the VPN tunnel.
   i. Select the Connect using Secure Gateway Tunnel check box.
   j. In the ID Type drop-down list, select Domain Name, and enter fromGW_A.com (in this example).
   k. Select Gateway Hostname and enter ntgr.dyndns.org (in this example).
3. Configure the security policy in the wireless modem router software.