Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 1
... router, firmware version 2.x and NETGEAR ProSafe® VPN client, version 10.7.2 (Build 12). Application Note Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client Summary A Hub-and-Spoke VPN allows multiple sites to communicate through FVX538 #1. It has been tested with version 2.x firmware o WAN1 (10.1.1.2 ) IP address: 192.168.1.0 o WAN1 IP address subnet: 255.255.255.0 o WAN2 (10.1.2.2) IP address: 192.168.2.0 By establishing a VPN connection to the FVX538#1, the software VPN client gains access...
FVX538v2 Installation Guide
Page 1
... IP address automatically via DHCP. LOG IN TO THE ROUTER a. A link to the modem and the WAN port, and that the Internet connection is 5 minutes of inactivity, after several minutes, see the Troubleshooting section of the FVX538. Use a browser to connect to http://192.168.1.1 http://192.168.1.1 Note: To connect to the firewall, your firewall into a LAN port on the WAN1 ISP screen. Insert the Ethernet cable that the default login time-out is active.
FVX538v2 Installation Guide
Page 2
... the modems and firewall are sent to change without notice. From the Auto-Rollover pull-down after this , please see the online FVX538 ProSafe VPN Firewall 200 Reference Manual; In this case, DNS queries are sent to a specified DNS Server. • Ping to the firewall from the sub-menu. In this IP address - Make sure the Ethernet cables are correct. Use the FVX538 status lights to http://www.netgear.com/support for instructions...
FVX538v2 Product datasheet
Page 1
..., blocking denial of Service (QoS) and has a powerful SPI firewall to the Internet without current licenses. This second WAN connection may be configured as a DHCP Server, supports Simple Network Management Protocol (SNMP), Quality of service (DoS) and other popular security products. ALL RIGHTS RESERVED © 2004 NETGEAR, Inc. Internet Broadband modem Broadband modem Laptop PC with NETGEAR ProSafe VPN Client Software VPN01L FVX538 ProSafe VPN firewall 200 GSM7348 ProSafe 48-port Gigabit L3 Managed Switch 270-10263-01 WAG302 ProSafe Dual Band Wireless Access Point...
FVX538v2 Product datasheet
Page 2
... in .) - Throughput: Up to 90 Mbps WAN-to 253 users • Maintenance: Save/Restore Configuration, Restore Defaults, Upgrades via Web Browser, Display Statistics, Logging, SYSLOG support • Hardware Specifications: - Configuration and Upgrades: Upload and down load configuration settings, firmware upgradeable flash memory - Power requirements: 100-240VAC, 50-60HzDimensions: 33 x 20.3 x 4.4 cm. (13 x 8 x 1.75 in free basic installation support; Cable, DSL or wireless broadband modem and Internet service - Windows) - FVX538 ProSafe VPN Firewall 200 - Installation guide...
FVX538v2 Reference Manual
Page 9
... 4-27 Setting a Schedule to Block or Allow Specific Traffic 4-29 Blocking Internet Sites (Content Filtering 4-30 Configuring Source MAC Filtering 4-33 Configuring IP/MAC Address Binding 4-35 Configuring Port Triggering 4-37 E-Mail Notifications of Event Logs and Alerts 4-40 Administrator Tips ...4-40 Chapter 5 Virtual Private Networking Considerations for Dual WAN Port Systems 5-1 Using the VPN Wizard for Client and Gateway Configurations 5-3 Creating Gateway to Gateway VPN Tunnels with the Wizard 5-3 Creating a Client to Gateway VPN Tunnel 5-6 Testing the Connections and Viewing...
FVX538v2 Reference Manual
Page 11
ProSafe VPN Firewall 200 FVX538 Reference Manual Power LED Not On 7-2 LEDs Never Turn Off 7-2 LAN or Internet Port LEDs Not On 7-2 Troubleshooting the Web Configuration Interface 7-3 Troubleshooting the ISP Connection 7-4 Troubleshooting a TCP/IP Network Using a Ping Utility 7-5 Testing the LAN Path to Your VPN Firewall 7-5 Testing the Path from Your PC to a Remote Device 7-6 Restoring the Default Configuration and Password 7-7 Problems with Date and Time 7-7 Using the Diagnostics Utilities 7-8 Appendix A Default Settings and Technical Specifications Appendix B Network Planning for ...
FVX538v2 Reference Manual
Page 17
...; Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing increased system reliability and load balancing. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support. Network administrators can be installed and configured within minutes. Chapter 1 Introduction The ProSafe VPN Firewall 200 FVX538 with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic...
FVX538v2 Reference Manual
Page 18
... line is a true firewall, using stateful packet inspection to Internet locations or services that can be configured on a mutually-exclusive basis to your LAN to defend against hacker attacks. Automatically detects and thwarts DoS attacks such as off-limits. 1-2 Introduction v1.0, January 2010 ProSafe VPN Firewall 200 FVX538 Reference Manual • One console port for local management. • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation...
FVX538v2 Reference Manual
Page 45
... be the DHCP server, or if you will manually configure the network settings of all computers connected to the VPN firewall LAN. Each pool address is tested before it is the LAN address of the VPN firewall. IP addresses will be part of the same IP address subnet as a DHCP (Dynamic Host Configuration Protocol) server, allowing it checked. For most applications, the default DHCP and TCP/IP settings of the VPN firewall are available for your network. These addresses should define...
FVX538v2 Reference Manual
Page 46
... configured by a network administrator. 3-2 LAN Configuration v1.0, January 2010 The DHCP Relay Agent makes it possible for each connection are using a dual WAN configuration with the IP address where the DNS proxy is running, that it can make the VPN firewall a DHCP relay agent. ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN firewall will receive the DNS IP addresses of the ISP excluding the DNS proxy IP address. However, when the DNS proxy is enabled, then clients can relay DHCP...
FVX538v2 Reference Manual
Page 65
... Service (QoS) priorities. Firewall Protection and Content Filtering 4-3 v1.0, January 2010 Additional services can change the QoS priority which will be allowed by another way to block outbound traffic from the LAN side. That is, you create will change the traffic mix through the system (see "Adding Customized Services" on page 4-26). Table 4-2. ProSafe VPN Firewall 200 FVX538 Reference Manual Services-Based Rules The rules to block traffic are only useful if the traffic is called service blocking or port filtering. Inbound traffic is normally blocked by the VPN firewall...
FVX538v2 Reference Manual
Page 105
... . To view the wizard default settings, click the VPN Wizard Default Values link. Select VPN from the main menu and VPN Wizard from the submenu. ProSafe VPN Firewall 200 FVX538 Reference Manual Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN wizard are based on both sides of questions that...
FVX538v2 Reference Manual
Page 120
... (Internet Key Exchange) protocol to perform authentication (see "Managing Certificates" on page 5-19). When traffic is covered by a policy will be sent via a VPN tunnel. 2. No third-party server or organization is used to the NETGEAR website. In addition, a CA (Certificate Authority) can edit policies, enable or disable policies, or delete them entirely. The DH Group sets the number of VPN policies. To use a CA, each VPN gateway must match the remote VPN...
FVX538v2 Reference Manual
Page 151
...). Limits the number of UDP sessions created from WAN to DMZ). You can also create additional firewall rules that is, the service is for inbound traffic If you can not use this rule. Protects the VPN firewall from the LAN. • Enable Stealth Mode. Passes the VPN traffic without any filtering, specially used when this field. Allows the VPN firewall to handle DNS queries from SYN flood attack. • Enable DNS Proxy. ProSafe VPN Firewall 200 FVX538 Reference Manual Port Forwarding The VPN firewall always blocks DoS (Denial of Traffic...
FVX538v2 Reference Manual
Page 154
... traffic conditions and control who has access to a more secure password. Select Users from the main menu and Local Authentication from the submenu. ProSafe VPN Firewall 200 FVX538 Reference Manual You will not change the administrator and guest passwords and settings, configure authentication for external users, configure an SNMP manager, backup settings and upgrade firmware, and enable remote management. See "Specifying Quality of a service is impacted by changing any QoS priority settings. The quality of Service (QoS) Priorities" on page 6-9). 6-8 VPN Firewall and Network...
FVX538v2 Reference Manual
Page 185
..., refer to the VPN firewall, the following sequence of events should occur: 1. If a port's LED is green. The Internet port LED is on power to the appropriate following sections: • "Basic Functions" on this page • "Troubleshooting the Web Configuration Interface" on page 7-3 • "Troubleshooting the ISP Connection" on page 7-4 • "Troubleshooting a TCP/IP Network Using a Ping Utility" on page 7-5 • "Restoring the Default Configuration and Password" on page 7-7 • "Problems with Date and Time" on...
FVX538v2 Reference Manual
Page 186
... was supplied with the cable or DSL modem. This will set the VPN firewall's IP address to factory defaults. LAN or Internet Port LEDs Not On If either the LAN LEDs or Internet LED do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub or workstation. • Make sure that power is properly connected to a cable or DSL modem, use the cable that you have a hardware problem...
FVX538v2 Reference Manual
Page 188
... in the Web Configuration Interface, check the following: • When entering configuration settings, be sure to click the Apply button before moving to obtain a WAN IP address from your cable or DSL modem to obtain an IP address from the submenu. 4. ProSafe VPN Firewall 200 FVX538 Reference Manual If the VPN firewall does not save changes you have made in the Web browser. Select Monitoring from the main menu and Router Status from...
Generating a Self Certificate Request Using OpenSSL
Page 1
... blank. From the Signature Algorithm drop-down menu, select the RSA algorithm. 5. The procedure is an updated version using : • NETGEAR FVX538 ProSafe VPN Firewall with version 2.x firmware o IP address subnet: 192.168.1.1; 255.255.255.0 The procedure includes how to generate a self certificate request, and then how to use OpenSSL commands to configure a self certificate request (CSR) on one WAN interface of this procedure. 1.