There's not a lot of documentation on using Netgear VPN routers as hardware
IPSec VPN clients for an Endian firewall - so I thought I'd post how I got
mine up and running.

(This will be with a Netgear FVS124G - the Netgear settings are the same on
an FVS338 as well, although arranged differently)

First, on the main Endian side:
Under VPN > IPSec -
Make sure you use the FQDN of your device as the local hostname/IP.

Set up a new VPN connection.
Put in your Remote host/IP - this should be the public IP address of the
Netgear.

The Local subnet should be the LAN subnet behind the Endian (e.g.
192.168.0.0/24).

The Remote subnet should be the LAN subnet behind the Netgear (e.g.
192.168.1.0/24). These two selectors must appear swapped on the Netgear side.

For the Local and Remote IDs, make sure you use the FQDN of the public side
of the Endian and the Netgear - I have found that it WILL NOT work if you
simply use the public IP addresses of the devices as the IDs.

Put in a pre-shared key; a long random string is best, and it must be entered
identically on the Netgear.

Click Advanced.
Use 3DES as the IKE Encryption and SHA1 for Integrity.

Use DH Group2 (1024) for the IKE group type.

For ESP Encryption use 3DES and SHA1, with DH Group2 (1024) as the PFS group.

Uncheck Aggressive, check Perfect Forward Secrecy, and uncheck Negotiate
payload compression.

(3DES, SHA1 and the 1024-bit DH group are the common denominator between these
two devices and are weak by current standards; if both ends offer AES and a
larger DH group, prefer those. Whatever you choose, the IKE and ESP proposals
must be identical on both sides or phase 1 or phase 2 will fail.)

Save your settings.

(Note - if you do not have an Orange or Blue interface on your Endian, the
IPSec service WILL NOT come up if you leave the default "VPN on ORANGE" and
"VPN on BLUE" options enabled on the main IPSec page under VPN > IPSec.  Your
remote endpoint will sit there forever waiting for an IKE response and the
Endian will not send it.  It took me forever to find this out... I finally
looked in the IPSec logs and found that the IPSec service was looking for
"br2", was not finding it, and was then simply not starting the service.)

On the Netgear:
First - the IKE Policy Settings -
Direction/Type should be Both Directions

Set the Exchange Mode to Main Mode (this matches Aggressive being unchecked on
the Endian)

Set the Local Identity Type to FQDN and enter the FQDN of the public side of
the Netgear; this must be the same string you entered as the Remote ID on the
Endian.  If you do not know it, go to http://ipid.shat.net/ and look under
"Your host address"

Set the Remote Identity Type to FQDN and enter the FQDN of the Endian, the
same string you entered as the Local ID on the Endian

Encryption Algorithm should be 3DES, and Authentication Algorithm should be
SHA1

The Authentication Method should be set to Pre-Shared Key - and enter the
same key that you entered on the Endian above

Set the Diffie-Hellman (DH) Group to Group2 (1024)

Set the SA Lifetime to 28800 Seconds

Now, under the VPN Policy Settings -
Put in the public IP of the Endian for the Remote VPN Endpoint

SA Lifetime should be 28800 Seconds

Check IPSec PFS and set it to Group2 (1024)

Under Traffic Selector, put in the subnets from above, but from the Netgear's
point of view: Local is the network behind the Netgear (e.g.
192.168.1.0/255.255.255.0) and Remote is the network behind the Endian (e.g.
192.168.0.0/255.255.255.0).  Netgear takes a dotted netmask rather than a
prefix length.

Under ESP Configuration check both Enable Encryption and Enable
Authentication, using 3DES and SHA1



I hope this helps someone.



Mike Bleiweiss
-- 
View this message in context: 
http://www.nabble.com/Endian-to-Netgear-IPSec-HOWTO-tp21339557p21339557.html
Sent from the efw-user mailing list archive at Nabble.com.
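Most tunnels that never come up between these two boxes fail on one of the mismatches the post describes: an identity entered as a bare IP instead of the FQDN, traffic selectors that are not mirrored, or an IKE/ESP proposal or PFS setting that differs between the ends. The script below cross-checks the two configurations before you start staring at IKE logs. It is an added example, not part of the original post or of Endian or Netgear software; the two dictionaries are constructed stand-ins for what you typed into the two GUIs, and the hostnames, key and field names are placeholders of my own.

```python
import ipaddress

# Constructed sample (not from the post): the Endian side, as entered under
# VPN > IPSec.  Hostnames and key are placeholders; replace with your own.
ENDIAN = {
    "local_id": "endian.example.com",      # assumed public FQDN of the Endian
    "remote_id": "netgear.example.net",    # assumed public FQDN of the Netgear
    "local_subnet": "192.168.0.0/24",
    "remote_subnet": "192.168.1.0/24",
    "ike": ("3des", "sha1", "modp1024"),   # IKE encryption / integrity / DH group 2
    "esp": ("3des", "sha1", "modp1024"),   # ESP encryption / auth / PFS group
    "aggressive": False,
    "pfs": True,
    "psk": "placeholder-psk",
}

# Constructed sample: the Netgear side (IKE Policy + VPN Policy), mirrored.
NETGEAR = {
    "local_id": "netgear.example.net",
    "remote_id": "endian.example.com",
    "local_subnet": "192.168.1.0/255.255.255.0",   # Netgear takes dotted masks
    "remote_subnet": "192.168.0.0/255.255.255.0",
    "ike": ("3des", "sha1", "modp1024"),
    "esp": ("3des", "sha1", "modp1024"),
    "exchange_mode": "main",
    "pfs": True,
    "psk": "placeholder-psk",
}

# Algorithms that are weak by current standards; reported as warnings only.
DATED = {"3des", "sha1", "modp1024"}


def is_bare_ip(value):
    """True if an identity is a literal IP address rather than an FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def net(value):
    """Normalise '10.0.0.0/24' and '10.0.0.0/255.255.255.0' to one object."""
    return ipaddress.ip_network(value, strict=True)


def check_pair(endian, netgear):
    """Return a list of mismatches that would stop phase 1 or phase 2."""
    problems = []
    # Identities: FQDNs only, and each side's local must be the other's remote.
    for side, cfg in (("Endian", endian), ("Netgear", netgear)):
        for key in ("local_id", "remote_id"):
            if is_bare_ip(cfg[key]):
                problems.append(f"{side} {key} is a bare IP; use the FQDN")
    if (endian["local_id"] != netgear["remote_id"]
            or endian["remote_id"] != netgear["local_id"]):
        problems.append("identities are not mirrored between the two ends")
    # Traffic selectors must be mirrored exactly (prefix vs dotted mask is fine).
    if (net(endian["local_subnet"]) != net(netgear["remote_subnet"])
            or net(endian["remote_subnet"]) != net(netgear["local_subnet"])):
        problems.append("traffic selectors are not mirrored")
    # Proposals must match field for field on both phases.
    for phase in ("ike", "esp"):
        if endian[phase] != netgear[phase]:
            problems.append(f"{phase} proposal differs: "
                            f"{endian[phase]} vs {netgear[phase]}")
    # Endian's Aggressive checkbox corresponds to Netgear's Exchange Mode.
    if endian["aggressive"] != (netgear["exchange_mode"] == "aggressive"):
        problems.append("exchange mode differs (aggressive flag vs exchange mode)")
    if endian["pfs"] != netgear["pfs"]:
        problems.append("PFS enabled on one side only")
    if endian["psk"] != netgear["psk"]:
        problems.append("pre-shared keys differ")
    return problems


def dated_algorithms(cfg):
    """List the dated algorithms a side uses, so the reader can upgrade later."""
    used = set(cfg["ike"]) | set(cfg["esp"])
    return sorted(used & DATED)


if __name__ == "__main__":
    for line in check_pair(ENDIAN, NETGEAR) or ["no mismatches found"]:
        print(line)
    print("dated algorithms in use:", dated_algorithms(ENDIAN))
```

Run it with the two dictionaries filled in from your own GUIs; an empty list from check_pair means the two ends agree on everything the post says must match, and the dated_algorithms output is the list to revisit when both devices can do better than 3DES/SHA1/group 2.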


_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user