Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 29 March 2024, 07:02:51 am

Login with username, password and session length

Visit the Official Endian Reference Manual  HERE
14247 Posts in 4376 Topics by 6490 Members
Latest Member: maquino
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Endian to Netgear IPSec HOWTO
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian to Netgear IPSec HOWTO  (Read 16174 times)
mbleiweiss
Jr. Member
*
Offline Offline

Posts: 2


« on: Thursday 08 January 2009, 07:22:07 am »

There's not a lot of documentation on using Netgear VPN routers as hardware IPSec VPN clients for an Endian firewall - so I thought I'd post how I got mine up and running.

(This will be with a Netgear FVS124G - the Netgear settings are the same on an FVS338 as well, although arranged differently)

First, on the main Endian side:
Under VPN > IPSec -
Make sure you use the FQDN of your device as the local hostname/IP.

Set up a new VPN connection.
Put in your Remote host/IP - this should be the public IP address of the Netgear.

The Local subnet should be the local subnet of the Endian (ie 192.168.0.0/24)

The Remote subnet should be the subnet of the network that the Netgear is on (ie 192.168.1.0/24)

For the Local and Remote IDs, make sure you use the FQDN of the public side of the Endian and the Netgear - I have found that it WILL NOT work if you simply use the public IP addresses of the devices as the IDs.

Put in whatever pre-shared key you like.

Click Advanced
Use 3DES as the IKE Encryption, SHA for Integrity

Use DH Group2 (1024) for the IKE group type

For ESP Encryption use 3DES and SHA1 - DH Group2 (1024)

Uncheck Aggressive, Check Perfect Forward Secrecy, and Uncheck Negotiate payload compression

Save your settings.

(Note - if you do not have an Orange or Blue interface on your Endian - the IPSec service WILL NOT come up if you leave the default VPN on ORANGE and VPN on BLUE options enabled on the main IPSec page under VPN > IPSec.  Your remote endpoint will sit there for forever waiting for an IKE response and the Endian will not send it.  It took me forever to find this out... I finally looked in the IPSec logs and found that the IPSec service was looking for "br2" and was not finding it, and then simply not starting the service.)

On the Netgear:
First - the IKE Policy Settings -
Direction/Type should be Both Directions

Set the Exchange Mode to Main Mode

For the Local Identity Type, use the FQDN of the public side of the Netgear.  If you do not know this, go to http://ipid.shat.net/ and look under "Your host address"

Use the FQDN of the Endian as the Remote Identity Type

Encryption Algorithm should be 3DES, and Authentication Algorithm should be SHA1

The Authentication Method should be set to Pre-Shared Key - and enter the same key that you entered on the Endian above

Set the Diffie-Hellman (DH) Group to Group2 (1024)

Set the SA Lifetime to 28800 Seconds

Now, under the VPN Policy Settings -
Put in the public IP of the Endian for the Remote VPN Endpoint

SA Lifetime should be 28800 Seconds

Check  IPSec PFS and set it to Group2 (1024)

Under Traffic Selector - put in the Local and Remote subnets as above (ie 192.168.0.0/255.255.255.0 and 192.168.1.0/255.255.255.0)

Under ESP Configuration check both Enable Encryption and Enable Authentication, using 3DES and SHA1



I hope this helps someone.



Mike Bleiweiss
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #1 on: Saturday 17 January 2009, 03:19:59 am »

Excellent post, thanks kindly Smiley  Netgear routers are great.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com