Twang03 (Member, join:2003-06-19, Fort Lauderdale, FL)

FVS318 and VPN, my head is about to explode!

Ok, to start off, this is my first attempt at creating a VPN. What I'm looking for is the easiest way to get it setup using the following:
1. Windows 2000 server with a static IP provided by Bellsouth (as static as that can possibly be anyway).
2. Windows 2000/XP clients with broadband access and dynamic IP's
3. FVS318 firewall VPN router with the 1.4G firmware (the VPN screen in this version looks a little different, which doesn't help my confusion factor heh).

I want to use Windows 2000 VPN services if possible, getting a new client/server package at this point would be too late. Though if it's just not gonna happen then let me know before I keep banging heads with this heh. The server here is already setup and running RAS services, so it would seem it's just a matter of configuration.

Main question I have though, according to the FVS318 docs, you must be using an IPSec client. Ok, no problem, Win2000 client supports that. However, from reading the Microsoft docs on setting it up, they say you have to issue certificates for the VPN server and clients. No clue how this is done, and quite frankly I think I'm starting to get in over my head at this point heh. I've read through so many configuration documents that I'm more confused than when I started I think.

Other thing I don't quite understand is, on the FVS318, is the router actually doing the authentication and acting as a VPN server or is it just sort of acting as a pre-authorization gateway to the actual VPN server? How should the client be setup to get past it?

If anyone can help me out with this it would much appreciated. The setup is basically, Westell modem (bridged), into FVS318, into Win2000 server with static IP (no DNS entry however), which also provides DNS, DHCP, WINS etc. for the internal network. There's about 9 people on this network, and I really only need to setup VPN for like 3 of them. Who probably wouldn't even be using it at the same time.

Oh, and the simpler you can make it the better. I'm starting to drool on myself from all the information I've taken in in the last few days! High security isn't really all that much of an issue, but I'm assuming that since I'm using the FVS318 that I have to use IPSec regardless.

Thanks for the help!

EGeezer (Premium Member, join:2002-08-04, Midwest)

I think what you're asking is what part the FVS will play -

There can be a few ways to skin that cat -

1) You can put the W2K server in the DMZ and not use any of the FVS capabilities. From there, use IPSec, PPTP, L2TP, VPN and SSL (if WIN2K AND the clients support). The FVS provides no VPN value here.

2) You can map the public IP to the server and not use the FVS VPN services. The FVS provides no VPN value here.

3) You can make the FVS the endpoint and not use WIN2K VPN services. Point your VPN clients to the internal address of the server. The FVS provides the VPN functionality here.

Others may have more to add. I personally like what is simplest that meets the performance, interoperability and security requirements of the business. With just the information you provided and no other requirements, I'd pick #3.

Hope this helps - Others, chime in!

Cheers, EG
Twang03 (Member, join:2003-06-19, Fort Lauderdale, FL)

Thanks for the reply! From the sounds of it, the 3rd option would be the easiest to implement. If I'm understanding it correctly, the FVS would take care of creating and authenticating the tunnel. So WIN2K's VPN server would not need to be in the equation at all? Basically, WIN2K/XP client connects to FVS from the internet, FVS authenticates with the client using IPSec, FVS creates the tunnel, then client can login into the server as if they were on the local network?

The only things they'll really need access to are e-mail (using Outlook 2002 and Exchange also running on the same server), and certain folders on the shared drive of the WIN2K server. Obviously, the FVS is also acting as the firewall for the WIN2K server. So option one and two above sound as though they'll defeat the purpose of hooking up the FVS in the first place (unless I'm mistaken which I very well could be!). It's basically one server running the show for all nine or so users.

Also I'm wondering, using option 3, what will be assigning an IP to the incoming client? Would the FVS's DHCP client do that or would they get one when they logged into the actual server (assuming they do log in to the server at some point, for all I know they might be a part of the LAN once the tunnel is created. Though I don't see how that would give them access to any resources on the server). The server has 2 NIC's, one that goes to the FVS for WAN and one that goes to a switch for the LAN.

Sigh, sorry for all the questions but I've got until Tues to get this up and running and it's been one big jumbled mess up in my noggin for the last few days. Although your post certainly helped put some missing pieces together.

Mikeor (Anon, @charter.com)

I connect to a win2000 server system using winxp with no problems at all. The router at the server is a vpn router, my connection is cable modem/standard router. The server has a static ip.

It was very simple to configure xp by setting up a new network connection and filling in the details.

Once the connection is made I then use remote desktop connection to log into the server desktop and can do anything I want.

BulkRate (Member, join:2003-03-31, Atlanta, GA) to Twang03

As for using the integrated Win2K/XP VPN clients with the FVS318...ummm...no. The FVS318 is an IPsec implementation, and won't work with the Microsoft clients as they attempt either PPTP or L2TP connections (and use IPsec to encrypt the L2TP session). You'll need to get a 3rd party client like SoftRemote or SSH Sentinel in order to pull off remote access from roaming users. Not pretty.

One other problem I've found with the Netgear is the lack of any form of user authentication beyond the pre-shared key used to negotiate the VPN connection between the client and the FVS318...definitely an issue if you plan on using it in a small office.

Hmmm...should have read your original post a bit more carefully. When setting up the FVS318:
1. Update the running firmware on the router to at least 1.4D before even trying to get it to work.

2. Your IPsec client should have an option to set the client IP manually. Neither the onboard DHCP server in the FVS318 nor a different one on your LAN will be passed through the connection as the protocol relies on UDP and is not forwarded through the VPN tunnel.

3. The IP set in #2 must be different than the range already in use on your private LAN.

All said and done, you will probably find that disabling the FVS318's VPN functions and simply forwarding port 1723 to the server and using RRAS as a PPTP server will be the least headache inducing. It's not the best solution but it's easy to get running, the client is free (or at least bundled into the cost of the OS). Especially if you're under this kind of time constraint.

[text was edited by author 2003-06-19 17:25:39]

ndesautels0 (Member, join:2001-02-11, Ottawa, ON)

You don't only have the PPTP or L2TP option with Win2k, you can use 'mmc' in Win2k to implement an IPsec policy that will connect to the FVS (run->mmc->add snap in->IPsec policy). The configuration is somewhat complex but it works. There is a document to this effect on Netgear site (within the FAQ somewhere, I think).

But I agree with Bulkrate, the forwarding of port 1723 to a PPTP server inside your local LAN is the easiest solution.

Good luck
[text was edited by author 2003-06-19 18:53:07]

EGeezer (Premium Member, join:2002-08-04, Midwest) to Twang03

Well Twang - Lots of good replies here! We hope you keep us posted as to your progress, problems encountered and overcome, your final setup etc.

Good point on the client PCs - How they connect will be a critical piece to determine your solution - Dialup or broadband?

Also what O/S the clients are running - Mac, Linux, Win 95, 98, ME, XP etc? They support various implementations of VPN.

You may be able to use the native support in the remote clients to connect to the WIN2K server - or you may elect to use a VPN client supported by WIN2K or the router.

If you're using a dial-in RAS or RADIUS server, somebody here may have some tips - Wish I could add knowledge for you there but not able to do so yet ...

Bottom line on all this - be sure you document your present network design, HW, SW, access, as well as your planned needs, security requirements etc. Just writing it down and organising it into bulleted lists helps relieve the brain overload. It'll also make it MUCH easier to select and implement a solution without having to back out an install or fight problems due to incompatibilities or unforeseen needs.

It also looks good as a career accomplishment piece as well as providing you with a handy roadmap for future upgrades.

Good luck and keep us posted!

Well off to a nightcap and sleep.

Cheers,

EG

Twang03 (Member, join:2003-06-19, Fort Lauderdale, FL)

Thanks for all the great replies! I'm thinking the forwarding port 1723 sounds like the best way to go. Security doesn't need to be super tight but a little would be nice.

Just to make sure I'm doing this correctly as far as the port forwarding goes. So far I've added a new service named VPN and set it for 1723. Then I went into the ports section and added the VPN service I created, set it to allow, gave it the IP of the server, and left it set for any WAN users address. Anything else I'm missing for that?

I'm assuming when I setup the client I'll be able to specify which port to go to. Oh, is there anything I need to open up on the W2K server for that port or is it already setup to receive incoming data on that port as long as RRAS is running?

Oh, and to answer EGeezer's question! The clients are running W2K and XP pro, and are connecting through personal broadband connections from home. So I'm thinking it should actually be pretty easy to setup the native clients for PPTP, especially now that I'll be taking the FVS out of the equation. I think it's all starting to make sense now woo! Now to actually get it to work hehe.
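
A point the port-forwarding step above does not cover: PPTP (RFC 2637) has two halves, the TCP/1723 control connection and a GRE (IP protocol 47) data tunnel, and both have to reach the RRAS server. The probe below is an added example, not code from the thread, from Netgear or from Microsoft. It sends the Start-Control-Connection-Request a PPTP client opens with and decodes the server's reply, which confirms that the forwarded port really lands on a listening PPTP server; a successful reply says nothing about whether GRE also gets through. The target host and the hostname/vendor strings are assumptions.

```python
"""PPTP control-channel probe (added example; not from the thread).

PPTP (RFC 2637) needs two things through the router: the TCP/1723 control
connection and a GRE (IP protocol 47) data tunnel. This probe exercises only
the first: it sends the Start-Control-Connection-Request a client opens with
and decodes the server's reply, which confirms that the forwarded port
reaches a PPTP server. A successful reply does not prove that GRE passes.
"""
import socket
import struct
import sys

MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1                    # PPTP message type: control message
SCCRQ, SCCRP = 1, 2                # control message types: request / reply
PROTOCOL_VERSION = 0x0100          # version 1.0
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"   # RFC 2637 section 2.1, 156 bytes
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # RFC 2637 section 2.2, 156 bytes
RESULT_CODES = {1: "successful", 2: "general error",
                3: "command channel already exists", 4: "not authorized",
                5: "unsupported protocol version"}


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"example") -> bytes:
    """Serialise the request a PPTP client sends first on TCP/1723."""
    return struct.pack(SCCRQ_FMT, struct.calcsize(SCCRQ_FMT), MSG_CONTROL,
                       MAGIC_COOKIE, SCCRQ, 0, PROTOCOL_VERSION, 0,
                       0x1,   # framing capability: asynchronous
                       0x1,   # bearer capability: analog
                       1,     # maximum channels
                       0,     # firmware revision
                       hostname[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))


def build_sccrp(result: int = 1, error: int = 0, hostname: bytes = b"server",
                vendor: bytes = b"example") -> bytes:
    """Serialise a reply the way a server would; lets the parser be tested offline."""
    return struct.pack(SCCRP_FMT, struct.calcsize(SCCRP_FMT), MSG_CONTROL,
                       MAGIC_COOKIE, SCCRP, 0, PROTOCOL_VERSION, result, error,
                       0x1, 0x1, 1, 0,
                       hostname[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))


def parse_sccrp(data: bytes) -> dict:
    """Decode a Start-Control-Connection-Reply; ValueError if it is not one."""
    size = struct.calcsize(SCCRP_FMT)
    if len(data) < size:
        raise ValueError("short packet (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _r0, version, result, error,
     _framing, _bearer, max_chan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:size])
    if cookie != MAGIC_COOKIE or msg_type != MSG_CONTROL or ctrl_type != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "result": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error": error,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Open the control connection, send SCCRQ and return the decoded SCCRP."""
    size = struct.calcsize(SCCRP_FMT)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        buf = b""
        while len(buf) < size:
            chunk = sock.recv(size - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control connection before replying")
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    print(probe(target))
```

Run it from outside the router against the public address; a `result: successful` reply means TCP/1723 is forwarded to a live PPTP server. If the control channel works but the client still fails at "verifying username and password" or right after, the usual cause is GRE not being passed, which this probe cannot exercise.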

Twang03 (Member)

Update! I have successfully created a PPTP connection to my server woo! I really do appreciate all the help you guys gave, the more I delved into this the more I felt like I was in over my head heh. Now that it's all said and done however, it actually seems pretty easy. The changes I made in the router seemed to have worked just fine, and setting up a PPTP connection in W2K was a breeze. I may even try and set it up using L2TP, seems it would be good experience setting up certificates. Heck I'm on a roll why not haha!

EGeezer (Premium Member, join:2002-08-04, Midwest) to Twang03

With XP, WIN2K and broadband, that simplified the connection issues greatly - go right to the server to limit access.

Now that you have the connections humming along, make sure those client systems with tunnels, home networks and "always on" broadband are secured so they won't become unknowing portals for unauthorized access. You don't need one of those remotes loaded with a trojan or worm that turns your server into a movie, MP3 or pay-per-file porn server or spammer relay - or worse, a handy repository from which sensitive information can be retrieved...

Even if your routers are set up to block these guys, the tunnel is not affected. They can still come in through the remote system, up the tunnel and into the network.

Thanks for the updates and Keep us posted!

Cheers,

EG

jworm (Anon, @fiber.net)

I got an FVS318 and it seems to work fine except for setting up the VPN tunnels. I found the instructions for setting up W2K IPSec and the two seem to talk fine, but it gets so far and then the two disagree on something and then the router times out. I'll see if I can post exactly what the vpn log says, but if anyone has played around with this, some advice would be most helpful.

I found the disagreement. I don't know what it means:
FVS318 IPsec:peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0
Tues, 06/17/2003 22:23:32 - FVS318 IPsec:Receive Packet address:0x1806edc from 209.00.00.0
Tues, 06/17/2003 22:23:32 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Hash Payload has an unknown value: 177
It repeats this about 4 or 5 times and then deletes the SA.
Thanks for any advice.

EGeezer (Premium Member, join:2002-08-04, Midwest)

Re: disagreement and drop...

If the VPN hasn't worked yet, it's probably a config or firewall blocking problem and hopefully, somebody who has encountered the problem will post.

If the VPN has worked, I wonder if someone hasn't found your router and tried to hack the connection?

SYSLOG your router and match the times of IPsec negotiations with SYSLOG entries. Be sure to verify and correct time zone settings to match times. See what the connecting IP is and match it to the client that's trying to init. If it doesn't match, it's somebody you don't really want.

I logged a similar item on one of my Netopias recently. The Netopia simply rejects the try and logs a "no matching Ph1 profile" and the IP address of the source of the request. It was an Asian IP block.. No adverse effects. I now have a little birdie out in the DMZ to get to know my new friend a bit better ... heh.

Hope this helps!

Cheers, EG
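
The correlation step described above (match each IPsec negotiation to a source address, then to the client that was supposed to be connecting) is easy to script. The following is an added example, not code from the thread or from Netgear: it parses lines in the format quoted earlier in the thread (`Tues, 06/17/2003 22:23:32 - FVS318 IPsec:...`), attributes each error line to the source address of the most recent `Receive Packet ... from` line, and separates peers you recognise from peers you don't. The sample log is constructed, its public addresses are documentation ranges, and the `skew` parameter is an assumption for lining the router clock up with the syslog host.

```python
"""Triage FVS318 IPsec log lines against the clients you expect.

Added example; not from the thread and not Netgear's code. The log format is
the one quoted in the thread; the sample lines are constructed.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<day>[A-Za-z]+), (?P<date>\d{2}/\d{2}/\d{4}) "
                     r"(?P<time>\d{2}:\d{2}:\d{2}) - FVS318 IPsec:(?P<msg>.*)$")
FROM_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
# fragments that mark a failed or rejected negotiation in this log style
ERROR_MARKERS = ("we only support", "unknown value", "no matching", "deleting SA", "timed out")


def parse_line(line: str, skew: timedelta = timedelta(0)):
    """Return {'ts','msg','ip'} or None; 'skew' aligns the router clock to the syslog host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S") + skew
    f = FROM_RE.search(m["msg"])
    return {"ts": ts, "msg": m["msg"].strip(), "ip": f["ip"] if f else None}


def triage(lines, expected_clients, skew: timedelta = timedelta(0)):
    """Group negotiation attempts by source IP and flag the ones you did not expect.

    Error lines carry no address, so each is charged to the peer whose
    'Receive Packet ... from' line was seen most recently.
    """
    peers = OrderedDict()
    current = None
    for line in lines:
        rec = parse_line(line, skew)
        if rec is None:
            continue
        if rec["ip"]:
            current = rec["ip"]
            p = peers.setdefault(current, {"ip": current, "expected": current in expected_clients,
                                           "packets": 0, "first": rec["ts"], "last": rec["ts"],
                                           "errors": []})
            p["packets"] += 1
            p["last"] = rec["ts"]
        elif current and any(mark in rec["msg"] for mark in ERROR_MARKERS):
            peers[current]["errors"].append(rec["msg"])
    return list(peers.values())


# Constructed sample: one known client failing on its ID payload, then an
# unknown peer probing the router. Addresses are documentation ranges.
SAMPLE_LOG = """\
Tues, 06/17/2003 22:23:32 - FVS318 IPsec:Receive Packet address:0x1806edc from 198.51.100.7
Tues, 06/17/2003 22:23:32 - FVS318 IPsec:peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0
Tues, 06/17/2003 22:23:40 - FVS318 IPsec:Receive Packet address:0x1806edc from 198.51.100.7
Tues, 06/17/2003 22:23:40 - FVS318 IPsec:peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0
Tues, 06/17/2003 22:23:55 - FVS318 IPsec:deleting SA
Tues, 06/17/2003 23:02:10 - FVS318 IPsec:Receive Packet address:0x1806edc from 203.0.113.250
Tues, 06/17/2003 23:02:10 - FVS318 IPsec:loglog[3] next payload type of ISAKMP Hash Payload has an unknown value: 177
"""

if __name__ == "__main__":
    for peer in triage(SAMPLE_LOG.splitlines(), expected_clients={"198.51.100.7"}):
        tag = "known" if peer["expected"] else "UNEXPECTED"
        print("%s %-15s packets=%d errors=%d %s..%s" % (
            tag, peer["ip"], peer["packets"], len(peer["errors"]),
            peer["first"].time(), peer["last"].time()))
```

Feed it the router's syslog output and the set of addresses your remote users are actually coming from; a peer that is not in that set and still triggers negotiation errors is the "somebody you don't really want" case above, while a known peer with repeated identical errors is a configuration mismatch rather than an intruder.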

jworm (Anon, @fiber.net)

The vpn has never worked from the start. I think the hang up is in this line: FVS318 IPsec:peer client ID payload ID_IPV4_ADDR specifies protocol 17; we only support 0
The peer client is XP and I guess my question is, can the "client ID payload ID_IPV4_ADDR protocol" be changed in XP to match FVS318's protocol "0". It's really frustrating that Netgear doesn't explain things better in the documentation for setting up W2K. If I could, I would take the thing back, but I'm stuck with it so I have to make it work.

jefff0 (Member, join:2002-03-14, Australia)

I wonder if you have NAT Traversal enabled in the client?

(Protocol 17 is UDP, whereas the FVS is probably expecting the IKE/ESP packets to be contained directly within IP, not re-encapsulated in UDP, as can be done for NAT traversal).
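
For anyone who wants to see exactly which bytes the two log messages are about: the "next payload" value is the first byte of each ISAKMP payload header (RFC 2408), and "protocol 17" is the Protocol ID byte at the head of the IKE Identification payload, followed by a port (RFC 2407 section 4.6.2). Microsoft's IKE of that era fills those two fields with UDP (17) and port 500, independent of any NAT traversal, and a responder that insists on 0 rejects it. The decoder below is an added example, not code from the thread, Netgear or Microsoft; the messages it parses are constructed, using the 177, 17 and 0 values quoted in the log, and the address in them is a documentation range.

```python
"""ISAKMP payload walker and IKE Identification payload decoder.

Added example; not from the thread and not Netgear's or Microsoft's code.
Decodes the two fields the FVS318 log complains about: the "next payload"
byte chaining ISAKMP payloads (RFC 2408 section 3) and the Protocol ID /
Port header of an Identification payload (RFC 2407 section 4.6.2).
"""
import ipaddress
import struct

# RFC 2408 section 3.1: 0-13 defined, 14-127 reserved, 128-255 private use
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "N", 12: "D", 13: "VID"}
ID_IPV4_ADDR = 1
PROTO_UDP = 17
HDR_FMT = ">8s8sBBBBII"   # ISAKMP header: cookies, next, version, xchg, flags, msgid, length
GEN_FMT = ">BBH"          # generic payload header: next payload, reserved, length
ID_HDR_FMT = ">BBH"       # ID payload head: ID type, protocol ID, port


def build_id_payload(addr: str, proto: int, port: int) -> bytes:
    """ID_IPV4_ADDR payload body: 4-byte head plus the 4-byte address."""
    return struct.pack(ID_HDR_FMT, ID_IPV4_ADDR, proto, port) + ipaddress.IPv4Address(addr).packed


def build_message(payloads, exchange_type: int = 2) -> bytes:
    """Chain (type, body) tuples into one ISAKMP message (exchange 2 = main mode)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(GEN_FMT, nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, 0, 0, 28 + len(body))
    return hdr + body


def walk_payloads(msg: bytes):
    """Return [(type_name, body)]; ValueError on an unknown next-payload byte."""
    _ic, _rc, nxt, _ver, _xchg, _flags, _mid, length = struct.unpack(HDR_FMT, msg[:28])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes received" % (length, len(msg)))
    out, off, prev = [], 28, "ISAKMP header"
    while nxt != 0:
        if nxt not in PAYLOAD_TYPES:
            # the same condition the router logged for its HASH payload
            raise ValueError("next payload type of %s payload has an unknown value: %d" % (prev, nxt))
        name = PAYLOAD_TYPES[nxt]
        nxt, _res, plen = struct.unpack(GEN_FMT, msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("%s payload length %d runs past the message" % (name, plen))
        out.append((name, msg[off + 4:off + plen]))
        off, prev = off + plen, name
    return out


def decode_id(body: bytes) -> dict:
    """Decode an ID_IPV4_ADDR identification payload body."""
    id_type, proto, port = struct.unpack(ID_HDR_FMT, body[:4])
    if id_type != ID_IPV4_ADDR or len(body) != 8:
        raise ValueError("only ID_IPV4_ADDR is handled here")
    return {"id_type": "ID_IPV4_ADDR", "protocol": proto, "port": port,
            "address": str(ipaddress.IPv4Address(body[4:8]))}


def check_message(msg: bytes) -> dict:
    """Walk the payloads and apply the 'protocol must be 0' rule from the log."""
    try:
        payloads = walk_payloads(msg)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    for name, body in payloads:
        if name == "ID":
            ident = decode_id(body)
            if ident["protocol"] != 0:
                return {"accepted": False, "id": ident,
                        "reason": "peer client ID payload ID_IPV4_ADDR specifies protocol %d; "
                                  "we only support 0" % ident["protocol"]}
            return {"accepted": True, "id": ident, "reason": ""}
    return {"accepted": True, "reason": "no ID payload"}


# Constructed samples. Windows 2000/XP IKE puts UDP (17) and port 500 in the
# ID head; a peer that insists on protocol 0 rejects that.
HASH = b"\xaa" * 16
WINDOWS_STYLE_MSG = build_message([(8, HASH), (5, build_id_payload("192.0.2.10", PROTO_UDP, 500))])
PLAIN_MSG = build_message([(8, HASH), (5, build_id_payload("192.0.2.10", 0, 0))])
# same as PLAIN_MSG with the HASH payload's next-payload byte (offset 28) set to 177
BAD_NEXT_MSG = PLAIN_MSG[:28] + bytes([177]) + PLAIN_MSG[29:]

if __name__ == "__main__":
    for label, m in (("windows-style", WINDOWS_STYLE_MSG), ("plain", PLAIN_MSG),
                     ("bad next", BAD_NEXT_MSG)):
        print(label, check_message(m))
```

The point of the walker is that 177 lies in the private-use range of payload types, so a responder that does not recognise it cannot continue parsing the message and drops the exchange; and the ID check shows why flipping a NAT-T setting on the client would not by itself change the 17 in the log, because that byte is part of the identity the peer claims, not of the packet encapsulation.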

jworm (Anon, @fiber.net)

Sorry, I'm kinda dumb, but where would I find that out in XP or even W2K?