It has a public IP and use NAT to translate to 192.168.2.0/24. On the Netgear side the FVS338 is a simple little firewall/router. Roughly speaking I think the network looks like (though this isn't really accurate because my public IP's aren't shown): internet I have defined a route for 192.168.10.0/24 to ethernet0/1 I have policy based NAT configured such that requests for the 1st public IP address is NAT'd to a specific IP (192.168.10.11). The second, ethernet0/1, is for my block of 8 public IP's, set as zone Trust, interface mode Route, type Layer 3. The first, ethernet0/0, is for the SSG5's public IP, set as zone Untrust, interface mode Route, type Layer 3. There are two interfaces defined on the SSG5. I have a block of 8 public IPs (/29), the SSG5 has it's own IP (separate subnet from my 8 public IPs), and routes requests for the public IP's to the server. The server (just one for now) is a dedicated host at a hosting company. Under ESP Configuration check both Enable Encryption and Enable Authentication, using 3DES and SHA1Įxcellent post, thanks kindly :) Netgear routers are great.I'm trying to configure a Juniper SSG5 for VPN. Put in the public IP of the Endian for the Remote VPN EndpointĬheck IPSec PFS and set it to Group2 (1024) Set the Diffie-Hellman (DH) Group to Group2 (1024) The Authentication Method should be set to Pre-Shared Key - and enter the same key that you entered on the Endian above Use the FQDN of the Endian as the Remote Identity TypeĮncryption Algorithm should be 3DES, and Authentication Algorithm should be SHA1 If you do not know this, go to and look under "Your host address" I finally looked in the IPSec logs and found that the IPSec service was looking for "br2" and was not finding it, and then simply not starting the service.)įor the Local Identity Type, use the FQDN of the public side of the Netgear. Your remote endpoint will sit there for forever waiting for an IKE response and the Endian will not send it. (Note - if you do not have an Orange or Blue interface on your Endian - the IPSec service WILL NOT come up if you leave the default VPN on ORANGE and VPN on BLUE options enabled on the main IPSec page under VPN > IPSec. Uncheck Aggressive, Check Perfect Forward Secrecy, and Uncheck Negotiate payload compression Use DH Group2 (1024) for the IKE group typeįor ESP Encryption use 3DES and SHA1 - DH Group2 (1024) Use 3DES as the IKE Encryption, SHA for Integrity The Remote subnet should be the subnet of the network that the Netgear is on (ie 192.168.1.0/24)įor the Local and Remote IDs, make sure you use the FQDN of the public side of the Endian and the Netgear - I have found that it WILL NOT work if you simply use the public IP addresses of the devices as the IDs. The Local subnet should be the local subnet of the Endian (ie 192.168.0.0/24) Put in your Remote host/IP - this should be the public IP address of the Netgear. Make sure you use the FQDN of your device as the local hostname/IP. (This will be with a Netgear FVS124G - the Netgear settings are the same on an FVS338 as well, although arranged differently) There's not a lot of documentation on using Netgear VPN routers as hardware IPSec VPN clients for an Endian firewall - so I thought I'd post how I got mine up and running.
0 Comments
Leave a Reply. |