HOW TO SET UP A CLIENT IPSEC VPN
UPDATE: 11/16/2012
The views expressed below do not in any way reflect internal doctrine or official statements of Netgear Inc. These are just my notes – use at your own risk.
BY: infotinks
This document explains how to set up a simple Client to Network VPN with IPsec, also known as a Client to Box VPN. It also explains some of the terminology and some fixes for issues you may encounter.
Read SECTION 1 and 2 first; they explain how to set it up. Then read all of this, it doesn't take too long. Again, SECTION 1 and 2 explain how to set it up. Section 1 is for the setup on the local network NETGEAR router (let's imagine your head office in Austin, Texas) and Section 2 is on the computer which will be connecting to the network from a remote site (let's imagine a hotel in France). Fill in the blanks marked with stars as you go.
OUR CLIENT SOFTWARE
Netgear VPNs work best with the NETGEAR client. VPNs are server/client applications, so it's best to use the NETGEAR client. The NETGEAR client so far only works with Windows. For any other operating system you could check the forums online for how to set up different client software; the NETGEAR tech support team doesn't support and won't provide assistance with setting up other clients because they are not made by NETGEAR.
THE TRIAL AND OLDER SOFTWARE
If you have a Windows operating system you can download the client; the license costs $50 per person, or you can buy 5 licenses for cheaper. There is a trial available which is good for 30 days. Just google NETGEAR VPNG01L and download version 5.14. Make sure the G is there in the middle, VPN G 01L, but without spaces, because the client without the G, VPN01L, is the old client which is end-of-life and no longer supported. That old client lacks features like forcing the IP address of the remote side in the VPN, which proves to be a useful utility when experiencing VPN connection problems. So all in all just google for “VPNG01L 5.14 download”.
DOWNLOAD LINKS FOR CURRENT LITE AND PRO VERSION
* Lite Version (sometimes you get license keys for free with certain models of our vpn routers/firewalls)
**** VPN 5.14 LITE: http://kb.netgear.com/app/answers/detail/a_id/20317/related/1
* Pro Version (has 30 day trial, but you can also purchase keys, and sometimes it comes with certain models of our vpn routers/firewalls) DOWNLOAD THIS:
**** VPN 5.14 PRO: http://kb.netgear.com/app/answers/detail/a_id/20316/~/vpng01l
TERMS ILL USE
WAN IP = WIDE AREA NETWORK IP = most often this is the public IP address of a network. The one that everyone knows you as.
LAN IP = LOCAL AREA NETWORK IP = these are the addresses of your computers and other machines inside your network. They are usually of the form 192.168.a.b or 172.x.a.b or 10.a.b.c, where a, b and c can be any number from 0 to 255 inclusive, and x is any number from 16 to 31 inclusive. The address schemes typically follow this pattern; you can also check by googling “RFC 1918” or “Private Addresses”.
local = the network where the firewall/router is, which we will try to access from some random location
remote = the computer we are using to access the local network through our VPN tunnel
PHASE 1 = the same as the IKE POLICY on the router = the same as the GATEWAY on the client
PHASE 1 essentially connects your WAN IPs together, so your routers together
PHASE 2 = the same as the VPN POLICY on the router = the same as the TUNNEL on the client
PHASE 2 essentially connects the devices beyond the routers, so it connects the private networks beyond that. So it connects the LAN IPs together from the different sides.
SECTION 1 SETUP ON LOCAL ROUTER
*LOCAL WAN IP:
*PRESHARED KEY:
*LOCAL LAN NETWORK IP (ends with 0s):
*LOCAL LAN SUBNET:
*ROUTER REMOTE IDENTIFIER:
*ROUTER LOCAL IDENTIFIER:
1) First we need to gather some information. Get the WAN IP (also known, and sometimes seen in our interfaces, as the “Internet IP”) by going to Monitoring –> WAN Settings… or Monitoring –> Router Status (or Network Status if on a different NETGEAR device). AFTER that go to www.ipchicken.com (or www.whatismyip.com or www.myipaddress.com). If the WAN IP from your router and www.ipchicken.com match, then type it above in LOCAL WAN IP and go to the next step. If there is a mismatch between the router WAN IP that you have and what ipchicken.com has for your IP, then you are double NATed and most likely the VPN will not work unless you do some fixes. (FIXES: Put the MODEM into BRIDGE MODE; call your ISP for this one. Also putting your NETGEAR ROUTER on the DMZ of your MODEM can help you fix this, but it's not always the case. When you do this you have to widen the LOCAL SUBNET in the VPN POLICY settings on your ROUTER, and match that by widening the REMOTE SUBNET in the TUNNEL settings on the CLIENT. You have to widen them enough to include your network address and your DMZ. PS: your DMZ address is the address on your WAN IP that you got from the INTERNET.)
2) Get the LAN IP of the network with its subnet mask at Network Config –> LAN Settings. You can also get this after you have made the VPN (after step 10). Fill out the LOCAL LAN NETWORK IP and the LOCAL LAN SUBNET.
3) Next go to VPN –> IPsec VPN –> VPN WIZARD
4) Select VPN Client instead of Gateway
5) Name the connection: give it any name, like “vpn1”
6) Give it a password under the preshared key, like: 12345678
7) Specify what WAN interface you will use. If you only have one WAN interface this is greyed out and usually it's fine to leave it as WAN1; if you change it, make sure you check what you wrote for LOCAL WAN IP in step 1
8) What is the Remote Identifier Information? Put whatever there but write it down up top; I usually leave it as default. Fill this out at ROUTER REMOTE IDENTIFIER
9) What is the Local Identifier Information? Put whatever there but write it down up top; I usually leave it as default. Fill this out at ROUTER LOCAL IDENTIFIER
10) Hit apply
– At this point, in the VPN Policy tab under Local, you can see the LOCAL LAN NETWORK IP and the LOCAL LAN SUBNET in case you didn't get them at step 2
SECTION 2 SETUP ON REMOTE CLIENT
**REMOTE LAN NETWORK IP: you can get this from “cmd” then typing “ipconfig”
**REMOTE LAN SUBNET: you can get this from “cmd” then typing “ipconfig”
You can download the free 30-day trial of the professional NETGEAR VPN client.
1) Run the configuration wizard; you can find it through the menus
2) select connecting to “A router or a VPN gateway”
3) IP or DNS public address: put the LOCAL WAN IP from section 1 in here
4) Preshared key: put the PRESHARED KEY from section 1 in here
5) IP private address: put the LOCAL LAN NETWORK IP (ends with 0s) from section 1 here
6) Hit next and then Finish
– You now have a tree with ROOT (this is where you set SA lifetime, but that's another discussion), GATEWAY (which is phase 1) and TUNNEL (which is phase 2)
7) Click on Gateway and click on P1 Advanced or the Advanced tab under it, whichever one you see
8) Make sure the only thing checked is Aggressive mode
9) Change LOCAL ID and REMOTE ID type to “DNS” with the drop down
10) the value for Local ID should be set to ROUTER REMOTE IDENTIFIER from above, yes it is flipped like this, this is not a mistake
11) the value for Remote ID should be set to ROUTER LOCAL IDENTIFIER from above, yes it is flipped like this, this is not a mistake
12) Hit Okay
13) Right click on tunnel or click on tunnel and hit open tunnel
[update 11/16/2012]
NOTE IMPORTANT: It's actually better to have the VPN CLIENT ADDRESS in the “tunnel” options set to some private address that is not part of the local network (the network where your firewall/router is, which you set up in section 1); it solves future problems.
So if your section 1 network is the 192.168.1.0/24 subnet,
then pick an address like 192.168.2.10 for the VPN CLIENT ADDRESS.
Any address works that fits the PRIVATE ADDRESS SCHEME
192.168.0.0 to 192.168.255.254
172.16.0.0 to 172.31.255.254
10.0.0.0 to 10.255.255.254
Also, each person that will be connecting should have their VPN CLIENT address be just an increment of the previous one.
Example:
If my router network is 192.168.1.0 and its IP is 192.168.1.1 locally,
Then for Person1 I would set the VPN CLIENT address in the tunnel options on the CLIENT software to:
192.168.2.10
For person 2 I would do 192.168.2.11. For person 3 I would do 192.168.2.13. Remember: Each person signifies a different license than the other person. So 5 people for the 5 license pack, and 1 person only for the 1 license pack.
IF YOU EXPERIENCE PROBLEMS
CLIENT PROBLEMS
– If the client is giving you problems, close the client (make sure you completely turn it off; sometimes it sticks in the bottom right taskbar, right click and close it if it does), go to RUN, type “services.msc”, hit enter, find TGbike, right click, stop the service, wait 10 seconds, start the service, then restart the VPN client
– Uninstall the client, then reinstall the client from Windows safe mode (accessed by hitting F8 during the computer start-up process, when the screen is black with lots of writing)
MISMATCH PROBLEMS
– Make sure all the fields are correct, especially the network IDs and the preshared keys
– Make sure that settings match horizontally (so remote to local), so the encryption for phase 1 matches on both sides. In other words, the same setting is applied to the IKE POLICY ENCRYPTION METHOD on the router and the GATEWAY ENCRYPTION METHOD on the remote client
– Do the same for phase 1 AUTHENTICATION and phase 1 KEY GROUP (notice that on the remote client you cannot turn off Key Group)
– Do the same for phase 2 ENCRYPTION, phase 2 AUTHENTICATION, and the phase 2 PFS GROUP check box and value
– Make sure the local and remote IDs are flipped between the remote and local side
– Make sure MODE is Tunnel in GATEWAY ON CLIENT
ON THE VPN CLIENT ON THE GATEWAY PAGE
– The VPN Client address is the address that the computer will have through the VPN in the local network. If it's set to 0.0.0.0 it will keep the settings that it gets from the network that it is currently on
– Make sure the “VPN Client Address” is set to 0.0.0.0 if and only if the remote LAN network is not the same as the local LAN network. Go to “run”, type “cmd”, hit enter, type “ipconfig”, look at the IPv4 address and fill out the ** fields above. If they match, change the VPN Client address to not be 0.0.0.0 but to be something that is not in the same network as the local LAN (local LAN in this case is still where the router is, as per my terminology stated in the beginning).
– So for example, if you're connected to a Starbucks network and your LAN IP from them is 192.168.1.3, which you found out from ipconfig (or by running “pathping 8.8.8.8” to Google's DNS server, which shows you which network card IP is being used), and let's say the network address of your local network where the router is also happens to be the same subnet 192.168.1.0, then YOU CANNOT have 0.0.0.0. Pick anything other than 0.0.0.0 that is not in the same subnet, like 192.168.3.55 or 10.5.2.3. Just use any local private address (RFC 1918 Section 3, google it).
– Also for example, if you're connected to a hotel network and your IP is 192.168.55.4, which you found out from the ipconfig command, and let's say the network address of your local network where the router is is the subnet 192.168.1.0, then you CAN have 0.0.0.0. OR, just for kicks, you can spoof your VPN tunnel IP address; just make sure you pick an RFC-1918-Section-3 address that is not on the same subnet as your network. You can't pick, for example, 192.168.1.6 or 192.168.1.254, since they are in the same subnet as the LAN network at the local site.
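The subnet rule above is easy to get wrong by eye, so here is an added example (my own helper, not part of the NETGEAR client or its documentation) that checks a VPN CLIENT ADDRESS choice with Python's standard ipaddress module. It applies the rules from this section: 0.0.0.0 is only acceptable when the remote computer's subnet does not overlap the local LAN, and any other choice must be an RFC 1918 address outside both the local LAN and the remote network (the function and parameter names are mine). It also hands out one incremented address per license, as in the example in the update above.

```python
# Added example, not code from the original notes: sanity-check the
# VPN CLIENT ADDRESS for the client's tunnel options.
import ipaddress

# RFC 1918 Section 3 private ranges, as listed in the notes.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True if addr is inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_vpn_client_address(remote_ip, remote_mask, local_network, candidate):
    """Return (ok, reason) for a VPN CLIENT ADDRESS choice.

    remote_ip, remote_mask: what ipconfig shows on the remote computer
                            (the Starbucks or hotel network).
    local_network:          LOCAL LAN NETWORK IP/subnet from section 1,
                            e.g. "192.168.1.0/24".
    candidate:              the value typed into the tunnel options.
    """
    remote_net = ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False)
    local_net = ipaddress.ip_network(local_network, strict=False)
    cand = ipaddress.ip_address(candidate)
    if cand == ipaddress.ip_address("0.0.0.0"):
        # 0.0.0.0 keeps the remote network's address, so the two LANs
        # must not collide; otherwise routing into the tunnel is ambiguous.
        if remote_net.overlaps(local_net):
            return False, f"remote LAN {remote_net} overlaps local LAN {local_net}"
        return True, "0.0.0.0 is fine, remote and local subnets differ"
    if not is_private(cand):
        return False, f"{cand} is not an RFC 1918 private address"
    if cand in local_net:
        return False, f"{cand} is inside the local LAN {local_net}"
    if cand in remote_net:
        return False, f"{cand} is inside the remote network {remote_net}"
    return True, f"{cand} is a usable VPN CLIENT ADDRESS"


def client_addresses(first_address, licenses):
    """One VPN CLIENT ADDRESS per licensed user, incrementing from the first."""
    base = ipaddress.ip_address(first_address)
    return [str(base + i) for i in range(licenses)]
```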
SA Lifetime
This tells you how often connections are reset.
Just leave them as default,
OR follow this rule:
PHASE 1 SA LIFETIME has to be GREATER THAN OR EQUAL to PHASE 2 SA LIFETIME.
Or, just for kicks and giggles, I set both to 86400 seconds and match that on phase 1 and phase 2 and on the remote and local site.
Connection Drops
Lower the MTU of the router to 1408 from the default 1500, because IPsec adds overhead to the internet packets/frames.
Also lower the encryption, but not all the way or your tunnel won't work, and make sure they match horizontally (so, for example, the phase 1 PFS group on the router matches the phase 1 PFS group on the remote client).
You can bring it back up slowly as you wish to increase security.
CAN PING SOME BUT NOT OTHERS
If you can ping at least one thing inside the network with your VPN up, then the VPN is fully functional. The other device may not be pinging back (or being accessible) because of its own security software, or because of a security device in front of it. Make sure the FIREWALLS allow your VPN CLIENT ADDRESS subnet in (if you have the VPN CLIENT ADDRESS set to 0.0.0.0, then the subnet the LOCAL SIDE needs to allow is YOUR LAN SUBNET where the remote CLIENT IS INSTALLED).