IPSec VPN with Netgear FVS318v3
My Belkin N1 Vision router decided to die the other day. So I realized it was time for an industrial strength router. Checked out a really nice one with Linux built in and great application support. It was a little pricey for me right now, just got a new girlfriend and moved in with her…. 🙂
I finally decided for the Netgear FVS318v3 which comes with a built in IPSec VPN server for 8 concurrent connections. Netgear wants ~$50 for the client software which I wasn’t really happy about paying. So I started checking around for a free alternative. Finally I came across Shrew Soft VPN Client (http://www.shrew.net/). It’s free and really light weight. It took some figuring out how to configure it all so I thought it was a good idea to share it.
I presume that you already have DynDNS enabled. If you have a dynamic WAN address it’s a must to get this to work.
First you have to set up your FVS318 router to accept the connections.
- Log on to your router and go to the “VPN Wizard” in the left hand menu.
- Just click “Next”…
- You have to set a name for your connection and a pre-shared key (PSK). Select “A remote VPN client” as connection type.
- You will get a confirmation screen next. Just click “Done”.
Now your router is up to speed and you need to download the VPN client from http://www.shrew.net/download
Once installed it’s time to set up your new connection.
- In the router admin page select “IKE Policies” in the left hand menu. The two pieces of information you are interested in are “Local ID” and “Remote ID”.
- Now start Shrew Soft VPN Access Manager and click “Add”.
- Now enter your DynDNS, or static WAN address if you have one, in the “Host Name or IP Address” field.
- Set “Auto Configuration” to “disabled”.
- Set “Local Host” – “Address Method” to “Use an existing adapter and current address”.
- Now go to the “Name Resolution” tab. If you know the addresses of the WINS server and/or DNS server on the remote network, enter them here. If not, uncheck the check boxes.
- Now go to the “Authentication” tab and set “Authentication Method” to “Mutual PSK”.
- “Local Identity” should be the field “Remote ID” on the router’s “IKE Policies” page. “Identification Type” should be “Fully Qualified Domain Name”.
- On the “Remote Identity” tab the “Identification Type” should be “Fully Qualified Domain Name” and “FQDN String” should be the “Local ID” from the router’s “IKE Policies” page.
- Moving on to the “Credentials” tab fill in your PSK in the “Pre Shared Key” field. In this case “areallylamekey”.
- Then you go to main tab “Policy”.
- Uncheck the “Obtain Topology Automatically or Tunnel All” check box.
- Click the “Add” button.
- Type in your network. To route all the 192.168.0.x addresses over the VPN tunnel enter address 192.168.0.0 and netmask 255.255.255.0. If you have the same network address range at home and in your current location you can enter specific addresses or add another topology entry that excludes those addresses.
- Then hit “Save” and you will return to the main window.
- Double-click your connection and select “Connect”. That’s it!
You’re now up and running with your own secure IPSec tunnel to your home or office!
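As an added example (not from the original post, and not Shrew Soft’s or Netgear’s own configuration format), here is a small Python check of the two things that most often go wrong in the steps above: the identities must be mirrored between the router’s “IKE Policies” page and the client (the router’s Remote ID is the client’s Local Identity, and vice versa), and the topology entries must account for an overlapping LAN range. The dictionary field names and the sample identities are my own assumptions; the PSK value is the one used in the walkthrough.

```python
import ipaddress

def check_identities(router, client):
    """Compare the router's IKE policy with the Shrew Soft profile.

    router: dict with 'local_id', 'remote_id', 'psk' as shown on the FVS318
            "IKE Policies" page (field names assumed for this example).
    client: dict with 'local_identity', 'remote_identity', 'psk',
            'auth_method', 'auto_config' as entered in the client.
    Returns a list of human-readable mismatches; empty means consistent.
    """
    problems = []
    # The identities are mirrored: the router's Remote ID is the client's
    # Local Identity, and the router's Local ID is the client's Remote Identity.
    if client['local_identity'] != router['remote_id']:
        problems.append("client Local Identity %r must equal router Remote ID %r"
                        % (client['local_identity'], router['remote_id']))
    if client['remote_identity'] != router['local_id']:
        problems.append("client Remote Identity %r must equal router Local ID %r"
                        % (client['remote_identity'], router['local_id']))
    if client['psk'] != router['psk']:
        problems.append("pre-shared key does not match the router's PSK")
    if client['auth_method'] != 'Mutual PSK':
        problems.append("Authentication Method must be 'Mutual PSK'")
    if client['auto_config'] != 'disabled':
        problems.append("Auto Configuration must be 'disabled'")
    return problems

def plan_topology(remote_lan, local_lan, hosts=()):
    """Decide which networks to send through the tunnel.

    remote_lan: the LAN behind the FVS318, e.g. '192.168.0.0/24'.
    local_lan:  the LAN the client sits on right now.
    hosts:      specific remote addresses to reach when both ranges are identical.
    Returns {'include': [...], 'exclude': [...], 'note': str}.
    """
    remote = ipaddress.ip_network(remote_lan, strict=False)
    local = ipaddress.ip_network(local_lan, strict=False)
    if not remote.overlaps(local):
        return {'include': [str(remote)], 'exclude': [], 'note': 'no overlap'}
    if remote == local:
        # Identical ranges: only explicit remote hosts can be told apart from local ones.
        return {'include': ['%s/32' % h for h in hosts], 'exclude': [],
                'note': 'same range on both sides; list specific remote hosts'}
    if local.subnet_of(remote):
        # Local LAN is a piece of the remote range: carve it out so local traffic stays local.
        return {'include': [str(remote)], 'exclude': [str(local)],
                'note': 'local LAN excluded from the tunnel'}
    # Remote range is a piece of the local LAN: the more specific include already wins.
    return {'include': [str(remote)], 'exclude': [],
            'note': 'remote range is more specific than the local LAN'}

if __name__ == '__main__':
    # Constructed sample values, not real identities.
    router = {'local_id': 'fvs318.example.invalid',
              'remote_id': 'laptop.example.invalid', 'psk': 'areallylamekey'}
    client = {'local_identity': 'laptop.example.invalid',
              'remote_identity': 'fvs318.example.invalid',
              'psk': 'areallylamekey', 'auth_method': 'Mutual PSK',
              'auto_config': 'disabled'}
    print(check_identities(router, client) or 'identities consistent')
    print(plan_topology('192.168.0.0/24', '192.168.0.0/24', hosts=('192.168.0.10',)))
```

The topology planner goes slightly beyond the single case in the text: besides the “same range on both sides” situation it also handles a local LAN that is a sub-range of the remote network (exclude it) and the reverse (the more specific include already takes precedence).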
I tried this. Didn’t work for me. I get “[==== IKE PHASE 1 ESTABLISHED====]” okay, but I can’t seem to get PHASE II to happen. As a result no tunnel.
Alright, then. I tried again, following the steps you documented and this time it worked! Thanks for the guide, most helpful.
It worked as advertised.
Hi, I am able to connect but only to the firewall. Let’s say I want to do HTTPS on one of the computers under this firewall: I cannot.
Dude, you saved my day with these instructions.
Any idea what could be happening? I get “invalid message from gateway” through Shrew.
Man, saved our bacon too. Almost midnight and got it working thanks to your help! BTW, on the FVS318V3 firmware version 3.0_28 we had to do one additional config in the Shrew Soft client.
We could get Phase I to connect but were having issues with Phase II completing.
In the Phase II tab, we had to change “Transform Algorithm” to: esp-3des
and “HMAC Algorithm” to: sha1
and “PFS Exchange” to: disabled
Then we were able to connect properly.
Thank you, this tutorial was a great help for me!
I too would like to say thank you for the tutorial. Followed the instructions step by step and everything worked on the first try at connecting.
What’s up, just wanted to mention, I loved this article. It was helpful. Keep on posting!
I keep getting “invalid message from gateway” after “bringing up tunnel”. Any idea why this would occur?
Followed the tutorial but had the same problem as Rudy. I can establish the tunnel but can NOT communicate with any device on the other side. IPConfig shows the connection doesn’t have a Gateway address. Is the “Use Current adapter and Current Address” assuming both sides have the same IP range? What if they don’t? Assigning an address did not seem to help.
Thank you! It’s a very easy tutorial )))
Just wanted to write to say thanks for taking the time to document this. Worked perfectly and your instructions allowed me to get it working in about 5 minutes. Compare that to the several hours of research trying to find the Netgear VPN client, only to find out it isn’t compatible with Windows 7. Many thanks!
Awesome guide, this worked flawlessly for me. Really appreciate your efforts! Thanks!
Thanks so much for taking the time to type this out and include the screen shots. I initially followed the Netgear How-To on the Shrew site but it didn’t work. After finding your instructions I followed the steps and everything worked perfectly! Thanks again!
Everything is working at first connection. Thanks, you are very great!!!!!
Hey, awesome guide, I finally was able to connect to my VPN but I can’t ping anything on that network.
My network is set at 192.168.1.x
the VPN network is at 10.1.1.x
How would I do that? I tried the virtual adapter thing.
Wasn’t much luck.
I tried following some tutorials here and there and nothing worked.
I followed your tutorial and it worked perfectly at the first try. I just needed to specify some more parameters in shrew under Phase1 and Phase2 tabs.
Great great help indeed!
Excellent, took me hours to come close to this, but your tutorial got me the rest of the way and fast, Thank you so much!!!
Set it up, can connect just fine but like others have said I can’t ping anything on the other network.
When you say connect just fine does that include other communication with the other network except ping or is it just the tunnel that works?
Still useful four years on…
I had a working config but I started getting the “invalid message from gateway” error message. I’m using XAUTH though to allow login user names and IDs configured on the router. I read somewhere that there is a Netgear bug in their protocol implementation – but I think it may be more like a timing issue. My OSX clients were having no problems (but they are not using Shrew obviously, just the standard CISCO VPN support).
What I found was when I configured my Windows to not autoconfigure as you suggest, and use the existing network connection with manually configured DNS setting it all just works. Not as flexible if our internal config ever changes but not the end of the world. I can always send out the users a new exported config to use.
The topology discovery stuff was also very useful for those who don’t want all their traffic to go over the VPN which seems to upset Gmail and others sometimes. I hadn’t spotted the topology config option so this was useful.
Thanks for posting this detailed how to!
So frustrated with this thing…. feel like I am close but just don’t know what it is I am doing wrong. At least this method seems to be getting me closer.
I am able to establish the tunnel but am unable to ping or map a drive while connected. I currently have everything set up exactly as listed above, other than the phase 2 tweaks Keith recommended because if I leave these set to “auto” I get security failures on the Shrew client. Other than that I have tried every configuration I can think of on both the Shrew side as well as the Netgear side.
I think this may be something on the Netgear side that is preventing traffic to pass through but for the life of me I cannot figure out what it is. Any suggestions as to what I can try or adjust would be greatly appreciated.
Thank you for this article, it makes life easier for us. But I have a problem like Rudy: I was able to establish the tunnel, I can even ping the IP address of the computers connected to the Netgear but I can not access it using http/s.
Was a while ago I fiddled with this the last time… Are you sure setup allows traffic between networks? What does the log say?
Tod, does your network have DNS? Have you checked to make sure Windows 7 clients have ping enabled through the firewall? By default it is not. Try using IP addresses and not host names to map your drives. This works on networks without local DNS. Just some thoughts on further troubleshooting that you have not mentioned yet.
Thanks for the reply Dheath…
Our network does not have a DNS. I enabled echo request for all profiles (Private and Domain) and still can’t ping anything. I also selected the option on the Netgear security tab to respond to Ping on internet ports, still no luck.
Thanks a lot !
I have configured the VPN client for a remote user to access my local LAN systems. It’s showing the tunnel has connected but when I ping the LAN IP 192.168.1.1 or any IP from the class C address with subnet 255.255.255.0 I can’t ping. On the firewall side the connection has been established for phase 1 and phase 2 and also data has been transmitted but I am not able to ping or connect to my systems.
That can be a number of things, check the following:
Make sure that your local LAN isn’t the same as the remote LAN subnet.
Check with tracert to see where it stops; that may give you a hint to the problem.
Make sure windows firewall isn’t blocking.
If this doesn’t help please share more of your configuration details and I will see if I can help!
Kristofer Kallsbo: Thanks for your reply. Yes, I have checked the LAN subnet (192.168.1.0 & 255.255.255.0) and remote LAN subnet (172.16.0.1 & 255.255.0.0) and Windows isn’t blocking. Tried tracert too but it doesn’t show the remote LAN IP address.
Note : client is mac machine.
Okay, so then your client settings look a little different?
Is there any setting for what traffic should be routed over the VPN tunnel?
It’s important that the VPN client put the route for the 172.16.0.1/16 into the routing table otherwise it will try to route over your default gateway. Did you maybe see your default gateway in the tracert?
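The routing point made in this reply, as an added example that is not part of the original comment: parse the IPv4 table that Windows `route print` shows, do a longest-prefix lookup for a host inside the remote LAN, and report when it would fall through to the default route instead of the tunnel. The route table lines and addresses below are constructed samples, not output captured from any of the setups in this thread.

```python
import ipaddress

# Constructed sample of the "IPv4 Route Table" section that Windows 'route print'
# shows on a client whose tunnel is up but that has no route for the remote LAN.
ROUTE_PRINT_NO_TUNNEL_ROUTE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""

# Same client after the VPN client has installed a route for 172.16.0.0/16
# (also constructed).
ROUTE_PRINT_WITH_TUNNEL_ROUTE = ROUTE_PRINT_NO_TUNNEL_ROUTE + \
    "       172.16.0.0      255.255.0.0         On-link      192.168.1.50     26\n"

def parse_route_print(text):
    """Turn 'route print' lines into dicts; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            network = ipaddress.ip_network('%s/%s' % (parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue  # not a route line
        routes.append({'network': network, 'gateway': parts[2],
                       'interface': parts[3], 'metric': metric})
    return routes

def best_route(routes, address):
    """Longest-prefix match, lowest metric breaking ties, as the OS does."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r['network']]
    if not matches:
        return None
    return max(matches, key=lambda r: (r['network'].prefixlen, -r['metric']))

def diagnose_remote_lan(route_print_text, remote_lan):
    """Return (ok, message); ok is False when the remote LAN would leave via the default route."""
    routes = parse_route_print(route_print_text)
    net = ipaddress.ip_network(remote_lan, strict=False)
    probe = net.network_address + 1  # any host inside the remote range
    chosen = best_route(routes, probe)
    if chosen is None or chosen['network'].prefixlen == 0:
        gateway = chosen['gateway'] if chosen else 'nowhere'
        return (False, 'no route for %s: packets would go to the default gateway %s'
                % (remote_lan, gateway))
    return (True, '%s is routed via %s on interface %s'
            % (remote_lan, chosen['gateway'], chosen['interface']))

if __name__ == '__main__':
    for sample in (ROUTE_PRINT_NO_TUNNEL_ROUTE, ROUTE_PRINT_WITH_TUNNEL_ROUTE):
        print(diagnose_remote_lan(sample, '172.16.0.0/16'))
```

On a real client you would feed the function the text of `route print` (or `route print -4`) taken while the tunnel is up; a result of `False` is the “tunnel established but nothing pingable” symptom several commenters describe, and it points at the client’s topology settings rather than at the router.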
I think some of you folks are missing that you need vpn client users setup. (under the vpn tab) Otherwise as you say nothing is pingable once the tunnel is established.
Some of you folks are missing that you need vpn client users (under the VPN tab) to get things pingable once the tunnel is established.
Hi! Thank you for the great job! Do you or anyone else know whether it might work with v1 of the same router too?
I don’t know but I think the firmware would probably be similar. I have moved on to openVPN myself.
Well I did too… but in this case I’m just helping a not very experienced guy that has to deal with that router in his office : )