IPSecuritas OS X – Netgear FVS336G VPN Settings

These are working settings for an IPSec VPN from OS X (10.6.x) with IPSecuritas to a Netgear FVS336G.

Netgear Router config

Router Status

Log in to your router interface. Check the status page and note your WAN IP address.
If you have dual WAN, just choose which WAN interface will accept the VPN connections.

[Screenshot: NETGEAR-ProSafe-Router-Stat]

Create IKE policy

Go to the VPN tab.
First you need to create a new IKE policy.

General tab:

  • Choose a Policy Name : REMOTEID (for test purposes)
  • Direction / type : Responder
  • Exchange Mode : Aggressive

Note : the Policy Name must be the same as the VPN Policy Name (see below)

Local tab:

  • Select local gateway : choose the WAN interface you want
  • Identifier Type : choose FQDN
  • Identifier : choose what you want. I like it ending in .com or .local;
    I also like to clearly indicate “local”, like me_local.com or johndoe_local.com.
    We’ll choose id_local.com here, for test purposes.

Remote tab:

  • Identifier Type : choose FQDN
  • Identifier : id_remote.com

Note : it is important to be able to tell local from remote, as they will be reversed in the IPSecuritas settings.

IKE SA Parameters:

  • Encryption Algorithm : choose 3DES
  • Authentication Algorithm : SHA-1
  • Authentication Method : choose pre-shared key
  • Pre-shared key : MySuperSecretKey
  • Diffie-Hellman (DH) Group : Choose Group 2 1024bit
  • SA-Lifetime (sec) : 28800
  • Enable Dead Peer Detection : No

Extended Authentication tab:

  • XAUTH Configuration : Choose None

[Screenshot: NETGEAR-ProSafe-Edit-IKE-Policy]

Create VPN Policy

You are now ready to create a new VPN policy.

General tab:

  • Policy Name : REMOTEID
  • Policy Type : choose Auto Policy
  • Local Gateway : choose the same WAN as in the IKE policy above
  • Remote Endpoint : choose FQDN, and enter id_remote.com (the remote ID of the IKE policy above)

Note : you must use exactly the same name as the policy name you chose for the IKE policy
(don’t ask me why, I don’t know)

Traffic Selection tab:

  • Local IP : choose Subnet and fill in according to your LAN (here 192.168.1.0/24)
  • Remote IP : choose ANY

Manual Policy Parameters tab:

  • Encryption Algorithm : choose 3DES
  • Integrity Algorithm : choose SHA-1

Auto Policy Parameters tab:

  • SA Lifetime : enter 3600, choose Seconds
  • Encryption Algorithm : 3DES
  • Integrity Algorithm : SHA-1
  • PFS Key Group : tick the box if it is not already ticked, then choose DH Group 1 (768 bit)
  • Select IKE Policy : choose REMOTEID (the same as the IKE Policy Name; you are in fact choosing the IKE policy you just created)

[Screenshot: NETGEAR-ProSafe-Edit-VPN-Policy]

IPSecuritas Connection settings

Download and install IPSecuritas.

Create a new connection. Name it as you want; here we’ll name it FVS336G for the test.

General tab

  • Remote IPSec Device : enter your router’s WAN IP address (the one noted in Router Status)
  • Local Side Endpoint mode : choose Host; you can leave the address blank.
    Note : if you have trouble once connected, you can manually add an IP here, such as your current LAN IP (that of the computer on which you are configuring IPSecuritas)
  • Remote Side Endpoint : choose Network, and enter the remote LAN range (here 192.168.1.0/24)

Important note : this is basic for VPN settings, but if you don’t know it, it can drive you mad. Your current local LAN range MUST be different from the remote LAN range, meaning your computer must be on a range like 192.168.0.x/24, or 192.168.2.x/24 and above. If both are on the same subnet range, it will fail.

[Screenshot: VPN_CONFIG_1]

Phase 1 tab

  • Fill this in with the IKE policy settings from above.

[Screenshot: VPN_CONFIG_2]

Phase 2 tab

  • Fill this in with the VPN policy settings from above.

[Screenshot: VPN_CONFIG_3]

ID tab

The tricky part: local vs remote IDs.

  • Local Identifier : id_remote.com
  • Remote Identifier : id_local.com

Note : you reverse the IDs. This is simple logic, as you are now the remote side from the Netgear’s point of view.

  • Authentication Method : Pre-shared Key, and fill in MySuperSecretKey (the pre-shared key you entered in the IKE settings).

[Screenshot: VPN_CONFIG_4]

DNS tab

While not mandatory, I always prefer to fill in the DNS settings for Domains and Server Addresses.

So fill them in according to your remote LAN settings if you choose to.
Note that if, like me, DHCP (and DNS) are handled not by the Netgear router but by your (Mac OS X) Server, then you definitely want to fill in the info here.

[Screenshot: VPN_CONFIG_5]

Options tab

Here settings may differ, so you can proceed by trial and error and check the IPSecuritas logs. Anyway, here are the settings that work for me with this Netgear.

I also chose to enable NAT-Translation.

[Screenshot: VPN_CONFIG_6]

Save your config.

You should now be ready to connect and enjoy your VPN connection.

You should also be able to press Command-K in the Finder, enter your server DNS name and access your shares.

In my case, once all is OK, it takes less than 3-5 seconds to get a green dot (VPN connection up and running).
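
A pre-flight check for the two sets of values entered above, as an added example (not from the original post or from either product): it verifies that the identifiers are mirrored, that mode, proposals and key match and that the LANs do not overlap, and it lists which of the chosen settings are weak by current standards. The dictionary layout and the client LAN 192.168.0.0/24 are assumptions; the other values are this page's test values.

```python
import ipaddress

DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}  # MODP group number -> modulus size

# Constructed sample data copying this page's test values; "own_lan" is an assumed client LAN.
ROUTER = {"mode": "aggressive", "local_id": "id_local.com", "remote_id": "id_remote.com",
          "p1": ("3des", "sha1", 2), "p2": ("3des", "sha1", 1),
          "psk": "MySuperSecretKey", "lan": "192.168.1.0/24"}
CLIENT = {"mode": "aggressive", "local_id": "id_remote.com", "remote_id": "id_local.com",
          "p1": ("3des", "sha1", 2), "p2": ("3des", "sha1", 1),
          "psk": "MySuperSecretKey", "remote_net": "192.168.1.0/24",
          "own_lan": "192.168.0.0/24"}


def check_pair(router, client):
    """Return the mismatches between the router side and the client side."""
    errors = []
    if (client["local_id"], client["remote_id"]) != (router["remote_id"], router["local_id"]):
        errors.append("identifiers are not mirrored")
    for key in ("mode", "p1", "p2", "psk"):
        if router[key] != client[key]:
            errors.append(f"{key} differs")
    remote = ipaddress.ip_network(client["remote_net"])
    if remote != ipaddress.ip_network(router["lan"]):
        errors.append("remote network is not the router LAN")
    if remote.overlaps(ipaddress.ip_network(client["own_lan"])):
        errors.append("client LAN overlaps the remote LAN")
    return errors


def weak_settings(cfg):
    """Return hardening warnings for one side; none of them blocks the connection."""
    warnings = []
    if cfg["mode"] == "aggressive":
        warnings.append("aggressive mode + PSK: a PSK-derived hash is exposed to offline guessing")
    if cfg["psk"] == "MySuperSecretKey":
        warnings.append("psk: still the tutorial sample value")
    for phase in ("p1", "p2"):
        enc, _hash, dh = cfg[phase]
        if enc in ("des", "3des"):
            warnings.append(f"{phase}: {enc} is a legacy cipher")
        if dh in DH_BITS and DH_BITS[dh] < 2048:
            warnings.append(f"{phase}: DH group {dh} is below 2048 bits")
    return warnings


if __name__ == "__main__":
    print(check_pair(ROUTER, CLIENT) or "both sides agree")
    print("\n".join(weak_settings(ROUTER)))
```

If the router firmware and IPSecuritas both offer AES and a 2048-bit DH group, choosing them on both sides clears the cipher and DH warnings; a long random pre-shared key limits the aggressive-mode exposure.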

Final notes :

  • In case of trouble, the IPSecuritas log is quite helpful.
  • Those settings are based on older settings I had with another Netgear, an FVS124, which was working like a charm. That router just died, so we chose this new one.

Hope this will be helpful for anyone.

Olivier
About

Product and graphic designer turned to be a Mac SysAdmin.
