How to Connect NETGEAR VPN Client Software to FVS318 or FVM318 Routers

These instructions configure a VPN tunnel between a NETGEAR ProSafe VPN Client and an FVS318 (or FVM318) router. This works for either a dial-up or a permanent Internet connection.

* This was tested with FVS318 router firmware 2.2 and NETGEAR VPN client software version 10.
* This was also tested with FVM318 firmware 1.1 and NETGEAR VPN client software version 10.
* Earlier versions of these routers' firmware work similarly.

First collect this information:

* Your router's WAN IP address or the Fully Qualified Domain Name (FQDN) of your router’s WAN IP address. Find this by clicking Maintenance > Router Status. If your router has a dynamic WAN IP address, configure the Dynamic DNS setting under the Advanced menu. Otherwise, the next time your router’s WAN IP address changes, the VPN client won’t connect.
* The Local IP address of your LAN. E.g., is the factory default address of your LAN for the router. You can find the LAN IP address of your router by selecting Advanced > LAN IP Setup.
* Remote IP address. This is the virtual IP address the VPN client gets when connecting to the router. It can be any IP address other than the LAN IP address.

To Configure the Router

1. Log in to the FVS318 (or FVM318) gateway.
2. Click Setup > VPN Setting. Choose one of the unassigned policies and click Edit.
   a. Enter a descriptive name for the policy in the Connection Name textbox. It is only used to help you manage the VPN policies.
   b. For "Local IPSEC Identifier", enter the WAN IP address or the Fully Qualified Domain Name. If you select Fully Qualified Domain Name, make sure your FQDN resolves to your WAN IP address.
   c. For "Remote IPSec Identifier", enter any name. The same name is used when you configure the VPN client software. (Step 12d in the next section.)
   d. In the "Tunnel can be accessed from" box, choose a subnet of local address. For Local LAN start IP Address, enter your LAN’s starting IP address. For Local LAN IP Subnet mask, enter your LAN’s netmask. You can look it up from the LAN IP Setup menu.
   e. In the Tunnel can access box, choose a single remote address.
   f. For Remote LAN start IP address, enter an IP address that’s not in your LAN IP subnet. For this example,
   g. Leave the Remote WAN IP or FQDN box blank.
   h. For "Secure Association", choose Aggressive Mode.
   i. For "Perfect Forward Secrecy", check Enabled.
   j. For "Encryption Protocol", choose an encryption algorithm. In this example we'll choose 3DES. Use the same algorithm when configuring the VPN client software. (Step 11c in the next section.)
   k. For "Key Group", choose Diffie-Hellman Group2.
   l. For "Pre-shared Key", enter a string of numbers or letters. The same key needs to be entered when configuring the VPN client software.
   m. Enter 28800 seconds for Key Life.
   n. Enter 86400 for IKE Life Time.
   o. If you use NetBIOS, check NETBIOS Enable.
   p. Click Apply.

To Configure the VPN Client Software

1. Install the NETGEAR VPN client.
2. Start the Security Policy Editor by right-clicking the NETGEAR VPN client icon in the system tray and choosing Security Policy Editor.
3. Create a new VPN connection profile: click Edit > Add > Connection. This creates a new connection profile named New Connection. You can rename the connection profile by double-clicking the name and typing a new one over it.
4. Click the new connection profile. The right panel displays the connection properties.
   a. For "Connection Security", choose Secure.
   b. Under "Remote Party Identity and Addressing", choose IP Subnet for ID Type.
   c. For "Subnet" and "Mask", enter the same subnet and netmask you defined in Step 2d of the router configuration. It is your LAN IP subnet behind the router.
   d. Choose All for Protocol.
   e. Check Connect using.
   f. Choose Secure Gateway tunnel.
   g. For "ID Type", choose Any.
   h. If, in Step 2b, you specified local IPSec identifier as WAN IP Address, choose Gateway IP Address and enter the router's WAN IP.
   i. If, in Step 2b, you specified local IPSec identifier as Fully Qualified Domain Name, choose Gateway Hostname and enter the FQDN of your router’s WAN IP.
5. On the Security Policy Editor menu, click Options > Global Policy Settings. The Global Policy Setting dialog box opens.
   a. Enter 45 for Retransmit Interval.
   b. Enter 3 for Number of Retries.
   c. Check Send status notifications to peer hosts.
   d. Check Allow to Specify Internal Network Address.
   e. Check Enable IPSEC logging.
   f. Click OK.
6. Click Security Policy. In the right panel, choose Aggressive Mode for Phase 1 Negotiation Mode.
7. Check Enable Perfect Forward Secrecy (PFS).
8. Choose Diffie-Hellman Group 2 for PFS Key Group.
9. Check Enable Replay Detection.
10. Expand Security Policy, expand Authentication (Phase 1), and click Proposal 1.
   a. In the right panel: For Authentication Method, choose Pre-Shared Key.
   b. For Encrypt Alg, choose the same encryption algorithm you chose in Step 2j of the previous section. In our example, we chose Triple DES (3DES).
   c. For Hash Alg, choose MD5 or SHA-1. SHA-1 is fine.
   d. For SA Life, choose Unspecified.
   e. For Key Group, choose Diffie-Hellman Group 2.
11. Expand Key Exchange and click Proposal 1.
   a. In the right panel, under IPSec Protocols, choose Unspecified for SA Life.
   b. Choose None for Compression.
   c. Check Encapsulation Protocol (ESP). Choose the same encryption algorithm you chose in Step 2j of the previous section for Encrypt Alg.
   d. For Hash Alg., choose MD5 or SHA-1.
   e. Choose Tunnel for Encapsulation.
12. Expand the connection profile and click My Identity.
   a. In the right panel: For "Select Certificate", click None.
   b. Click Preshared Key. The Preshared Key dialog box opens.
   c. Click Enter Key and enter the same key as in Step 2l of the previous section. (That's Step 2 lowercase L.)
   d. For ID Type, choose Domain Name and enter the same name you entered in Step 2c.
   e. For "Virtual Adapter", choose Disabled.
   f. For "Internal Network IP Address", enter the IP address in Step 2f. In our example this was
   g. For "Internet Interface", choose Any for Name.
13. Save the configuration by selecting File > Save.
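
The tunnel only comes up when the values cross-referenced in the steps above agree on both sides (for example 2c with 12d, 2j with 10b and 11c, 2l with 12c, 2f with 12f). The following check is an added example, not part of NETGEAR's software: it compares the two sets of values after you have written them down. The dictionary field names, addresses, identifier and key are constructed for illustration.

```python
import ipaddress

# Constructed sample values; the field names are assumptions for this example,
# not NETGEAR configuration keys. Comments give the matching step in the text.
ROUTER = {
    "local_ipsec_identifier": "203.0.113.10",    # step 2b
    "remote_ipsec_identifier": "roadwarrior1",   # step 2c
    "lan_start_ip": "10.20.30.0", "lan_netmask": "255.255.255.0",  # step 2d
    "remote_lan_start_ip": "10.20.99.1",         # step 2f
    "mode": "aggressive", "pfs": True,           # steps 2h, 2i
    "encrypt_alg": "3DES", "key_group": 2,       # steps 2j, 2k
    "pre_shared_key": "constructed-sample-key",  # step 2l
}
CLIENT = {
    "subnet": "10.20.30.0", "mask": "255.255.255.0",        # step 4c
    "gateway": "203.0.113.10",                              # step 4h or 4i
    "mode": "aggressive", "pfs": True, "pfs_key_group": 2,  # steps 6, 7, 8
    "phase1_encrypt_alg": "3DES", "phase1_key_group": 2,    # steps 10b, 10e
    "esp_encrypt_alg": "3DES",                              # step 11c
    "pre_shared_key": "constructed-sample-key",             # step 12c
    "identity_domain_name": "roadwarrior1",                 # step 12d
    "internal_ip": "10.20.99.1",                            # step 12f
}

def check_tunnel_settings(router, client):
    """Return a list naming every setting that breaks a rule from the steps."""
    lan = ipaddress.ip_network(f"{router['lan_start_ip']}/{router['lan_netmask']}", strict=False)
    client_net = ipaddress.ip_network(f"{client['subnet']}/{client['mask']}", strict=False)
    remote_ip = ipaddress.ip_address(router["remote_lan_start_ip"])
    checks = [  # (message reported on failure, condition that must hold)
        ("2f: remote address lies inside the LAN subnet", remote_ip not in lan),
        ("4c: client subnet differs from router LAN subnet", client_net == lan),
        ("4h/4i: gateway differs from local IPSec identifier", client["gateway"] == router["local_ipsec_identifier"]),
        ("6: negotiation mode differs", client["mode"] == router["mode"]),
        ("7: PFS setting differs", client["pfs"] == router["pfs"]),
        ("8: PFS key group differs", client["pfs_key_group"] == router["key_group"]),
        ("10b: phase 1 encryption differs", client["phase1_encrypt_alg"] == router["encrypt_alg"]),
        ("10e: phase 1 key group differs", client["phase1_key_group"] == router["key_group"]),
        ("11c: ESP encryption differs", client["esp_encrypt_alg"] == router["encrypt_alg"]),
        ("12c: pre-shared key differs", client["pre_shared_key"] == router["pre_shared_key"]),
        ("12d: identity differs from remote IPSec identifier", client["identity_domain_name"] == router["remote_ipsec_identifier"]),
        ("12f: internal IP differs from remote LAN start IP", ipaddress.ip_address(client["internal_ip"]) == remote_ip),
    ]
    return [message for message, ok in checks if not ok]

if __name__ == "__main__":
    print(check_tunnel_settings(ROUTER, CLIENT) or "router and client settings agree")
```

An empty list means the two sides agree; each returned string starts with the client step (or router step 2f) to revisit.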

To test the VPN connection, right-click the NETGEAR VPN icon in the system tray and click Connect. Choose the new connection you just created. If the connection succeeds, a pop-up box titled Manual Connection Status reads "Successfully connected…."

Also test by pinging the IP address on the LAN subnet of your router.

