Wednesday, January 14, 2009

Netgear FVS336G Gigabit VPN

The company I work at is small, so we all have to wear different hats from time to time. Even though I am a software engineer, I find myself helping out with IT issues every once in a while. In fact, I am the official Wireless Administrator! We have made some infrastructure changes recently and I feel compelled to write about the obstacles that we encountered. This post will be the first of a two part series on the trials and tribulations of the setup and administration of Netgear products.

We recently moved offices and we took it as an opportunity to upgrade our VPN. We spent a fair amount of time comparing specifications and reading reviews. Eventually we settled on the Netgear FVS336G Gigabit VPN. It is the only unit in its class that had a built in Gigabit switch, which is nice. It claims to not need any special client software, it is an order of magnitude faster than our previous VPN and it had decent reviews on Newegg.

Once I began setting it up I immediately encountered obstacle number one. The statement that it does not need any client software is only partially true. The SSL VPN mode does not require any special software, but the IPsec VPN requires the Netgear ProSafe VPN Client. Because we require using the IPsec VPN I reluctantly went down the path of purchasing the VPN Client software.

From the buynetgear.com website it wasn't clear if the software was going to be shipped, or if it was available as a download. We really wanted to be able to buy the software and download it immediately because we needed that VPN up and running ASAP. I called Netgear to verify that I could download it. The support agent assured me that I could download it, and then she rushed me off the phone.

Well, as I quickly found out, she was wrong: you can't download it. I had to wait for it to arrive via the mail system. After many days I finally had the clients in hand, and within minutes obstacle number two was discovered. Even though the website claims that the VPN Client is Windows Vista compatible, it would not install on Vista. Through some research on the forums I discovered that the software in the box was really old, and that a much newer version exists. There is no information that I could find on the internet about how to acquire the new version, so I called Netgear a second time.

I had to get transferred several times before I finally reached a technical support person who could help me. But before he would help me I had to prove to him that I purchased the software. I actually had to forward him a receipt from my e-mail, he had no way of looking up my information. Once he was satisfied that I had purchased the software he e-mailed me a special link through a 3rd party download service so that I could acquire the latest version of the software.

The whole process was completely asinine. I don't understand why the client software isn't included with the VPN hardware! The technical support agent actually told me that the software is difficult to acquire on purpose! The reasoning is that there is no software protection built into the software so they are worried about piracy. The client software has no way of informing the user if an update is available, nor will they publish any information on the website about new updates. The only way to make sure I stay current with the software is to call Netgear every few months and ask! This was the agent's advice! Unbelievable.

Now that I was able to install the client I encountered the final obstacle. The Reference Manual is no longer in sync with the current version of the firmware. The latest documentation describes this crazy scheme where each user's ID should be of the 'Domain Name' form and should be constructed like "[name][XY].fvg_remote.com", where XY is a unique two-digit number. Well, this functionality no longer appears to work in the latest firmware. I finally realized that the right way to configure the VPN is to use Extended Authentication, where each user has a username/password managed by the hardware, which is much better. I understand why they moved away from that crazy scheme: it is completely unmanageable, since the administrator would have to keep a separate spreadsheet to track those unique two-digit numbers.

Even though it was such a bear to get up and running, it has been working well. It is much, much faster than our previous Symantec unit. If they made it easier to acquire the client software, had more accurate documentation, and were a little more honest in the marketing materials, then I would definitely recommend the product.

13 comments:

atonaldenim said...

Hi, I have one of these routers coming next week to my small office. Any further thoughts after having used it a few months? Wouldn't it be possible to use a 3rd party VPN client instead of Netgear's?

Cheers!

Peter said...

Hi, overall we really like the VPN. It is much faster than our previous one. The only problem so far is that it seems like it needs to be rebooted every now and then, but so did our last one which was a Symantec 360.

If you use SSL, than you don't need the Netgear VPN client, but if you use IPsec, then it seems like you do. I tried using Vista's built in VPN client but it didn't have all the settings that Netgear expects, so I couldn't get it to work.

Doc Dire said...

It's been one of those long days between med school exams, research and some nagging 'flu'. Was so angry today. I couldn't believe they would put a product like this out and then screw the pooch on the software. Almost identical situation. Read the reviews on SmallNetBuilder and Newegg which all seemed pretty good.

The FVS336G as a router works decently and the firmware seems manageable with supported updates. Received the ProSafe VPN05L 5-client pack about a month ago and went to install today. After requesting it specifically for Vista... Of course, it won't even install in Vista. The support section said that it would auto update - right... Called in for tech support and some guy in India going through the script hangs up on me after waiting 20 minutes.

So tried another client http://www.shrew.net but being an open-source VPN grasshopper learning to wax on, I haven't been able to get it working. Anywayz, if a wave of pity or compassion comes over y'all and you might find any detailed config notes for dummies or a working client kicking around, please email me or PM bishop.dire at hotmail. Thanks and good luck.

Doc Dire said...

Figured I would provide an update. Still have not been able to configure VPN successfully but did manage to receive a new client from Netgear, after registering product and ticket.. yeah! Useful Links below:

Telephone Support: http://kb.netgear.com/app/answers/detail/a_id/984
I guess it depends on what time of day. One time Philippines?, India and North America. Twice professional and gave me a ticket and name etc. to register the product, and the other time just hung up on me.

Netgear Online Support Request REGISTRATION: https://my.netgear.com/registration/login.aspx used this to enter ticket and get free email support, but they wanted me to pay as well to get support.. no way.


Cool firmware emulator: http://firmware.netgear-forum.com/index.php?act=interface

BullS#$%# update product instructions for Vista: http://kb.netgear.com/app/answers/detail/a_id/50/session/L2F2LzEvc2lkL0x6TmJpTUFq

Good PreSales Forum Interesting: http://forum1.netgear.com/search.php?searchid=3394740

Interesting Config Info for VPN: http://www.vpncasestudy.com/

SmallNetBuilder pages 3-4 have config notes: http://www.smallnetbuilder.com/content/view/30280/51/

Basically Netgear sends you two files on a time-limited 3rd party DL service: an uninstaller to clear out old VPN drivers and an installer which seems like SafeNet's older v10.8.3 client, for xp32 and supposed to work with vista32.

http://biz.safenet-inc.com/prod/software/index.asp


As I said.. I haven't been able to configure anything yet so will see. :(

PS. BTW, there is this irritating issue about not being able to remotely log in to administer through the WAN ports (remotely from the internet). Probably disabled as a default security measure, but an irritation when testing remote access. To re-enable WAN logon, just go to the Users tab and find the admin (or create a new admin-level account user), then click the Profiles button beside the listed user. Two check box options come up; uncheck "DENY Logon from WAN Interface". See pg. 154 of the manual, "Setting User Login Policies".

Goodluck, y'all.

Peter said...

Hello,

I am glad to hear that you were finally able to download the latest software. I have 10.8.3 as well. Since I wrote the original post I found another annoyance. The software is not 64-bit compatible. I had to waste an afternoon rebuilding a machine to go back to 32-bit. Anyway, good luck with getting the rest of the VPN configured!

Billy said...

My company just changed to use the NetGear FVS336G also. I have had no luck finding a 3rd-party IPsec VPN client either. I tried TheGreenBow and the OpenVPN client. They are not working with the FVS336G. Would anyone know any 3rd-party VPN client that will work with the FVS336G?

atonaldenim said...

We bought one and have had good results so far. We wanted the load-balancing, mainly, but have used the VPN a bit. The LAN groups feature is the main way to accomplish load balancing, by assigning some clients to one WAN port and some to the other WAN port. Nothing too fancy but did the trick for our small office. Also, have tested the failover from WAN1 to WAN2, takes about 30 seconds to kick in, but worked. Took a minute or two for it to go back to using WAN1 after the connection was restored. We were having a weird problem with some kind of error about the "domain" when logging in to the router admin page, but that hasn't appeared since disabling SSL-VPN.

For Mac we have successfully used the 3rd party IP Securitas client, so yes it is possible to do IPSEC VPN with non-netgear clients. IP Securitas came with a built in profile for another Netgear model, I used that as a starting point.

In the Netgear forums (available only to registered router owners) there are a few very active users that have posted lots of FAQs and walkthrough type documents that can be semi-helpful.

In basic testing I did get the Shrew Soft client to work okay, based on the settings I used for IP Securitas.

One thing you have to make sure of is that the IP addresses used inside your VPN's LAN are in a different subnet than the remote network from which you are connecting. If they are both the common 192.168.1.x the connection fails. Make up a number like 192.168.123.x or something more exotic like 10.111.222.x to use within your LAN (the one you're connecting to via VPN) to reduce the possibility of collision. There are ways around this -- using MODECONFIG to send network configuration info to client -- but that's the simplest way.

Here is the ShrewSoft config file that I believe works for our VPN config, minus the sensitive parts. Our VPN is basically set up as the VPN Wizard defaults.

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:30
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-addr-auto:1
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvs_remote.com
s:ident-server-data:fvs_local.com
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-list-include:192.168.2.0 / 255.255.255.0

atonaldenim said...

I should clarify that this config uses a single pre-shared key for authentication, not the individual usernames mentioned in the original post.

Also, the 192.168.2.0 address refers to the LAN subnet. That was crucial to tell Shrew Soft to send any traffic destined for that subnet through the VPN.

eelco2k said...

TheGreenBow works well with the Netgear FVS336G. Just start the VPN wizard and set up a VPN client.

There are a lot of settings in TheGreenBow, but if they match correctly, you will be able to get the IPsec VPN working. Unfortunately I didn't find a solution to add a VPN client to the Active Directory server behind the FVS336G router. It has something to do with multicast and the GRE protocol. I used Wireshark to monitor the packets and saw that it broadcasts to the other IP range, so it never reaches the Netgear router's IP range. For example: VPN client 192.168.1.2, multicast packet to 192.168.1.255. The Netgear FVS336G uses IP range 10.0.0.1 and the Active Directory server 10.0.0.2, so it broadcasts to 10.0.0.255.

Serge said...

Thanks for the feed!
Ran into the same problems connecting Vista to the company network through the FVS336G VPN, still struggling...
Just found out there is a Vista compatible version of NetGear VPN Client. The full name is "NETGEAR ProSafe VPN Client Version 10.8.0 (Build 20)".
As opposed to earlier versions, it installs on Vista without errors. Now testing...

J.T. said...

Hi,

As this blog post ranks highly for fvs336g related vpn client queries, let me add my experiences.

I have a Powerbook myself and setting up Equinox VPNTracker was an absolute breeze. Now my colleague with his Win XP laptop needed access too so after Googling around and finding this post, we opted for TheGreenBow. I also used the VPN Casestudy for it as a reference.

After about 4 hours, it dawned on me that you have to flip the remote and local ID. So on the router, you set local ID to say fvs_local.com and remote ID to say fvs_remote.com then on your client, your local is fvs_remote.com and your remote ID is fvs_local.com

The bloody VPN logs on the fvs336g won't help you with this so I thought I'd post it.
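Two of the comments above describe the same class of silent failure: atonaldenim's point that the LAN behind the VPN must not share a subnet with the network the client is sitting on, and J.T.'s point that the client's local/remote IDs must be the router's remote/local IDs swapped. Because the FVS336G logs do not say which of these is wrong, the following is an added Python check (not from the original post, not Shrew Soft's or Netgear's code) that parses the Shrew Soft site lines posted above and audits them. The ROUTER_SIDE dictionary and the client LAN passed to audit() are assumed values; the Shrew Soft lines are the commenter's, trimmed to the fields the checks use. It goes a little beyond the comments by also flagging phase-1 settings a defender would want to revisit.

```python
import ipaddress

# Constructed input: the Shrew Soft site lines from the comment above, trimmed to
# the fields these checks read (values unchanged from what was posted).
SHREW_SITE = """\
n:version:2
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvs_remote.com
s:ident-server-data:fvs_local.com
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-dhgroup:2
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:policy-list-include:192.168.2.0 / 255.255.255.0
"""

# Hypothetical router-side summary (assumed values, not read from a real FVS336G):
# the IDs as entered on the router's VPN policy and the LAN behind it.
ROUTER_SIDE = {
    "local_id": "fvs_local.com",
    "remote_id": "fvs_remote.com",
    "local_lan": "192.168.2.0/24",
}


def parse_shrew_site(text):
    """Parse 'n:key:value' (numeric) and 's:key:value' (string) lines into a dict.

    split(":", 2) keeps any further ':' inside the value intact."""
    site = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, key, value = line.split(":", 2)
        site[key] = int(value) if kind == "n" else value
    return site


def policy_network(site):
    """Turn 'a.b.c.d / m.m.m.m' from policy-list-include into an IPv4Network."""
    addr, mask = (part.strip() for part in site["policy-list-include"].split("/"))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def subnet_overlap(site, client_lan):
    """True if the tunnelled remote LAN collides with the client's own LAN
    (the both-sides-192.168.1.x failure described in the comment)."""
    return policy_network(site).overlaps(ipaddress.ip_network(client_lan, strict=False))


def identities_mirrored(site, router=ROUTER_SIDE):
    """True if the client's local/remote IDs are the router's remote/local IDs."""
    return (site["ident-client-data"] == router["remote_id"]
            and site["ident-server-data"] == router["local_id"])


def weak_phase1(site):
    """Phase-1 choices worth revisiting; informational, not connection-breaking."""
    notes = []
    if site.get("phase1-exchange") == "aggressive" and site.get("auth-method") == "mutual-psk":
        # In IKEv1 aggressive mode the identities and the PSK-based hash are sent
        # before encryption is established, so a short PSK is exposed to offline
        # guessing; use a long random PSK, or main mode where the client allows it.
        notes.append("aggressive mode with PSK: use a long random PSK or main mode")
    if site.get("phase1-cipher") == "3des":
        notes.append("3des is deprecated; prefer aes")
    if site.get("phase1-dhgroup", 0) <= 2:
        notes.append("DH group 2 (1024-bit MODP) is weak by current standards")
    return notes


def audit(site_text, client_lan, router=ROUTER_SIDE):
    """Run every check; return a list of findings (empty list means clean)."""
    site = parse_shrew_site(site_text)
    findings = []
    if subnet_overlap(site, client_lan):
        findings.append(f"subnet overlap: {policy_network(site)} vs client LAN {client_lan}")
    if not identities_mirrored(site, router):
        findings.append("identity mismatch: swap local and remote IDs relative to the router")
    if policy_network(site) != ipaddress.ip_network(router["local_lan"]):
        findings.append("policy-list-include does not match the router LAN")
    findings.extend(weak_phase1(site))
    return findings


if __name__ == "__main__":
    # A client sitting on 192.168.1.0/24 reaching a 192.168.2.0/24 office LAN.
    for finding in audit(SHREW_SITE, "192.168.1.0/24") or ["no findings"]:
        print(finding)
```

Running it with a client LAN of 192.168.2.0/24 reproduces the collision as a "subnet overlap" finding; with 192.168.1.0/24 only the phase-1 notes remain. Swapping the two ident lines in the site file produces the "identity mismatch" finding that the router logs would not have explained.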

Mary said...

MPLS networks are often referred to as MPLS VPN because they are inherently virtually private. Connections to the network tend to be through dedicated private lines, such as T1 or Ethernet.

