Wednesday, January 14, 2009
Netgear FVS336G Gigabit VPN
The company I work at is small, so we all have to wear different hats from time to time. Even though I am a software engineer, I find myself helping out with IT issues every once in a while. In fact, I am the official Wireless Administrator! We have made some infrastructure changes recently and I feel compelled to write about the obstacles that we encountered. This post will be the first of a two part series on the trials and tribulations of the setup and administration of Netgear products.
We recently moved offices and we took it as an opportunity to upgrade our VPN. We spent a fair amount of time comparing specifications and reading reviews. Eventually we settled on the Netgear FVS336G Gigabit VPN. It is the only unit in its class that had a built in Gigabit switch, which is nice. It claims to not need any special client software, it is an order of magnitude faster than our previous VPN and it had decent reviews on Newegg.
Once I began setting it up I immediately encountered obstacle number one. The statement that it does not need any client software is only partially true. The SSL VPN mode does not require any special software, but the IPsec VPN requires the Netgear ProSafe VPN Client. Because we require using the IPsec VPN I reluctantly went down the path of purchasing the VPN Client software.
From the buynetgear.com website it wasn't clear if the software was going to be shipped, or if it was available as a download. We really wanted to be able to buy the software and download it immediately because we needed that VPN up and running ASAP. I called Netgear to verify that I could download it. The support agent assured me that I could download it, and then she rushed me off the phone.
Well, as I quickly found out, she was wrong, you can't download it. I had to wait for it to arrive via the mail system. After many days I finally had the clients in hand and within minutes obstacle number two was discovered. Even though the Website claims that the VPN Client is Windows Vista compatible, it would not install on Vista. Through some research on the forums I discovered that the software in the box was really old, and that a much newer version exists. There is no information that I could find on the internet about how to acquire the new version, so I called Netgear a second time.
I had to get transferred several times before I finally reached a technical support person who could help me. But before he would help me I had to prove to him that I purchased the software. I actually had to forward him a receipt from my e-mail, he had no way of looking up my information. Once he was satisfied that I had purchased the software he e-mailed me a special link through a 3rd party download service so that I could acquire the latest version of the software.
The whole process was completely asinine. I don't understand why the client software isn't included with the VPN hardware! The technical support agent actually told me that the software is difficult to acquire on purpose! The reasoning is that there is no software protection built into the software so they are worried about piracy. The client software has no way of informing the user if an update is available, nor will they publish any information on the website about new updates. The only way to make sure I stay current with the software is to call Netgear every few months and ask! This was the agent's advice! Unbelievable.
Now that I was able to install the client I encountered the final obstacle. The Reference Manual is no longer in sync with the current version of the firmware. In the latest documentation it describes this crazy scheme where the users' ID should be of the 'Domain Name' form and should be constructed like "[name][XY].fvg_remote.com" where XY is a unique two digit number. Well, this functionality no longer appears to work in the latest firmware. I finally realized that the right way to configure the VPN is to use Extended Authentication where each user has a username/password managed by the hardware, which is much better. I understand why they moved away from that crazy scheme, it is completely unmanageable, the administrator would have to keep a separate spreadsheet to manage those unique two digit numbers.
Even though it was such a bear to get up and running, it has been working well. It is much much faster than our previous Symantec unit. If they made it easier to acquire the client software, had more accurate documentation, and was a little more honest in the marketing materials then I would definitely recommend the product.
Subscribe to:
Post Comments (Atom)
20 comments:
Hi, I have one of these routers coming next week to my small office. Any further thoughts after having used it a few months? Wouldn't it be possible to use a 3rd party VPN client instead of Netgear's?
Cheers!
Hi, overall we really like the VPN. It is much faster than our previous one. The only problem so far is that it seems like it needs to be rebooted every now and then, but so did our last one which was a Symantec 360.
If you use SSL, than you don't need the Netgear VPN client, but if you use IPsec, then it seems like you do. I tried using Vista's built in VPN client but it didn't have all the settings that Netgear expects, so I couldn't get it to work.
Its been one of those long days between med school exams, research and some nagging 'flu'. Was so angry today. I couldn't believe they would put a product like this out and the screw the pooch on the software. Almost identical situation. Read the reviews on Smallnet builder and Newegg which all seemed pretty good.
The FVS336G as a router works decently and the firmware seems manageable with supported updates. Received the Prosafe VPN05L 5 client pack about a month ago and went to install today. After requesting it specifically for vista.. Of courses, it wont even install in vista. The support section said that it would auto update - right... Called in for tech support and some guy in India going through the script hangs up on me after waiting 20 minutes.
So tried another client http://www.shrew.net but being an opensrc VPN grasshopper learning to wax on, I haven't been able to get it working. Anywayz, if a wave of pitty or compassion comes over y'all and you might find any detailed config notes for dummies or a working client kicking around please email me or pm bishop.dire at hotmail. thanks and good luck.
Figured I would provide an update. Still have not been able to configure VPN successfully but did manage to receive a new client from Netgear, after registering product and ticket.. yeah! Useful Links below:
Telephone Support: http://kb.netgear.com/app/answers/detail/a_id/984
I guess depends on what time of day. One time Philippines?, India and North America. Twice professional and gave me ticket and name etc to register product and the other time just hung up on me.
Netgear Online Support Request REGISTRATION: https://my.netgear.com/registration/login.aspx used this to enter ticket and get free email support, but they wanted me to pay as well to get support.. no way.
Cool firmware emulator: http://firmware.netgear-forum.com/index.php?act=interface
BullS#$%# update product instructions for Vista: http://kb.netgear.com/app/answers/detail/a_id/50/session/L2F2LzEvc2lkL0x6TmJpTUFq
Good PreSales Forum Interesting: http://forum1.netgear.com/search.php?searchid=3394740
Interesting Config Info for VPN: http://www.vpncasestudy.com/
SMalletnetBuilder page 3-4 has config notes: http://www.smallnetbuilder.com/content/view/30280/51/
Basically Netgear sends you two files on time limited 3rd party DL service an uninstaller to clear out old VPN drivers and an installer which seems like Safenet's older v10.8.3 client..for xp32 and supposed to works with vista32
http://biz.safenet-inc.com/prod/software/index.asp
As i said.. i havn't been able to configure anything yet so will see. :(
PS. btw has this irritating issue about not being able to remotely log in to administer through WAN ports (remotely from internet) . Probably disabled as default security measure. But irritation to test remote access. To re-enable WAN logon or just goto users tab and find the admin or create a new admit level account user and edit click the profiles button beside the listed user. Then two check box options come up "DENY Logon from WAN Inerface" (uncheck). See Pg 154 manual "Setting User Login Policies"
Goodluck, y'all.
Hello,
I am glad to hear that you were finally able to download the latest software. I have 10.8.3 as well. Since I wrote the orginal post I found another annoyance. The software is not 64-bit compatible. I had to waste an afternoon rebuilding a machine to go back to 32-bit. Anyway, good luck with getting the rest of the VPN configured!
My company just changed to use NetGear FVS336G also. I have no luck on finding the 3rd IPSec VPN client either. I tried the TheGreenBow and open vpn-client. They are not working with FVS336G. Would anyone know any 3rd-party vpn client that will work with FVS336G?
We bought one and have had good results so far. We wanted the load-balancing, mainly, but have used the VPN a bit. The LAN groups feature is the main way to accomplish load balancing, by assigning some clients to one WAN port and some to the other WAN port. Nothing too fancy but did the trick for our small office. Also, have tested the failover from WAN1 to WAN2, takes about 30 seconds to kick in, but worked. Took a minute or two for it to go back to using WAN1 after the connection was restored. We were having a weird problem with some kind of error about the "domain" when logging in to the router admin page, but that hasn't appeared since disabling SSL-VPN.
For Mac we have successfully used the 3rd party IP Securitas client, so yes it is possible to do IPSEC VPN with non-netgear clients. IP Securitas came with a built in profile for another Netgear model, I used that as a starting point.
In the Netgear forums (available only to registered router owners) there are a few very active users that have posted lots of FAQs and walkthrough type documents that can be semi-helpful.
In basic testing I did get the Shrew Soft client to work okay, based on the settings I used for IP Securitas.
One thing you have to make sure of is that the IP addresses used inside your VPN's LAN are in a different subnet than the remote network from which you are connecting. If they are both the common 192.168.1.x the connection fails. Make up a number like 192.168.123.x or something more exotic like 10.111.222.x to use within your LAN (the one you're connecting to via VPN) to reduce the possibility of collision. There are ways around this -- using MODECONFIG to send network configuration info to client -- but that's the simplest way.
Here is the ShrewSoft config file that I believe works for our VPN config, minus the sensitive parts. Our VPN is basically set up as the VPN Wizard defaults.
n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:network-natt-port:4500
n:network-natt-rate:30
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-addr-auto:1
s:client-auto-mode:disabled
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-server-type:fqdn
s:ident-client-data:fvs_remote.com
s:ident-server-data:fvs_local.com
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-list-include:192.168.2.0 / 255.255.255.0
I should clarify that this config uses a single pre-shared key for authentication, not the individual usernames mentioned in the original post.
Also, the 192.168.2.0 address refers to the LAN subnet. That was crucial to tell Shrew Soft to send any traffic destined for that subnet through the VPN.
thegreenbow works well with the netgear fvs336G. just start the vpn wizard. setup a vpn client.
there are a lot of settings in thegreenbow but if they match correctly, you will be able te get the ipsec vpn working. Unfortunatelly i didn't find a solution to add a vpn-client to active directory server behind the fvs336G router. It has something to do with multicast and GRE protocol. i used wireshark to monitor the packages. and saw that it broadcasts to the other ip range. so it never reaches netgear router ip range. for example: vpn-client: 192.168.1.2. multicast packet 192.168.1.255. netgear fvs336g uses ip-range 10.0.0.1 and active directory server 10.0.0.2 so it broadcasts to 10.0.0.255.
Thanks for the feed!
Run into the same problems connecting Vista to the company network thru FVS336G VPN, still struggling...
Just found out there is a Vista compatible version of NetGear VPN Client. The full name is "NETGEAR ProSafe VPN Client Version 10.8.0 (Build 20)".
As opposed to earlier versions, it installs on Vista without errors. Now testing...
Hi,
As this blog post ranks highly for fvs336g related vpn client queries, let me add my experiences.
I have a Powerbook myself and setting up Equinox VPNTracker was an absolute breeze. Now my colleague with his Win XP laptop needed access too so after Googling around and finding this post, we opted for TheGreenBow. I also used the VPN Casestudy for it as a reference.
After about 4 hours, it dawned on me that you have to flip the remote and local ID. So on the router, you set local ID to say fvs_local.com and remote ID to say fvs_remote.com then on your client, your local is fvs_remote.com and your remote ID is fvs_local.com
The bloody VPN logs on the fvs336g won't help you with this so I thought I'd post it.
MPLS networks are often referred to as MPLS VPN because they are inherently virtually private. Connections to the network tend to be through dedicated private lines, such as T1 or Ethernet.
VPN
Nice review of VPN router.
top10-bestvpn.com
Cool review of router.
Great post.Nice blog about routers and VPN clients.
Good work.
10webhostingservice
This is such a great resource that you are providing and you give it away for free. I love seeing the blog that understands the value. Im glad to have found this post as its such an interesting one! I am always on the lookout for quality posts and articles so i suppose im lucky to have found this! I hope you will be adding more in the future… for any kind of netgear support you can call us 0800-090-3240 or visit netgear phone number uk.
Thanks for providing the nice resource for Netgear Router customer review, it is really nice and helpful to me. I need this type of blog and I’m so lucky to find out your blog. For any customer support help about netgear router contact 0800-090-3220 or visit the website Netgear Help Number UK
If you are using a Wireless Canon Printer then there is a higher possibility that you will face more communication issues than a normal printer user. For any sort of error or communication problem, you can connect with Printer experts of 08081782624 Canon Printer Phone Support Number UK.
when a client purchases the Netgear Router, they are additionally ensured amazingly predominant nature of specialized help gave viably by our Netgear Troubleshooting group. If you need Negear Nighthawk Router Setup then you can visit us.
How to Troubleshoot Home WiFi and Router Issues?
How to Check Your Nighthawk Router for Malware?
AN ALL-INCLUSIVE GUIDE TO RESET NETGEAR NIGHTHAWK AC1750 ROUTER
Netgear Nighthawk X4 AC2350 R7500 Router Setup Guide
Is the Nighthawk AC1900 WiFi Router Best for Online Gaming?
Can't Access Netgear Nighthawk Router Login Page?
Can't Log In to Netgear Router? Here's the Solution
WiFi Devices Can't Detect Netgear Extender Network Name
AC1900 Netgear Extender Internet Disconnecting Issue?
https://wifihelp.weebly.com/
Post a Comment