FVS318v3 Cable/DSL ProSafe VPN Firewall with 8-port switch NETGEAR CONFIDENTIAL

Gift Box
Features
• 8 simultaneous VPN tunnels.
• 8 10/100 LAN ports.
• 10 base-T WAN port.
• Up to 168 bit 3DES encryption.
• With v2.4 firmware
– Configuration Assistant
– VPN Wizard
V1, V2, V3?
• Serial number prefix
– V1 – FVS9
– V2 – FVS1
– V3 – FVS8
• There are no external differences between models.
• It is not possible to order one particular version.
• No upgrade between hardware versions is available.
• Firmware of FVS318v3 is not compatible with FVS318v1 and v2.
• Firmware of FVS318 v1 and v2 is not compatible with FVS318v3.
FVS318v3
• The FVS318v3 uses a much improved, more
powerful CPU.
• Faster routing and VPN throughput.
• VPN authentication using X.509 certificates.
• Remote Management using HTTPS.
• Firewall rules for inbound and outbound traffic
When will the v3 be available?
• The FVS318 will start shipping in late Dec 2004. However, it may take until late Feb 2005 for it to reach customers, since we still have inventory of the v1/v2.
• There are several known issues with the FVS318v3 at its initial release. A bug fix release will be available before the product reaches customers. Make sure customers upgrade to the new firmware.
Connecting the FVS318
LED
• Power: The power light should turn solid green.
• Test: The test light blinks when the router is first turned on, then goes off.
• Internet: The internet port light should be lit. If not, make sure the Ethernet cable is securely attached to the firewall Internet port and the modem, and the modem is powered on.
• LAN: A LAN light should be lit. Green indicates your computer is communicating at 100 Mbps, amber indicates 10 Mbps. If a LAN light is not lit, check that the Ethernet cable from the computer to the router is securely attached at both ends, and that the computer is turned on.
GUI
Configuration Assistant
• Automatically brings up the wizard when the user starts the browser.
• Guides the user through configuring the internet connection.
• Automatically detects PPPoE, static IP or dynamic IP from the ISP.
• No longer need to use http://192.168.0.1 to access the administrator interface.
• Support and documentation links on the GUI menu.
• Clicking Cancel during the configuration assistant will bring up the Basic Settings page. (New in v3)
Configuration Assistant - Start
Configuration Assistant - Quit
Configuration Assistant - Testing
Configuration Assistant - Detected
Configuration Assistant – Dynamic IP (DNS)
Configuration Assistant - Update
Configuration Assistant - Success
Configuration Assistant – Done
Configuration Assistant – No connection
Configuration Assistant - PPPoE
FAQ – Configuration Assistant
• If the user chooses to quit the Configuration Assistant, the Basic Settings page will come up.
• If the default home page is blank, the configuration assistant won’t come up when the browser starts.
• The configuration assistant will only come up if the router is in factory default state.
• If the configuration assistant won’t come up, it can be accessed from:
– http://www.routerlogin.com
– http://www.routerlogin.net
– http://192.168.0.1
VPN – Box to Box
Scenario: Box to Box
[Diagram: Network A (192.168.0.0/255.255.255.0), Ethernet, ProSafe VPN router (66.126.237.201), INTERNET, ProSafe VPN Router (66.126.237.204), Ethernet, Network B (192.168.4.0/255.255.255.0)]

Parameter                  Network A          Network B
Local Identifier           WAN IP             WAN IP
Remote Identifier          WAN IP             WAN IP
Local subnet               192.168.0.0/24     192.168.4.0/24
Remote subnet              192.168.4.0/24     192.168.0.0/24
Remote VPN Endpoint        66.126.237.204     66.126.237.201
Shared Key                 12345678           12345678
Encryption Algorithm       3DES               3DES
Authentication Algorithm   SHA-1              SHA-1
VPN Wizard – Box to Box 1
VPN Wizard – Box to Box 2
VPN Wizard – Box to Box 3
VPN Wizard – Box to Box 4
VPN Wizard – Box to Box 5
VPN Wizard – Box to Box 6
VPN Wizard – Box to Box 7
VPN Wizard – Box to Box 8
VPN – Client to Box
Scenario: Client to Box
[Diagram: Network A (192.168.1.0/255.255.255.0), Ethernet, ProSafe VPN router (66.126.237.203), INTERNET, Remote User (VPN Client)]

Parameter                  Network A          Remote Client
Local Identifier           WAN IP             remoteClient
Remote Identifier          remoteClient       WAN IP
Local subnet               192.168.1.0/24     192.168.100.1
Remote subnet              192.168.100.1      192.168.1.0/24
Remote VPN Endpoint        66.126.237.203     0.0.0.0
Shared Key                 12345678           12345678
Encryption Algorithm       3DES               3DES
Authentication Algorithm   MD5                MD5
VPN Wizard – Client to Box 1
VPN Wizard – Client to Box 2
VPN Wizard – Client to Box 3
VPN Wizard – Client to Box 4
VPN Wizard – Client to Box 2B
VPN Wizard – Client to Box 3B
VPN Wizard – Client to Box 4B
Basic Setting - Broadband
Basic Setting – Broadband with Login
Security - Log
Security - Block Site
Security - Rules
Security – Add rule
Security – Add Services
Security - Schedule
Security - Email
VPN – IKE Policy
VPN – VPN Policy
VPN - CAs
VPN - Certificates
VPN - CRL
VPN – VPN Status
Maintenance - Router Status
Router Status – WAN status and Statistics
Maintenance - Attached Devices
Maintenance - Settings Backup
Maintenance - Set Password
Maintenance - Diagnostics
Maintenance - Router Upgrade
Advanced - Dynamic DNS
Advanced - LAN IP Setup
Advanced - Remote Management
Advanced - Static Routes
Web Support -
Troubleshooting
Known Issues
• When managing the router through remote management, the interface is slow.
• Cannot add a VPN client policy when one is active.
• LAN PC cannot ping the WAN IP address.
• When the WAN IP is 192.168.0.1, can’t route.
VPN Troubleshooting
• Can the other VPN end point reach you?
– What is the remote VPN endpoint?
  • FQDN: does it resolve to the remote WAN IP?
  • IP Address: is the IP address reachable?
  • 0.0.0.0: does the VPN use aggressive mode?
• Do the VPN parameters match on both endpoints?
– What are the remote/local IKE identities?
  • Do they match the remote endpoint’s local/remote IKE identities?
– What are the local/remote VPN networks?
  • Do they match the remote endpoint’s remote/local VPN networks?
– What is the pre-shared key?
  • Does it match the remote endpoint’s pre-shared key?
– What are the encryption/authentication algorithms?
  • Do they match the remote endpoint’s algorithms?
– What is the IKE mode (main/aggressive)?
  • Does it match the remote endpoint’s IKE mode?
VPN Troubleshooting Flow
[Flowchart, start: VPN not working]
• Dynamic IP on local WAN? If Y:
– Use dynamic DNS? If N: Setup dynamic DNS.
– Use FQDN as local VPN identity? If N: Use FQDN.
– FQDN resolves to WAN IP? If N: Check dynamic DNS setting, make sure FQDN resolves to local WAN IP.
• Dynamic IP on remote WAN? If Y:
– Use dynamic DNS? If N: Setup dynamic DNS.
– Use FQDN as remote VPN identity? If N: Use FQDN.
– FQDN resolves to WAN IP? If N: Check dynamic DNS setting, make sure FQDN resolves to remote WAN IP.
• Preshared key matches? If N: Preshared key must match in both remote and local VPN policies.
• VPN mode matches? If N: VPN mode must match in both remote and local VPN policies.
• Authentication algorithm matches? If N: Authentication algorithm must match in both remote and local VPN policies.
• Encryption algorithm matches? If N: Encryption algorithm must match in both local and remote VPN policies.
• Otherwise: Refer to Premium support.
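Added example (not part of the original slides): the parameter checks from the VPN Troubleshooting list and flow above, applied to the two Box to Box policies. The Policy field names, the IKE mode value "main", and writing the "WAN IP" identities out as addresses are assumptions; SITE_B_BAD is a constructed misconfiguration.

```python
from collections import namedtuple
from ipaddress import ip_network

# Field names are hypothetical; they follow the rows of the slide tables.
Policy = namedtuple("Policy", "wan_ip local_id remote_id local_subnet "
                    "remote_subnet remote_endpoint psk enc auth ike_mode")

def same_net(a, b):
    # /24 and /255.255.255.0 describe the same network; compare parsed values
    return ip_network(a, strict=False) == ip_network(b, strict=False)

def check_pair(a, b):
    """Return the checklist items on which policies a and b disagree."""
    problems = []
    for name, side, peer in (("A", a, b), ("B", b, a)):
        if side.remote_endpoint == "0.0.0.0":
            if side.ike_mode != "aggressive":
                problems.append(f"{name}: endpoint 0.0.0.0 without aggressive mode")
        elif side.remote_endpoint != peer.wan_ip:
            problems.append(f"{name}: remote endpoint is not the peer WAN IP")
    if (a.local_id, a.remote_id) != (b.remote_id, b.local_id):
        problems.append("IKE identities are not mirrored")
    if not (same_net(a.local_subnet, b.remote_subnet)
            and same_net(a.remote_subnet, b.local_subnet)):
        problems.append("VPN networks are not mirrored")
    if a.psk != b.psk:
        problems.append("pre-shared key differs")  # report only; never echo the key
    for field, label in (("enc", "encryption algorithm"),
                         ("auth", "authentication algorithm"), ("ike_mode", "IKE mode")):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{label} differs")
    return problems

# Values from the Box to Box table; ike_mode "main" is an assumption.
SITE_A = Policy("66.126.237.201", "66.126.237.201", "66.126.237.204",
                "192.168.0.0/24", "192.168.4.0/24", "66.126.237.204",
                "12345678", "3DES", "SHA-1", "main")
SITE_B = Policy("66.126.237.204", "66.126.237.204", "66.126.237.201",
                "192.168.4.0/255.255.255.0", "192.168.0.0/24", "66.126.237.201",
                "12345678", "3DES", "SHA-1", "main")
# Constructed misconfiguration: B set to MD5 while A uses SHA-1.
SITE_B_BAD = SITE_B._replace(auth="MD5")

if __name__ == "__main__":
    for peer in (SITE_B, SITE_B_BAD):
        print(check_pair(SITE_A, peer) or "policies match")
```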
CTS
CTS Codes: Problems
• Hardware
• Missing Part
• Power Supply
• Software
CTS Codes – Causes - Hardware
• Can not print (Print server)
• Dead on arrival
• Device keeps rebooting itself
• LED – intermittent flashing
• LED – no lights/no power
• Missing Accessories
• Missing Documentation
• Missing Power Supply
• No Connection to Modem (no light)
• Non-Netgear Product
• Published feature not working
• Unit Dead-No Power
• Wireless Signal – no signal
• Wireless Signal - weak
CTS Code – Causes – Missing Parts
• Accessory
• Power supply
CTS Codes – Causes - Software
• Advanced Feature Request
• Application – AOL Optimized 9.0 does not work
• Application – Can not play online game
• Application – Can not set up application server
• Application – Can not use messaging services
• Cannot build VPN tunnel (box-box)
• Cannot build VPN tunnel (passthrough)
• Cannot connect to internet
• Cannot connect to ISP with PPTP connection
• Cannot display secure web pages
• Cannot get to AP/Router
• Cannot send/receive emails.
• Cannot use VPN Client (client-box)
• Crash/Lock Up
• Device not detected
• Dial on-demand not working
• Documentation incorrect
• Failed Outbound FTP Upload
• Firmware – failure after update
• Firmware request
• ISP parameter incorrect
• Modem direct connect does not work
• Router hangs connection
• Setting lost on device reboot
• Slow internet Connection
• Wireless icon – not in SysTray
• Wireless icon red
CTS Codes - Resolutions
• Adjusted Antenna
• Admin – Configured ISP – PPPoA
• Admin – Configured ISP – PPPoE
• Admin – Configured ISP – static detected
• Admin – Provided password
• Admin – Ran Smart Wizard
• Admin – Set Port Forwarding
• Attached to Existing Issue
• Changed MTU setting
• Checked/Replaced LAN cable
• Checked/Replaced power cable
• Checked/Replaced WAN cable
• Configured for LAN
• Configured for Other hardware
• Connect hub between PC and router
• Customer not willing to troubleshoot
• Device tested OK – ISP Problem
• Disable SPI
• Disabled/Removed Software Firewall
• Disconnected/Reconnected
• Driver – Updated/installed Drivers
• Firmware – Sent firmware/software
• Firmware install – latest version
• Firmware install – previous version
• Incompatible
• Non Netgear Issue – ie ISP Problem
• Non-Netgear issue – customer error
• Physical installation of device
• Power cycle Modem/AP/Router/PC
• Proxy server added
• Reconfigured device settings – Incorrect settings
• Refer – Premium Support – accepted/referral
• Refer – Premium Support – DECLINED
• Refer – to KB
• Refer – UNSUPPORTED – to 3rd party vendor
• Release/renewed DHCP IP
• Reset to factory default
• RMA – DENIED – as outside warranty conditions
• RMA – DENIED – due to Power Outage
• RMA – Failure after firmware upgrade
• RMA – logged completed unit
• RMA – logged power supply
• Service Contract
• Utility – Configured Printer Server Admin
• Utility – Configured wireless utility
• Utility – installed wireless utility
• VPN – configured OTHER client (client-box)
• VPN – configured Safenet Remote (client-box)
• VPN – configured setup (box-box)
• VPN – configured setup (pass through)
• VPN – configured Win2K (box-box)
Practice Questions
Question 1:
1. Fill out VPN parameters according to the network data
[Diagram: Network A and Network B, each on Ethernet behind a ProSafe VPN router, connected across the Internet. Labels shown: 129.30.6.121, 205.158.9.2, 10.1.2.0/255.255.255.0, 192.168.1.0/255.255.255.0, Key: 12345678, 3DES, SHA-1]

Parameter                  Network A          Network B
Local Identifier
Remote Identifier
Local subnet
Remote subnet
Remote VPN Endpoint
Shared Key
Encryption Algorithm
Authentication Algorithm
Questions and Answers