NETGEAR CONFIDENTIAL FVS318v3 Cable/DSL ProSafe VPN Firewall with 8-port switch

NETGEAR CONFIDENTIAL

FVS318v3Cable/DSL ProSafe VPN Firewall with 8-port switch


Gift Box


Features

• 8 simultaneous VPN tunnels.

• 8 10/100 LAN ports.

• 10 base-T WAN port.

• Up to 168 bit 3DES encryption.

• With v2.4 firmware– Configuration Assistant– VPN Wizard


V1, V2, V3?

• Serial number prefix– V1 – FVS9– V2 – FVS1– V3 – FVS8

• There are no external difference between model.

• It is not possible to order one particular version.

• No upgrade between hardware version is available.

• Firmware of FVS318v3 is not compatible to FVS318v1 and v2.

• Firmware of FVS318 v1 and v2 is not compatible to FVS318v3.


FVS318v3

• The FVS318v3 uses a much improved, more powerful CPU.

• Faster routing and VPN throughput.

• VPN authentication using X.509 certificates.

• Remote Management using HTTPS.

• Firewall rules for inbound and outbound traffic


When will the v3 be available?

• The FVS318 will start being shipped in late Dec 2004. However, it may take up to late Feb 2005 for it to reach customer since we still have inventory of the v1/v2.

• There are several known issues with the FVS318v3 when it is released initially. A bug fix release will be available before the product reach customer. Make sure customer upgrade to the new firmware.


Connecting the FVS318


LED

• Power: The power light should turn solid green.

• Test: The test light blinks when the router is first turned on then goes off.

• Internet: The internet port light should be lit. If not, make sure the Ethernet cable is securely attached to the firewall Internet port and the modem, and the modem is power on.

• LAN: A LAN light should be lit. Green indicates our computer is communicating at 100 Mbps, amber indicates 10 Mbps. If a LAN light not lit, check that the Ethernet cable from the computer to the router is securely attached at both ends, and that the computer is turned on.


GUI


Configuration Assistant

• Automatically bring up wizard when user start browser.

• Guide user to configure internet connection.

• Automatically detect PPPoE, static IP or dynamic IP from ISP.

• No longer need to use http://192.168.0.1 to access the administrator interface.

• Support and documentation links on GUI menu.

• Click Cancel during configuration assistant will bring up the Basic Settings page. (New in v3)


Configuration Assistant - Start


Configuration Assistant - Quit


Configuration Assistant - Testing


Configuration Assistant - Detected


Configuration Assistant – Dynamic IP (DNS)


Configuration Assistant - Update


Configuration Assistant - Success


Configuration Assistant – Done


Configuration Assistant – No connection


Configuration Assistant - PPPoE








FAQ – Configuration Assistant

• If user choose to quit Configuration Assistant, the Basic Settings page will come up.

• If default home page is blank, configuration assistant won’t come up when start browser.

• The configuration assistant will only come up if the router is in factory default state.

• If configuration assistant won’t come up, it can be access from:– http://www.routerlogin.com– http://www.routerlogin.net– http://192.168.0.1


VPN – Box to Box

EthernetEthernet

INTERNET

ProSafe VPN router ProSafe VPN Router

192.168.0.0/255.255.255.0

66.126.237.201

192.168.4.0/255.255.255.0

66.126.237.204

Network A Network B

Network A Network BLocal Identifier WAN IP WAN IPRemote Identifer WAN IP WAN IPLocal subnet 192.168.0.0/24 192.168.4.0/24Remote subnet 192.168.4.0/24 192.168.0.0/24Remote VPN Endpoint 66.126.237.204 66.126.237.201Shared Key 12345678 12345678Encryption Algorithm 3DES 3DESAuthentication Algorithm SHA-1 SHA-1

Scenario: Box to Box


VPN Wizard – Box to Box 1


VPN Wizard – box to box 2














VPN – Client to Box

Ethernet

INTERNET

ProSafe VPN router

192.168.1.0/255.255.255.0

66.126.237.203

Remote UserVPN Client

Network A Remote ClientLocal Identifier WAN IP remoteClientRemote Identifer remoteClient WAN IPLocal subnet 192.168.1.0/24 192.168.100.1Remote subnet 192.168.100.1 192.168.1.0/24Remote VPN Endpoint 66.126.237.203 0.0.0.0Shared Key 12345678 12345678Encryption Algorithm 3DES 3DESAuthentication Algorithm MD5 MD5

Scenario: Client to Box


VPN Wizard – Client to Box 1








VPN Wizard – Client to Box 2B






Basic Setting - Broadband


Basic Setting – Broadband with Login


Security - Log


Security - Block Site


Security – Block Site


Security – Block Site


Security - Rules


Security – Add rule


Security – Add Services


Security - Schedule


Security - Email


VPN – IKE Policy


VPN – VPN Policy


VPN - CAs


VPN - Certificates


VPN - CRL


VPN – VPN Status


Maintenance - Router Status


Router Status – WAN status and Statistics


Maintenance - Attached Devices


Maintenance - Settings Backup


Maintenance - Set Password


Maintenance - Diagnostics


Maintenance - Router Upgrade


Advanced - Dynamic DNS


Advanced - LAN IP Setup


Advanced - Remote Management


Advanced - Static Routes


Web Support -


Troubleshooting


Known Issues

• When manage the router through remote management, the interface is slow.

• Cannot add VPN client policy when one is active.

• LAN PC cannot ping WAN IP address.

• When WAN IP 192.168.0.1, can’t route.


VPN Troubleshooting

Can the other VPN end point reach you?– What is the remote VPN endpoint?

• FQDN: resolve to remote WAN IP?• IP Address: Is IP address reachable?• 0.0.0.0: VPN uses aggressive mode?

• Do the VPN parameters matches on both endpoints?– What are the remote/local IKE identities?

• Do they match the remote endpoint’s local/remote IKE identities?

– What are the local/remote VPN networks?• Do they match remote endpoint’s remote/local VPN networks?

– What is the pre-shared key?• Does it match the remote endpoint’s pre-shared key?

– What are the encryption/authentication algorithms?• Do they match the remote endpoint’s algorithms?

– What is the IKE mode (main/aggressive)?• Does it match the remote endpoint’s IKE mode?


VPN Troubleshooting FlowVPN not working

Dynamic IP onlocal WAN?

Dynanmic IPon remote

WAN?

Check dynamicDNS setting, make

sure FQDNresolve to local

WAN IP

Use FQDN

Setup dynamicDNS

VPN mode mustmatches in bothremote and local

VPN policies

Preshared keymust matches inboth remote and

local VPN policies

Encryptionalgorithm mustmatches in bothlocal and remote

VPN policies

Authenticationalgorthm must

matches in bothremote and local

VPN policies

Y

N

Y

Y

N Y Y

N

Y

N

Use dynamicDNS?

Use FQDN aslocal VPNidentity?

Use dynamicDNS?

Use FQDN asremote VPN

identity?

FQDN resolveto WAN IP?

Preshared keymatches?

FQDN resolveto WAN IP?

Authenticationalgorithimmtaches?

Check dynamicDNS setting, make

sure FQDNresolve to remotel

WAN IP

Setup dynamicDNS

Use FQDN

Encryptionalgorithmmatches?

VPN modematches

N

N

Y

N

Y Y

N

N

N

N

Y

N

Refer to Premiumsupport

Y


CTS


CTS Codes: Problems

• Hardware

• Missing Part

• Power Supply

• Software


CTS Codes – Causes - Hardware

• Can not print (Print server)Can not print (Print server)

• Dead on arrivalDead on arrival

• Device keep rebooting itselfDevice keep rebooting itself

• LED – intermittent flashingLED – intermittent flashing

• LED – no lights/no powerLED – no lights/no power

• Missing AccessoriesMissing Accessories

• Missing DocumentationMissing Documentation

• Missing Power SupplyMissing Power Supply

• No Connection to Modem (no light)No Connection to Modem (no light)

• Non-Netgear ProductNon-Netgear Product

• Published feature not workingPublished feature not working

• Unit Dead-No PowerUnit Dead-No Power

• Wireless Signal – no signalWireless Signal – no signal

• Wireless Signal - weakWireless Signal - weak


CTS Code – Causes – Missing Parts

• Accessory

• Power supply


CTS Codes – Causes - Software

• Advanced Feature Request

• Application – AOL Optimized 9.0 does not work

• Application – Can not play online game

• Application – Can not set up application server

• Application – Can not use messaging services

• Cannot build VPN tunnel (box-box)

• Cannot build VPN tunnel (passthrough)

• Cannot connect to internel

• Cannot connect to ISP with PPTP connection

• Cannot display secure web pages

• Cannot get to AP/Router

• Cannot send/receive emails.

• Cannot use VPN Client (client-box)

• Crash/Lock Up

• Device not detected

• Dial on-demand not working

• Documentation incorrect• Failed Outbound FTP Upload• Firmware – failure after update• Firmware request• ISP parameter incorrect• Modem direct connect does not work• Router hangs connection• Setting lost on device reboot• Slow internet Connection• Wireless icon – not in SysTray• Wireless icon red


CTS Codes - Resolutions

• Adjusted Antenna

• Admin – Configured ISP – PPPoA

• Admin – Configured ISP – PPPoE

• Admin – Configured ISP – static detected

• Admin – Provided password

• Admin – Ran Smart Wizard

• Admin – Set Port Forwarding

• Attached to Existing Issue

• Changed MTU setting

• Checked/Replaced LAN cable

• Checked/Replaced power cable

• Checked/Replaced WAN cable

• Configured for LAN

• Configured for Other hardware

• Connect hub between PC and router

• Customer not willing to troubleshoot

• Device tested OK – ISP Problem

• Disable SPI

• Disabled/Removed Software Firewall

• Disconnected/Reconnected

• Driver – Updated/installed Drivers

• Firmware – Sent firmware/software

• Firmware install – latest version

• Firmware install – previous version

• Incompatible

• Connect hub between PC and router• Customer not willing to troubleshoot• Device tested OK – ISP Problem• Disable SPI• Disabled/Removed Software Firewall• Disconnected/Reconnected• Driver – Updated/installed Drivers• Firmware – Sent firmware/software• Firmware install – latest version• Firmware install – previous version• Incompatible• Non Netgear Issue – ie ISP Problem• Non-Netgear issue – customer error• Physical installation of device• Power cycle Modem/AP/Router/PC• Proxy server added• Reconfigured device settings – Incorrect• settings• Refer – Premium Support – accepted/referral• Refer – Premium Support – DECLINED• Refer – to KB• Refer – UNSUPPORTED – to 3rd party vendor• Release/renewed DHCP IP• Reset to factory default

• RMA – DENIED – as outside warranty• conditions• RMA – DENIED – due to Power Outage• RMA – Failure after firmware upgrade• RMA – logged completed unit• RMA – logged power supply• Service Contract• Utility – Configured Printer Server Admin• Utility – Configured wireless utility• Utility – installed wireless utility• VPN – configured OTHER client (client-box)• VPN – configured Safenet Remote (client-box)• VPN – configured setup (box-box)• VPN – configured setup (pass through)• VPN – configured Win2K (box-box)


Practice Questions


Question 1:

Network A Network BLocal IdentifierRemote IdentiferLocal subnetRemote subnetRemote VPN EndpointShared KeyEncryption AlgorithmAuthentication Algorithm

EthernetEthernet

ProSafe VPN router ProSafe VPN Router

192.168.1.0/255.255.255.0

129.30.6.121

10.1.2.0/255.255.255.0

205.158.9.23DESSHA-1

Key: 12345678Network A

Network B

1. Fill out VPN parameters according to the network data


Questions and Answers

Documents

NETGEAR CONFIDENTIAL FVS318v3 Cable/DSL ProSafe VPN Firewall with 8-port switch