VPNs
The FVS336G first and foremost is a VPN device, with the ability to support up to 25 IPSec and 10 SSL VPN tunnels simultaneously. Either the SSL or IPsec tunnels can be used for remote access and there are enough IPsec tunnels to support multiple gateway-to-gateway secure links.
This is a different approach than the one taken by the recently reviewed Linksys RVL200, which is primarily a VPN gateway with SSL tunnels for remote access and a single IPSec tunnel for connection back to a central corporate gateway.
IPSec tunnels are created via Site-to-Site configurations or via NETGEAR’s VPN Client software, as they were with the FVS124G [reviewed] or FVX538 [reviewed]. The SSL VPN tunnels are a newer addition, enabling VPN connectivity without the hassles of licensing, installing, and configuring client software.
IPSec Site-to-Site tunnels set up quickly on the FVS336G. I had no problem connecting the FVS336G to a SonicWALL TZ190W over the public Internet. Using the NETGEAR VPN Wizard, I created a VPN Policy as follows (depicted in Figure 3):
- Select Gateway for tunnel type.
- Enter a name and password in the Connection Name and pre-shared key fields. In the example below, I entered "VPN to Other Site" as my Connection Name and "mypassword" as the pre-shared key.
- Enter WAN IP addresses or domain names for each endpoint, such as "othersite.domain.com" and "thissite.domain.com" as below. IP addresses are a more stable means of endpoint identification if you're using ISP services with static IP addresses. I have some additional comments later in this review on using domain names instead of IP addresses for VPNs.
- Enter the subnet and mask of the remote network. (IMPORTANT: The remote network is the network on the other end of the tunnel, and it should be a different subnet than the local network.) In the example in Figure 3, I entered 192.168.1.0 and 255.255.255.0. Clicking Apply saves the new policy.
Figure 3: IPSec VPN Wizard
Using the VPN Wizard to create a VPN Policy automatically creates a corresponding IKE (Internet Key Exchange) Policy with the same name. I've found changing the Local and Remote Identifier Type fields to Local WAN IP and Remote WAN IP works best, even when using domain names instead of static IPs. Notice in Figure 4 how the Identifier Types are then grayed out.
Figure 4: Internet Key Exchange Policy configuration
Once the VPN and IKE Policies are built, they can be edited. For example, encryption can be changed from 3DES to AES-256 if desired. Note that Main Mode for Phase 1 and Perfect Forward Secrecy (PFS) for Phase 2 are automatically selected using the VPN Wizard. These options need to match on the far end for the tunnel to come up.
The options to configure Local and Remote Identifiers in my experience create more opportunity for configuration mismatches. Keep in mind that tunnel security is already established through a pre-shared key.
I have had better success creating Site-to-Site tunnels between different brand routers with these two fields blank. I find getting a tunnel established with basic settings and then experimenting with additional settings later is a more efficient and less frustrating approach.
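A pre-flight check for the matching rules described above (Phase 1 mode, encryption, PFS and pre-shared key must agree on both ends, and the remote network must be a different subnet than the local one), as an added example that is not NETGEAR's or the reviewer's code. The policy dictionaries, their field names and the sample values are constructed for illustration; they are not an export format of either gateway.

```python
import ipaddress

# Settings that must be identical on both gateways for the tunnel to come up.
MUST_MATCH = ("exchange_mode", "encryption", "pfs", "pre_shared_key")

def check_tunnel(a, b):
    """Compare two gateway policies and return a list of problems (empty = OK)."""
    problems = []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            # Never echo the pre-shared key into a report or log.
            detail = ("values differ" if field == "pre_shared_key"
                      else f"{a[field]!r} vs {b[field]!r}")
            problems.append(f"{field}: {detail}")
    # Subnets use the wizard's "address/mask" form, e.g. 192.168.1.0/255.255.255.0.
    a_lan = ipaddress.ip_network(a["local_subnet"])
    b_lan = ipaddress.ip_network(b["local_subnet"])
    # The two LANs must not overlap, or traffic for the peer never enters the tunnel.
    if a_lan.overlaps(b_lan):
        problems.append(f"local subnets overlap: {a_lan} and {b_lan}")
    # Each side's "remote subnet" must describe the other side's LAN.
    for here, there in ((a, b), (b, a)):
        remote = ipaddress.ip_network(here["remote_subnet"])
        if remote != ipaddress.ip_network(there["local_subnet"]):
            problems.append(f"{here['name']}: remote subnet {remote} "
                            f"is not the peer LAN {there['local_subnet']}")
    return problems

# Constructed sample policies (hypothetical names and values).
SITE_A = {"name": "this-site", "exchange_mode": "main", "encryption": "3DES",
          "pfs": True, "pre_shared_key": "constructed-sample-key",
          "local_subnet": "192.168.0.0/255.255.255.0",
          "remote_subnet": "192.168.1.0/255.255.255.0"}
SITE_B = {"name": "other-site", "exchange_mode": "main", "encryption": "AES-256",
          "pfs": True, "pre_shared_key": "constructed-sample-key",
          "local_subnet": "192.168.1.0/255.255.255.0",
          "remote_subnet": "192.168.0.0/255.255.255.0"}

if __name__ == "__main__":
    for problem in check_tunnel(SITE_A, SITE_B) or ["policies are consistent"]:
        print(problem)
```
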
I experimented with a variety of encryption settings, and was pleased that 3DES and AES-256 encryption both worked well with the FVS336G. I had a little problem with AES-256 encryption and the FVX538, but no problems with the FVS336G.
VPN Latency issues detected on the FVX538 also seem to be resolved with the FVS336G. I've updated Table 2 from our FVX538 review to include latency times for the FVS336G. As you can see, the latency issues we experienced in November with the FVX538 are not present in the FVS336G.
| Path | WAN-WAN | LAN-LAN VPN |
|---|---|---|
| RV042-TZ190W | 9ms | 11ms |
| TZ190W-RV042 | 16ms | 16ms |
| FVX538-TZ190W | 9ms | 36ms |
| TZ190W-FVX538 | 16ms | 33ms |
| FVS336G-TZ190W | 9ms | 9ms |
| TZ190W-FVS336G | 16ms | 16ms |
Table 2: Latency times
I noticed my NETGEAR-SonicWALL Site-to-Site VPN tunnel dropped several times over the course of my testing. I traced the problem to the fact that my ISP had changed my WAN IP, yet the NETGEAR dynamic DNS client hadn't updated the domain name service. So, the domain name for the WAN interface on the NETGEAR end of the Site-to-Site tunnel was no longer mapped to the correct WAN IP and the connection dropped.
I reported this issue to NETGEAR, and they're looking into it. Of course, using static IP addresses on both ends of the tunnel eliminates this issue.
User reviews
Average user rating from: 3 user(s)
Windows 7 64bit SSL VPN Support
These routers do support SSL VPN with Windows 7 64 bit. I don't recall the exact date, but I know I've used them with Windows 7 prior to December 2011. I don't remember where I found these details, but here's how to make it work:
- Check the firmware version in the unit to ensure it supports Windows 7, if not update firmware to one that does.
- Install the Microsoft Visual C++ 2005 Redistributable Package (x64) on machines that you wish to use SSL VPN. http://www.microsoft.com/en-us/download/details.aspx?id=21254
- Use the 64 bit Version of Internet Explorer
- Add the URL to trusted sites of Internet Explorer, and set the trusted sites security level to Low in order to allow the ActiveX Control that gets downloaded to install. (I think you can move this setting back up after it installs the first time.)
VPN DOES NOT SUPPORT 64 BIT WINDOWS
Additionally the shipped VPN software only has 1 license, so it cannot be used on more than one computer, and it does not support 64 bit Vista or Win7 at all. Nowhere does Netgear specify this, and anyone pointing this out on the forums gets their thread locked and ignored.
Do not buy this thing if you are planning on using VPN.
Easy setup, but some minor annoyances
This gateway was very easy to set up - very little configuration needed, and it certainly had more horsepower than the consumer grade gateway I had. Configuring the VPN, once I figured out how to set one up for iPhone/iPad, was relatively straightforward.
However, as of 9/19/2011, there is an issue with the gateway where, if you disconnect your VPN session, memory of that VPN session is kept behind for ~5 minutes. If you try to reconnect your session during that window, you will reconnect, but be unable to pass traffic. This isn't so bad for laptop users who typically have large windows of time in between disconnect/reconnect, but with the iOS devices, the screen lock will disconnect your VPN session, making this very annoying. I've submitted a feature request to Netgear.
Additionally, the bandwidth Metering is nice, but could use some more fleshing out in the reports it gives.
Rackmount hardware would have been a nice option, since this is NetGear's business line. (Blue/Gray box!)
The v2 version does not have the integrated power supply (one more wall-wart to install - boo!), and has the ports up front instead (yay!). Be careful of this when ordering off Amazon - you will be sent the v2.