VPN Hands On
The FVS336Gv3 has more VPN options than the original model. PPTP and L2TP tunnels are now supported, which enables remotely connecting hand-held devices and MacOS devices. For example, I was able to set up a PPTP tunnel between the FVS336Gv3 and my iPhone 5s.
To set up PPTP tunnels on the FVS336Gv3, check the box to enable the PPTP server, create a range of IP addresses (outside the LAN subnet) for the VPN clients, select authentication method (I selected MSCHAPv2), select encryption method (I selected MPPE-128) and create a user with PPTP permissions. Note, I initially tried MPPE-40 encryption, but the tunnel didn't come up until I changed the encryption method to MPPE-128.
On a Windows 8.1 PC, go to Control Panel, Network and Sharing Center, select Set Up a Connection or Network, Connect to a Workplace and Use my Internet connection (VPN). Then enter the IP/FQDN of the FVS' WAN interface and click create. On an iPhone 5s, go to Settings, VPN, Add VPN Configuration, then enter the IP/FQDN of the FVS, your username and password, and click save.
I found that PPTP tunnels on the FVS336Gv3 are full tunnels, which means all client traffic, including Internet traffic routes through the VPN tunnel. The gallery has screenshots of my config on the FVS, on my PC, on my iPhone, and the FVS status page with the PPTP tunnel up.
The setup for an L2TP tunnel is almost the same as the PPTP tunnel. To set up an L2TP tunnel on the FVS336Gv3, check the box to enable the L2TP server, create another range of IP addresses (outside the LAN subnet and outside the range used for PPTP) for the VPN clients, select authentication method (I selected MSCHAPv2) and create a user with L2TP permissions.
Configuring an L2TP tunnel on Windows is exactly the same as a PPTP tunnel, as Windows will automatically detect whether the tunnel is PPTP or L2TP. As I observed with PPTP tunnels, L2TP tunnels on the FVS336Gv3 are also full tunnels. The below screenshot shows the active L2TP tunnel on the FVS336Gv3.
L2TP Tunnel Status
The FVS336Gv3 will support up to 10 simultaneous SSL VPN tunnels. Configuration for SSL VPN tunnels on the the FVS336v3 can be done with a wizard or manually. I found the FVS336v3's SSL wizard confusing, so I manually entered my configurations. Below is a screenshot of my FVS configs for an SSL VPN tunnel.
FVS336Gv3 SSL Setup
As I've mentioned in previous reviews, I prefer SSL VPN tunnels over IPsec, PPTP, and L2TP for remote PC VPN tunnels as SSL tunnels are simpler than IPsec, but more secure than PPTP and L2TP. Further, I like using SSL VPN tunnels in split mode, which typically provides better client network performance.
However, I found establishing an SSL VPN tunnel to be more challenging and limited on the FVS336v3 than I had hoped. I believe it has something to do with the Windows Virtual Passage SSL adapter, screenshot below, which is used by some Cisco and NETGEAR routers for SSL VPNs.
Virtual Passage Adaptor
SSL VPNs with the FVS336v3 use a browser connection to set up the tunnel. NETGEAR's spec sheet says IE9 and IE10 for 32 and 64 bit Windows, Firefox 27 and Safari 5.1.7 for MAC OSX 10.6+, and Firefox 12 for Ubuntu Linux are supported browsers. I was able to get an SSL VPN to work with IE11 on a 32 bit Windows 7 PC.
To get an SSL VPN working on Windows, you need to add the WAN IP/FQDN of the FVS to your trusted sites list in IE and run IE in Admin Mode to install and run the SSL VPN adapter. My working SSL VPN connection is shown in the FVS status screen below.
SSL Tunnel Status
As mentioned previously, both NETGEAR and Cisco use this adapter for their SSL VPN solutions and forums on both websites have multiple comments. I was unable to get the NETGEAR Virtual Passage adapter to work on a 64 bit Windows 8.1 PC with IE11. I didn't get an error message, just no response when clicking the Connect or Uninstall icons shown in the screenshot below.
SSL Tunnel Login Screen
IPsec Client to Site
The NETGEAR FVS336Gv3 spec sheet indicates the FVS336Gv3 supports up to 25 simultaneous IPsec VPN tunnels. The FVS comes with one 30 day evaluation license for NETGEAR's ProSafe VPN Client Lite . It's Windows only and based on TheGreenBow VPN Client. I had no problem installing the software on a 64 bit Windows 7 PC I've used for testing other IPsec VPN clients.
I set up the software with the default values 3DES, SHA-1 and DH2 for Phase 1 (IKE Policy) and 3DES, SHA-1, and DH2 with PFS for Phase 2 (VPN Policy). I assigned a Local ID of doug.com and Remote ID of snb.com for the Local and Remote identifiers. I used a pre-shared key for the encryption key.
There is an IPsec configuration wizard on the FVS336v3, but I input my configuration manually. I set up the FVS with the same values as I used on the client. With my configuration input in the software and router, the tunnel connected right away. Images of the client software, client and FVS configs, and the established tunnel are shown in the gallery.
IPsec Site to Site
I also tested a Site to Site VPN between the FVS336v3 and the Linksys LRT224. Manually setting up a Site-to-Site IPsec tunnel is pretty straightforward, as long as you use the same Phase 1 and Phase 2 values on both routers. I used the same Phase 1 and Phase 2 values as I did for the Client to Site VPN and the tunnel came right up. My configs and a screenshot of the established tunnel are shown in the gallery.