Like its 802.11b FVM318 sibling, the FWAG has a built-in IPsec endpoint and also supports VPN passthrough for PPTP, IPsec and L2TP traffic. But unlike the FVM318, the endpoint is for tunnels originating or terminating on the WAN interface only. Protection for wireless LAN clients will need to be done via WEP or WPA (more on this later).
The IPsec endpoint has its good and bad points. On the plus side, it's much more configurable than the endpoints found on Linksys' popular BEFVP41 [reviewed here] and BEFSX41 [reviewed here] routers, and supports digital certificates (and a certificate revokation list) for IKE policy authentication in addition to pre-shared keys. NETGEAR also includes a couple of detailed setup examples for FWAG114-to-FWAG114 VPNs.
The main negatives are its logging and connection setup. VPN setup log messages are generally tough to decipher unless you're an expert, but I found the FWAG's tougher to decipher than those generated by Linksys' BEFSX41. Since there's no Connect button, NETGEAR suggests you try to ping a client on the opposite end of the tunnel to get things started. Once you're up, there's no way to terminate a connection (although this is more of a problem during testing than in real application).
Having recently figured out how to make WinXP's built-in IPsec client work [see this ProblemSolver for the details], I figured I'd try to get it to work its magic with the FWAG. I eventually succeeded, but only could get the tunnel going from the FWAG end and after a router reboot. And although the tunnel appeared to be working, this message in the VPN Log didn't exactly inspire confidence!
[2003-09-02 17:17:39]Something terribly wrong, trying to free alredy freed
However, I was impressed that the throughput through the tunnel averaged a respectable 1.6Mbps from the XP client to FWAG and 2.0Mbps in the reverse direction, which is well matched to most broadband connection speeds.
Tip: If you want to try your own luck at getting XP and the FWAG tunneling in harmony, here are my basic setup details:
|FWAG114 IKE Policy|
|Direction Type||Both directions|
|Local Identity Type||WAN IP address|
|Remote Identity Type||Remote WAN IP|
|IKE SA Parameters||
Encryption algorithm: 3DES
|FWAG114 VPN Auto Policy|
|IKE policy||select the policy created|
|Remote VPN endpoint||IP address|
|IPsec PFS||selected, PFS Key Group 2|
|Traffic Selector||Local IP: Subnet address
Remote IP: Single address
|ESP configuration||Enable encryption, 3DES
Enable authentication, MD5
Basic approach is mirror the settings above.
For both rules:
For the "To" rule:
For the "From" rule: