train_wreck
Mar 18, 2016 (Luminary)
FVS336Gv3 - L2TP/IPsec on Windows 10
I am in the process of testing an FVS336Gv3. I have a working site-to-site VPN with a Mikrotik device using PSK, and have another thread at the moment for instruction on how to upload cert/key for th...
train_wreck
Mar 23, 2016 (Luminary)
No problem, DaneA. I set up a support ticket with them.
Thanks
train_wreck
Mar 25, 2016 (Luminary)
So I finally got this (somewhat) figured out. I will make a mention that the official Netgear support personnel with whom I'd had an open case wanted me to create a special login for him/her and allow the person to remotely connect to my device. In a business setting (like I am in), that is a VERY dubious request to make, in my opinion. Of course, I could not get permission from my upper management to allow this to happen. But I digress...
I figured I would share my configuration for those who might be interested. The configuration method is not what I would call "intuitive". The instructions below are working for me with the built-in L2TP/IPsec client in Windows 7, 8, and 10. Other clients may need different settings.
Be aware that I have measured AES throughput to be around 10 Mbps; pretty low, by today's standards, and certainly disappointing from a $200+ device (Cisco, Ubiquiti and Mikrotik offer devices that give far better VPN throughput rates, and cost half of this device). I wouldn't want to use this device with more than 4 or 5 concurrent users, and even that many might be a stretch... Also, this guide is for PSK authentication; I haven't gotten around to configuring X509 auth.
First, you need to create what is called a "Mode Config" under "VPN -> IPsec VPN -> Mode Config". These are actually the settings for the IPsec SA. I named mine "VPN":
Then, create the IKE policy (in this case I named it "Remote"), and tell it to use the previous config. Make sure to set local and remote to FQDN, with the value of "fvs1_local.com" for Local and the IP 0.0.0.0 as the FQDN value for Remote. Yes, it makes no sense; you would think that 0.0.0.0 should have Identifier Type "IP Address" selected, not "FQDN". Welcome to Netgear :) Also, make sure to select 3DES as the cipher on this screen; that is a limitation of the built-in Windows client - it must use 3DES for IKE. 3DES is used only for the IKE exchange messages; the actual IP traffic is encrypted with the settings shown on the previous screen. I have noticed that even if you selected "AES-128" on the previous screen, Windows will upgrade to using AES-256. Not sure if that's a "feature" of Windows or of the Netgear device:
Set the L2TP server settings. Make sure to choose an IP range that is NOT within the same subnet as the Netgear's LAN. I am not sure why you are required to specify an IP range both here AND on the "Mode Config" page, and I am not sure how they interact. I just made them the same:
Add a user, specifying "L2TP User":
Finally, create a new VPN connection on Windows of type "L2TP/IPsec". By default, I had to click "Advanced Settings" and specify Pre-Shared Secret authentication; by default it is set to use certs. Make sure to use either the Netgear's WAN IP or a DNS record created for it, as the "IP Address or Hostname" field on the "General" tab:
At this point you should be able to connect. I noticed an MTU issue that was causing some websites not to load. From the Windows command line (as an Administrator), I had to run the following:
netsh int ipv4 set subinterface "Netgear" mtu=1300 store=persistent
Where "Netgear" is the name you gave to the new VPN connection in Windows. Typically, this setting should be done on the VPN server itself, rather than having to be done on each client. Unfortunately, Netgear chose not to give you an option to set the tunnel MTU, and evidently left it at its default of (presumably) 1500. There is perhaps an option available to set this from the Netgear's command line; of course, there is no SSH access remotely, so command line access must be done with a DB-9 null-modem cable physically at the device.
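Editor's note: the Windows half of the procedure above (create the L2TP/IPsec connection with PSK, pin the IKE and ESP proposals, connect, check what was actually negotiated, then apply the MTU workaround) can be scripted instead of clicked through. The block below is an added example, not code from the original post or from Netgear; it uses the VpnClient and NetSecurity cmdlets shipped with Windows 8.1/10 and is run from an elevated PowerShell prompt. The connection name, server hostname, LAN host address and MTU are placeholders. Because the post's screenshots are not reproduced on this page, the IKE hash (SHA1), DH group (Group2) and ESP integrity (SHA1-96) are assumptions and must be changed to match whatever the FVS336Gv3 "Mode Config" and IKE policy screens actually show; only 3DES for IKE and AES for ESP come from the post itself.

```powershell
# Added example (not from the original post): Windows 10 client side of the
# L2TP/IPsec setup described above. Run from an elevated PowerShell prompt.
# All values below are assumptions to be replaced with your own.
$Name    = 'Netgear'          # connection name; Windows also uses it as the interface alias
$Server  = 'vpn.example.com'  # the Netgear's WAN IP or a DNS record pointing at it
$LanHost = '192.168.50.1'     # a host on the Netgear LAN, used only for the MTU probe
$Mtu     = 1300               # the value the post settled on
$User    = Read-Host -Prompt 'L2TP user (as created on the FVS336Gv3)'
$Psk     = Read-Host -Prompt 'IPsec pre-shared key'

# 1. Create the connection with PSK authentication (the post's "Advanced
#    Settings -> Pre-Shared Secret" step). -EncryptionLevel Required makes the
#    client drop the session if PPP encryption cannot be negotiated instead of
#    silently continuing with a weaker level.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential:$false -Force

# 2. Pin the proposals so they match the Netgear side rather than relying on
#    the client's defaults. Main mode (IKE) uses 3DES as the post requires;
#    quick mode (ESP, the actual traffic) uses AES-256, which is what the post
#    observed Windows negotiating. Hash, DH group and ESP integrity are
#    assumptions; match them to the Mode Config / IKE policy screens.
#    Calling this cmdlet switches the connection's encryption level to Custom.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod DES3 -IntegrityCheckMethod SHA1 -DHGroup Group2 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -Force

# 3. Dial. The trailing "*" makes rasdial prompt for the password instead of
#    taking it on the command line, where it would end up in the shell history.
rasdial $Name $User *

# 4. Verify what was actually negotiated rather than trusting the GUI:
#    3DES should appear only on the main-mode (IKE) SA, AES on the quick-mode
#    (ESP) SA that carries the traffic.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, EspEncryption, EspIntegrity, Mode

# 5. The post's MTU workaround. The dial-up interface only exists while the
#    tunnel is up, so this has to run after rasdial; store=persistent keeps
#    the value across reconnects.
netsh interface ipv4 set subinterface "$Name" mtu=$Mtu store=persistent

# 6. Check that the chosen MTU really fits: a don't-fragment ping (-f) of
#    $Mtu minus the 28 bytes of IPv4 + ICMP headers must get through. If it
#    reports "Packet needs to be fragmented but DF set", lower $Mtu and repeat.
ping -n 1 -f -l ($Mtu - 28) $LanHost
```

Step 4 is the check worth keeping even if you configure the connection by hand: it shows whether the 3DES choice is really confined to IKE and whether the ESP SA came up with AES-256 as the post describes, without guessing from the GUI. Step 6 turns the post's trial-and-error MTU value into a measurement; the largest payload that passes with DF set, plus 28, is the MTU the tunnel can actually carry.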