Connecting ClearOS IPsec to Netgear
This guide covers tips for connecting ClearOS 6.x to Netgear routers. Specifically it was tested against the SRX5308 / FVX538 / FVS336G running the latest firmwares as of Jan 12, 2013.
Configuration ClearOS Side
In preparation for running the tunnel, please install the ClearOS IPsec VPN module. You must also allow the IPsec traffic with an incoming firewall rule: use the standard services pulldown menu and add 'IPsec' as the firewall rule in the Incoming firewall module.
For this example we use deliberately invalid IP addresses for the external (WAN) addresses; replace them with your own. On the ClearOS side of the tunnel the LAN network is 192.168.1.0/24, and on the Netgear side it is 10.1.1.0/24. In our examples the public WAN IP of the ClearOS server is the invalid address 260.1.7.15, and the WAN IP of the Netgear is the invalid address 302.7.3.45.
ipsec.unmanaged.TUNNEL.conf
conn TUNNEL
    authby=secret
    auto=start
    left=302.7.3.45
    leftsubnet=10.1.1.0/24
    leftsourceip=10.1.1.1
    leftid=302.7.3.45
    right=260.1.7.15
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
    rightid=260.1.7.15
    keylife=1h
    ikelifetime=8h
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
ipsec.unmanaged.TUNNEL.secrets
260.1.7.15 302.7.3.45 : PSK "supersecretpassword"
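The two unmanaged files above must agree with each other and with what the Netgear accepts: the IDs in the secrets line must be the leftid/rightid pair from the conf, the two LAN subnets must not overlap, and the PSK must fit the Netgear's 49-character limit. The following added example (not part of the ClearOS guide or its module) renders both files from the guide's placeholder values, generates a random PSK of the maximum Netgear length, checks the pair for those mistakes, and writes the secrets file with owner-only (0600) permissions. The function names, the checker's 16-character minimum PSK length and the output directory are this example's own assumptions.

```python
# Added example: render and sanity-check the ipsec.unmanaged.TUNNEL.* files.
# Addresses and subnets are the guide's placeholders (the WAN addresses are
# deliberately invalid, so only the subnets are parsed as IP networks).
import ipaddress
import os
import secrets
import string
import tempfile

NETGEAR_PSK_MAX = 49          # limit of the Netgear IKE policy dialog
PSK_ALPHABET = string.ascii_letters + string.digits  # pastes cleanly into both UIs

# Constructed from the guide's example values.
TUNNEL = {
    "name": "TUNNEL",
    "left": "302.7.3.45", "leftsubnet": "10.1.1.0/24", "leftsourceip": "10.1.1.1",
    "right": "260.1.7.15", "rightsubnet": "192.168.1.0/24", "rightsourceip": "192.168.1.1",
}


def generate_psk(length=NETGEAR_PSK_MAX):
    """Random pre-shared key no longer than the Netgear limit."""
    if not 1 <= length <= NETGEAR_PSK_MAX:
        raise ValueError("PSK length must be 1..%d" % NETGEAR_PSK_MAX)
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def render_conf(t):
    """ipsec.unmanaged.<name>.conf in the layout the guide uses."""
    keys = ["left", "leftsubnet", "leftsourceip", "leftid",
            "right", "rightsubnet", "rightsourceip", "rightid"]
    vals = dict(t, leftid=t["left"], rightid=t["right"])
    body = ["    authby=secret", "    auto=start"]
    body += ["    %s=%s" % (k, vals[k]) for k in keys]
    body += ["    keylife=1h", "    ikelifetime=8h",
             "    dpddelay=10", "    dpdtimeout=30", "    dpdaction=restart"]
    return "conn %s\n" % t["name"] + "\n".join(body) + "\n"


def render_secrets(t, psk):
    """Openswan indexes the PSK by the pair of IDs; their order does not matter."""
    return '%s %s : PSK "%s"\n' % (t["right"], t["left"], psk)


def parse_conf(text):
    opts = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            opts[k.strip()] = v.strip()
    return opts


def check_tunnel(conf_text, secrets_text, min_psk_len=16):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    opts = parse_conf(conf_text)
    ids_part, _, psk_part = secrets_text.partition(":")
    if set(ids_part.split()) != {opts.get("leftid"), opts.get("rightid")}:
        problems.append("secrets IDs do not match leftid/rightid in conf")
    psk_part = psk_part.strip()
    if not (psk_part.startswith('PSK "') and psk_part.endswith('"')):
        problems.append("secrets line is not a quoted PSK entry")
    else:
        key = psk_part[len('PSK "'):-1]
        if len(key) > NETGEAR_PSK_MAX:
            problems.append("PSK longer than Netgear's %d-character limit" % NETGEAR_PSK_MAX)
        if len(key) < min_psk_len:          # assumed local policy, not a Netgear rule
            problems.append("PSK shorter than %d characters" % min_psk_len)
    try:
        left = ipaddress.ip_network(opts["leftsubnet"])
        right = ipaddress.ip_network(opts["rightsubnet"])
        if left.overlaps(right):
            problems.append("leftsubnet and rightsubnet overlap")
    except (KeyError, ValueError):
        problems.append("leftsubnet/rightsubnet missing or malformed")
    return problems


def write_files(directory, conf_text, secrets_text, name="TUNNEL"):
    """Write both files; the secrets file holds the PSK, so it is created 0600."""
    conf_path = os.path.join(directory, "ipsec.unmanaged.%s.conf" % name)
    sec_path = os.path.join(directory, "ipsec.unmanaged.%s.secrets" % name)
    with open(conf_path, "w") as f:
        f.write(conf_text)
    fd = os.open(sec_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secrets_text)
    return conf_path, sec_path


if __name__ == "__main__":
    conf = render_conf(TUNNEL)
    sec = render_secrets(TUNNEL, generate_psk())
    print("problems:", check_tunnel(conf, sec) or "none")
    print(write_files(tempfile.mkdtemp(), conf, sec))  # assumed scratch directory
```

On a real ClearOS box the target directory is /etc/ipsec.d (as the guide's file names imply); the example writes to a scratch directory so it can be run anywhere.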
Netgear configuration
On the Netgear side of things you will need to do the following:
- Add IKE policy.
- Call it TUNNEL (for example; you can call it something else as well).
- Set the Preshared Key to some random string up to 49 characters (for our example we used 'supersecretpassword' without the quotes).
- Enable Dead Peer Detection.
- Leave everything else at default.
Next: Create a VPN policy
- Set the policy name to TUNNEL (for example; you can call it something else as well).
- Set remote end point IP 260.1.7.15 (for our example we use this invalid IP address as discussed earlier).
- Set up the valid local and remote IPs and subnets correctly under Traffic Selection.
- Turn ON PFS key group and set to DH Group2 (1024 bit) under VPN policy.
- Select TUNNEL as the IKE policy.