NETGEAR FVX538, FVX538v2, SRX5308, Quad WAN Gigabit SSL VPN Firewall Application Note

Application Note
Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Summary
A Hub-and-Spoke VPN allows multiple sites to communicate through a central hub site. This application note describes how to configure a Hub-and-Spoke VPN when one of the spokes is the NETGEAR VPN client. It has been tested with the FVX538 router, firmware version 2.x and NETGEAR ProSafe® VPN client, version 10.7.2 (Build 12).
Note: See Hub-and-Spoke VPN for general instructions on configuration that does not use the VPN Client.
In this configuration, there is a gateway-to-gateway VPN tunnel between FVX538 #1 and FVX538 #2. By establishing a VPN connection to FVX538 #1, the software VPN client gains access to Local Area Network #2 behind FVX538 #2 through FVX538 #1.
Procedure
This procedure was developed and tested using:
NETGEAR FVX538 ProSafe VPN Firewall with version 2.x firmware
o WAN1 (10.1.1.2) IP address: 192.168.1.0
o WAN1 IP address subnet: 255.255.255.0
o WAN2 (10.1.2.2) IP address: 192.168.2.0
o WAN2 IP address subnet: 255.255.255.0
NETGEAR ProSafe VPN client, version 10.7.2 (Build 12)
o IP address: 192.168.1.100
IP Address Requirements
This configuration requires advanced IP address planning. The VPN client policy needs to address both Local Area Network #1 and Local Area Network #2 in the same client policy profile. Therefore, the two networks must be presentable as one subnet or one address range.
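The planning step above can be checked before any policy is created. The following is an added example, not part of the NETGEAR note: it compares the smallest single subnet and the smallest address range that cover two LANs, and counts the addresses each selector would expose beyond the two LANs. The /24 LAN subnets used are assumed values for illustration.

```python
import ipaddress


def common_supernet(a, b):
    """Smallest single subnet that contains both networks."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()  # widen by one prefix bit at a time
    return net


def plan(lan1, lan2):
    """Compare 'one subnet' and 'one address range' selectors for two LANs."""
    a = ipaddress.ip_network(lan1)
    b = ipaddress.ip_network(lan2)
    if a.overlaps(b):
        raise ValueError("LAN subnets overlap; renumber one site first")
    wanted = a.num_addresses + b.num_addresses

    # Option 1: one subnet in the client policy.
    net = common_supernet(a, b)

    # Option 2: one address range in the client policy.
    first = min(a.network_address, b.network_address)
    last = max(a.broadcast_address, b.broadcast_address)
    range_size = int(last) - int(first) + 1

    return {
        "subnet": str(net),
        # Addresses the tunnel selector covers that belong to neither LAN.
        "subnet_extra": net.num_addresses - wanted,
        "range": (str(first), str(last)),
        "range_extra": range_size - wanted,
    }


if __name__ == "__main__":
    # Assumed LAN subnets behind the two firewalls (illustrative values).
    result = plan("192.168.1.0/24", "192.168.2.0/24")
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-zero `subnet_extra` or `range_extra` means the client policy would send traffic for addresses outside both LANs into the tunnel, so the option with the smaller count is the tighter selector.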
Note: You can create the IKE and VPN policies using the VPN wizard, and then modify them. You can also create the IKE and VPN policies manually.
Configuring the Hub-and-Spoke VPN
To configure the FVX538 #1 (the Hub):
1. Create an IKE policy for VPN to FVX538 #2.
2. Create a VPN policy using the IKE policy created in Step 1. The local IP subnet is the LAN subnet behind FVX538 #1. The remote IP subnet is the LAN subnet behind FVX538 #2.