hypercube (United States) asked:

Choice of VPN approaches.

I have an office using a Netgear router and Netgear VPN client software on the client computers.  This has been running more or less fine for a couple of years.  But lately there have been sporadic reports that the clients can't "connect" which I assume means the tunnel won't come up all the time.

This has led to a discussion about using the Windows VPN capability on the office file server as a VPN server and using the Windows VPN client on the client computers.  
I know this will entail port forwarding on the router and a DynDNS URL.
I guess the assumption has to be that the Netgear implementation is faulty and this will fix it.

I want to be proactive and willing to try things.
I know I could use something else like UltraVNC but I don't particularly want to go there.
Any "gotchas" switching from router-based to internal Windows VPN server-based (on a Windows 8.1 workstation / file server)?
Well, if the Netgear/Netgear Client setup is questionable, is it more likely the router or the client software?  I'd like to keep the router if possible but would surely consider a different client program.
I would question the router personally.  I have an FVS318 that I used with a network that would need to be restarted and clients would fail.  I moved to another brand and this issue no longer persists.
Agreed. That router is fine for general use but leaves much to be desired for client VPN.
How about RV042?
This is more of a consumer type device.  If you are looking for inexpensive, the Sonicwall TZ 215 or the WatchGuard XTM 3 Series or WatchGuard XTM 2 Series.

You want to make sure that the device can handle the internal traffic as well as the external, especially the unsolicited traffic that can overrun cheaper units.
Agree with Mike. You should be looking at something more business centric. Sonicwall is a popular option.
Cisco RV models are strong devices and not consumer machines. They will have a small business environment. So also will Juniper Netscreen.
All of the reviews that I have found and read about this device say that it is a Linksys re-branded with Cisco labeling. They complain about the VPN dropping while in use.  Those who rate the device high don't appear to be using the VPN portion. I do agree that the Juniper units work very well. I have at least two of them in clients' offices currently.
I have a Cisco RV325 in my home office (and RV042G  before that). Site to Site tunnels stay up for months on end. I have been doing this for years now. I connect mostly to Juniper with a couple of other RVxx units. I keep firmware upgraded.
Thanks folks.  

The VPN will be client-to-site so the client software will always be a question.  I followed up on John Hurst's recommendation for NCP Secure Entry at $144ea.  Other comments?

I have plenty of experience with site-to-site but much less with client-to-site with RV0xx and some with Juniper Networks SSG and SRX.  So, one question about the client-to-site setups.  With the current Netgear, (in addition to the remote subnet where the client resides), and unlike site-to-site VPNs, there's a subnet for the clients that's set up in the VPN router that's different from the central LAN subnet.  Then each client manually self-specifies an IP address on that 3rd subnet.
In some sense (e.g. Windows firewall) it would be simpler if the subnet of the client machines VPN IP addresses were in the central LAN subnet.  
So, am I missing something here?  What's the notion of this 3rd subnet (in the broadest sense)?  Is it necessary for it to differ from the central LAN subnet?
Any of the Cisco and Juniper units I have used (ten years now) support both client to site and site to site.

NCP Secure Entry is not cheap, but is simply best of breed and includes NAT Traversal and this trumps cheaper ways.
If you choose to spend 144.00 ea. for the NCP, why not spend 600.00 total for a firewall with IPSec that includes the client with the device? Most of your higher end (mainstream manufacturers, not automatically expensive) units include a client for free if you purchase the devices. I currently have 10 buildings and 1800 users over the last 15 years using firewall-provided clients for VPN. The devices were upgraded from SonicWall 2040 firewalls to WatchGuard XTM devices for the added features.  What John is proposing is an acceptable answer, but is it the complete solution?  You may want to look a little further just to be sure.  Again, I am not taking shots at John; I agree that his solution will satisfy the task. I just want to make sure this is the complete solution that you are looking for.
Multiple licenses for NCP are under $100 for 10 licenses.
Why use third-party software for a firewall when you can get a client from the same manufacturer?  You will never have the he-said-she-said between vendors.  You always have the potential of the firewall taking a needed update that the client doesn't support until you upgrade the client. WatchGuard will upgrade the client during the connection if there is a change in the firmware that is not compatible.  You can also set up client sign-in and they can set up the VPN on their own without the help of IT.  It's a client-side website built into the WatchGuard over SSL, and after the user logs in to the site there is a button to click and the client is downloaded directly to the machine.  I deployed 200 clients without having to touch a single system.
Any VPN client application I have used from the hardware vendor fails at NAT Traversal. I have clients affected by that and they willingly purchase NCP because it saves time for expensive people. That is why, in a nutshell. You get what you pay for.
John,

You have used, in my opinion, inexpensive hardware that is used for very small (3 to 5 user) offices.  I am just making suggestions to satisfy the needs of Fred Marshall who posted the question. I agreed with you that Juniper makes a quality device.  I am not a fan of Netgear or Linksys (re-branded) Cisco lower end devices.  These are my opinions about the solution and I am sure the solution you provided will satisfy the need, but again, is it the complete solution?  Thanks for taking the time to provide insight and offering your knowledge for free. This is why I use this site and find it a great resource.

Fred Marshall,

I have marked your question as a good one and feel this is an issue a lot of IT consultants/IT leads deal with on a regular basis: what is the best for the dollar you are spending.  Good luck with whatever you decide, and may the solution you choose be the proper one to satisfy your needs. Please post your choices and experiences for others struggling with these choices.

Good Luck.
Cisco RVxx are good to the 10 user level and very robust. I also (check above) recommended Juniper Netscreen (good to 50 and above) and Juniper are also very robust.

I never used free Cisco VPN software. I used paid Juniper Netscreen software (roughly half as expensive as NCP) and it could not handle NAT traversal (hotel rooms if the reader does not understand the implications). I also used SafeNet for Vista by SoftRemote (Juniper supplier in 2008). This was 2x the cost of NCP and could not handle NAT Traversal. My Nokia CS-18 Internet key uses NAT Traversal by design, so this aspect is critical.

People can always do what they wish. I use what works.
What about the subnet question folks?
there's a subnet for the clients that's set up in the VPN router that's different from the central LAN subnet.

With Juniper Netscreen, I think you can have more than one subnet at a site.  For RV042 (that you are very familiar with), I think it just has one subnet in a site. I would have to check and I am not near one for several days. But I think it is just one.
I'm referring to the IP address for the client which is not in the central LAN subnet.
And, I'm not referring to any VLANs or equivalent that may be set up on the central router.
I just installed the Netgear ProSafe VPN Client on a Windows 7 machine and it connected to the Netgear FVS336Gv2 right away.  
However, a Windows 10 system on the same network with the Windows 7 machine above, didn't work.  Same configurations in both.....
So, it's not the local remote routers, it's not the Windows firewall (if Win7 and Win10 would be equal), it's something else.

But what could that be???
You are saying the Netgear Prosafe VPN client does not work on a Windows 10 machine. Is that correct?  

So then the Netgear VPN client is not Windows 10 compatible.
John Hurst:  Yes, one could reach that conclusion.

However, I now have 3 Windows 10 machines.
- two of them don't connect at all.
- one of them does connect but has problems of dropouts and that's the one I started on.
So, even that's not consistent....
The results suggest that it *can* work on Windows 10 but when it does there are either weaknesses or, as yet, unknown tweaks needed.
Forum correspondence with Netgear suggests there is hope but hasn't gone beyond "try this / try that".
All good comments.  Thanks!

In the end we updated the FVS336Gv2 firmware and it appears that the latest two versions of the Netgear client work with it.

I still don't know why there's a separate subnet... But, I suspect it's for the *remote* IP for the connected clients as seen by the central site router.  It's easy to miss this in the mess of things to be configured.
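To make the separate-subnet point concrete: a client-to-site pool that is disjoint from the office LAN lets the central router route "office to client" traffic back into the tunnel instead of onto the LAN, and the same disjointness is needed against each client's own home or hotel subnet. The following is an added example, not code from any poster or from Netgear; all addresses are constructed, and the helper names are made up for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample plan (not from the thread): the central office LAN, the
# separate pool the VPN router hands to remote clients, and the subnets the
# clients connect from. The first remote LAN deliberately collides with the office.
CENTRAL_LAN = "192.168.1.0/24"
CLIENT_POOL = "172.16.100.0/24"
REMOTE_LANS = ["192.168.1.0/24", "10.0.0.0/24"]
# Clients that "manually self-specify" an address: bob duplicates alice, carol
# picked an office-LAN address instead of one from the pool.
CLIENT_IPS = {"alice": "172.16.100.10", "bob": "172.16.100.10", "carol": "192.168.1.50"}

def check_plan(central_lan: str, client_pool: str, remote_lans: List[str]) -> List[str]:
    """Return findings for overlapping subnets in a client-to-site addressing plan."""
    lan = ipaddress.ip_network(central_lan, strict=False)
    pool = ipaddress.ip_network(client_pool, strict=False)
    findings = []
    if pool.overlaps(lan):
        findings.append(f"client pool {pool} overlaps office LAN {lan}")
    for r in remote_lans:
        rn = ipaddress.ip_network(r, strict=False)
        if rn.overlaps(lan):
            findings.append(f"remote LAN {rn} overlaps office LAN {lan}")
        if rn.overlaps(pool):
            findings.append(f"remote LAN {rn} overlaps client pool {pool}")
    return findings

def check_client_ips(client_pool: str, client_ips: Dict[str, str]) -> List[str]:
    """Find manually chosen client addresses that fall outside the pool or are reused."""
    pool = ipaddress.ip_network(client_pool, strict=False)
    findings, seen = [], {}
    for name, ip in client_ips.items():
        addr = ipaddress.ip_address(ip)
        if addr not in pool:
            findings.append(f"{name}: {addr} is not in client pool {pool}")
        if addr in seen:
            findings.append(f"{name}: {addr} already used by {seen[addr]}")
        seen.setdefault(addr, name)
    return findings

if __name__ == "__main__":
    for line in check_plan(CENTRAL_LAN, CLIENT_POOL, REMOTE_LANS) + check_client_ips(CLIENT_POOL, CLIENT_IPS):
        print(line)
```

A remote-LAN collision with the office LAN is the case that shows up as "the tunnel is up but I can't reach anything", since the client's host routes office traffic to its local network.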
Thanks for the update and I was happy to help.
Fred,

Glad to see everything worked out for you.  Good call on the firmware and a fix for your needs.