DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual
Virtual Private Networking
5-23
v1.0, April 2007
The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use. For each Certificate, the following data is listed:
Name. The name you used to identify this Certificate.
Subject Name. This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
Serial Number. A serial number maintained by the CA. It is used to identify the certificate within the CA.
Issuer Name. The name of the CA which issued the Certificate.
Expiry Time. The date on which the Certificate expires. You should renew the Certificate before it expires.
Generating a Self Certificate Request
To use a Certificate, you must first request the certificate from the CA, then download and activate the certificate on your system.
To request a Certificate from the CA:
1. From the main menu under VPN, select the Certificates submenu. The Certificates screen will display.
2. In the Generate Self Certificate Request, enter the required data:
Name – Enter a name that will identify this Certificate.
Subject – This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.)
From the pull-down menus, select the following values:
Hash Algorithm: MD5 or SHA2.
Signature Algorithm: RSA.
Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.)
3. Complete the Optional fields, if desired, with the following information:
IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
Domain Name – If you have a Domain name, you can enter it here. Otherwise, you should leave this field blank.
E-mail Address – Enter your e-mail address in this field.
4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.
5. Click View under the Action column to view the request.
Figure 5-18
6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificate Requests table showing a Status of “Waiting for Certificate upload”.
To submit your Certificate request to a CA:
1. Connect to the Website of the CA.
2. Start the Self Certificate request procedure.
3. When prompted for the requested data, copy the data from your saved data file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
4. Submit the CA form. If no problems ensue, the Certificate will be issued.
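Before the saved request file goes to the CA, a quick check of it catches the two common paste mistakes (missing BEGIN/END lines, a truncated body) and flags the two weak menu choices the router offers (MD5 hash, 512-bit key). The checker below is an added example, not code from the manual or from NETGEAR; it assumes an RSA request as the router generates, uses only the Python standard library, and the input produced by `sample_csr` is a constructed, unsigned CSR-shaped structure rather than a real request.

```python
import base64, textwrap
BEGIN, END = "-----BEGIN CERTIFICATE REQUEST-----", "-----END CERTIFICATE REQUEST-----"
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
MD5_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010104"), bytes.fromhex("2a864886f70d01010b")  # ...1.1.4 / ...1.1.11

def der(tag, body):  # minimal DER TLV encoder, used only to build the constructed sample
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def tlv(buf, i=0):  # decode one DER TLV at offset i -> (tag, value, offset after it)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, buf[i:i + n], i + n

def children(body):  # decode every TLV inside a constructed value
    out, i = [], 0
    while i < len(body):
        tag, val, i = tlv(body, i)
        out.append((tag, val))
    return out

def check_csr(text):  # validate a pasted PEM CSR: framing, DER length, RSA key size, signature hash
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return {"ok": False, "reason": "BEGIN/END lines missing or malformed"}
    try:
        raw = base64.b64decode("".join(lines[1:-1]), validate=True)
        tag, body, end = tlv(raw)
        if tag != 0x30 or end != len(raw):
            return {"ok": False, "reason": "DER length mismatch: truncated paste or trailing data"}
        info, sig_alg, _sig = children(body)             # CertificationRequest
        alg, pubkey = children(children(info[1])[2][1])  # SubjectPublicKeyInfo is the 3rd field
        if children(alg[1])[0][1] != RSA_OID:
            return {"ok": False, "reason": "public key is not RSA"}
        # skip the BIT STRING pad byte, then RSAPublicKey SEQUENCE { modulus INTEGER, exponent INTEGER }
        bits = int.from_bytes(children(tlv(pubkey[1][1:])[1])[0][1], "big").bit_length()
        hash_oid = children(sig_alg[1])[0][1]
    except (ValueError, IndexError):
        return {"ok": False, "reason": "body is not a well-formed PKCS#10 request"}
    warnings = [w for bad, w in ((hash_oid == MD5_RSA, "MD5 signature hash is broken; regenerate with SHA2"),
                                 (bits < 2048, f"{bits}-bit RSA key is below the 2048-bit minimum")) if bad]
    return {"ok": True, "key_bits": bits, "warnings": warnings}

def sample_csr(key_bytes=256, sig_oid=SHA256_RSA):  # constructed, unsigned CSR-shaped DER (empty subject)
    modulus = der(0x02, b"\x00\x80" + b"\x11" * (key_bytes - 1))  # positive INTEGER, top bit set
    rsa_key = der(0x30, modulus + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))
    sig = der(0x30, der(0x06, sig_oid) + der(0x05, b"")) + der(0x03, b"\x00" * (key_bytes + 1))
    return "\n".join([BEGIN, *textwrap.wrap(base64.b64encode(der(0x30, info + sig)).decode(), 64), END])
```

Run `check_csr(open("request.txt").read())` on the file saved in step 6; an empty `warnings` list with `ok` true means the paste is complete and uses the stronger menu choices.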
Uploading a Trusted Certificate
After obtaining a new Certificate from the CA, you must upload the certificate to this device and add it to your Trusted Certificates.
To upload your new certificate:
1. From the main menu, under VPN, select Certificates. The Certificates screen will display. Scroll down to the Self Certificate Requests section.
2. Click Browse, and locate the certificate file on your PC. Select the file name in the “File to upload” field and click Upload. The certificate file will be uploaded to this device.
3. Scroll back to the Active Self Certificates table. The new Certificate will appear in the Active Self Certificates list.
Certificates are updated by their issuing CA on a regular basis. You should track all of your CAs to ensure that you have the latest version and/or that your certificate has not been revoked. To track your CAs, you must upload the Certificate Identity for each CA to the CRL.
Managing your Certificate Revocation List (CRL)
CRL (Certificate Revocation List) files show Certificates which are active and certificates which have been revoked, and are no longer valid. Each CA issues its own CRLs.
It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly.
The CRL table lists your active CAs and their critical release dates:
CA Identity – The official name of the CA which issued this CRL.
Last Update – The date when this CRL was released.
Next Update – The date when the next CRL will be released.
To upload a Certificate Identity to the CRL:
1. From the main menu under VPN, select Certificates. The Certificates screen will display showing the CRL (Certificate Revocation List) table at the bottom of the screen.
2. Click Browse, and then locate the file you previously downloaded from a CA.
3. Select the Certificate Identity file. The name will appear in the “File to upload” field. Click Upload.
Click Back to return to the CRL list. The new Certificate Identity will appear in the CRL Table. If you have a previous CA Identity from the same CA, it should now be deleted.
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a VPN gateway router, an administrator may want a unique
user authentication method beyond relying on a single common preshared key for all clients.
Although the administrator could configure a unique VPN policy for each user, it is more
convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
XAUTH provides the mechanism for requesting individual authentication information from the
user, and a local User Database or an external authentication server, such as a RADIUS server,
provides a method for storing the authentication information centrally in the local network.
XAUTH is enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
Edge Device. If this is selected, the router is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
Figure 5-19
IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will display.
2. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
3. In the Extended Authentication section, check the Edge Device radio box to use this router as a VPN concentrator where one or more gateway tunnels terminate. You then must specify the authentication type to be used in verifying credentials of the remote VPN gateways. (Either the User Database or RADIUS Client must be configured when XAUTH is enabled.)
4. In the Extended Authentication section, select the Authentication Type from the pull-down menu which will be used to verify user account information. Select:
Edge Device – to use this router as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways.
User Database – to verify against the router’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-29).
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server.
Note: If you are modifying an existing IKE Policy to add XAUTH, and it is in use by a VPN Policy, the VPN policy must be disabled before you can modify the IKE Policy.