Chapter 8. Virtual Private Networking
N300 Wireless ADSL2+ Modem Router DGN2200
HLifeTime (Secs). The remaining hard lifetime for this SA in seconds. When the hard lifetime becomes 0 (zero), the SA (security association) is terminated. (It is re-established if required.)
Deactivate a VPN Tunnel
Sometimes a VPN tunnel has to be deactivated for testing purposes. You can deactivate a
VPN tunnel from two places:
Policy table on VPN Policies screen
VPN Status screen
Use the Policy Table on the VPN Policies Screen to Deactivate a VPN Tunnel
1. Select Advanced - VPN > VPN Policies to display the VPN Policies screen.
2. In the Policy Table, clear the Enable check box for the VPN tunnel that you want to deactivate, and then click Apply. (To reactivate the tunnel, select the Enable check box, and then click Apply.)
Use the VPN Status Screen to Deactivate a VPN Tunnel
1. Select Advanced - VPN > VPN Status to display the VPN Status screen.
2. Click VPN Status. The Current VPN Tunnels (SAs) screen displays.
3. Click Drop for the VPN tunnel that you want to deactivate.
Delete a VPN Tunnel
1. Select Advanced - VPN > VPN Policies to display the VPN Policies screen.
2. In the Policy Table, select the radio button for the VPN tunnel to be deleted, and then click Delete.
Set Up VPN Tunnels in Special Circumstances
When the VPN Wizard and its VPNC defaults (see Table 4 on page 97) are not appropriate for your circumstances, use one of these alternatives:
Auto Policy. For a typical automated Internet Key Exchange (IKE) setup, see Use Auto Policy to Configure VPN Tunnels on page 118. Auto Policy uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys.
Manual Policy. For a manual keying setup in which you have to specify each phase of the connection, see Use Manual Policy to Configure VPN Tunnels on page 125. Manual policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex, and there are more opportunities for errors or configuration mismatches between your DGN2200 and the corresponding VPN endpoint gateway or client workstation.
Use Auto Policy to Configure VPN Tunnels
You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end have to match the inbound VPN settings on the other end, and vice versa. See Example of Using Auto Policy on page 122 for an example of using Auto Policy.
Configure VPN Network Connection Parameters
All VPN tunnels on the modem router require that you configure several network parameters.
This section describes those parameters and how to access them.
The most common configuration scenarios use IKE to manage the authentication and
encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to
automatically generate and update the required encryption parameters.
Select Advanced - VPN > VPN Policies, and click the Add Auto Policy button to display the VPN - Auto Policy screen.
The DGN2200 VPN tunnel network connection fields are defined in the following sections.
VPN Auto Policy General Settings
Policy Name. Enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.
Remote VPN Endpoint. The remote VPN endpoint has to have this VPN gateway’s address entered as its remote VPN endpoint.
If the remote endpoint has a dynamic IP address, select Dynamic IP Address. No address data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select an option (IP address or domain name) and enter the address of the remote VPN endpoint to which you want to connect.
IKE Keep Alive. If you want to ensure that a connection is kept open, or, if that is not possible, that it is quickly re-established when a connection is lost, select this check box.
The ping IP address has to be associated with the remote endpoint. You have to use the
remote LAN address. This IP address will be pinged periodically to generate traffic for the
VPN tunnel. The remote keep-alive IP address needs to be covered by the remote LAN
IP range and to correspond to a device that can respond to a ping. The range should be
made as narrow as possible to meet this objective.
VPN Auto Policy Local LAN Settings
The remote VPN endpoint needs to have these IP addresses entered as its remote
addresses.
Subnet Mask. The network mask.
Single/Start IP Address. Enter the IP address for a single address, or the starting address for an address range. A single address setting is used when you want to make a single server on your LAN available to remote users. A range has to be an address range used on your LAN.
Any. The remote VPN endpoint might be at any IP address.
Finish IP Address. For an address range, enter the finish IP address. This needs to be an address range used on your LAN.
VPN Auto Policy Remote LAN Settings
The remote VPN endpoint has to have these IP addresses entered as its local addresses.
IP Address. If there is no LAN (only a single PC) at the remote endpoint, select the Single PC - no Subnet option. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.
Single/Start IP Address. Enter an IP address that is on the remote LAN. You can use this setting when you want to access a server on the remote LAN.
- For a range of addresses, enter the starting IP address. This needs to be an address range used on the remote LAN.
- Any. Any outgoing traffic from the computers in the Local IP fields triggers an attempted VPN connection to the remote VPN endpoint. Be sure you want this option before selecting it.
Finish IP Address. Enter the finish IP address for a range of addresses. This has to be an
address range used on the remote LAN.
Subnet Mask. Enter the network mask.
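
Added example (not from the NETGEAR manual): a Python check that two Auto Policy configurations mirror each other as the General, Local LAN and Remote LAN settings above require, and that the keep-alive ping address falls inside the remote LAN range. The dictionary layout, field names and addresses are hypothetical, since the modem router exposes these settings only through its web screens; the check compares start/finish ranges and ignores subnet masks.

```python
import ipaddress

def lan_range(sel):
    """Expand a LAN selector into (first, last); 'any' covers all of IPv4."""
    if sel["type"] == "any":
        return ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")
    start = ipaddress.IPv4Address(sel["start"])
    finish = ipaddress.IPv4Address(sel.get("finish", sel["start"]))
    return start, finish

def check_policy_pair(a, b):
    """Return mismatch findings for two endpoint policies (hypothetical layout)."""
    findings = []
    for near, far in ((a, b), (b, a)):
        name = near["name"]
        # Local LAN on one end must equal Remote LAN on the other end.
        if lan_range(near["local_lan"]) != lan_range(far["remote_lan"]):
            findings.append(f"{name}: local LAN does not match peer's remote LAN")
        # The peer must list this gateway's address as its remote endpoint.
        if far["remote_endpoint"] not in ("dynamic", near["wan_address"]):
            findings.append(f"{name}: peer's remote endpoint is not this gateway")
        # The keep-alive ping target has to fall inside the remote LAN range.
        ping = near.get("keepalive_ping")
        if ping:
            lo, hi = lan_range(near["remote_lan"])
            if not lo <= ipaddress.IPv4Address(ping) <= hi:
                findings.append(f"{name}: keep-alive IP {ping} outside remote LAN range")
        # 'Any' makes all outgoing traffic trigger a VPN connection attempt.
        if near["remote_lan"]["type"] == "any":
            findings.append(f"{name}: remote LAN is 'Any'; confirm this is intended")
    return findings

# Constructed sample policies (documentation addresses, not from the manual).
SITE_A = {"name": "site-a", "wan_address": "198.51.100.10", "remote_endpoint": "203.0.113.20",
          "local_lan": {"type": "range", "start": "192.168.0.1", "finish": "192.168.0.254"},
          "remote_lan": {"type": "range", "start": "192.168.3.1", "finish": "192.168.3.254"},
          "keepalive_ping": "192.168.3.1"}
SITE_B = {"name": "site-b", "wan_address": "203.0.113.20", "remote_endpoint": "198.51.100.10",
          "local_lan": {"type": "range", "start": "192.168.3.1", "finish": "192.168.3.254"},
          "remote_lan": {"type": "range", "start": "192.168.0.1", "finish": "192.168.0.100"},
          "keepalive_ping": "192.168.1.1"}

if __name__ == "__main__":
    for finding in check_policy_pair(SITE_A, SITE_B):
        print(finding)
```
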
VPN Auto Policy IKE Settings
Direction. This setting is used when the modem router determines if the IKE policy matches the current traffic. Select an option.
- Responder only. Incoming connections are allowed, but outgoing connections are blocked.
- Initiator and Responder. Both incoming and outgoing connections are allowed.
Exchange Mode. Ensure that the remote VPN endpoint is set to use Main Mode.
