Chapter 8. Virtual Private Networking | N300 Wireless ADSL2+ Modem Router DGN2200 | Page 121 / 167
Diffie-Hellman (DH) Group. The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value needs to match the value used on the remote VPN gateway.

Local Identity Type. Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
- WAN IP Address. Your Internet IP address.
- Fully Qualified Domain Name. Your domain name.
- Fully Qualified User Name. Your name, e-mail address, or other ID.

Local Identity Data. Enter the data for the local identity type that you selected. (If WAN IP Address is selected, no input is required.)

Remote Identity Type. Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
- IP Address. The Internet IP address of the remote VPN endpoint.
- Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
- Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.

Remote Identity Data. Enter the data for the remote identity type that you selected. (If IP Address is selected, no input is required.)

VPN Auto Policy Parameters

Encryption Algorithm. The encryption algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. DES and 3DES are supported.
- DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
- 3DES. (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.

Authentication Algorithm. The authentication algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
- MD5. 128 bits, faster but less secure.
- SHA-1. 160 bits, slower but more secure. This is the default.

Pre-shared Key. The key has to be entered both here and on the remote VPN gateway.

SA Life Time. The time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life time. This setting applies to both IKE and IPSec SAs.

Enable IPSec PFS (Perfect Forward Secrecy). If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.
Example of Using Auto Policy

[Figure 22. Auto Policy: Gateway A (14.15.16.17) and Gateway B (22.23.24.25, LAN IP 192.168.3.1) joined by a VPN tunnel across the Internet]
The following settings are assumed for this example:

Table 7. Gateway-to-Gateway VPN Tunnel Configuration Worksheet

Parameter                 | Value to Be Entered | Field Selection
--------------------------|---------------------|------------------------
Connection Name           | GtoG                | N/A
Pre-Shared Key            | 12345678            | N/A
Secure Association        | N/A                 | Main Mode / Manual Keys
Perfect Forward Secrecy   | N/A                 | Enabled / Disabled
Encryption Protocol       | N/A                 | DES / 3DES
Authentication Protocol   | N/A                 | MD5 / SHA-1
Diffie-Hellman (DH) Group | N/A                 | Group 1 / Group 2
Key Life in seconds       | 28800 (8 hours)     | N/A
IKE Life Time in seconds  | 3600 (1 hour)       | N/A

VPN Endpoint | Local IPSec ID | LAN IP Address | Subnet Mask   | FQDN or Gateway IP (WAN IP Address)
-------------|----------------|----------------|---------------|------------------------------------
Gateway_A    | GW_A           | 192.168.0.1    | 255.255.255.0 | 14.15.16.17
Gateway_B    | GW_B           | 192.168.3.1    | 255.255.255.0 | 22.23.24.25
To use Auto Policy:

1. Set the LAN IPs on each modem router to different subnets and configure each correctly for the Internet.
2. Select Advanced - VPN > VPN Policies and click the Add Auto Policy button. The VPN Auto Policy screen displays:
3. Enter these policy settings:

Auto Policy Field                  | Description
-----------------------------------|-----------------------------------------------
General                            |
  Policy Name                      | GtoG
  Remote VPN Endpoint Address Type | Fixed
  Remote VPN Endpoint Address Data | 22.23.24.25
Local LAN                          | Use the default settings.
Remote LAN                         |
  IP Address                       | Select Subnet address from the drop-down list.
  Start IP Address                 | 192.168.3.1
  Subnet Mask                      | 255.255.255.0
IKE                                |
  Direction                        | Initiator and Responder
  Exchange Mode                    | Main Mode
  Diffie-Hellman (DH) Group        | Group 2 (1024 Bit)
  Local Identity Type              | Use the default setting.
  Remote Identity Type             | Use the default setting.
Parameters                         |
  Encryption Algorithm             | 3DES
  Authentication Algorithm         | MD5
  Pre-shared Key                   | 12345678

4. Click Apply. The VPN Policies screen displays:

5. Repeat these steps for the DGN2200 on LAN B. Pay special attention to the following network settings:
- General, Remote Address Data (for example, 14.15.16.17)
- Remote LAN, Start IP Address
  - IP Address (for example, 192.168.0.1)
  - Subnet Mask (for example, 255.255.255.0)
- Pre-shared Key (for example, 12345678)

6. Use the VPN Status screen to activate the VPN tunnel:

Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See Activate a VPN Tunnel on page 112 for information about the other ways.
a. Select VPN > VPN Status to display the VPN Status/Log screen. Then click VPN Status to display the Current VPN Tunnels (SAs) screen:

b. Click Connect for the VPN tunnel that you want to activate. Review the VPN Status/Log screen (Figure a on page 111) to verify that the tunnel is connected.
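The parameter descriptions above repeat that each IKE/IPSec setting "needs to match the remote VPN gateway", that the identity types are mirrored between the two ends, and that the two LANs must sit on different subnets. As an added example (not the manual's or NETGEAR's code), the check below takes the Gateway A and Gateway B policies from the Table 7 worksheet and reports anything that would stop the tunnel from negotiating or that the manual itself calls less secure; the field names, the identity-type pairing table and the legacy-algorithm list are my own assumptions.

```python
import ipaddress

# Settings the manual says must be entered identically on both VPN gateways.
SHARED = ("exchange_mode", "dh_group", "encryption", "authentication",
          "pre_shared_key", "sa_lifetime", "pfs")
# A Local Identity Type on one end must pair with this Remote Identity Type on the other.
ID_PAIRS = {("WAN IP Address", "IP Address"),
            ("Fully Qualified Domain Name", "Fully Qualified Domain Name"),
            ("Fully Qualified User Name", "Fully Qualified User Name")}
# Choices the manual describes as "less secure" (DES, MD5); Group 1 is the 768-bit
# MODP group, smaller than the 1024-bit Group 2 used in the example (assumed list).
LEGACY = {"encryption": {"DES"}, "authentication": {"MD5"}, "dh_group": {"Group 1"}}

def worksheet_policies():
    """Gateway A and Gateway B as filled in on the Table 7 worksheet (constructed)."""
    common = dict(exchange_mode="Main Mode", dh_group="Group 2", encryption="3DES",
                  authentication="MD5", pre_shared_key="12345678", sa_lifetime=28800,
                  pfs=True, local_id_type="WAN IP Address", remote_id_type="IP Address")
    a = dict(common, name="Gateway_A", wan_ip="14.15.16.17", remote_endpoint="22.23.24.25",
             lan_ip="192.168.0.1", subnet_mask="255.255.255.0")
    b = dict(common, name="Gateway_B", wan_ip="22.23.24.25", remote_endpoint="14.15.16.17",
             lan_ip="192.168.3.1", subnet_mask="255.255.255.0")
    return a, b

def check_gateway_pair(a, b):
    """Return findings; an empty list means the two policies mirror each other cleanly."""
    findings = []
    for key in SHARED:                       # must be identical on both ends
        if a[key] != b[key]:
            findings.append(f"mismatch: {key} {a[key]!r} vs {b[key]!r}")
    for x, y in ((a, b), (b, a)):            # cross-checks against the peer
        if x["remote_endpoint"] != y["wan_ip"]:   # Remote VPN Endpoint = peer's WAN IP
            findings.append(f"endpoint: {x['name']} points at {x['remote_endpoint']}, "
                            f"peer WAN is {y['wan_ip']}")
        if (x["local_id_type"], y["remote_id_type"]) not in ID_PAIRS:
            findings.append(f"identity: {x['name']} local {x['local_id_type']!r} "
                            f"vs peer remote {y['remote_id_type']!r}")
    # Step 1 of the procedure: the two LANs must be on different subnets.
    lan_a = ipaddress.ip_network(f"{a['lan_ip']}/{a['subnet_mask']}", strict=False)
    lan_b = ipaddress.ip_network(f"{b['lan_ip']}/{b['subnet_mask']}", strict=False)
    if lan_a.overlaps(lan_b):
        findings.append(f"lan: {lan_a} overlaps {lan_b}")
    for key, bad in LEGACY.items():          # flag weak choices once per key/value
        for g in (a, b):
            if g[key] in bad and f"legacy: {key} {g[key]}" not in findings:
                findings.append(f"legacy: {key} {g[key]}")
    if a["sa_lifetime"] < 3600:              # manual: periods over an hour are usual
        findings.append(f"lifetime: {a['sa_lifetime']}s is shorter than an hour")
    return findings
```

Run against the worksheet values, the only finding is the MD5 authentication choice; changing one gateway's DH group, pre-shared key or LAN subnet produces the corresponding mismatch lines.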
Use Manual Policy to Configure VPN Tunnels

As an alternative to IKE, you can use manual keying, in which you need to specify each phase of the connection. A manual VPN policy requires all settings for the VPN tunnel to be manually input at each end (both VPN endpoints).