Virtual Private Networking
111
N300 Wireless ADSL2+ Modem Router DGN2200v4
- SLifeTime (Secs). The remaining soft lifetime for this SA in seconds. When the soft
  lifetime becomes 0 (zero), the SA (security association) is renegotiated.
- HLifeTime (Secs). The remaining hard lifetime for this SA in seconds. When the hard
  lifetime becomes 0 (zero), the SA (security association) is terminated. (It is
  reestablished if necessary.)
Deactivate a VPN Tunnel

Sometimes a VPN tunnel has to be deactivated for testing purposes. You can deactivate a
VPN tunnel from two places:
- the Policy Table on the VPN Policies screen
- the VPN Status screen

To use the Policy Table to deactivate a VPN tunnel:
1. Select Advanced > Advanced - VPN > VPN Policies.
2. In the Policy Table, clear the Enable check box for the VPN tunnel that you want to
   deactivate.
3. Click Apply.
   To reactivate the tunnel, select the Enable check box and click Apply.

To use the VPN Status screen to deactivate a VPN tunnel:
1. Select Advanced > Advanced - VPN > VPN Status, and click the VPN Status button.
   The Current VPN Tunnels (SAs) screen displays.
2. Click Drop for the VPN tunnel that you want to deactivate.
Delete a VPN Tunnel

To delete a VPN tunnel:
1. Select Advanced > Advanced - VPN > VPN Policies.
2. Select the radio button for the VPN tunnel.
3. Click Delete.
Auto Policy Example

You need to configure matching VPN settings on both VPN endpoints. The outbound VPN
settings on one end have to match the inbound VPN settings on the other end, and vice versa.
Auto policy creates a typical automated Internet Key Exchange (IKE) setup. Auto Policy uses
the IKE protocol to define the authentication scheme and automatically generate the
encryption keys.

[Figure: Gateway A and Gateway B joined by a VPN tunnel; addresses shown: 22.23.24.25,
14.15.16.17, IP: 192.168.3.1]
Figure 15. Example of an Auto policy for a gateway-to-gateway tunnel
Add or Edit a VPN Auto Policy

An Auto VPN policy uses IKE (Internet Key Exchange) to exchange and negotiate
parameters for the IPSec SA (security association). Because of this negotiation, not all of the
settings on this VPN gateway have to match the settings on the remote VPN endpoint.
Where settings have to match, this requirement is indicated.

To add an Auto policy:
1. Set the LAN IPs on each gateway to different subnets and configure each correctly for
   the Internet.
2. Select Advanced > Advanced - VPN > VPN Policies and click the Add Auto Policy
   button.
3. Specify the general settings:
   - In the Policy Name field, enter a unique name.
     This name is not supplied to the remote VPN endpoint. It is used only to help you
     manage the policies.
   - From the Address Type list, select Fully Qualified Domain Name, Dynamic IP
     Address, or Fixed IP Address.
     You can set up multiple remote dynamic IP policies, but only one policy can be
     enabled at a time.
   - If you want to ensure that a connection is kept open, or, if that is not possible, that
     it is quickly reestablished when disconnected, select the IKE Keep Alive check box
     and fill in the Ping IP Address field.
   - Fill in the Ping IP Address field.
     The ping IP address has to be associated with the remote endpoint. Either the WAN
     or a LAN address can be used; a LAN address is preferable. This IP address is
     pinged to generate some traffic for the VPN tunnel.
4. Specify the Local LAN settings:
   - From the IP Address list, select Subnet address, Single address, or Range address.
   - Fill in the Single/Start IP Address field.
   - If you are specifying a range, fill in the Finish IP Address field.
     This range must be an address range used on your LAN. For a single IP address, do
     not fill in the Finish IP Address field.
   The remote VPN endpoint must have these IP addresses entered as its remote
   addresses.
5. Specify the Remote LAN settings:
   - From the IP Address list, select Single PC - no Subnet, Single address, Range
     address, or Subnet address.
     If there is no LAN (only a single computer) at the remote endpoint, select the Single
     PC - no Subnet option. The Single address option is typically used to access a server
     on the remote LAN.
   - If you want to specify a range, fill in the Finish IP Address field.
     This range must be an address range used on the remote LAN.
   - Fill in the Subnet Mask field.
   The remote VPN endpoint must have these IP addresses entered as its local addresses.
6. Specify the IKE settings:
   - From the Direction list, select either Responder only or Initiator and Responder.
     The modem router uses this setting to determine if the IKE policy matches the current
     traffic. With the Responder only setting, incoming connections are allowed and
     outgoing connections are blocked. With the Initiator and Responder setting, both
     incoming and outgoing connections are allowed.
   - Ensure that the remote VPN endpoint is set to use Main Mode.
   - Select the Diffie-Hellman (DH) Group from the list.
     The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group
     setting determines the bit size used in the exchange. This value needs to match the
     value used on the remote VPN gateway.
   - Select the local identity type.
     Select an option to match the Remote Identity Type setting on the remote VPN
     endpoint.
     - WAN IP Address. Your Internet IP address.
     - Fully Qualified Domain Name. Your domain name.
     - Fully Qualified User Name. Your name, email address, or other ID.
   - Select the remote identity type.
     Select the option that matches the Local Identity Type setting on the remote VPN
     endpoint.
     - IP Address. The Internet IP address of the remote VPN endpoint.
     - Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
     - Fully Qualified User Name. The name, email address, or other ID of the remote
       VPN endpoint.
7. Specify the following parameters:
   - Select the encryption algorithm.
     This is the encryption algorithm used for both IKE and IPSec. This setting has to
     match the setting used on the remote VPN gateway. DES and 3DES are supported.
     - DES. The Data Encryption Standard (DES) processes input data that is 64 bits
       wide, encrypting these values using a 56-bit key. Faster but less secure than
       3DES.
     - 3DES. Triple DES achieves a higher level of security by encrypting the data
       three times using DES with three different, unrelated keys.
   - Select the authentication algorithm.
     This is the authentication algorithm used for both IKE and IPSec. This setting has to
     match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are
     supported. Auto negotiates with the remote VPN endpoint and is not available in
     responder-only mode.
     - MD5. 128 bits, faster but less secure.
     - SHA-1. 160 bits, slower but more secure. This is the default.
   - Enter the pre-shared key.
     The key has to be entered both here and on the remote VPN gateway.
   - Enter the SA life time value.
     This value is the time interval before the SA (security association) expires. (It is
     automatically reestablished as required.) While using a short time period (or data
     amount) increases security, it also degrades performance. It is common to use
     periods over an hour (3600 seconds) for the SA life time. This setting applies to both
     IKE and IPSec SAs.
   - If you want enhanced security, select the Enable IPSec PFS (Perfect Forward
     Secrecy) check box.
     If this check box is selected, security is enhanced by ensuring that the key is changed
     at regular intervals. Also, even if one key is broken, subsequent keys are no easier to
     break. (Each key has no relationship to the previous key.)
     This setting applies to both IKE and IPSec SAs. When configuring the remote
     endpoint to match this setting, you might have to specify the key group used. For this
     device, the key group is the same as the DH Group setting in the IKE section.
8. Click Apply.
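The "has to match" rules that steps 1 through 7 spread across the two gateways can be checked before the tunnel is brought up. The Python below is an added example, not part of this manual or of the router's software: it models one Auto policy per gateway and reports settings that must be identical but differ, local/remote settings that are not mirrored, two responder-only ends that can never connect, and the options the manual itself calls less secure. The Figure 15 gateways are used as constructed sample input; the second LAN subnet (192.168.5.0/24), the DH group, the pre-shared key and the assignment of the two WAN addresses to Gateway A and B are assumptions, and both sides are assumed to pick an explicit authentication algorithm rather than Auto.

```python
from dataclasses import dataclass

@dataclass
class AutoPolicy:            # one gateway's Auto policy (VPN Policies screen fields)
    local_lan: str           # Local LAN address/range this gateway protects
    remote_lan: str          # Remote LAN address/range entered on this gateway
    direction: str           # "Responder only" or "Initiator and Responder"
    local_id: str            # Local Identity (WAN IP, FQDN or user name)
    remote_id: str           # Remote Identity expected from the peer
    dh_group: int            # IKE Diffie-Hellman group
    encryption: str          # "DES" or "3DES"
    authentication: str      # "MD5" or "SHA-1" (Auto not modelled here)
    psk: str                 # pre-shared key
    pfs: bool                # Enable IPSec PFS check box

MUST_MATCH = ("dh_group", "encryption", "authentication", "psk", "pfs")  # identical on both ends

def check_pair(a: AutoPolicy, b: AutoPolicy) -> list:
    issues = []  # an empty result means the two policies mirror each other
    for f in MUST_MATCH:
        if getattr(a, f) != getattr(b, f):
            issues.append(f"{f} differs: {getattr(a, f)!r} vs {getattr(b, f)!r}")
    # Local settings on one end are the remote settings on the other, and vice versa.
    if a.local_lan != b.remote_lan or b.local_lan != a.remote_lan:
        issues.append("local/remote LAN settings are not mirrored")
    if a.local_id != b.remote_id or b.local_id != a.remote_id:
        issues.append("local/remote identities are not mirrored")
    if a.local_lan == b.local_lan:
        issues.append("both gateways use the same LAN subnet")
    # "Responder only" blocks outgoing connections, so one side must be able to initiate.
    if a.direction == b.direction == "Responder only":
        issues.append("neither gateway is allowed to initiate the tunnel")
    for g in (a, b):  # choices the manual itself describes as less secure
        if g.encryption == "DES":
            issues.append(f"{g.local_id}: DES is less secure than 3DES")
        if g.authentication == "MD5":
            issues.append(f"{g.local_id}: MD5 is less secure than SHA-1")
        if not g.pfs:
            issues.append(f"{g.local_id}: Perfect Forward Secrecy is disabled")
    return issues

def figure15_pair():
    # Constructed sample: the manual gives only the two WAN addresses and 192.168.3.1.
    common = dict(dh_group=2, encryption="3DES", authentication="SHA-1",
                  psk="constructed-sample-key", pfs=True)
    a = AutoPolicy("192.168.3.0/24", "192.168.5.0/24", "Initiator and Responder",
                   "22.23.24.25", "14.15.16.17", **common)
    b = AutoPolicy("192.168.5.0/24", "192.168.3.0/24", "Responder only",
                   "14.15.16.17", "22.23.24.25", **common)
    return a, b
```

Run `check_pair(*figure15_pair())` for the well-formed pair; changing one side's encryption to DES, or setting both directions to Responder only, produces the corresponding findings.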