Chapter 6.
Virtual Private Networking
Setting up secure encrypted communications
This chapter describes how to use the virtual private networking (VPN) features of the N300 wireless modem router. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. See Appendix C, NETGEAR VPN Configuration, and click the link to Virtual Private Networking Basics on page 172 to learn more about VPNs.
This chapter is organized as follows:
- Overview of VPN Configuration
- Planning a VPN
- VPN Tunnel Configuration
- Setting Up a Client-to-Gateway VPN Configuration
- Setting Up a Gateway-to-Gateway VPN Configuration
- VPN Tunnel Control
- Setting Up VPN Tunnels in Special Circumstances
Overview of VPN Configuration
Two common scenarios for VPN tunnels are between a remote PC and a network gateway,
and between two or more network gateways. The N300 Wireless Dual Band ADSL2+
Modem Router DGND3300v2 supports both types. The N300 Wireless Dual Band ADSL2+
Modem Router DGND3300v2 supports up to five concurrent tunnels.
Downloaded from
www.Manualslib.com
manuals search engine
N300 Wireless Dual Band ADSL2+ Modem Router DGND3300v2 User Manual
Client-to-Gateway VPN Tunnels
Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a
telecommuter connecting to an office network.
Figure 49. Telecommuter VPN Tunnel
VPN client access allows a remote PC to connect to your network from any location on the Internet. The remote PC is one tunnel endpoint, running the VPN client software. The N300 wireless modem router on your network is the other tunnel endpoint. See Setting Up a Client-to-Gateway VPN Configuration on page 80 for information about how to set up this configuration.
Gateway-to-Gateway VPN Tunnels
Gateway-to-gateway VPN tunnels provide secure access between networks, such as a
branch or home office and a main office.
Figure 50. VPN Tunnel between Networks
A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use gateways on each end of the tunnel to form the VPN tunnel endpoints. See Setting Up a Gateway-to-Gateway VPN Configuration on page 90 for information about how to set up this configuration.
[Figure 49 labels: N300 Wireless Modem Router DGND3300v2; VPN Tunnel; Internet; PC running NETGEAR ProSafe VPN client]
[Figure 50 labels: Gateway A (Home); Gateway B (Office); VPN Tunnel; Internet; N300 Wireless Modem Router DGND3300v2]
Planning a VPN
When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet:

Table 1. VPN Tunnel Configuration Worksheet

Parameter | Value to Be Entered | Field Selection
Connection Name | | N/A
Pre-Shared Key | | N/A
Secure Association | N/A | Main Mode / Manual Keys
Perfect Forward Secrecy | N/A | Enabled / Disabled
Encryption Protocol | N/A | DES / 3DES
Authentication Protocol | N/A | MD5 / SHA-1
Diffie-Hellman (DH) Group | N/A | Group 1 / Group 2
Key Life in seconds | | N/A
IKE Life Time in seconds | | N/A

VPN Endpoint | Local IPSecID | LAN IP Address | Subnet Mask | FQDN or Gateway IP (WAN IP Address)

To set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. You must configure the outbound VPN settings on one end to match the inbound VPN settings on the other end, and vice versa.

This set of configuration information defines a security association (SA) between the two VPN endpoints. When planning your VPN, you must make a few choices first:
- Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC?
- Will the remote end be any device on the remote LAN, a portion of the remote network (as defined by a subnet or by a range of IP addresses), or a single PC?
- Will either endpoint use fully qualified domain names (FQDNs)? FQDNs supplied by Dynamic DNS providers (see Using a Fully Qualified Domain Name (FQDN) on page 154) can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator.
- Which method will you use to configure your VPN tunnels?
  - The VPN Wizard using VPNC defaults (see Table 2)
  - The typical automated Internet Key Exchange (IKE) setup (see Using Auto Policy to Configure VPN Tunnels on page 101)
  - A manual keying setup in which you must specify each phase of the connection (see Using Manual Policy to Configure VPN Tunnels on page 109)
- What level of IPSec VPN encryption will you use?
  - DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
  - 3DES. Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
- What level of authentication will you use?
  - MD5. 128 bits, faster but less secure.
  - SHA-1. 160 bits, slower but more secure.
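
The planning rules above (matching settings on both ends, each end describing the other end's LAN, and a dynamic-IP end with no FQDN acting as initiator) can be checked before the values are entered on either endpoint. The following Python is an added example, not part of the NETGEAR manual; the dictionary field names and the Gateway_A/Gateway_B sample worksheets, including their addresses and key, are constructed for illustration, and the VPNC defaults are those listed in Table 2.

```python
import ipaddress

# VPNC defaults used by the VPN Wizard (Table 2 of this chapter).
VPNC_DEFAULTS = {"secure_association": "Main Mode", "encryption": "3DES",
                 "authentication": "SHA-1", "dh_group": "Group 2"}
# Worksheet fields both endpoints must set identically (hypothetical key names).
SHARED = ["pre_shared_key", "pfs"] + list(VPNC_DEFAULTS)

def check_pair(a, b):
    """Return a list of findings for two filled-in endpoint worksheets."""
    findings = []
    for key in SHARED:
        if a[key] != b[key]:
            findings.append(f"mismatch: {key} is {a[key]!r} on {a['name']}, "
                            f"{b[key]!r} on {b['name']}")
        elif key in VPNC_DEFAULTS and a[key] != VPNC_DEFAULTS[key]:
            findings.append(f"non-default: {key} is {a[key]!r}, "
                            f"VPNC default is {VPNC_DEFAULTS[key]!r}")
    for near, far in ((a, b), (b, a)):
        # What one end calls the remote LAN must be the other end's local LAN.
        if (ipaddress.ip_network(near["remote_lan"])
                != ipaddress.ip_network(far["local_lan"])):
            findings.append(f"selector: {near['name']} remote_lan "
                            f"!= {far['name']} local_lan")
        # A dynamic-IP end with no FQDN cannot be reached, so it must initiate.
        if near["dynamic_ip"] and not near["fqdn"] and not near["initiator"]:
            findings.append(f"initiator: {near['name']} has a dynamic IP and "
                            "no FQDN, so it must be the initiator")
    return findings

# Constructed sample worksheets (addresses and key are placeholders).
GATEWAY_A = {"name": "Gateway_A", "pre_shared_key": "example-key-A1",
             "secure_association": "Main Mode", "pfs": "Disabled",
             "encryption": "3DES", "authentication": "SHA-1",
             "dh_group": "Group 2", "local_lan": "192.168.0.0/24",
             "remote_lan": "192.168.3.0/24", "dynamic_ip": False,
             "fqdn": "", "initiator": False}
GATEWAY_B = dict(GATEWAY_A, name="Gateway_B", local_lan="192.168.3.0/24",
                 remote_lan="192.168.0.0/24", dynamic_ip=True, initiator=True)

if __name__ == "__main__":
    for line in check_pair(GATEWAY_A, GATEWAY_B) or ["worksheets are consistent"]:
        print(line)
```

A pair that agrees on DES or MD5 is reported as non-default rather than as a mismatch, which separates a tunnel that will not come up from one that will come up with the weaker of the options described above.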
VPN Tunnel Configuration
There are two tunnel configurations and three ways to configure them:
- Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
  - See Setting Up a Client-to-Gateway VPN Configuration on page 80.
  - See Setting Up a Gateway-to-Gateway VPN Configuration on page 90.
- See Using Auto Policy to Configure VPN Tunnels on page 101 when the VPN Wizard and its VPNC defaults (see Table 2 on page 79) are not appropriate for your special circumstances, but you want to automate the Internet Key Exchange (IKE) setup.
- See Using Manual Policy to Configure VPN Tunnels on page 109 when the VPN Wizard and its VPNC defaults (see Table 2 on page 79) are not appropriate for your special circumstances and you must specify each phase of the connection. You manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex, and there are more opportunities for errors or configuration mismatches between your N300 Wireless Dual Band ADSL2+ Modem Router DGND3300v2 and the corresponding VPN endpoint gateway or client workstation.

Table 2. Parameters Recommended by the VPNC and Used in the VPN Wizard

Parameter | Factory Default Setting
Secure Association | Main Mode
Authentication Method | Pre-Shared Key
Encryption Method | 3DES
Authentication Protocol | SHA-1
Diffie-Hellman (DH) Group | Group 2 (1024 bit)
Key Life | 8 hours
IKE Life Time | 1 hour
Setting Up a Client-to-Gateway VPN Configuration
Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN client and a
network gateway involves two steps, described in the following sections:
- Step 1: Configure the Client-to-Gateway VPN Tunnel on page 80 describes how to use the VPN Wizard to configure the VPN tunnel between the remote PC and network gateway.
- Step 2: Configure the NETGEAR ProSafe VPN Client on page 83 shows how to configure the NETGEAR ProSafe VPN client endpoint.
Figure 51. N300 Wireless Modem Router DGND3300v2 Client-to-Gateway VPN Tunnel
Step 1: Configure the Client-to-Gateway VPN Tunnel
This section describes using the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 2 on page 79. If you have special requirements not covered by these VPNC-recommended parameters, see Setting Up VPN Tunnels in Special Circumstances on page 100 for information about how to set up the VPN tunnel.

The following worksheet identifies the parameters used in this procedure. For a blank worksheet, see Planning a VPN on page 78.
Table 3. VPN Tunnel Configuration Worksheet

Parameter | Value to Be Entered | Field Selection
Connection Name | RoadWarrior | N/A
Pre-Shared Key | 12345678 | N/A
Secure Association | N/A | Main Mode / Manual Keys
Perfect Forward Secrecy | N/A | Enabled / Disabled
Encryption Protocol | N/A | DES / 3DES
[Figure 51 labels: VPN tunnel; Internet; PC running NETGEAR ProSafe VPN client; 22.23.24.25; 0.0.0.0; IP: 192.168.3.1]