Chapter 6. Virtual Private Networking | 101
N300 Wireless Dual Band ADSL2+ Modem Router DGND3300v2 User Manual
• Manual Policy. For a manual keying setup in which you must specify each phase of the connection, see Using Manual Policy to Configure VPN Tunnels on page 109. Manual policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex, and there are more opportunities for errors or configuration mismatches between your N300 Wireless Dual Band ADSL2+ Modem Router DGND3300v2 and the corresponding VPN endpoint gateway or client workstation.
Using Auto Policy to Configure VPN Tunnels

You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match the inbound VPN settings on the other end, and vice versa. For an example of using Auto Policy, see Example of Using Auto Policy on page 106.
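The "outbound on one end must match inbound on the other" rule is easy to get wrong by hand, because every field is named from the local router's point of view (Local LAN here is Remote LAN there, a local WAN IP Address identity is the peer's remote IP Address identity, and so on). The following Python script is an added illustration, not code from the NETGEAR manual or the router: it models the fields of Table 5 (later in this section) as plain dictionaries, builds the peer's policy by mirroring the first one, and cross-checks a pair of policies the way a careful administrator would before enabling the tunnel. The dictionary key names, the "Group 2" DH label and the sample addresses (documentation and private ranges) are assumptions constructed for the example.

```python
import ipaddress

# Identity types are named from each end's own point of view: what one router
# enters as its local "WAN IP Address" must appear on the peer as remote "IP Address".
IDENTITY_PAIRS = {
    "WAN IP Address": "IP Address",
    "Fully Qualified Domain Name": "Fully Qualified Domain Name",
    "Fully Qualified User Name": "Fully Qualified User Name",
}
IDENTITY_PAIRS_REVERSED = {remote: local for local, remote in IDENTITY_PAIRS.items()}


def lan_range(lan):
    """Reduce a Local/Remote LAN entry to something comparable between the two ends."""
    if lan["kind"] in ("any", "single_pc"):
        return lan["kind"]
    first = ipaddress.ip_address(lan["start"])
    last = ipaddress.ip_address(lan.get("finish", lan["start"]))  # single address if no finish
    return (first, last)


def in_range(addr, lan):
    """True if addr lies inside the LAN entry (Any covers everything, Single PC nothing)."""
    rng = lan_range(lan)
    if rng == "any":
        return True
    if rng == "single_pc":
        return False
    return rng[0] <= ipaddress.ip_address(addr) <= rng[1]


def check_pair(a, b):
    """Return (severity, message) findings for two policies meant to form one tunnel."""
    findings = []

    for me, peer in ((a, b), (b, a)):
        n = me["policy_name"]
        # Remote VPN Endpoint must be the peer gateway's address (or Dynamic IP Address).
        if me["remote_endpoint"] not in ("Dynamic IP Address", peer["wan_ip"]):
            findings.append(("error", f"{n}: remote endpoint {me['remote_endpoint']} is not the peer's address {peer['wan_ip']}"))
        # Local LAN here must be entered as Remote LAN there.
        if lan_range(me["local_lan"]) != lan_range(peer["remote_lan"]):
            findings.append(("error", f"{n}: local LAN does not match the peer's remote LAN"))
        # Local identity here must mirror Remote identity there, type and data.
        if IDENTITY_PAIRS.get(me["local_id_type"]) != peer["remote_id_type"]:
            findings.append(("error", f"{n}: local identity type {me['local_id_type']!r} is not mirrored by the peer"))
        elif me["local_id_data"] != peer["remote_id_data"]:
            findings.append(("error", f"{n}: local identity data differs from the peer's remote identity data"))
        if me["exchange_mode"] != "Main":
            findings.append(("error", f"{n}: exchange mode must be Main"))
        if me["authentication"] == "Auto" and me["direction"] == "Responder only":
            findings.append(("error", f"{n}: Auto authentication is not available in responder-only mode"))
        # The keep-alive ping target must be covered by the remote LAN range.
        if me["ike_keep_alive"] and not in_range(me["keep_alive_ip"], me["remote_lan"]):
            findings.append(("error", f"{n}: keep-alive IP {me['keep_alive_ip']} is outside the remote LAN range"))

    # These parameters are negotiated, so both ends must be configured identically.
    for field in ("dh_group", "encryption", "authentication", "pre_shared_key", "sa_lifetime", "pfs"):
        if a[field] != b[field]:
            findings.append(("error", f"{field} differs: {a[field]!r} vs {b[field]!r}"))
    if a["direction"] == b["direction"] == "Responder only":
        findings.append(("error", "both ends are responder-only, so neither end will ever initiate"))

    # Choices the manual itself describes as less secure or as unusual.
    if a["encryption"] == "DES":
        findings.append(("warning", "DES selected: faster but less secure than 3DES"))
    if a["authentication"] == "MD5":
        findings.append(("warning", "MD5 selected: faster but less secure than SHA-1"))
    if a["sa_lifetime"] < 3600:
        findings.append(("warning", f"SA lifetime {a['sa_lifetime']}s is under one hour; short lifetimes cost performance"))
    return findings


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


def mirror(policy, name, wan_ip, keep_alive_ip):
    """Build the policy the peer gateway needs: local/remote sides and identities swapped."""
    return dict(policy,
        policy_name=name, wan_ip=wan_ip, remote_endpoint=policy["wan_ip"],
        keep_alive_ip=keep_alive_ip,
        local_lan=policy["remote_lan"], remote_lan=policy["local_lan"],
        local_id_type=IDENTITY_PAIRS_REVERSED[policy["remote_id_type"]],
        local_id_data=policy["remote_id_data"],
        remote_id_type=IDENTITY_PAIRS[policy["local_id_type"]],
        remote_id_data=policy["local_id_data"])


# Constructed sample: head office (198.51.100.1) to branch (203.0.113.2), documentation addresses.
HQ = dict(
    policy_name="HQ-to-Branch", wan_ip="198.51.100.1", remote_endpoint="203.0.113.2",
    ike_keep_alive=True, keep_alive_ip="192.168.20.10",
    local_lan={"kind": "range", "start": "192.168.10.1", "finish": "192.168.10.254", "mask": "255.255.255.0"},
    remote_lan={"kind": "range", "start": "192.168.20.1", "finish": "192.168.20.254", "mask": "255.255.255.0"},
    direction="Initiator and Responder", exchange_mode="Main", dh_group="Group 2",
    local_id_type="WAN IP Address", local_id_data="198.51.100.1",
    remote_id_type="IP Address", remote_id_data="203.0.113.2",
    encryption="3DES", authentication="SHA-1", pre_shared_key="example-psk-replace-me",
    sa_lifetime=28800, pfs=True,
)
BRANCH = mirror(HQ, "Branch-to-HQ", "203.0.113.2", "192.168.10.10")
# A mistyped pre-shared key and a keep-alive target outside the remote LAN.
BRANCH_BAD = dict(BRANCH, pre_shared_key="example-psk-typo", keep_alive_ip="192.168.99.5")

if __name__ == "__main__":
    for sev, msg in check_pair(HQ, BRANCH_BAD):
        print(f"{sev}: {msg}")
```

Running the script prints the two mismatches in BRANCH_BAD, while check_pair(HQ, BRANCH) returns no findings. The same checks apply to a Dynamic IP Address peer, except that the remote-endpoint comparison is skipped for it.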
Configuring VPN Network Connection Parameters

All VPN tunnels on the N300 wireless modem router require that you configure several network parameters. This section describes those parameters and how to access them. The most common configuration scenarios use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate and update the required encryption parameters.
From the main menu, select VPN Policies, and then click the Add Auto Policy button to display the VPN - Auto Policy screen:
The DGND3300v2 VPN tunnel network connection fields are defined in the following table.

Table 5. VPN - Auto Policy Screen Settings

General

Policy Name: Enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.

Remote VPN Endpoint:
• The remote VPN endpoint must have this VPN's gateway address entered as its remote VPN endpoint.
• If the remote endpoint has a dynamic IP address, select Dynamic IP Address. No address data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select an option (IP address or domain name) and enter the address of the remote VPN endpoint to which you want to connect.

IKE Keep Alive:
• If you want to ensure that a connection is kept open, or, if that is not possible, that it is quickly reestablished when disconnected, select this check box.
• The ping IP address must be associated with the remote endpoint. The remote LAN address must be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective.

Local LAN (the remote VPN endpoint must have these IP addresses entered as its remote addresses)

Subnet Mask: The network mask.

Single/Start IP Address: Enter the IP address for a single address, or the starting address for an address range. A single address setting is used when you want to make a single server on your LAN available to remote users. A range must be an address range used on your LAN.
• Any. The remote VPN endpoint can be at any IP address.

Finish IP Address: For an address range, enter the finish IP address. This must be an address range used on your LAN.

Remote LAN (the remote VPN endpoint must have these IP addresses entered as its local addresses)

IP Address:
• Single PC - no Subnet. Select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.

Single/Start IP Address:
• Enter an IP address that is on the remote LAN. You can use this setting when you want to access a server on the remote LAN.
• For a range of addresses, enter the starting IP address. This must be an address range used on the remote LAN.
• Any. Any outgoing traffic from the computers in the Local IP fields triggers an attempted VPN connection to the remote VPN endpoint. Be sure you want this option before selecting it.

Finish IP Address: Enter the finish IP address for a range of addresses. This must be an address range used on the remote LAN.

Subnet Mask: Enter the network mask.
IKE

Direction: This setting is used when the router determines if the IKE policy matches the current traffic. Select an option.
• Responder only. Incoming connections are allowed, but outgoing connections are blocked.
• Initiator and Responder. Both incoming and outgoing connections are allowed.

Exchange Mode: Ensure that the remote VPN endpoint is set to use Main Mode.

Diffie-Hellman (DH) Group: The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value must match the value used on the remote VPN gateway.

Local Identity Type: Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
• WAN IP Address. Your Internet IP address.
• Fully Qualified Domain Name. Your domain name.
• Fully Qualified User Name. Your name, email address, or other ID.

Local Identity Data: Enter the data for the local identity type that you selected. (If WAN IP Address is selected, no input is required.)

Remote Identity Type: Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
• IP Address. The Internet IP address of the remote VPN endpoint.
• Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
• Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.

Remote Identity Data: Enter the data for the remote identity type that you selected. (If IP Address is selected, no input is required.)

Parameters

Encryption Algorithm: The encryption algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN gateway. DES and 3DES are supported.
• DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
• 3DES. Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.

Authentication Algorithm: The authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
• MD5. 128 bits, faster but less secure.
• SHA-1. 160 bits, slower but more secure. This is the default.

Pre-shared Key: The key must be entered both here and on the remote VPN gateway.
SA Life Time: The time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life-time. This setting applies to both IKE and IPSec SAs.

Enable IPSec PFS (Perfect Forward Secrecy):
• If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
• This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.
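The PFS description above ("each key has no relationship to the previous key") can be seen directly in a simplified model of how the IPSec SA keys are derived. The following Python script is an added illustration and not the router's IKE implementation: it keeps only the shape of the derivation, in which one Diffie-Hellman exchange produces the IKE SA's base keying material, and each IPSec SA (each rekey when the SA Life Time expires) derives its key from that material plus nonces that travel in the clear. With PFS enabled, every rekey also runs a fresh DH exchange in the same group as the DH Group setting. The toy modulus (the Mersenne prime 2**127-1, far too small for real use), HMAC-SHA1 as the pseudo-random function and the sample pre-shared key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus; the DH Group setting selects a much larger standard prime
G = 5


def dh_keypair():
    """Random private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def prf(key, data):
    """Pseudo-random function used to derive keys (HMAC-SHA1, an assumption here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1(psk):
    """IKE SA: one DH exchange mixed with the pre-shared key gives the base keying material."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    assert dh_shared(i_priv, r_pub) == dh_shared(r_priv, i_pub)
    return prf(psk, to_bytes(dh_shared(i_priv, r_pub)))


def rekey(base, pfs):
    """One IPSec SA (re)keying. Returns the new key and what a passive observer sees."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    observed = {"nonce_i": nonce_i, "nonce_r": nonce_r}
    if not pfs:
        # Without PFS the key depends only on the base material and public nonces.
        return prf(base, nonce_i + nonce_r), observed
    # With PFS a fresh DH exchange contributes a secret that is never reused.
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    observed.update(i_pub=i_pub, r_pub=r_pub)
    fresh = dh_shared(i_priv, r_pub)
    return prf(base, to_bytes(fresh) + nonce_i + nonce_r), observed


def observer_guess(base, observed):
    """What someone who later learns `base` can compute from the recorded exchange alone."""
    return prf(base, observed["nonce_i"] + observed["nonce_r"])


def demo(pfs):
    """Rekey twice and report whether a leaked base secret exposes the first SA key."""
    base = phase1(b"example-psk")
    key1, seen1 = rekey(base, pfs)
    key2, seen2 = rekey(base, pfs)
    return {
        "keys_differ": key1 != key2,
        "leaked_base_recovers_key": observer_guess(base, seen1) == key1,
    }


if __name__ == "__main__":
    print("PFS off:", demo(pfs=False))
    print("PFS on: ", demo(pfs=True))
```

In both modes the keys change at every rekey, which is the "changed at regular intervals" part. The difference shows in the second flag: without PFS, anyone holding the base material and a recording of the exchange reproduces the SA key, whereas with PFS the recorded public values alone do not yield the fresh DH secret, so a compromise of one key does not help against the next.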