7. Virtual Private Networking
Setting up secure encrypted communications
This chapter describes how to use the virtual private networking (VPN) features of the wireless
modem router. VPN communications paths are called tunnels. VPN tunnels provide secure,
encrypted communications between your local network and a remote network or computer. See
Appendix B, NETGEAR VPN Configuration.
This chapter is organized as follows:
Overview of VPN Configuration
Plan a VPN
VPN Tunnel Configuration
Set Up a Client-to-Gateway VPN Configuration
Set Up a Gateway-to-Gateway VPN Configuration
VPN Tunnel Control
Set Up VPN Tunnels in Special Circumstances
Downloaded from www.Manualslib.com manuals search engine
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700
Overview of VPN Configuration
Two common scenarios for VPN tunnels are between a remote PC and a network gateway,
and between two or more network gateways. The N600 Wireless Dual Band Gigabit ADSL2+
Modem Router DGND3700 supports both types. It supports up to five concurrent tunnels.
Client-to-Gateway VPN Tunnels
Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a
telecommuter connecting to an office network.
Figure 41. Telecommuter VPN tunnel (PC running NETGEAR ProSafe VPN client, VPN tunnel across
the Internet, Modem Router DGND3700)
VPN client access allows a remote PC to connect to your network from any location on the
Internet. The remote PC is one tunnel endpoint, running the VPN client software. The
wireless modem router on your network is the other tunnel endpoint. See Set Up a
Client-to-Gateway VPN Configuration on page 90 for information about how to set up this
configuration.
Gateway-to-Gateway VPN Tunnels
Gateway-to-gateway VPN tunnels provide secure access between networks, such as a
branch or home office and a main office.
Figure 42. VPN tunnel between networks (Modem Router DGND3700 as Gateway A (Home), VPN tunnel
across the Internet, Modem Router DGND3700 as Gateway B (Office))
A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect
branch or home offices and business partners over the Internet. VPN tunnels also enable
access to network resources across the Internet. In this case, use gateways on each end of
the tunnel to form the VPN tunnel endpoints. See Set Up a Gateway-to-Gateway VPN
Configuration on page 101 for information about how to set up this configuration.
Plan a VPN
When you set up a VPN, it is helpful to plan the network configuration and record the
configuration parameters on a worksheet:
Table 15. VPN tunnel configuration worksheet

Parameter                    Value to Be Entered    Field Selection
Connection Name              ______________         N/A
Pre-Shared Key               ______________         N/A
Secure Association           N/A                    Main Mode / Manual Keys
Perfect Forward Secrecy      N/A                    Enabled / Disabled
Encryption Protocol          N/A                    DES / 3DES
Authentication Protocol      N/A                    MD5 / SHA-1
Diffie-Hellman (DH) Group    N/A                    Group 1 / Group 2
Key Life in seconds          ______________         N/A
IKE Life Time in seconds     ______________         N/A

VPN Endpoint    Local IPSec ID    LAN IP Address    Subnet Mask    FQDN or Gateway IP (WAN IP Address)
To set up a VPN connection, you have to configure each endpoint with specific identification
and connection information describing the other endpoint. You have to configure the
outbound VPN settings on one end to match the inbound VPN settings on the other end, and
vice versa.
This set of configuration information defines a security association (SA) between the two
VPN endpoints. When planning your VPN, you should make a few choices first:
Will the local end be any device on the LAN, a portion of the local network (as defined by
a subnet or by a range of IP addresses), or a single PC?
Will the remote end be any device on the remote LAN, a portion of the remote network (as
defined by a subnet or by a range of IP addresses), or a single PC?
Will either endpoint use fully qualified domain names (FQDNs)? FQDNs supplied by
Dynamic DNS providers (see Use a Fully Qualified Domain Name (FQDN) on page 163)
can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel
request. Otherwise, the side using a dynamic IP address has to always be the initiator.
Which method will you use to configure your VPN tunnels?
- The VPN Wizard using VPNC defaults (see the following table)
- The typical automated Internet Key Exchange (IKE) setup (see Use Auto Policy to
  Configure VPN Tunnels on page 112)
- A manual keying setup in which you have to specify each phase of the connection
  (see Use Manual Policy to Configure VPN Tunnels on page 119)
Table 16. Parameters recommended by the VPNC and used in the VPN Wizard

Parameter                    Factory Default Setting
Secure Association           Main Mode
Authentication Method        Pre-Shared Key
Encryption Method            3DES
Authentication Protocol      SHA-1
Diffie-Hellman (DH) Group    Group 2 (1024 bit)
Key Life                     8 hours
IKE Life Time                1 hour
What level of IPSec VPN encryption will you use?
- DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide,
  encrypting these values using a 56-bit key. Faster but less secure than 3DES.
- 3DES. Triple DES achieves a higher level of security by encrypting the data three
  times using DES with three different, unrelated keys.
What level of authentication will you use?
- MD5. 128 bits, faster but less secure.
- SHA-1. 160 bits, slower but more secure.
VPN Tunnel Configuration
There are two tunnel configurations and three ways to configure them:
Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):
- See Set Up a Client-to-Gateway VPN Configuration on page 90.
- See Set Up a Gateway-to-Gateway VPN Configuration on page 101.
When the VPN Wizard and its VPNC defaults (see Table 16 on page 89) are not
appropriate for your special circumstances, but you want to automate the Internet Key
Exchange (IKE) setup, see Use Auto Policy to Configure VPN Tunnels on page 112.
When the VPN Wizard and its VPNC defaults (see Table 16 on page 89) are not
appropriate for your special circumstances and you have to specify each phase of the
connection, see Use Manual Policy to Configure VPN Tunnels on page 119. You
manually enter all the authentication and key parameters. You have more control over the
process; however, the process is more complex, and there are more opportunities for
errors or configuration mismatches between your N600 Wireless Dual Band Gigabit
ADSL2+ Modem Router DGND3700 and the corresponding VPN endpoint gateway or
client workstation.
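The mismatch risk described above, and the matching rules from Plan a VPN (outbound settings on one end equal the inbound settings on the other; a dynamic-address end without an FQDN must always initiate), as an added Python example that is not NETGEAR's code. It treats each end as a filled-in Table 15 worksheet; the field names, the `worksheet`, `check_tunnel` and `required_initiator` helpers and the sample addresses are constructed for this example.

```python
# Added example, not NETGEAR's own code: cross-check the two ends of a planned
# tunnel, each recorded as a Table 15 worksheet, for the mirror-image agreement
# the manual requires. Field names and sample values are constructed.

# Table 16 VPNC defaults, with lifetimes in seconds as the worksheet asks.
VPNC_DEFAULTS = {
    "secure_association": "Main Mode",
    "pfs": "Disabled",
    "encryption": "3DES",
    "authentication": "SHA-1",
    "dh_group": "Group 2",
    "key_life": 8 * 3600,    # 8 hours
    "ike_life_time": 3600,   # 1 hour
}
SA_FIELDS = ("pre_shared_key", *VPNC_DEFAULTS)  # must be identical on both ends
DYNAMIC = "0.0.0.0"  # the manual's placeholder for a dynamic WAN address

def worksheet(name, psk, wan_ip, lan, remote_gw, remote_lan, fqdn="", **sa):
    """One endpoint's worksheet: VPNC defaults unless overridden in sa."""
    return {"name": name, "pre_shared_key": psk, "wan_ip": wan_ip, "fqdn": fqdn,
            "lan": lan, "remote_gateway": remote_gw, "remote_lan": remote_lan,
            **VPNC_DEFAULTS, **sa}

def reachable_as(ep):
    """What the far end enters for this gateway: FQDN, fixed WAN IP, or None."""
    return ep["fqdn"] or (None if ep["wan_ip"] == DYNAMIC else ep["wan_ip"])

def check_tunnel(a, b):
    """Return the list of mismatches; an empty list means the ends agree."""
    problems = [f"{f}: {a['name']}={a[f]!r} vs {b['name']}={b[f]!r}"
                for f in SA_FIELDS if a[f] != b[f]]
    # Outbound settings on one end must equal inbound settings on the other.
    for here, there in ((a, b), (b, a)):
        if here["remote_lan"] != there["lan"]:
            problems.append(f"{here['name']}: remote LAN {here['remote_lan']} "
                            f"is not {there['name']}'s LAN {there['lan']}")
        expected = reachable_as(there) or DYNAMIC
        if here["remote_gateway"] != expected:
            problems.append(f"{here['name']}: remote gateway should be {expected}")
    if all(reachable_as(e) is None for e in (a, b)):
        problems.append("neither end has a fixed address or FQDN; no tunnel possible")
    return problems

def required_initiator(a, b):
    """Name of the end that must always initiate (dynamic IP, no FQDN), or None."""
    dyn = [e["name"] for e in (a, b) if reachable_as(e) is None]
    return dyn[0] if len(dyn) == 1 else None
```

Run `check_tunnel` on the two worksheets before entering them on the gateways; an entry such as `authentication: Gateway A='SHA-1' vs Gateway B='MD5'` is exactly the kind of mismatch that leaves the tunnel failing to negotiate.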
Set Up a Client-to-Gateway VPN Configuration
Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN client and a
network gateway involves two steps, described in the following sections:
Step 1: Configure the Client-to-Gateway VPN Tunnel on page 90 describes how to use
the VPN Wizard to configure the VPN tunnel between the remote PC and network
gateway.
Step 2: Configure the NETGEAR ProSafe VPN Client on page 93 shows how to configure
the NETGEAR ProSafe VPN client endpoint.
Figure 43. Wireless Modem Router DGND3700 client-to-gateway VPN tunnel (PC running NETGEAR
ProSafe VPN client, VPN tunnel across the Internet, modem router; address labels 22.23.24.25,
0.0.0.0 and IP: 192.168.3.1)
Step 1: Configure the Client-to-Gateway VPN Tunnel
This section describes using the VPN Wizard to set up the VPN tunnel using the VPNC
default parameters listed in Table 16 on page 89. If you have special requirements not
covered by these VPNC-recommended parameters, see Set Up VPN Tunnels in Special
Circumstances on page 111 for information about how to set up the VPN tunnel.