86

7

7.

Virtual Private Networking

Setting up secure encrypted communications

This chapter describes how to use the virtual private networking (VPN) features of the wireless

modem router. VPN communications paths are called tunnels. VPN tunnels provide secure,

encrypted communications between your local network and a remote network or computer. See

Appendix B, NETGEAR VPN Configuration

.

This chapter is organized as follows:

•

Overview of VPN Configuration

•

Plan a VPN

•

VPN Tunnel Configuration

•

Set Up a Client-to-Gateway VPN Configuration

•

Set Up a Gateway-to-Gateway VPN Configuration

•

VPN Tunnel Control

•

Set Up VPN Tunnels in Special Circumstances

Downloaded from

www.Manualslib.com

manuals search engine

Virtual Private Networking

87

N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

Overview of VPN Configuration

Two common scenarios for VPN tunnels are between a remote PC and a network gateway,

and between two or more network gateways. The N600 Wireless Dual Band Gigabit ADSL2+

Modem Router DGND3700 supports both types. It supports up to five concurrent tunnels.

Client-to-Gateway VPN Tunnels

Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a

telecommuter connecting to an office network.

VPN Tunnel

Internet

PC running NETGEAR

ProSafe VPN client

Modem Router DGND3700

Figure 41. Telecommuter VPN tunnel

A VPN client access allows a remote PC to connect to your network from any location on the

Internet. The remote PC is one tunnel endpoint, running the VPN client software. The

wireless modem router on your network is the other tunnel endpoint. See

Set Up a

Client-to-Gateway VPN Configuration

on page 90 for information about how to set up this

configuration.

Gateway-to-Gateway VPN Tunnels

Gateway-to-gateway VPN tunnels provide secure access between networks, such as a

branch or home office and a main office.

VPN Tunnel

Internet

Modem Router DGND3700

Gateway A

(Home)

Modem Router DGND3700

Gateway B

(Office)

Figure 42. VPN Tunnel between networks

Downloaded from

www.Manualslib.com

manuals search engine

Virtual Private Networking

88

N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect

branch or home offices and business partners over the Internet. VPN tunnels also enable

access to network resources across the Internet. In this case, use gateways on each end of

the tunnel to form the VPN tunnel endpoints. See

Set Up a Gateway-to-Gateway VPN

Configuration

on page 101 for information about how to set up this configuration.

Plan a VPN

When you set up a VPN, it is helpful to plan the network configuration and record the

configuration parameters on a worksheet:

Table 15.

VPN tunnel configuration worksheet

Parameter

Value to Be Entered

Field Selection

Connection Name

N/A

Pre-Shared Key

N/A

Secure Association

N/A

Main Mode

Manual Keys

Perfect Forward Secrecy

N/A

Enabled

Disabled

Encryption Protocol

N/A

DES

3DES

Authentication Protocol

N/A

MD5

SHA-1

Diffie-Hellman (DH) Group

N/A

Group 1

Group 2

Key Life in seconds

N/A

IKE Life Time in seconds

N/A

VPN Endpoint

Local IPSecID

LAN IP Address

Subnet Mask

FQDN or Gateway

IP (WAN IP Address

To set up a VPN connection, you have to configure each endpoint with specific identification

and connection information describing the other endpoint. You have to configure the

outbound VPN settings on one end to match the inbound VPN settings on other end, and vice

versa.

This set of configuration information defines a security association (SA) between the two

VPN endpoints. When planning your VPN, you should make a few choices first:

•

Will the local end be any device on the LAN, a portion of the local network (as defined by

a subnet or by a range of IP addresses), or a single PC?

•

Will the remote end be any device on the remote LAN, a portion of the remote network (as

defined by a subnet or by a range of IP addresses), or a single PC?

Downloaded from

www.Manualslib.com

manuals search engine

Virtual Private Networking

89

N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

•

Will either endpoint use fully qualified domain names (FQDNs)? FQDNs supplied by

Dynamic DNS providers (see

Use a Fully Qualified Domain Name (FQDN)

on page 163)

can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel

request. Otherwise, the side using a dynamic IP address has to always be the initiator.

•

Which method will you use to configure your VPN tunnels?

-

The VPN Wizard using VPNC defaults (see the following table)

-

The typical automated Internet Key Exchange (IKE) setup (see

Use Auto Policy to

Configure VPN Tunnels

on page 112)

-

A manual keying setup in which you have to specify each phase of the connection

(see

Use Manual Policy to Configure VPN Tunnels

on page 119)

Table 16.

Parameters recommended by the VPNC and used in the VPN Wizard

Parameter

Factory Default Setting

Secure Association

Main Mode

Authentication Method

Pre-Shared Key

Encryption Method

3DES

Authentication Protocol

SHA-1

Diffie-Hellman (DH) Group

Group 2 (1024 bit)

Key Life

8 hours

IKE Life Time

1 hour

•

What level of IPSec VPN encryption will you use?

-

DES

. The Data Encryption Standard (DES) processes input data that is 64 bits wide,

encrypting these values using a 56-bit key. Faster but less secure than 3DES.

-

3DES

. Triple DES achieves a higher level of security by encrypting the data three

times using DES with three different, unrelated keys.

•

What level of authentication will you use?

-

MDS

. 128 bits, faster but less secure.

-

SHA-1

. 160 bits, slower but more secure.

VPN Tunnel Configuration

There are two tunnel configurations and three ways to configure them:

•

Use the VPN Wizard to configure a VPN tunnel (recommended for most situations):

-

See

Set Up a Client-to-Gateway VPN Configuration

on page 90.

-

See

Set Up a Gateway-to-Gateway VPN Configuration

on page 101.

•

When the VPN Wizard and its VPNC defaults (see

Table 16

on page 89) are not

appropriate for your special circumstances, but you want to automate the Internet Key

Exchange (IKE) setup, see

Use Auto Policy to Configure VPN Tunnels

on page 112.

Downloaded from

www.Manualslib.com

manuals search engine

Virtual Private Networking

90

N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700

•

When the VPN Wizard and its VPNC defaults (see

Table 16

on page 89) are not

appropriate for your special circumstances and you have to specify each phase of the

connection, see

Use Manual Policy to Configure VPN Tunnels

on page 119. You

manually enter all the authentication and key parameters. You have more control over the

process; however, the process is more complex, and there are more opportunities for

errors or configuration mismatches between your N600 Wireless Dual Band Gigabit

ADSL2+ Modem Router DGND3700 and the corresponding VPN endpoint gateway or

client workstation.

Set Up a Client-to-Gateway VPN Configuration

Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN client and a

network gateway involves two steps, described in the following sections:

•

Step 1: Configure the Client-to-Gateway VPN Tunnel

on page 90 describes how to use

the VPN Wizard to configure the VPN tunnel between the remote PC and network

gateway.

•

Step 2: Configure the NETGEAR ProSafe VPN Client

on page 93 shows how to configure

the NETGEAR ProSafe VPN client endpoint.

VPN tunnel

Internet

PC running NETGEAR

ProSafe VPN client

22.23.24.25

0.0.0.0

IP: 192.168.3.1

Figure 43. Wireless Modem Router DGND3700 client-to-gateway VPN tunnel

Step 1: Configure the Client-to-Gateway VPN Tunnel

This section describes using the VPN Wizard to set up the VPN tunnel using the VPNC

default parameters listed in

Table 16

on page 89. If you have special requirements not

covered by these VPNC-recommended parameters, see

Set Up VPN Tunnels in Special

Circumstances

on page 111 for information about how to set up the VPN tunnel.

Downloaded from

www.Manualslib.com

manuals search engine