Virtual Private Networking
111
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700
3. Click VPN Status. The Current VPN Tunnels (SAs) screen displays:
4. Click Drop for the VPN tunnel that you want to deactivate.
Delete a VPN Tunnel
To delete a VPN tunnel:
1. On the main menu, select VPN Policies to display the VPN Policies screen. In the Policy Table, select the radio button for the VPN tunnel to be deleted, and then click Delete.
Set Up VPN Tunnels in Special Circumstances
When the VPN Wizard and its VPNC defaults (see Table 16 on page 89) are not appropriate for your circumstances, use one of these alternatives:
• Auto Policy. For a typical automated Internet Key Exchange (IKE) setup, see Use Auto Policy to Configure VPN Tunnels on page 112. Auto Policy uses the IKE protocol to define the authentication scheme and automatically generate the encryption keys.
• Manual Policy. For a manual keying setup in which you have to specify each phase of the connection, see Use Manual Policy to Configure VPN Tunnels on page 119. Manual Policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex, and there are more opportunities for errors or configuration mismatches between your N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700 and the corresponding VPN endpoint gateway or client workstation.
Use Auto Policy to Configure VPN Tunnels
You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end have to match the inbound VPN settings on the other end, and vice versa. For an example of using Auto Policy, see Example of Using Auto Policy on page 116.
Configure VPN Network Connection Parameters
All VPN tunnels on the wireless modem router require that you configure several network
parameters. This section describes those parameters and how to access them.
The most common configuration scenarios use IKE to manage the authentication and
encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to
automatically generate and update the required encryption parameters.
From the main menu, select VPN Policies, and then click the Add Auto Policy button to display the VPN - Auto Policy screen:
The DGND3700 VPN tunnel network connection fields are defined in the following table.
Table 19. VPN - Auto Policy screen settings

Fields and Settings: Description

General

Policy Name
    Enter a unique name. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies.

Remote VPN Endpoint
    • The remote VPN endpoint has to have this VPN's gateway address entered as its remote VPN endpoint.
    • If the remote endpoint has a dynamic IP address, select Dynamic IP Address. No address data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select an option (IP address or domain name) and enter the address of the remote VPN endpoint to which you want to connect.

IKE Keep Alive
    • If you want to ensure that a connection is kept open, or, if that is not possible, that it is quickly reestablished when disconnected, select this check box.
    • The ping IP address has to be associated with the remote endpoint. The remote LAN address has to be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address has to be covered by the remote LAN IP range and has to correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective.

Local LAN (the remote VPN endpoint has to have these IP addresses entered as its remote addresses)

Subnet Mask
    The network mask.

Single/Start IP Address
    Enter the IP address for a single address, or the starting address for an address range. A single address setting is used when you want to make a single server on your LAN available to remote users. A range must be an address range used on your LAN.
    Any. The remote VPN endpoint can be at any IP address.

Finish IP Address
    For an address range, enter the finish IP address. This must be an address range used on your LAN.

Remote LAN (the remote VPN endpoint has to have these IP addresses entered as its local addresses)

IP Address
    Single PC - no Subnet. Select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.

Single/Start IP Address
    • Enter an IP address that is on the remote LAN. You can use this setting when you want to access a server on the remote LAN.
    • For a range of addresses, enter the starting IP address. This has to be an address range used on the remote LAN.
    Any. Any outgoing traffic from the computers in the Local IP fields triggers an attempted VPN connection to the remote VPN endpoint. Be sure you want this option before selecting it.

Finish IP Address
    Enter the finish IP address for a range of addresses. This has to be an address range used on the remote LAN.

Subnet Mask
    Enter the network mask.
IKE

Direction
    This setting is used when the router determines if the IKE policy matches the current traffic. Select an option.
    Responder only. Incoming connections are allowed, but outgoing connections are blocked.
    Initiator and Responder. Both incoming and outgoing connections are allowed.

Exchange Mode
    Ensure that the remote VPN endpoint is set to use Main Mode.

Diffie-Hellman (DH) Group
    The Diffie-Hellman algorithm is used when keys are exchanged. The DH Group setting determines the bit size used in the exchange. This value has to match the value used on the remote VPN gateway.

Local Identity Type
    Select an option to match the Remote Identity Type setting on the remote VPN endpoint.
    WAN IP Address. Your Internet IP address.
    Fully Qualified Domain Name. Your domain name.
    Fully Qualified User Name. Your name, email address, or other ID.

Local Identity Data
    Enter the data for the local identity type that you selected. (If WAN IP Address is selected, no input is required.)

Remote Identity Type
    Select the option that matches the Local Identity Type setting on the remote VPN endpoint.
    IP Address. The Internet IP address of the remote VPN endpoint.
    Fully Qualified Domain Name. The domain name of the remote VPN endpoint.
    Fully Qualified User Name. The name, email address, or other ID of the remote VPN endpoint.

Remote Identity Data
    Enter the data for the remote identity type that you selected. (If IP Address is selected, no input is required.)

Parameters

Encryption Algorithm
    The encryption algorithm used for both IKE and IPSec. This setting has to match the setting used on the remote VPN gateway. DES and 3DES are supported.
    DES. The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
    3DES. Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.

Authentication Algorithm
    The authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
    MD5. 128 bits, faster but less secure.
    SHA-1. 160 bits, slower but more secure. This is the default.

Pre-shared Key
    The key has to be entered both here and on the remote VPN gateway.
Parameters (continued)

SA Life Time
    The time interval before the SA (security association) expires. (It is automatically reestablished as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA life-time. This setting applies to both IKE and IPSec SAs.

Enable IPSec PFS (Perfect Forward Secrecy)
    • If this check box is selected, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.)
    • This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you might have to specify the key group used. For this device, the key group is the same as the DH Group setting in the IKE section.
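The mirror-matching rules from Table 19 (outbound settings on one end matching inbound settings on the other, Local LAN entered as the peer's Remote LAN, cross-matched identity types, keep-alive address inside the remote LAN range) written as a checker for two Auto Policy configurations, added here as an example and not part of the NETGEAR manual. The two policy dictionaries, their addresses and the pre-shared key are constructed sample values; the second flags DES, which the table describes as less secure than 3DES.

```python
import ipaddress

# Peer's Remote Identity Type that corresponds to each Local Identity Type (Table 19)
PEER_ID_TYPE = {"WAN IP Address": "IP Address", "Fully Qualified User Name": "Fully Qualified User Name",
                "Fully Qualified Domain Name": "Fully Qualified Domain Name"}

# Constructed sample policies (documentation addresses); a LAN is (start address, subnet mask)
SITE_A = dict(wan_ip="198.51.100.1", remote_endpoint="203.0.113.2",
              local_lan=("192.168.0.0", "255.255.255.0"), remote_lan=("192.168.1.0", "255.255.255.0"),
              keepalive_ip="192.168.1.10", exchange_mode="Main Mode", dh_group=2,
              local_id_type="WAN IP Address", remote_id_type="IP Address", encryption="3DES",
              auth="SHA-1", psk="constructed-psk", sa_lifetime=3600, pfs=True)
SITE_B = dict(SITE_A, wan_ip="203.0.113.2", remote_endpoint="198.51.100.1",
              local_lan=SITE_A["remote_lan"], remote_lan=SITE_A["local_lan"],
              keepalive_ip="192.168.0.10", encryption="DES")  # DES: deliberate mismatch

def check_pair(a, b):
    """Return the mismatches that would keep two Auto Policies from forming a tunnel."""
    problems = []
    for key in ("exchange_mode", "dh_group", "encryption", "auth", "psk", "pfs", "sa_lifetime"):
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if a["exchange_mode"] != "Main Mode":
        problems.append("exchange_mode must be Main Mode")
    for x, y, tag in ((a, b, "A->B"), (b, a, "B->A")):
        if x["remote_endpoint"] != y["wan_ip"]:
            problems.append(f"{tag}: remote_endpoint is not the peer's WAN IP")
        # Local LAN on one side must be entered as the Remote LAN on the other
        if x["local_lan"] != y["remote_lan"]:
            problems.append(f"{tag}: local_lan {x['local_lan']} != peer remote_lan {y['remote_lan']}")
        # Local Identity Type here must be matched by the peer's Remote Identity Type
        if PEER_ID_TYPE[x["local_id_type"]] != y["remote_id_type"]:
            problems.append(f"{tag}: identity types do not match")
        # IKE keep-alive target must lie inside the remote LAN range
        net = ipaddress.ip_network("/".join(x["remote_lan"]), strict=False)
        if x["keepalive_ip"] and ipaddress.ip_address(x["keepalive_ip"]) not in net:
            problems.append(f"{tag}: keepalive_ip {x['keepalive_ip']} not in remote LAN {net}")
    return problems

def weak_settings(p):
    """Flag choices the manual describes as less secure; they still match fine on both ends."""
    notes = []
    if p["encryption"] == "DES":
        notes.append("DES (56-bit key) is less secure than 3DES")
    if p["auth"] == "MD5":
        notes.append("MD5 is less secure than SHA-1")
    if not p["pfs"]:
        notes.append("PFS disabled: subsequent keys are not independent of earlier ones")
    return notes
```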