ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual
Advanced Virtual Private Networking
6-5
v1.0, September 2007
Policy Name
The descriptive name of the VPN policy. Each policy should have a
unique policy name. This name is not supplied to the remote VPN
endpoint. It is only used to help you identify VPN policies.
Policy Type:
A policy can be generated automatically or manually. To create an Auto VPN Policy, you must first create an IKE policy and then add the corresponding Auto Policy for that IKE Policy.
Manual: All settings (including the keys) for the VPN tunnel are manually input at each endpoint. No third-party server or organization is involved.
Auto: Some parameters for the VPN tunnel are generated automatically. This requires using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints.
Remote End Point:
The IP address or Internet name (FQDN) of the remote gateway or client PC. Conversely, the remote VPN endpoint must have the FVG318's local IP values entered as its Remote VPN Endpoint.
NetBIOS
If enabled, NetBIOS broadcasts are allowed to travel over the VPN tunnel.
Traffic Selection
The IP addresses on both the remote and local sides that will be part of
the tunnel. They can be either a single IP address, several IP addresses
in a range, or an entire subnet.
Local IP
The drop-down menu allows you to configure the source IP address of
the outbound network traffic for which this VPN policy will provide
security.
Usually, this address is from your network address space. The choices
are:
ANY for all valid IP addresses in the Internet address space
Single IP Address
Range of IP Addresses
Subnet Address
Remote IP
The drop-down menu allows you to configure the destination IP address
of the outbound network traffic for which this VPN policy will provide
security. Usually, this address is from the remote site's corporate network
address space. The choices are:
ANY for all valid IP addresses in the Internet address space
Single IP Address
Range of IP Addresses
Subnet Address
Table 6-1. VPN Manual and Auto Policy Configuration Fields (continued)
Field / Description
Manual Policy Parameters
The Manual Policy creates an SA (Security Association) based on static inputs.
SPI-Incoming; SPI-Outgoing
Takes a hexadecimal value between 3 and 8 characters; for example: 0x1234
Encryption Algorithm:
The algorithm used to encrypt the data:
Encryption Key-In: Encryption key of the inbound policy. The length of the key depends on the algorithm chosen. The length is in characters as follows:
DES – 8 characters
3DES – 24 characters
AES-128 – 16 characters
AES-192 – 24 characters
AES-256 – 32 characters
Encryption Key-Out: Encryption key of the outbound policy. The length of the key depends on the algorithm chosen. Lengths for the outbound policy encryption key are the same as for the inbound policy.
Integrity Algorithm:
Algorithm used to verify the integrity of the data.
Integrity Key-In: The integrity key (for Encapsulated Security Payload (ESP) with encryption mode) for the inbound policy. Its length depends on the algorithm chosen:
MD5 – 16 characters
SHA-1 – 20 characters
Integrity Key-Out: The integrity key (for ESP with encryption mode) for the outbound policy. Its length depends on the algorithm chosen; lengths are the same as for the inbound policy.
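As an added example that is not part of the manual, a small Python helper that generates one gateway's manual-policy values and checks a filled-in policy against the SPI format and key lengths in this table; the letters-and-digits key alphabet and the optional 0x prefix on SPIs are assumptions.

```python
import secrets
import string

# Key lengths in characters, as listed in the FVG318 manual-policy table.
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
INTEG_KEY_LEN = {"MD5": 16, "SHA-1": 20}
# Assumption: the router accepts letters and digits as key characters.
KEY_ALPHABET = string.ascii_letters + string.digits

def valid_spi(spi):
    """The table requires a hex value of 3 to 8 characters; a 0x prefix as in 0x1234 is dropped first."""
    digits = spi[2:] if spi[:2].lower() == "0x" else spi
    return 3 <= len(digits) <= 8 and all(c in string.hexdigits for c in digits)

def random_key(length):
    """A key of exactly `length` characters from the OS CSPRNG, never a hand-typed word."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))

def new_manual_policy(enc, integ):
    """One gateway's manual-policy values with correctly sized random keys and SPIs.
    The peer enters the same values with the -In and -Out fields swapped."""
    return {"spi_in": "0x%08x" % secrets.randbits(32), "spi_out": "0x%08x" % secrets.randbits(32),
            "enc": enc, "enc_key_in": random_key(ENC_KEY_LEN[enc]),
            "enc_key_out": random_key(ENC_KEY_LEN[enc]),
            "integ": integ, "integ_key_in": random_key(INTEG_KEY_LEN[integ]),
            "integ_key_out": random_key(INTEG_KEY_LEN[integ])}

def check_manual_policy(p):
    """List every way the policy dict violates the table's rules; [] means it is consistent."""
    problems = []
    for f in ("spi_in", "spi_out"):
        if not valid_spi(p[f]):
            problems.append(f"{f}: must be a 3-8 digit hex value such as 0x1234")
    for alg, table, fields in (("enc", ENC_KEY_LEN, ("enc_key_in", "enc_key_out")),
                               ("integ", INTEG_KEY_LEN, ("integ_key_in", "integ_key_out"))):
        want = table.get(p[alg])
        if want is None:
            problems.append(f"{alg}: unsupported algorithm {p[alg]!r}")
            continue
        for f in fields:
            if len(p[f]) != want:
                problems.append(f"{f}: {p[alg]} needs {want} characters, got {len(p[f])}")
    return problems
```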
Auto Policy Parameters
SA Life Time
The duration of the Security Association before it expires.
Seconds — the amount of time before the SA expires. Over an hour is
common (3600).
Kbytes — the amount of traffic before the SA expires.
One of these can be set without setting the other.
Encryption Algorithm
The encryption algorithm used to encrypt the data:
DES – the default
3DES – more secure
Integrity Algorithm
Algorithm used to verify the integrity of the data. The choices are:
MD5 – the default
SHA1 – more secure
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes that cannot
be duplicated by anyone without access to the different values used in the production of the string.
They are issued by Certification Authorities (CAs) to authenticate a person or a workstation
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The
FVG318 is able to use certificates to authenticate users at the end points during the IKE key
exchange process (see.
The certificates can be obtained from a certificate server that an organization might maintain
internally or from the established public CAs. The certificates are produced by providing the
particulars of the user being identified to the CA. The information provided may include the user's
name, e-mail ID, and domain name.
Each CA has its own certificate. The certificates of a CA are added to the FVG318 and then can be
used to form IKE policies for the user. Once a CA certificate is added to the FVG318 and a
certificate is created for a user, the corresponding IKE policy is added to the FVG318. Whenever
the user tries to send traffic through the FVG318, the certificates are used in place of pre-shared
keys during initial key exchange as the authentication and key generation mechanism. Once the
keys are established and the tunnel is set up the connection proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
PFS Key Group
Perfect Forward Secrecy (PFS) improves security. While this is slower, it
will ensure that a Diffie-Hellman exchange is performed for every phase
2 negotiation.
DH Group 1 (768 bit)
DH Group 2 (1024 bit)
DH Group 5 (1536 bit)
Select IKE Policy
The existing IKE policies are presented in a drop-down list. You can also click "view selected" to review the settings of the selected IKE policy. This IKE policy will define the characteristics of the phase 1 negotiation.
Note: You must create the IKE policy before creating a VPN Auto Policy.
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVG318 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVG318 CRL regularly in order for the CA-based authentication
process to remain valid.
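As an added example that is not part of the manual, the CRL lookup described above written out in Python, with one addition of this example's own: a CRL that is past its update date is treated as unusable, so the "not present in the CRL means not revoked" rule cannot silently pass once the router's copy has gone stale. The CRL class, the CA name, the serial numbers and the dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

class CRL:
    """A CRL as uploaded to the router: issuing CA, validity window, revoked serial numbers."""
    def __init__(self, issuer, this_update, next_update, revoked_serials):
        self.issuer, self.this_update, self.next_update = issuer, this_update, next_update
        self.revoked = set(revoked_serials)

def ike_peer_cert_accepted(cert_issuer, cert_serial, crls, now):
    """Apply the manual's rule (listed in the CA's CRL = revoked, absent = usable) with two
    fail-closed additions of this example's own: reject when no CRL for that CA is loaded, and
    reject when the loaded CRL is past its nextUpdate, because an unrefreshed CRL cannot show
    that the certificate is still good. Returns (accepted, reason)."""
    crl = crls.get(cert_issuer)
    if crl is None:
        return False, "no CRL loaded for issuer %s" % cert_issuer
    if cert_serial in crl.revoked:
        return False, "serial %#x is listed in the CRL; IKE will not authenticate the peer" % cert_serial
    if now > crl.next_update:
        return False, "CRL for %s was due for update on %s; upload a fresh CRL" % (
            cert_issuer, crl.next_update.date())
    return True, "serial %#x is not in the CRL; IKE may authenticate with it" % cert_serial

# Constructed sample data: one CA whose CRL is valid for a week and revokes two serials.
T0 = datetime(2007, 9, 1, tzinfo=timezone.utc)
SAMPLE_CRLS = {"CN=Example Corp CA": CRL("CN=Example Corp CA", T0, T0 + timedelta(days=7),
                                         [0x1001, 0x1003])}

def demo_results():
    """Decisions for: a good cert one day in; a revoked cert; a good cert after the CRL went stale."""
    cases = ((0x1002, T0 + timedelta(days=1)), (0x1003, T0 + timedelta(days=1)),
             (0x1002, T0 + timedelta(days=30)))
    return [ike_peer_cert_accepted("CN=Example Corp CA", s, SAMPLE_CRLS, t)[0] for s, t in cases]

if __name__ == "__main__":
    print(demo_results())  # expect [True, False, False]
```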
VPN Configuration Scenarios on the FVG318
There are a variety of configurations you might implement with the FVG318. The scenarios listed
below illustrate typical configurations you might use in your organization.
To make it easier to set up an IPsec system, the following two scenarios are provided.
These scenarios were developed by the VPN Consortium (
). The goal is to
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing
you with both of these scenarios in the following two formats:
VPN Consortium Scenarios without any product implementation details
VPN Consortium Scenarios based on the FVG318 User Interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go
to the NETGEAR Web site (
) and select VPN01L_VPN05L in the Product
Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN
Client.
Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC.
VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A’s LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B’s WAN (Internet)
interface has the address 22.23.24.25. Gateway B’s LAN interface address, 172.23.9.1, can be
used for testing IPsec but is not needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
Main mode
TripleDES
SHA-1
MODP group 2 (1024 bits)
pre-shared secret of “hr5xb84l6aa9r6”
SA lifetime of 28800 seconds (eight hours) with no kilobytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
Figure 6-4