ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual
Advanced Virtual Private Networking
6-15
v1.0, September 2007
VPN Consortium Scenario 2: FVG318 Gateway to Gateway with Digital Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509 (PKIX) certificates for authentication. The network setup is identical to the one given in Scenario 1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in Scenario 1, with the exception that the identification is done with signatures authenticated by PKIX certificates.
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the FVG318. For instructions on this topic, see “Configuring Your Time Zone” on page 2-11.

1. Obtain a root certificate.
   a. Obtain the root certificate (that includes the public key) from a Certificate Authority (CA).
   b. Save the certificate as a text file called trust.txt.

Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates to provide certificates for its members. For example, an administrator of a Windows 2000 certificate server might provide it to you via e-mail.

2. Install the trusted CA certificate for the Trusted Root CA.
   a. Log in to the FVG318.
   b. Select VPN > Certificates from the menu.
   c. In the Self Certificate Requests section, click Browse to locate the trust.txt file.
   d. Click Upload.
3. Create a certificate request for the FVG318.
   e. Fill in the required fields on the Generate Self Certificate section.
      Name. Enter a name to identify this certificate.
      Subject. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.
      Hash Algorithm. Select the desired option: MD5 or SHA1.
      Signature Algorithm. Select the desired option: DSS or RSA.
      Signature Key Length. Select the desired option: 512, 1024, or 2048.
   f. Fill in any optional fields on the Add Self Certificate screen that may apply.
      IP Address. If you use “IP type” in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank.
      Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
      E-mail address. You can enter your e-mail address here.
Figure 6-10
   g. Click Generate. The FVG318 generates a pending Self Certificate Request as shown below. Click view to display the data.
4. Transmit the Self Certificate Request data to the Trusted Root CA.
   a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
   b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign and of a CA such as a Windows 2000 certificate server administrator will differ. Follow the procedures of your CA.
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
6. Upload the new certificate.
   c. Select the checkbox of the Self Certificate Request you want to upload.
   d. Browse to the location of the file you saved in Step 5 above that contains the certificate from the CA.
   e. Click the Upload button.
Figure 6-11
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.
   f. The “FVG318” certificate will display in the Active Self Certificates table and the pending “FVG318” Self Certificate Request will be deleted.
7. Associate the new certificate and the Trusted Root CA certificate on the FVG318.
   a. Create a new IKE policy called Scenario_2 with all the same properties as Scenario_1, except now select the RSA Signature radio box instead of the Pre-shared key.
   b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2.
Now, the traffic from devices within the range of the LAN subnet addresses on FVG318 A and Gateway B will be authenticated using the certificates rather than via a pre-shared key.
8. Set up Certificate Revocation List (CRL) checking.
   a. Get a copy of the CRL from the CA and save it as a text file.
   b. Select VPN > Certificates from the main menu and scroll down to the Certificate Revocation Lists (CRL) section.
   c. Click Browse to locate the CRL file.
   d. Click Upload. The CRL will be uploaded to the Certificate Revocation Lists (CRL) table.
Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by IKE policies which use this CA.

Note: The procedure for obtaining a CRL differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates to provide certificates for its members. Follow the procedures of your CA.

Note: You must update the CRLs regularly in order to maintain the validity of the certificate-based VPN policies.
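As an added lab example (not code from the NETGEAR manual), the CA side of this scenario done with openssl: it builds a small root CA, issues the FVG318 certificate from a request carrying the Subject and IP Address fields described above, and shows the CRL check passing and then rejecting the certificate once it is revoked. The company name, the address 203.0.113.10 and the file names are constructed, and the lab uses SHA-256 with 2048-bit RSA keys rather than the MD5/SHA1 options the FVG318 screen offers.

```shell
#!/bin/sh
# Added lab example, not code from the NETGEAR manual: a small openssl CA playing the
# "Trusted Root CA" of Scenario 2. It produces the files the FVG318 procedure uploads
# (trust.txt = root cert, final.txt = signed FVG318 cert, crl.pem = CRL) and shows the
# CRL check passing, then failing once the certificate is revoked. Names are constructed.
set -eu
lab_pki_demo() (
  work=$(mktemp -d); cd "$work"; : > index.txt; echo 01 > serial
  # Minimal openssl ca configuration; copy_extensions carries the IP SAN from the request.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = trust.txt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
copy_extensions = copy
[ lab_policy ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Step 1: the root certificate the firewall imports as trust.txt.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -subj "/O=Example Co/CN=Example Co Lab Root CA" -keyout ca.key -out trust.txt 2>/dev/null
  # Step 3: the Self Certificate Request (Subject = company name, RSA 2048-bit key, IP Address =
  # WAN address used as IKE identity). The UI offers MD5/SHA1; the lab uses SHA-256 throughout.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf -subj "/O=Example Co/CN=Example Co" \
    -addext "subjectAltName=IP:203.0.113.10" -keyout fvg318.key -out fvg318.csr 2>/dev/null
  # Steps 4-6: the CA signs the request; final.txt is what goes back to the firewall.
  openssl ca -batch -notext -config ca.cnf -in fvg318.csr -out final.txt 2>/dev/null
  # Step 8: first CRL (nothing revoked yet): the certificate still verifies.
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  openssl verify -CAfile trust.txt -crl_check -CRLfile crl.pem final.txt >/dev/null 2>&1 || exit 1
  # Revoke and reissue the CRL: the "regular CRL update" the manual's note asks for.
  openssl ca -config ca.cnf -revoke final.txt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  if openssl verify -CAfile trust.txt -crl_check -CRLfile crl.pem final.txt >/dev/null 2>&1; then
    exit 1  # a revoked certificate must no longer pass
  fi
  echo "revoked-cert-rejected"
)
```

Run `lab_pki_demo` after sourcing the script; the working directory it creates keeps trust.txt, final.txt and crl.pem for inspection with `openssl x509 -text` and `openssl crl -text`.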
Chapter 7
Maintenance
This chapter describes how to use the maintenance features of your ProSafe 802.11g Wireless
VPN Firewall. These features can be found by selecting Monitoring > Router Status from the main
menu of the browser interface.
Viewing VPN Firewall Router Status Information
The Router Status menu provides status and usage information. From the main menu of the browser interface, click Monitoring > Router Status to view this screen.
Figure 7-1