Virtual Private Networking
6-1
May 2004, 202-10030-02
Chapter 6
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. See also “How to Use the VPN Wizard to Configure a VPN Tunnel” on page 6-15.
Overview of FVL328 Policy-Based VPN Configuration
The FVL328 uses state-of-the-art firewall and security technology to facilitate controlled and
actively monitored VPN connectivity. Since the FVL328 strictly conforms to Internet Engineering
Task Force (IETF) standards, it is interoperable with devices from major network equipment
vendors.
Figure 6-1: Secure access through FVL328 VPN routers (diagram: two FVL328 VPN Firewalls joined by VPN tunnels that encrypt data, plus a telecommuter with client software)
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVL328. There are two kinds of policies:
IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The
FVL328 also allows you to manually input the authentication scheme and encryption key values.
VPN Manual policies manage the keys according to settings you select and do not use IKE
policies.
In order to establish secure communication over the Internet with the remote site you need to configure matching VPN parameters on both the local and remote sites. The outbound VPN parameters on one end must match the inbound VPN parameters on the other end, and vice versa.
When network traffic enters the FVL328 from the LAN network interface, if no VPN policy is found for that type of network traffic, the traffic passes through without any change. However, if the traffic is selected by a VPN policy, then the Internet Protocol security (IPSec) authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy
table. You can change the priority by selecting the VPN policy from the policy table and clicking
Move.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform authentication. Typically, CA authentication is used in large organizations which maintain their own internal CA server. This requires that each VPN gateway have its own certificate and trust the root certificate of the CA. Using CAs reduces the amount of data entry required on each VPN endpoint.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
Figure 6-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.

Table 6-1. IKE Policy Configuration Fields

General: These settings identify this policy and determine its major characteristics.

Policy Name: The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.

Direction/Type: This setting is used when determining if the IKE policy matches the current traffic. The drop-down menu includes the following:
  Initiator – Outgoing connections are allowed, but incoming are blocked.
  Responder – Incoming connections are allowed, but outgoing are blocked.
  Both Directions – Both outgoing and incoming connections are allowed.
  Remote Access – This is to allow only incoming client connections, where the IP address of the remote client is unknown.
  If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST be “Name.” On the matching VPN Policy, the IP address of the remote VPN endpoint should be set to 0.0.0.0.

Exchange Mode: Main Mode or Aggressive Mode. This setting must match the setting used on the remote VPN endpoint. Main Mode is slower but more secure. Aggressive Mode is faster but less secure.

Local: These parameters apply to the local FVL328 firewall.

Local Identity Type: Use this field to identify the local FVL328. You can choose one of the following four options from the drop-down list:
  By its Internet (WAN) port IP address.
  By its Fully Qualified Domain Name (FQDN) – your domain name.
  By a Fully Qualified User Name – your name, e-mail address, or other ID.
  By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER) encoding of your ASN.1 X.500 Distinguished Name.

Local Identity Data: This field lets you identify the local FVL328 by name.
Remote: These parameters apply to the target remote FVL328 firewall, VPN gateway, or VPN client.

Remote Identity Type: Use this field to identify the remote FVL328. You can choose one of the following four options from the drop-down list:
  By its Internet (WAN) port IP address.
  By its Fully Qualified Domain Name (FQDN) – your domain name.
  By a Fully Qualified User Name – your name, e-mail address, or other ID.
  By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500 Distinguished Name.

Remote Identity Data: This field lets you identify the target remote FVL328 by name.

IKE SA Parameters: These parameters determine the properties of the IKE Security Association.

Encryption Algorithm: Choose the encryption algorithm for this IKE policy:
  DES
  3DES – more secure and the default

Authentication Algorithm: If you enable Authentication Headers (AH), this menu lets you select from these authentication algorithms:
  MD5 – less secure
  SHA-1 – more secure (default)

Authentication Method: You can select Pre-Shared Key or RSA Signature.

Pre-Shared Key: Specify the key according to the requirements of the Authentication Algorithm you selected. For MD5, the key length should be 16 bytes. For SHA-1, the key length should be 20 bytes.

RSA Signature: RSA Signature requires a certificate.

Diffie-Hellman (DH) Group: The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH Group setting determines the size of the key used in the key exchange. This must match the value used on the remote VPN gateway or client. Select Group 1 (768 bit) or Group 2 (1024 bit).

SA Life Time: The amount of time in seconds before the Security Association expires; over an hour (3600) is common.
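As an added example (not part of the NETGEAR manual, and the FVL328 exposes no such API), the following Python linter checks a proposed IKE policy against the rules stated in Table 6-1 and lists the IKE SA parameters the table says must agree on both endpoints; the dictionary field names, the reading of "Name" identities as FQDN or Fully Qualified User Name, and the two sample policies are constructed for illustration.

```python
from typing import Dict, List

# Constraints taken from Table 6-1 of the FVL328 manual.
PSK_LENGTH = {"MD5": 16, "SHA-1": 20}    # pre-shared key size in bytes per auth algorithm
DH_GROUP_BITS = {1: 768, 2: 1024}        # MODP Oakley Groups 1 and 2
NAME_IDENTITIES = {"FQDN", "User Name"}  # assumption: what the table calls a "Name" identity
MUST_MATCH = ("exchange_mode", "encryption", "auth_algorithm", "dh_group")

def lint_ike_policy(p: Dict) -> List[str]:
    """Return findings for one IKE policy; an empty list means it satisfies the
    table's hard rules and takes the stronger option wherever the table offers one."""
    findings = []
    if p["direction"] == "Remote Access":
        # Remote Access forces Aggressive Mode and Name identities on both sides.
        if p["exchange_mode"] != "Aggressive":
            findings.append("Remote Access requires Exchange Mode 'Aggressive'")
        for side in ("local_identity_type", "remote_identity_type"):
            if p[side] not in NAME_IDENTITIES:
                findings.append(f"Remote Access requires {side} to be a Name")
    elif p["exchange_mode"] == "Aggressive":
        findings.append("Aggressive Mode is faster but less secure than Main Mode")
    if p["auth_method"] == "Pre-Shared Key":
        # The required key length follows the authentication algorithm.
        want = PSK_LENGTH[p["auth_algorithm"]]
        if len(p["pre_shared_key"].encode()) != want:
            findings.append(f"pre-shared key must be {want} bytes for {p['auth_algorithm']}")
    if p["dh_group"] not in DH_GROUP_BITS:
        findings.append("DH group must be 1 (768 bit) or 2 (1024 bit)")
    if p["encryption"] == "DES":
        findings.append("DES selected; 3DES is the more secure default")
    if p["auth_algorithm"] == "MD5":
        findings.append("MD5 selected; SHA-1 is the more secure default")
    return findings

def mismatches(local: Dict, remote: Dict) -> List[str]:
    """IKE SA parameters that Table 6-1 says must agree on both VPN endpoints."""
    return [f for f in MUST_MATCH if local[f] != remote[f]]

# Constructed sample policies for illustration (not taken from the manual).
HEADQUARTERS = {"direction": "Both Directions", "exchange_mode": "Main",
                "local_identity_type": "IP", "remote_identity_type": "IP",
                "encryption": "3DES", "auth_algorithm": "SHA-1",
                "auth_method": "Pre-Shared Key", "pre_shared_key": "k" * 20,
                "dh_group": 2}
# Telecommuter policy with three mistakes: Main Mode, an IP local identity, a 16-byte key.
TELECOMMUTER = {**HEADQUARTERS, "direction": "Remote Access",
                "remote_identity_type": "FQDN", "pre_shared_key": "k" * 16,
                "dh_group": 1}
```

Running `lint_ike_policy` on each side and `mismatches` across the pair before committing the configuration catches the cases the table marks MUST before the tunnel fails to negotiate.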