Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
Virtual Private Networking
6-11
May 2004, 202-10030-02
The VPN Manual Policy fields are defined in the following table.

Table 6-1. VPN Manual Policy Configuration Fields

Field
    Description

General
    These settings identify this policy and determine its major characteristics.

Policy Name
    The name of the VPN policy. Each policy should have a unique policy name. This name is not
    supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.

Remote VPN Endpoint
    The WAN Internet IP address or Fully Qualified Domain Name of the remote VPN firewall or
    client to which you want to connect. The remote VPN endpoint must have this FVL328’s WAN
    Internet IP address entered as its “Remote VPN Endpoint.”

Traffic Selector
    These settings determine if and when a VPN tunnel will be established. If network traffic
    meets all criteria, then a VPN tunnel will be created.

Local IP
    The drop-down menu allows you to configure the source IP address of the outbound network
    traffic for which this VPN policy will provide security. Usually, this address will be from
    your network address space. The choices are:
    - ANY for all valid IP addresses in the Internet address space
      Note: Choosing ANY sends all traffic through the tunnel, which will eliminate activities
      such as Web access.
    - Single IP Address
    - Range of IP Addresses
    - Subnet Address

Remote IP
    The drop-down menu allows you to configure the destination IP address of the outbound
    network traffic for which this VPN policy will provide security. Usually, this address will
    be from the remote site's corporate network address space. The choices are:
    - ANY for all valid IP addresses in the Internet address space
      Note: Choosing ANY sends all traffic to the WAN through the tunnel, preventing, for
      example, remote management or response to ping.
    - Single IP Address
    - Range of IP Addresses
    - Subnet Address
Authenticating Header (AH) Configuration
    AH specifies the authentication protocol for the VPN header. These settings must match the
    remote VPN endpoint.
    Note: The “Incoming” settings must match the “Outgoing” settings on the remote VPN
    endpoint, and the “Outgoing” settings must match the “Incoming” settings on the remote VPN
    endpoint.

SPI - Incoming
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint
    has the same value in its "Outgoing SPI" field.

SPI - Outgoing
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint
    has the same value in its "Incoming SPI" field.

Enable Authentication
    Use this check box to enable or disable AH. Authentication is often not used, so you can
    leave the check box unselected.

Authentication Algorithm
    If you enable AH, then select the authentication algorithm:
    - MD5 – the default
    - SHA1 – more secure
    Enter the keys in the fields provided. For MD5, the keys should be 16 characters. For
    SHA-1, the keys should be 20 characters.

Key - In
    Enter the keys. For MD5, the keys should be 16 characters. For SHA-1, the keys should be
    20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value
    in its Authentication Algorithm "Key - Out" field.

Key - Out
    Enter the keys in the fields provided. For MD5, the keys should be 16 characters. For
    SHA-1, the keys should be 20 characters. Any value is acceptable, provided the remote VPN
    endpoint has the same value in its Authentication Algorithm "Key - In" field.
Encapsulated Security Payload (ESP) Configuration
    ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you
    will want to enable both encryption and authentication when you use ESP. Two ESP modes are
    available:
    - Plain ESP encryption
    - ESP encryption with authentication
    These settings must match the remote VPN endpoint.

SPI - Incoming
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint
    has the same value in its "Outgoing SPI" field.

SPI - Outgoing
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint
    has the same value in its "Incoming SPI" field.

Enable Encryption
    Use this check box to enable or disable ESP Encryption.

Encryption Algorithm
    If you enable ESP Encryption, then select the Encryption Algorithm:
    - DES – the default
    - 3DES – more secure

Key - In
    Enter the key in the fields provided. For DES, the key should be 8 characters. For 3DES,
    the key should be 24 characters. Any value is acceptable, provided the remote VPN endpoint
    has the same value in its Encryption Algorithm "Key - Out" field.

Key - Out
    Enter the key in the fields provided. For DES, the key should be 8 characters. For 3DES,
    the key should be 24 characters. Any value is acceptable, provided the remote VPN endpoint
    has the same value in its Encryption Algorithm "Key - In" field.
Enable Authentication
    Use this check box to enable or disable ESP authentication for this VPN policy.

Authentication Algorithm
    If you enable authentication, then use this menu to select the algorithm:
    - MD5 – the default
    - SHA1 – more secure

Key - In
    Enter the key. For MD5, the key should be 16 characters. For SHA-1, the key should be
    20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value
    in its Authentication Algorithm "Key - Out" field.

Key - Out
    Enter the key in the fields provided. For MD5, the key should be 16 characters. For SHA-1,
    the key should be 20 characters. Any value is acceptable, provided the remote VPN endpoint
    has the same value in its Authentication Algorithm "Key - In" field.

NetBIOS Enable
    Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS
    protocol is used by Microsoft Networking for such features as Network Neighborhood.

Using Digital Certificates for IKE Auto-Policy Authentication

Digital certificates are character strings generated using encryption and authentication schemes
which cannot be duplicated by anyone without access to the different values used in the production
of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a
workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification
Authorities (PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA).
The FVL328 is able to use certificates to authenticate users at the endpoints during the IKE key
exchange process.

The certificates can be obtained from a certificate server an organization might maintain internally
or from the established public CAs. The certificates are produced by providing the particulars of
the user being identified to the CA. The information provided may include the user's name, e-mail
ID, domain name, etc.
A CA is part of a trust chain. A CA has a public key which is signed. The combination of the
signed public key and the private key enables the CA process to eliminate ‘man in the middle’
security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the
CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added
to the FVL328 and can then be used to form IKE policies for the user. Once a CA certificate is
added to the FVL328 and a certificate is created for a user, the corresponding IKE policy is added
to the FVL328. Whenever the user tries to send traffic through the FVL328, the certificates are
used in place of pre-shared keys during the initial key exchange as the authentication and key
generation mechanism. Once the keys are established and the tunnel is set up, the connection
proceeds according to the VPN policy.

Certificate Revocation List (CRL)

Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).

Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVL328 obtained from the corresponding CA. If the certificate is not present in the
CRL, the certificate is not revoked, and IKE can then use this certificate for authentication. If the
certificate is present in the CRL, the certificate is revoked, and IKE will not authenticate the client.

You must manually update the FVL328 CRL regularly in order for the CA-based authentication
process to remain valid.
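A consistency check for the manual policy values of Table 6-1, added here as an example and not part of the manual or of NETGEAR's firmware: it enforces the SPI format and key-length rules the table states and the mirroring rule that each endpoint's Incoming SPI and Key - In must equal the peer's Outgoing SPI and Key - Out. The ManualSA class, the function names and the sample values are constructed for this example.

```python
# Checker for the FVL328 manual VPN policy fields of Table 6-1 (constructed example, not NETGEAR code).
import re
from dataclasses import dataclass

AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}      # AH and ESP authentication key lengths (characters)
ENC_KEY_LEN = {"DES": 8, "3DES": 24}        # ESP encryption key lengths (characters)
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")  # "Enter a Hex value (3 - 8 chars)"


@dataclass
class ManualSA:  # one AH or ESP section as entered on one endpoint (hypothetical type)
    spi_in: str
    spi_out: str
    algorithm: str
    key_in: str
    key_out: str


def check_sa(sa, key_lens):
    """Return the problems in one endpoint's section; key_lens is AUTH_KEY_LEN or ENC_KEY_LEN."""
    problems = []
    for name, spi in (("SPI - Incoming", sa.spi_in), ("SPI - Outgoing", sa.spi_out)):
        if not SPI_RE.match(spi):
            problems.append(f"{name}: must be a hex value of 3 to 8 chars")
    want = key_lens.get(sa.algorithm)
    if want is None:
        return problems + [f"unknown algorithm {sa.algorithm!r}"]
    for name, key in (("Key - In", sa.key_in), ("Key - Out", sa.key_out)):
        if len(key) != want:
            problems.append(f"{name}: {sa.algorithm} key must be {want} chars, got {len(key)}")
    return problems


def check_pair(local, remote, key_lens):
    """Check both endpoints, then the mirroring rule: local Incoming/In must equal remote Outgoing/Out."""
    problems = [f"local: {p}" for p in check_sa(local, key_lens)] + [f"remote: {p}" for p in check_sa(remote, key_lens)]
    if local.algorithm != remote.algorithm:
        problems.append("algorithm differs between endpoints")
    mirrored = [("SPI - Incoming", local.spi_in.lower(), "SPI - Outgoing", remote.spi_out.lower()),
                ("SPI - Outgoing", local.spi_out.lower(), "SPI - Incoming", remote.spi_in.lower()),
                ("Key - In", local.key_in, "Key - Out", remote.key_out),
                ("Key - Out", local.key_out, "Key - In", remote.key_in)]
    for lname, lval, rname, rval in mirrored:
        if lval != rval:
            problems.append(f"local {lname} != remote {rname}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 3DES ESP section whose peer mirrored the In/Out values correctly.
    local = ManualSA("1a2b", "3c4d", "3DES", "k" * 24, "m" * 24)
    remote = ManualSA("3c4d", "1a2b", "3DES", "m" * 24, "k" * 24)
    print(check_pair(local, remote, ENC_KEY_LEN) or "ESP section consistent on both endpoints")
```

Run it against the values typed into both firewalls before bringing the tunnel up; an empty result means every field satisfies the table's format and mirroring rules.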
How to Use the VPN Wizard to Configure a VPN Tunnel

Follow this procedure to configure a VPN tunnel using the VPN Wizard.

Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will
fail if both are using the NETGEAR default address range of 192.168.0.x.

Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first open
UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for VPN Tunnels
when NAT is Off” on page 5-9.
