Reference Manual for the ProSafe VPN Firewall FVS114
4-18
Firewall Protection and Content Filtering
202-10098-01, April 2005
Log entries are described in Table 4-1. Log action buttons are described in Table 4-2.
Syslog
You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Enter the IP address of the logging PC and click the Enable Syslog check box. Logging programs are available for Windows, Macintosh, and Linux computers.
Table 4-1. Log entry descriptions
Field: Description
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device, and whether it is on the LAN or WAN.
Table 4-2. Log action buttons
Button: Description
Refresh: Refresh the log screen.
Clear Log: Clear the log entries.
Send Log: Email the log immediately.
Chapter 5
Basic Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVS114 VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
The VPN information is organized as follows:
“Overview of VPN Configuration” on page 5-2 provides an overview of the two most common VPN configurations: client-to-gateway and gateway-to-gateway.
“Planning a VPN” on page 5-3 provides the VPN Committee (VPNC) recommended default parameters set by the VPN Wizard.
“VPN Tunnel Configuration” on page 5-5 summarizes the two ways to configure a VPN tunnel: VPN Wizard (recommended for most situations) and Advanced (see Chapter 6, “Advanced Virtual Private Networking”).
“How to Set Up a Client-to-Gateway VPN Configuration” on page 5-5 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client.
“How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard.
“VPN Tunnel Control” on page 5-26 provides the step-by-step procedures for activating, verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured.
Chapter 6, “Advanced Virtual Private Networking” provides the steps needed to configure VPN tunnels when there are special circumstances and the VPNC recommended defaults of the VPN Wizard are inappropriate.
Appendix C, “Virtual Private Networking” discusses Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available, standards-based protocols developed for transporting data.
Overview of VPN Configuration
Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway and between two or more network gateways. The FVS114 supports both of these types of VPN configurations. The FVS114 VPN Firewall supports up to eight concurrent tunnels.
Client-to-Gateway VPN Tunnels
Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter connecting to an office network (see Figure 5-1).
Figure 5-1: Client-to-gateway VPN tunnel
VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The FVS114 VPN Firewall on your network is the other tunnel endpoint. See “How to Set Up a Client-to-Gateway VPN Configuration” on page 5-5 to set up this configuration.
Gateway-to-Gateway VPN Tunnels
Gateway-to-gateway VPN tunnels provide secure access between networks, such as a branch or home office and a main office (see Figure 5-2).
[Figure 5-1 diagram labels: 192.168.3.1, VPN Tunnel, FVS114, 24.0.0.1, PCs]
Figure 5-2: Gateway-to-gateway VPN tunnel
A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use FVS114s on each end of the tunnel to form the VPN tunnel end points. See “How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20 to set up this configuration.
Planning a VPN
To set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. You must configure the outbound VPN settings on one end to match the inbound VPN settings on the other end, and vice versa.
This set of configuration information defines a security association (SA) between the two VPN endpoints. When planning your VPN, you must make a few choices first:
Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC?
Will the remote end be any device on the remote LAN, a portion of the remote network (as defined by a subnet or by a range of IP addresses), or a single PC?
Will either endpoint use Fully Qualified Domain Names (FQDNs)? Many DSL accounts are provisioned with DHCP addressing, where the IP address of the WAN port can change from time to time. Under these circumstances, configuring the WAN port with a dynamic DNS (DynDNS) service provider simplifies the configuration task. When DynDNS is configured on the WAN port, configure the VPN using the FQDN.
[Figure 5-2 diagram labels: VPN Gateway A, VPN Gateway B, VPN Tunnel, PCs, PCs]
FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator.
What method will you use to configure your VPN tunnels?
  The VPN Wizard using VPNC defaults (see Table 5-1)
  Advanced methods (see Chapter 6, “Advanced Virtual Private Networking”)
What level of IPSec VPN encryption will you use?
  DES — The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES.
  3DES — 3DES (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
  AES — AES (Advanced Encryption Standard) is the optimal choice for security-conscious organizations, but the hardware at each end of the tunnel must support it.
What level of authentication will you use?
  MD5 — 128 bits, faster but less secure.
  SHA-1 — 160 bits, slower but more secure.
Table 5-1. Parameters recommended by the VPNC and used in the VPN Wizard
Parameter: Factory Default
Secure Association: Main Mode
Authentication Method: Pre-shared Key
Encryption Method: 3DES
Authentication Protocol: SHA-1
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
Key Life: 8 hours
IKE Life Time: 24 hours
NETBIOS: Enabled
Note: NETGEAR publishes additional interoperability scenarios with various gateway and client software products.
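As an added illustration of the planning rules above (example code written for this page, not code from the manual or from NETGEAR), the following Python models each endpoint's settings, checks that the outbound selectors of one side mirror the inbound selectors of the other, lists parameters that leave the Table 5-1 wizard defaults and so require Advanced configuration, and applies the dynamic-IP/FQDN rule to decide which side may initiate the tunnel. The Endpoint fields, network ranges and pre-shared key are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# VPN Wizard defaults from Table 5-1, keyed by parameter (constructed dict, not NETGEAR code).
VPNC_DEFAULTS = {
    "secure_association": "Main Mode",
    "authentication_method": "Pre-shared Key",
    "encryption_method": "3DES",
    "authentication_protocol": "SHA-1",
    "dh_group": "Group 2 (1024 bit)",
    "key_life": "8 hours",
    "ike_life_time": "24 hours",
}

@dataclass
class Endpoint:
    name: str
    addressing: str   # "static" IP, "fqdn" (DynDNS name), or "dynamic" IP with no FQDN
    local_net: str    # network this side exposes through the tunnel (its outbound selector)
    remote_net: str   # network it expects behind the peer (its inbound selector)
    psk: str          # pre-shared key entered on this side
    sa: dict          # IKE/IPSec parameters, same keys as VPNC_DEFAULTS

def needs_advanced(ep: Endpoint) -> list:
    """Parameters that differ from the wizard defaults and so need the Chapter 6 Advanced setup."""
    return [k for k, v in VPNC_DEFAULTS.items() if ep.sa.get(k) != v]

def check_pair(a: Endpoint, b: Endpoint) -> list:
    """Mismatches that would keep the two endpoints from forming one security association."""
    problems = []
    for key in VPNC_DEFAULTS:
        if a.sa.get(key) != b.sa.get(key):
            problems.append(f"{key}: {a.name}={a.sa.get(key)!r} vs {b.name}={b.sa.get(key)!r}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    # Outbound settings on one end must match the inbound settings on the other, and vice versa.
    for near, far in ((a, b), (b, a)):
        if ip_network(near.local_net) != ip_network(far.remote_net):
            problems.append(f"{near.name} local {near.local_net} != {far.name} remote {far.remote_net}")
    return problems

def allowed_initiators(a: Endpoint, b: Endpoint) -> list:
    """Sides that may open the tunnel: a peer can be contacted only via a static IP or an FQDN,
    so a dynamic-IP side without DynDNS must always be the initiator."""
    def reachable(ep: Endpoint) -> bool:
        return ep.addressing in ("static", "fqdn")
    return [near.name for near, far in ((a, b), (b, a)) if reachable(far)]
```

Build one Endpoint per gateway from its configured settings; an empty list from check_pair together with a non-empty list from allowed_initiators means the pair can bring the tunnel up, and an empty initiator list means both sides are on dynamic addresses without an FQDN and neither can reach the other.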
