Reference Manual for the ProSafe VPN Firewall FVS114

4-18

Firewall Protection and Content Filtering

202-10098-01, April 2005

Log entries are described in

Table 4-1

Log action buttons are described in

Table 4-2

Syslog

You can configure the firewall to send system logs to an external PC that is running a syslog

logging program. Enter the IP address of the logging PC and click the

Enable Syslog

check box.

Logging programs are available for Windows, Macintosh, and Linux computers.

Table 4-1.

Log entry descriptions

Field

Description

Date and Time

The date and time the log entry was recorded.

Description or

Action

The type of event and what action was taken if any.

Source IP

The IP address of the initiating device for this log entry.

Source port and

interface

The service port number of the initiating device, and whether it

originated from the LAN or WAN.

Destination

The name or IP address of the destination device or Web site.

Destination port and

interface

The service port number of the destination device, and whether it’s on

the LAN or WAN.

Table 4-2.

Log action buttons

Button

Description

Refresh

Refresh the log screen.

Clear Log

Clear the log entries.

Send Log

Email the log immediately.

Basic Virtual Private Networking

5-1

202-10098-01, April 2005

Chapter 5

Basic Virtual Private Networking

This chapter describes how to use the virtual private networking (VPN) features of the FVS114

VPN Firewall. VPN communications paths are called tunnels. VPN tunnels provide secure,

encrypted communications between your local network and a remote network or computer.

The VPN information is organized as follows:

•

“Overview of VPN Configuration” on page 5-2

provides an overview of the two most

common VPN configurations: client-to-gateway and gateway-to-gateway.

•

“Planning a VPN” on page 5-3

provides the VPN Committee (VPNC) recommended default

parameters set by the VPN Wizard.

•

“VPN Tunnel Configuration” on page 5-5

summarizes the two ways to configure a VPN

tunnel: VPN Wizard (recommended for most situations) and Advanced (see

Chapter 6,

“Advanced Virtual Private Networking

).

•

“How to Set Up a Client-to-Gateway VPN Configuration” on page 5-5

provides the steps

needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN

Wizard and the NETGEAR ProSafe VPN Client.

•

“How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20

provides the steps

needed to configure a VPN tunnel between two network gateways using the VPN Wizard.

•

“VPN Tunnel Control” on page 5-26

provides the step-by-step procedures for activating,

verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured.

•

Chapter 6, “Advanced Virtual Private Networking

” provides the steps needed to configure

VPN tunnels when there are special circumstances and the VPNC recommended defaults of

the VPN Wizard are inappropriate.

•

Appendix C, “Virtual Private Networking

” discusses Virtual Private Networking (VPN)

Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and

commercially available, standards-based protocols developed for transporting data.

Reference Manual for the ProSafe VPN Firewall FVS114

5-2

Basic Virtual Private Networking

202-10098-01, April 2005

Overview of VPN Configuration

Two common scenarios for configuring VPN tunnels are between a remote personal computer and

a network gateway and between two or more network gateways. The FVS114 supports both of

these types of VPN configurations. The FVS114 VPN Firewall supports up to eight concurrent

tunnels.

Client-to-Gateway VPN Tunnels

Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter

connecting to an office network (see

Figure 5-1

).

Figure 5-1:

Client-to-gateway VPN tunnel

A VPN client access allows a remote PC to connect to your network from any location on the

Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The

FVS114 VPN Firewall on your network is the other tunnel endpoint. See

“How to Set Up a

Client-to-Gateway VPN Configuration” on page 5-5

to set up this configuration.

Gateway-to-Gateway VPN Tunnels

•

Gateway-to-gateway VPN tunnels provide secure access between networks, such as a branch

or home office and a main office (see

Figure 5-2

).

192.168.3.1

VPN Tunnel

FVS114

24.0.0.1

PCs

Reference Manual for the ProSafe VPN Firewall FVS114

Basic Virtual Private Networking

5-3

202-10098-01, April 2005

Figure 5-2:

Gateway-to-gateway VPN tunnel

A VPN between two or more NETGEAR VPN-enabled firewalls is a good way to connect branch

or home offices and business partners over the Internet. VPN tunnels also enable access to network

resources across the Internet. In this case, use FVS114s on each end of the tunnel to form the VPN

tunnel end points. See

“How to Set Up a Gateway-to-Gateway VPN Configuration” on page 5-20

to set up this configuration.

Planning a VPN

To set up a VPN connection, you must configure each endpoint with specific identification and

connection information describing the other endpoint. You must configure the outbound VPN

settings on one end to match the inbound VPN settings on other end, and vice versa.

This set of configuration information defines a security association (SA) between the two VPN

endpoints. When planning your VPN, you must make a few choices first:

•

Will the local end be any device on the LAN, a portion of the local network (as defined by a

subnet or by a range of IP addresses), or a single PC?

•

Will the remote end be any device on the remote LAN, a portion of the remote network (as

defined by a subnet or by a range of IP addresses), or a single PC?

•

Will either endpoint use Fully Qualified Domain Names (FQDNs)? Many DSL accounts are

provisioned with DHCP addressing, where the IP address of the WAN port can change from

time to time. Under these circumstances, configuring the WAN port with a dynamic DNS

(DynDNS) service provider simplifies the configuration task. When DynDNS is configured on

the WAN port, configure the VPN using FDQN.

VPN Gateway A

VPN Gateway B

VPN Tunnel

PCs

PCs

Reference Manual for the ProSafe VPN Firewall FVS114

5-4

Basic Virtual Private Networking

202-10098-01, April 2005

FQDNs supplied by Dynamic DNS providers can allow a VPN endpoint with a dynamic IP

address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP

address must always be the initiator.

•

What method will you use to configure your VPN tunnels?

—

The VPN Wizard using VPNC defaults (see

Table 5-1

)

—

Advanced methods (see

Chapter 6, “Advanced Virtual Private Networking

”)

•

What level of IPSec VPN encryption will you use?

—

DES — The Data Encryption Standard (DES) processes input data that is 64 bits wide,

encrypting these values using a 56 bit key. Faster but less secure than 3DES.

—

3DES — 3DES (Triple DES) achieves a higher level of security by encrypting the data

three times using DES with three different, unrelated keys.

—

AES — AES (Advanced Encryption Standard) is the optimal choice for security

conscience organizations, but the hardware at each end of the tunnel must support it.

•

What level of authentication will you use?

—

MDS — 128 bits, faster but less secure.

—

SHA-1 — 160 bits, slower but more secure.

Table 5-1.

Parameters recommended by the VPNC and used in the VPN Wizard

Parameter

Factory Default

Secure Association

Main Mode

Authentication Method

Pre-shared Key

Encryption Method

3DES

Authentication Protocol

SHA-1

Diffie-Hellman (DH) Group

Group 2 (1024 bit)

Key Life

8 hours

IKE Life Time

24 hours

NETBIOS

Enabled

Note:

NETGEAR publishes additional interoperability scenarios with various gateway

and client software products.