Reference Manual for the ProSafe VPN Firewall FVS114
5-30
Basic Virtual Private Networking
202-10098-01, April 2005
Click Clear Log to delete all log entries.
3. Click VPN Status (Figure 5-37) to get the Current VPN Tunnels (SAs) screen (Figure 5-38).
Figure 5-38: Current VPN Tunnels (SAs) screen
This page lists the following data for each active VPN Tunnel.
SPI—each SA has a unique SPI (Security Parameter Index) for traffic in each direction. For Manual key exchange, the SPI is specified in the Policy definition. For Automatic key exchange, the SPI is generated by the IKE protocol.
Policy Name—the name of the VPN policy associated with this SA.
Remote Endpoint—the IP address of the remote VPN Endpoint.
Action—the action will be either a Drop or a Connect button.
SLifeTime (Secs)—the remaining Soft Lifetime for this SA in seconds. When the Soft Lifetime becomes zero, the SA (Security Association) will be re-negotiated.
HLifeTime (Secs)—the remaining Hard Lifetime for this SA in seconds. When the Hard Lifetime becomes zero, the SA (Security Association) will be terminated. (It will be re-established if required.)
Deactivating a VPN Tunnel
Sometimes a VPN tunnel must be deactivated for testing purposes. There are two ways to deactivate a VPN tunnel:
• Policy table on VPN Policies page
• VPN Status page
Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel
To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps:
1. Log in to the VPN Firewall.
2. Click on VPN Policies under VPN to get the VPN Policies screen below (Figure 5-39).
Figure 5-39: VPN Policies
3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.)
Using the VPN Status Page to Deactivate a VPN Tunnel
To use the VPN Status page to deactivate a VPN tunnel, perform the following steps:
1. Log in to the VPN Firewall.
2. Click VPN Status under VPN to get the VPN Status/Log screen (Figure 5-40).
Figure 5-40: VPN Status/Log screen
3. Click VPN Status (Figure 5-40) to get the Current VPN Tunnels (SAs) screen (Figure 5-41). Click Drop for the VPN tunnel you want to deactivate.
Figure 5-41: Current VPN Tunnels (SAs) screen
Deleting a VPN Tunnel
To delete a VPN tunnel:
1. Log in to the VPN Firewall.
2. Click VPN Policies under VPN to display the VPN Policies screen (Figure 5-42). Select the radio button for the VPN tunnel to be deleted and click the Delete button.
Figure 5-42: VPN Policies
Note: When NETBIOS is enabled (which it is in the VPNC defaults implemented by the VPN Wizard), automatic traffic will reactivate the tunnel. To prevent reactivation from happening, either disable NETBIOS or disable the policy for the tunnel (see “Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel” on page 5-30).
Chapter 6
Advanced Virtual Private Networking
This chapter describes how to use the advanced virtual private networking (VPN) features of the FVS114 VPN Firewall. See Chapter 5, “Basic Virtual Private Networking” for a description of how to use the basic VPN features.
Overview of FVS114 Policy-Based VPN Configuration
The FVS114 uses state-of-the-art firewall and security technology to facilitate controlled and
actively monitored VPN connectivity. Since the FVS114 strictly conforms to IETF standards, it is
interoperable with devices from major network equipment vendors.
Figure 6-1: Secure access through FVS114 VPN firewalls (two FVS114 VPN Firewalls, each with PCs behind it)
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FVS114. There are two kinds of policies:
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an IKE policy that uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
• VPN Policies: Apply the IKE policy to specific traffic that requires a VPN tunnel. Or, you can create a VPN policy that does not use an IKE policy but in which you manually enter all the authentication and key parameters.
Since VPN policies use IKE policies, you define the IKE policy first. The FVS114 also allows you to manually input the authentication scheme and encryption key values. In the case of manual key management there will not be any IKE policies.
In order to establish secure communication over the Internet with the remote site, you need to configure matching VPN policies on both the local and remote FVS114 VPN Firewalls. The outbound VPN policy on one end must match the inbound VPN policy on the other end, and vice versa.
When network traffic enters the FVS114 from the LAN network interface, if no VPN policy is found for that type of traffic, the traffic passes through without any change. However, if the traffic is selected by a VPN policy, the IPSec authentication and encryption rules defined in that VPN policy are applied to it.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy table.
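As an added illustration (not code from the manual or from NETGEAR), the following Python models the policy-table behaviour just described: ordered first-match selection, pass-through when nothing matches, a cleared Enable box taking a policy out of selection, and the mirrored-policy check between the two gateways. The addresses, policy names and field names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class VpnPolicy:
    name: str
    local_net: str        # LAN traffic selector on this gateway
    remote_net: str       # traffic selector on the far side of the tunnel
    local_gateway: str    # public IP of this VPN endpoint
    remote_gateway: str   # public IP of the remote VPN endpoint
    enabled: bool = True  # the Enable check box on the VPN Policies page

    def selects(self, src: str, dst: str) -> bool:
        # A cleared Enable box means the policy never selects traffic.
        return (self.enabled
                and ip_address(src) in ip_network(self.local_net)
                and ip_address(dst) in ip_network(self.remote_net))

class PolicyTable:
    def __init__(self) -> None:
        self.policies: List[VpnPolicy] = []

    def add(self, policy: VpnPolicy) -> None:
        # New policies go to the end of the table, i.e. least priority.
        self.policies.append(policy)

    def lookup(self, src: str, dst: str) -> Optional[VpnPolicy]:
        # First match in table order wins; None means pass through unchanged.
        for policy in self.policies:
            if policy.selects(src, dst):
                return policy
        return None

def mirrored(local: VpnPolicy, remote: VpnPolicy) -> bool:
    # Outbound policy on one end must equal the inbound policy on the other.
    return (local.local_net == remote.remote_net
            and local.remote_net == remote.local_net
            and local.local_gateway == remote.remote_gateway
            and local.remote_gateway == remote.local_gateway)

def example_table() -> PolicyTable:
    # Constructed sample: HQ LAN 192.168.0.0/24 behind 198.51.100.1,
    # branch LAN 10.0.0.0/24 behind 203.0.113.2 (documentation addresses).
    table = PolicyTable()
    table.add(VpnPolicy("hq_to_branch", "192.168.0.0/24", "10.0.0.0/24",
                        "198.51.100.1", "203.0.113.2"))
    table.add(VpnPolicy("hq_to_branch_srv", "192.168.0.0/24", "10.0.0.0/28",
                        "198.51.100.1", "203.0.113.2"))  # shadowed by the first
    return table
```

The second, narrower policy is never reached while the first is enabled, which is why a policy that must take precedence has to sit higher in the table.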
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typically, CA authentication is used in large organizations that maintain their own
internal CA server. This requires that each VPN gateway have a certificate from the CA. Using
CAs reduces the amount of data entry required on each VPN endpoint.