Reference Manual for the ProSafe VPN Firewall FVS114
Advanced Virtual Private Networking
6-3
202-10098-01, April 2005
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 6-2.
Figure 6-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.
Table 6-1.
IKE Policy Configuration fields
Field
Description
General
These settings identify this policy and determine its major characteristics.
Policy Name
The descriptive name of the IKE policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is
only used to help you identify IKE policies.
Direction/Type
This setting is used when determining if the IKE policy matches the current
traffic. The drop-down menu includes the following:
Initiator — Outgoing connections are allowed, but incoming are blocked.
Responder — Incoming connections are allowed, but outgoing are
blocked.
Both Directions — Both outgoing and incoming connections are allowed.
Remote Access — This is to allow only incoming client connections,
where the IP address of the remote client is unknown.
If Remote Access is selected, the Exchange Mode must be Aggressive,
and the Identities below (both Local and Remote) must be Name. On the
matching VPN Policy, the IP address of the remote VPN endpoint should
be set to 0.0.0.0.
Exchange Mode
Main Mode or Aggressive Mode. This setting must match the setting used on the remote VPN endpoint.
Main Mode is slower (six messages instead of three) but more secure: the identities are exchanged only after the channel has been encrypted. The Identity below must then be established by IP address.
Aggressive Mode is faster but less secure: the identities travel in the clear, and with pre-shared key authentication the responder's authentication hash is also sent unencrypted, so a captured exchange allows offline guessing of the pre-shared key. Its advantage is that the Identity below can be by name (host name, domain name, or e-mail address) instead of by IP address, which is what makes it usable for remote clients whose address is not known in advance.
Local
These parameters apply to the Local FVS114 VPN Firewall.
Local Identity Type
Use this field to identify the local FVS114. You can choose one of the
following four options from the drop-down list:
By its Internet (WAN) port IP address.
By its Fully Qualified Domain Name (FQDN) — your domain name.
By a Fully Qualified User Name — your name, E-mail address, or
other ID.
By DER ASN.1 DN — the binary DER encoding of your ASN.1 X.500
Distinguished Name.
Local Identity Data
The value of the identity type selected above (the WAN IP address, FQDN, user name, or DN). The remote endpoint must have exactly this value entered as its Remote Identity Data.
Page 93 / 212
Reference Manual for the ProSafe VPN Firewall FVS114
Advanced Virtual Private Networking
6-5
202-10098-01, April 2005
Remote
These parameters apply to the target remote FVS114, VPN gateway, or VPN client.
Remote Identity Type
Use this field to identify the remote VPN endpoint. You can choose one of the following four options from the drop-down list:
By its Internet (WAN) port IP address.
By its Fully Qualified Domain Name (FQDN) — the remote endpoint's domain name.
By a Fully Qualified User Name — a name, e-mail address, or other ID.
By DER ASN.1 DN — the binary DER encoding of the remote endpoint's ASN.1 X.500 Distinguished Name.
Remote Identity Data
The value of the identity type selected above (IP address, FQDN, user name, or DN). It must match exactly what the remote endpoint presents as its own Local Identity Data.
IKE SA Parameters
These parameters determine the properties of the IKE Security Association.
Encryption Algorithm
Choose the encryption algorithm for this IKE policy:
DES — the default. Its 56-bit key is no longer considered adequate.
3DES — more secure.
Authentication Algorithm
The hash algorithm used to authenticate (integrity-protect) the IKE messages. This is a property of the IKE SA itself and does not depend on whether the VPN policy later uses AH or ESP:
MD5 — the default.
SHA-1 — more secure.
Authentication Method
You may select Pre-Shared Key or RSA Signature.
Pre-Shared Key
Specify the key according to the Authentication Algorithm you selected: for MD5 the key should be 16 bytes long, for SHA-1 20 bytes. The same key must be configured on the remote endpoint. Use a random value rather than a word or phrase.
RSA Signature
RSA Signature requires a certificate.
Diffie-Hellman (D-H) Group
The DH Group setting determines the size of the modulus, and so the strength, of the key exchange. This must match the value used on the remote VPN gateway or client.
SA Life Time
The amount of time in seconds before the IKE Security Association expires and must be renegotiated; one hour (3600 seconds) or more is common.
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
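Because a VPN - Auto policy can only reference an IKE policy that already exists and is internally consistent, it pays to check a planned IKE policy against the rules of Table 6-1 before typing it into the menu. The following checker is an added example written for this page; it is not code from the manual or from the FVS114 firmware. The class and function names, the string values used for the menu choices, and the DH group default are assumptions of the example. It encodes the requirements the table states (Remote Access needs Aggressive Mode, Name identities and a 0.0.0.0 remote endpoint; Main Mode needs IP identities; the pre-shared key length follows the hash choice; exchange mode and DH group must match the peer) and separately warns about the options the manual itself calls less secure.

```python
"""Checker for the IKE policy rules stated in Table 6-1 (added example, not FVS114 code)."""
from dataclasses import dataclass
from typing import List, Tuple

# Identity types as listed in the IKE Policy Configuration menu. The manual's
# "Name" identities are taken here to mean FQDN and Fully Qualified User Name.
IP_ID = "WAN IP"
NAME_IDS = {"FQDN", "User Name"}
DN_ID = "DER ASN.1 DN"
PSK_LEN = {"MD5": 16, "SHA-1": 20}   # pre-shared key length the manual asks for, in bytes


@dataclass
class IkePolicy:
    name: str
    direction: str              # Initiator | Responder | Both Directions | Remote Access
    exchange_mode: str          # Main | Aggressive
    local_id_type: str
    remote_id_type: str
    encryption: str             # DES | 3DES
    auth_algorithm: str         # MD5 | SHA-1
    auth_method: str            # Pre-Shared Key | RSA Signature
    pre_shared_key: bytes = b""
    dh_group: int = 2           # assumed default; must equal the peer's setting
    sa_lifetime_s: int = 3600
    vpn_remote_endpoint: str = ""   # Address Data of the VPN - Auto policy using this IKE policy


def check_ike_policy(p: IkePolicy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break rules Table 6-1 states as requirements,
    warnings flag choices the manual itself describes as the less secure option."""
    errors: List[str] = []
    warnings: List[str] = []

    if p.direction == "Remote Access":
        if p.exchange_mode != "Aggressive":
            errors.append("Remote Access requires Aggressive Mode")
        if p.local_id_type not in NAME_IDS or p.remote_id_type not in NAME_IDS:
            errors.append("Remote Access requires Name identities on both sides")
        if p.vpn_remote_endpoint != "0.0.0.0":
            errors.append("the matching VPN policy must use remote endpoint 0.0.0.0")

    if p.exchange_mode == "Main" and (p.local_id_type != IP_ID or p.remote_id_type != IP_ID):
        errors.append("Main Mode identities must be established by IP address")

    if p.auth_method == "Pre-Shared Key":
        want = PSK_LEN.get(p.auth_algorithm)
        if want is None:
            errors.append(f"unknown authentication algorithm {p.auth_algorithm!r}")
        elif len(p.pre_shared_key) != want:
            errors.append(f"pre-shared key should be {want} bytes for {p.auth_algorithm}, "
                          f"got {len(p.pre_shared_key)}")
        if p.exchange_mode == "Aggressive":
            warnings.append("Aggressive Mode with a pre-shared key: identities and the "
                            "responder hash travel unencrypted, so use a random key")
    elif p.auth_method != "RSA Signature":
        errors.append(f"unknown authentication method {p.auth_method!r}")

    if p.encryption == "DES":
        warnings.append("DES selected; 3DES is the stronger option")
    if p.auth_algorithm == "MD5":
        warnings.append("MD5 selected; SHA-1 is the stronger option")
    return errors, warnings


def peer_mismatches(local: IkePolicy, remote: IkePolicy) -> List[str]:
    """Settings the manual says must be identical on both VPN endpoints."""
    out = []
    if local.exchange_mode != remote.exchange_mode:
        out.append("exchange mode")
    if local.dh_group != remote.dh_group:
        out.append("DH group")
    if (local.auth_method == remote.auth_method == "Pre-Shared Key"
            and local.pre_shared_key != remote.pre_shared_key):
        out.append("pre-shared key")
    return out


if __name__ == "__main__":
    # Constructed example: a road-warrior policy entered with the wrong mode and identities.
    draft = IkePolicy("road-warriors", "Remote Access", "Main", IP_ID, IP_ID,
                      "DES", "MD5", "Pre-Shared Key", b"secret", 2, 3600, "203.0.113.5")
    errors, warnings = check_ike_policy(draft)
    for line in errors:
        print("error:", line)
    for line in warnings:
        print("warning:", line)
```

Run against a draft policy, the errors list is what the firewall would reject or what would silently fail to negotiate; the warnings are the trade-offs the table describes in words. Running the same checker over both ends of a site-to-site tunnel with peer_mismatches catches the "must match the remote gateway" requirements before the first failed negotiation.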
Figure 6-3: VPN - Auto Policy menu
The VPN – Auto Policy fields are defined in the following table.
Table 6-1.
VPN – Auto Policy Configuration Fields
Field
Description
General
These settings identify this policy and determine its major characteristics.
Policy Name
The descriptive name of the VPN policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is
only used to help you identify VPN policies.
IKE Policy
The existing IKE policies are presented in a drop-down list.
Note:
Create the IKE policy BEFORE creating a VPN - Auto policy.
Remote VPN Endpoint
The address used to locate the remote VPN firewall or client to which you wish to connect, given by the Address Type and Address Data fields below. The remote VPN endpoint must in turn have this FVS114's WAN address (or FQDN) entered as its own Remote VPN Endpoint.
Address Type
How the remote endpoint is located:
By its Fully Qualified Domain Name (FQDN) — the remote endpoint's domain name.
By its IP Address.
Address Data
The FQDN or IP address itself. For an IKE policy of type Remote Access, where the address of the remote client is unknown, enter 0.0.0.0 here.
SA Life Time
The duration of the IPsec Security Association before it expires and is renegotiated:
Seconds — the amount of time before the SA expires. One hour (3600 seconds) or more is common.
Kbytes — the amount of traffic, in kilobytes, carried under the SA before it expires.
Either limit can be set without the other; when both are set, the SA expires at whichever limit is reached first.
IPSec PFS
If enabled, each IPsec SA (including every rekey) is derived from a fresh Diffie-Hellman exchange rather than from the IKE SA's keying material alone. The keys of successive SAs therefore have no relationship to one another: if one key, or the IKE SA's own secret, is compromised, the keys of the other SAs are no easier to recover. (Changing keys at regular intervals is governed by the SA Life Time above, not by PFS.) The cost is one extra Diffie-Hellman computation per rekey.
PFS Key Group
If PFS is enabled, this setting determines the DH group (modulus size) used in the key exchange. This must match the value used on the remote gateway.
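To make the PFS guarantee concrete, the following added Python example (written for this page; not code from the manual or the FVS114) reproduces the IKEv1 quick-mode KEYMAT derivation of RFC 2409 section 5.5, which is the exchange that runs each time the IPsec SA Life Time above expires. Without PFS the IPsec keys are a function of SKEYID_d (a secret left over from the IKE SA) plus values sent on the wire, so anyone holding SKEYID_d recomputes every rekeyed key; with PFS a fresh DH secret g^xy is mixed in, and the two peers agree on a key that the same eavesdropper cannot reproduce. The DH group is a deliberately tiny toy group, the phase-1 secret, SPI and nonces are constructed, and all names are the example's own.

```python
"""IKEv1 quick-mode key derivation with and without PFS (RFC 2409 section 5.5).
Added example, not FVS114 code; the DH group and the phase-1 secret are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group so the example runs instantly (a Mersenne prime, generator 3).
# Real IKE uses the MODP group selected by the DH Group / PFS Key Group setting.
P = 2**127 - 1
G = 3
NBYTES = 16                 # big-endian width of a group element
PROTO_ESP = 3               # IKEv1 protocol identifier for ESP (AH is 2)
KEY_LEN = 24 + 20           # 3DES key plus HMAC-SHA-1 key, the strongest pair on this device


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA-1 hash choice: HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> Tuple[int, int]:
    """Private exponent and public value for one side of the quick-mode DH exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as the fixed-width byte string that is fed into the prf."""
    return pow(peer_public, x, P).to_bytes(NBYTES, "big")


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
           gxy: Optional[bytes] = None, length: int = KEY_LEN) -> bytes:
    """KEYMAT for one IPsec SA. Without PFS it depends only on SKEYID_d (from the
    IKE SA) and public quick-mode values; with PFS the fresh DH secret gxy is mixed in."""
    base = (gxy or b"") + bytes([PROTO_ESP]) + spi + ni + nr
    k = prf(skeyid_d, base)
    out = k
    while len(out) < length:          # expansion: K2 = prf(SKEYID_d, K1 | base), ...
        k = prf(skeyid_d, k + base)
        out += k
    return out[:length]


def rekey(pfs: bool) -> Tuple[bytes, bytes, bytes]:
    """One quick-mode exchange. Returns (initiator key, responder key, eavesdropper's key),
    where the eavesdropper holds the IKE SA's SKEYID_d and everything sent on the wire."""
    skeyid_d = hashlib.sha1(b"constructed phase-1 secret").digest()   # 20-byte stand-in
    spi = b"\x00\x00\x10\x01"                                           # constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)          # nonces, sent in clear
    if not pfs:
        k = keymat(skeyid_d, spi, ni, nr)
        return k, k, keymat(skeyid_d, spi, ni, nr)       # eavesdropper recomputes it exactly
    xi, gi = dh_keypair()       # initiator keeps xi, sends gi
    xr, gr = dh_keypair()       # responder keeps xr, sends gr
    k_init = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr))
    k_resp = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gi))
    # The eavesdropper sees gi and gr but holds neither exponent, so it cannot form g^xy;
    # the best it can do is the non-PFS formula, which yields a different key.
    return k_init, k_resp, keymat(skeyid_d, spi, ni, nr)


if __name__ == "__main__":
    for pfs in (False, True):
        ki, kr, ke = rekey(pfs)
        print(f"PFS {'on ' if pfs else 'off'}: peers agree={ki == kr}, "
              f"eavesdropper matches={ke == ki}")
```

The peers agree in both runs, but only in the PFS run does the eavesdropper's key differ, which is exactly the property the table describes: compromise of the IKE SA's secret no longer exposes the IPsec keys, and each rekey starts from an unrelated DH secret. The expansion loop also shows why the 3DES plus SHA-1 choice needs 44 bytes of KEYMAT rather than one prf output.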
