Reference Manual for the ProSafe VPN Firewall FVS114
Advanced Virtual Private Networking
6-13
202-10098-01, April 2005
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes that cannot
be duplicated by anyone without access to the different values used in the production of the string.
They are issued by Certification Authorities (CAs) to authenticate a person or a workstation
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The
FVS114 is able to use certificates to authenticate users at the end points during the IKE key
exchange process.
The certificates can be obtained from a certificate server that an organization might maintain
internally or from the established public CAs. The certificates are produced by providing the
particulars of the user being identified to the CA. The information provided may include the user's
name, e-mail ID, and domain name.
Table 6-1. VPN Manual Policy Configuration Fields

Field: Description

Enable Authentication: Use this check box to enable or disable ESP authentication for this VPN policy.

Authentication Algorithm: If you enable authentication, then use this menu to select the algorithm: MD5 (the default) or SHA1 (more secure).

Key - In: Enter the key. For MD5, the key should be 16 characters. For SHA-1, the key should be 20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm Key - Out field.

Key - Out: Enter the key in the fields provided. For MD5, the key should be 16 characters. For SHA-1, the key should be 20 characters. Any value is acceptable, provided the remote VPN endpoint has the same value in its Authentication Algorithm Key - In field.

NETBIOS Enable: Check this if you wish NETBIOS traffic to be forwarded over the VPN tunnel. The NETBIOS protocol is used by Microsoft Networking for such features as Network Neighborhood.
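Added example (not from the NETGEAR manual) showing why the Key - In and Key - Out fields above need 16- or 20-character keys and must mirror each other: manual-key ESP authentication is HMAC-MD5-96 (RFC 2403) or HMAC-SHA-1-96 (RFC 2404), keyed with a hash-length key and truncated to a 96-bit ICV. The script computes and verifies that ICV with the Python standard library over a constructed ESP packet; it assumes one byte per key character, and the keys and SPI value are constructed.

```python
import hashlib
import hmac

# Manual-key ESP authentication: HMAC-MD5-96 (RFC 2403) takes a 16-byte key,
# HMAC-SHA-1-96 (RFC 2404) a 20-byte key; both truncate the HMAC to 96 bits.
# Both are legacy algorithms; they are used here only to match the manual's fields.
ALGORITHMS = {"MD5": (hashlib.md5, 16), "SHA1": (hashlib.sha1, 20)}
ICV_LEN = 12  # 96 bits


def check_key(algorithm: str, key: bytes) -> None:
    """Enforce the key length the manual states for each algorithm."""
    _, key_len = ALGORITHMS[algorithm]
    if len(key) != key_len:
        raise ValueError(f"{algorithm} key must be {key_len} bytes, got {len(key)}")


def esp_icv(algorithm: str, key: bytes, authenticated_data: bytes) -> bytes:
    """Sender side: ICV over the ESP header, encrypted payload and trailer."""
    check_key(algorithm, key)
    digest, _ = ALGORITHMS[algorithm]
    return hmac.new(key, authenticated_data, digest).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, authenticated_data: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    return hmac.compare_digest(esp_icv(algorithm, key, authenticated_data), icv)


# Constructed keys: Gateway A's Key - Out must equal Gateway B's Key - In.
GATEWAY_A_KEY_OUT = b"0123456789abcdefghij"          # 20 characters, one byte each (SHA-1)
GATEWAY_B_KEY_IN = GATEWAY_A_KEY_OUT
GATEWAY_B_MISTYPED_KEY_IN = b"0123456789abcdefghiJ"  # last character differs

# Constructed ESP packet: SPI 0x1000, sequence number 1, then 32 bytes of ciphertext.
SAMPLE_ESP = bytes.fromhex("00001000" "00000001") + b"\x00" * 32


def demo() -> tuple:
    """Return (accepted with matching key, accepted with mistyped key)."""
    icv = esp_icv("SHA1", GATEWAY_A_KEY_OUT, SAMPLE_ESP)
    matching = verify_icv("SHA1", GATEWAY_B_KEY_IN, SAMPLE_ESP, icv)
    mistyped = verify_icv("SHA1", GATEWAY_B_MISTYPED_KEY_IN, SAMPLE_ESP, icv)
    return matching, mistyped


if __name__ == "__main__":
    print(demo())  # (True, False)
```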
Each CA has its own certificate. The certificates of a CA are added to the FVS114 and then can be
used to form IKE policies for the user. Once a CA certificate is added to the FVS114 and a
certificate is created for a user, the corresponding IKE policy is added to the FVS114. Whenever
the user tries to send traffic through the FVS114, the certificates are used in place of pre-shared
keys during initial key exchange as the authentication and key generation mechanism. Once the
keys are established and the tunnel is set up the connection proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these
revoked certificates is known as the Certificate Revocation List (CRL).
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the
CRL on the FVS114 obtained from the corresponding CA. If the certificate is not present in the
CRL it means that the certificate is not revoked. IKE can then use this certificate for
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and
the IKE will not authenticate the client.
You must manually update the FVS114 CRL regularly in order for the CA-based authentication
process to remain valid.
Walk-Through of Configuration Scenarios on the FVS114
There are a variety of configurations you might implement with the FVS114. The scenarios listed
below illustrate typical configurations you might use in your organization.
In order to help make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium ( ). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats:
- VPN Consortium Scenarios without any product implementation details
- VPN Consortium Scenarios based on the FVS114 User Interface
The purpose of providing these two versions of the same scenarios is to help you determine where
the two vendors use different vocabulary. Seeing the examples presented in these different ways
will reveal how systems from different vendors do the same thing.
The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR Web site ( ) and select VPN01L_VPN05L in the Product Quick Find drop down menu for information on how to purchase the NETGEAR ProSafe VPN Client.

Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC.

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

Figure 6-5: VPN Consortium Scenario 1 (diagram: Gateway A with LAN 10.5.6.0/24, LAN IP 10.5.6.1 and WAN IP 14.15.16.17; the Internet; Gateway B with WAN IP 22.23.24.25, LAN IP 172.23.9.1 and LAN 172.23.9.0/24)

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:
- Main mode
- TripleDES
- SHA-1
- MODP group 2 (1024 bits)
- pre-shared secret of “hr5xb84l6aa9r6”
- SA lifetime of 28800 seconds (eight hours) with no kilobytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
- TripleDES
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour) with no kilobytes rekeying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
FVS114 Scenario 1: FVS114 to Gateway B IKE and VPN Policies

Note: This scenario assumes all ports are open on the FVS114. You can verify this by reviewing the security settings as seen in Figure 4-2 on page 4-4.

Figure 6-6: LAN to LAN VPN access from an FVS114 to an FVS114 (diagram, Scenario 1: Gateway A, an FVS114 with WAN IP 14.15.16.17 and LAN IP 10.5.6.1/24; Gateway B, an FVS114 with WAN IP 22.23.24.25 and LAN IP 172.23.9.1/24)

Use this scenario illustration and configuration screens as a model to build your configuration.

1. Log in to the FVS114 labeled Gateway A as in the illustration.
   Log in at the default address of with the default user name of admin and default password of password, or using whatever password and LAN address you have chosen.
2. Configure the WAN (Internet) and LAN IP addresses of the FVS114.
   a. From the main menu Setup section, click the Basic Setup link to go back to the Basic Settings menu.
Figure 6-7: FVS114 Internet IP Address menu (callout: the WAN IP addresses are the addresses your ISP provides)

   b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Settings topics, please see “How to Manually Configure Your Internet Connection” on page 3-11.