Reference Manual for the ProSafe VPN Firewall FVS114
Virtual Private Networking
C-5
202-10098-01, April 2005
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway protection of traffic between two networks, while transport mode is used for host-to-host protection of traffic between two endpoints. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic.
Transport Mode: The transport mode IPSec implementation encapsulates only the packet’s payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going. The packet diagrams in Figure C-1 and Figure C-2 show a packet in transport mode.
Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet, including its original IP header, becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation and decapsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from reading the data and from learning which host the packet is from and which host it is going to; the attacker can still see, from the outer IP header, that traffic is flowing between the two gateways, and can see its size and timing.
Note: AH and ESP can be used in either transport mode or tunnel mode.
Figure C-3: Original packet and packet with IPSec ESP in Tunnel mode
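The difference between the two modes is easiest to see in the bytes. The following Python example is added here and is not part of the original manual or of the FVS114 firmware: it builds an IPv4 packet from a host behind Gateway A to a host behind Gateway B (the two host addresses are assumptions inside the VPN Consortium LANs used in this appendix), wraps it in ESP in transport mode and in tunnel mode, and shows what an on-path observer can read from each. The ESP header (SPI, sequence number), trailer (padding, pad length, next header) and integrity check value follow the real layout; the cipher is a SHA-256 counter-mode stand-in and the keys are constructed constants, since real ESP transforms and SA keys are outside the scope of a packet-layout illustration.

```python
import hashlib
import hmac
import struct

# Constructed addresses following the VPN Consortium scenario in this appendix.
# The two host addresses are assumptions (any address inside each LAN would do).
HOST_A, HOST_B = "10.5.6.10", "172.23.9.10"
GW_A, GW_B = "14.15.16.17", "22.23.24.25"
PROTO_TCP, PROTO_IPIP, PROTO_ESP = 6, 4, 50
ICV_LEN = 16  # truncated HMAC, in the style of HMAC-SHA-256-128

# Constructed SA keys for the illustration; real keys come from IKE.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of the payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    fmt = lambda b: ".".join(str(x) for x in b)
    return {"src": fmt(f[8]), "dst": fmt(f[9]), "proto": f[6], "payload": pkt[ihl:f[2]]}

def keystream(key, spi, seq, n):
    """Stand-in cipher: SHA-256 in counter mode keyed by SA key, SPI and sequence
    number. Shows that the payload is opaque to an observer; not a real ESP transform."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]

def esp_encapsulate(spi, seq, next_header, inner):
    pad_len = (-(len(inner) + 2)) % 4                 # ESP trailer aligns to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", spi, seq)              # SPI and sequence number stay in the clear
    ks = keystream(ENC_KEY, spi, seq, len(inner) + len(trailer))
    ct = bytes(a ^ b for a, b in zip(inner + trailer, ks))
    icv = hmac.new(AUTH_KEY, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + ct + icv

def esp_decapsulate(esp):
    esp_hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")  # tampered packet or wrong SA
    spi, seq = struct.unpack("!II", esp_hdr)
    pt = bytes(a ^ b for a, b in zip(ct, keystream(ENC_KEY, spi, seq, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]

def transport_mode(original, spi=0x1001, seq=1):
    """Keep the original IP header; protect only the payload."""
    h = parse_ipv4(original)
    return build_ipv4(h["src"], h["dst"], PROTO_ESP, esp_encapsulate(spi, seq, h["proto"], h["payload"]))

def tunnel_mode(original, spi=0x2002, seq=1):
    """Whole original packet becomes the ESP payload; a new outer header names the gateways."""
    return build_ipv4(GW_A, GW_B, PROTO_ESP, esp_encapsulate(spi, seq, PROTO_IPIP, original))

def observer_view(pkt):
    """What an on-path attacker reads without the SA keys: the outer header only."""
    h = parse_ipv4(pkt)
    return h["src"], h["dst"], h["proto"]

def receiver_decapsulate(pkt):
    """Strip the outer header and ESP, recovering the original packet in either mode."""
    h = parse_ipv4(pkt)
    next_header, inner = esp_decapsulate(h["payload"])
    return inner if next_header == PROTO_IPIP else build_ipv4(h["src"], h["dst"], next_header, inner)

ORIGINAL = build_ipv4(HOST_A, HOST_B, PROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")  # constructed packet

if __name__ == "__main__":
    print("transport mode, observer sees:", observer_view(transport_mode(ORIGINAL)))
    print("tunnel mode, observer sees:   ", observer_view(tunnel_mode(ORIGINAL)))
```

In transport mode the observer sees the two host addresses with protocol 50; in tunnel mode it sees only the two gateway WAN addresses. Flipping any byte of the ESP portion makes `receiver_decapsulate` raise on the integrity check, which is the check a real gateway performs before it decrypts.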
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and
the exchange of keys between parties transferring data. Using keys ensures that only the sender
and receiver of a message can access it.
IPSec requires that keys be re-created, or refreshed, frequently so that the parties can continue to communicate securely with each other. IKE manages the process of refreshing keys; however, a user can control the key strength and the refresh frequency. Refreshing keys on a regular basis limits how much traffic is protected by any one key, so that an attacker who recovers a key can read only the traffic sent under that key.
Understand the Process Before You Begin
This appendix provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems.
NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard. The case studies in this appendix follow the addressing and configuration mechanics defined by the VPN Consortium. Additional information regarding inter-vendor interoperability may be found on the VPN Consortium web site.
It is a good idea to gather all the necessary information required to establish a VPN before you
begin the configuration process. You should understand whether the firmware is up to date, all of
the addresses that will be necessary, and all of the parameters that need to be set on both sides. Try
to understand any incompatibilities before you begin, so that you minimize any potential
complications which may arise from normal firewall or WAN processes.
If you are not a full-time system administrator, it is a good idea to familiarize yourself with the mechanics of a VPN as described in this appendix. Other good sources include:
The NETGEAR VPN Tutorial
The VPN Consortium
The VPN bibliography in “Additional Reading” on page C-11
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it is a good idea to review some of the terms and the generic process for connecting two gateways before diving into the specifics.
Network Interfaces and Addresses
The VPN gateway is aptly named because it functions as a “gatekeeper” for each of the computers
connected on the Local Area Network behind it.
In most cases, each gateway will have a public facing address (WAN side) and a private facing
address (LAN side). These addresses are referred to as the network interface in documentation
regarding the construction of VPN communication.
Interface Addressing
This example uses addresses provided by the VPN Consortium. However, when you set up your own equipment, you will be using addresses specific to the devices that you are attempting to connect via IPSec VPN.
Figure C-4: VPN Consortium example network interface addressing
(Figure content: Gateway A with WAN IP 14.15.16.17, LAN IP 10.5.6.1 and LAN subnet 10.5.6.0/24; Gateway B with WAN IP 22.23.24.25, LAN IP 172.23.9.1 and LAN subnet 172.23.9.0/24.)
Make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.
You need to know the subnet mask of both gateway LAN connections. Refer to Appendix A, “Technical Specifications” to gather the necessary address and subnet mask information to aid in the configuration and troubleshooting process.
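A pre-flight check of the addressing plan catches the two mistakes that most often keep a tunnel from passing traffic: LAN subnets that overlap on the two sides, and a WAN address that falls inside the remote LAN. The following Python check is added here and is not part of the original manual or of NETGEAR's tools; the plan dictionary is constructed from the VPN Consortium example addresses and masks in this appendix, and the field names in it are assumptions.

```python
import ipaddress

# Constructed addressing plan following the VPN Consortium example in this appendix.
VPNC_PLAN = {
    "Gateway A": {"wan": "14.15.16.17", "lan_ip": "10.5.6.1", "lan_mask": "255.255.255.0"},
    "Gateway B": {"wan": "22.23.24.25", "lan_ip": "172.23.9.1", "lan_mask": "255.255.255.0"},
}

def lan_network(lan_ip, lan_mask):
    """LAN subnet implied by a gateway's LAN address and mask (host bits dropped)."""
    return ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)

def check_addressing(plan):
    """Return a list of problems; an empty list means the plan is usable for a tunnel."""
    problems = []
    nets = {name: lan_network(g["lan_ip"], g["lan_mask"]) for name, g in plan.items()}
    wans = {name: ipaddress.ip_address(g["wan"]) for name, g in plan.items()}
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Overlapping LANs cannot be routed through one tunnel: the gateway
            # cannot tell local hosts from remote ones.
            if nets[a].overlaps(nets[b]):
                problems.append(f"LAN subnets overlap: {a} {nets[a]} and {b} {nets[b]}")
            if wans[a] == wans[b]:
                problems.append(f"WAN addresses collide: {a} and {b} both use {wans[a]}")
        for b in names:
            # A WAN address inside a LAN subnet gets sent into the tunnel instead of the Internet.
            if wans[a] in nets[b]:
                problems.append(f"{a} WAN address {wans[a]} falls inside {b} LAN {nets[b]}")
    for name, g in plan.items():
        lan_ip = ipaddress.ip_address(g["lan_ip"])
        if lan_ip in (nets[name].network_address, nets[name].broadcast_address):
            problems.append(f"{name} LAN address {lan_ip} is the network or broadcast address")
    return problems

if __name__ == "__main__":
    for line in check_addressing(VPNC_PLAN) or ["addressing plan OK"]:
        print(line)
```

Run the check against both gateways' real addresses before entering them in the VPN configuration screens; a non-empty result means the plan needs to change on one side before any IKE troubleshooting is worthwhile.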
Firewalls
It is important to understand that many gateways are also firewalls. VPN tunnels cannot function properly if firewall settings disallow all incoming traffic. An IPSec tunnel needs the IKE exchange (UDP port 500, and UDP port 4500 when NAT traversal is in use) and the ESP (IP protocol 50) or AH (IP protocol 51) packets themselves to pass between the two gateway WAN addresses; a firewall that permits only TCP, or only numbered ports, silently drops ESP and AH. Please refer to the firewall instructions for both gateways to understand how to open the specific protocols, ports, and addresses that you intend to allow.
VPN Tunnel Between Gateways
A Security Association (SA), frequently called a tunnel, is the set of information that allows two
entities (networks, PCs, routers, firewalls, gateways) to trust each other and communicate securely
as they pass information over the Internet.
Table C-1. WAN (Internet/public) and LAN (internal/private) addressing
  Gateway     LAN or WAN       VPNC Example Address
  Gateway A   LAN (Private)    10.5.6.1
  Gateway A   WAN (Public)     14.15.16.17
  Gateway B   LAN (Private)    172.23.9.1
  Gateway B   WAN (Public)     22.23.24.25
Table C-2. Subnet addressing
  Gateway     LAN or WAN       Interface Name    Example Subnet Mask
  Gateway A   LAN (Private)    Subnet Mask A     255.255.255.0
  Gateway B   LAN (Private)    Subnet Mask B     255.255.255.0
Figure C-5: VPN tunnel Security Association (SA)
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted
communication stream with gateway B. This communication is often referred to as a “tunnel.” The
gateways contain this information so that it does not have to be loaded onto every computer
connected to the gateways.
Each gateway must negotiate its SA with another gateway using the parameters and processes
established by IPSec. As illustrated below, the most common method of accomplishing this
process is via the Internet Key Exchange (IKE) protocol which automates some of the negotiation
procedures.
Figure C-6: IPSec Security Association (SA) negotiation
(Figure content: VPN Gateway A and VPN Gateway B, each with PCs behind it, joined by a VPN tunnel. IPSec Security Association IKE VPN tunnel negotiation steps: 1) Communication request sent to VPN Gateway; 2) IKE Phase I authentication; 3) IKE Phase II negotiation; 4) Secure data transfer; 5) IPSec tunnel termination.)
Or, you can configure your gateways using manual key exchange, which involves manually configuring each parameter on both gateways.
1. The IPSec software on Host A initiates the IPSec process in an attempt to communicate with Host B. The two computers then begin the Internet Key Exchange (IKE) process.
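The Phase I and Phase II steps in Figure C-6 are easier to follow with both gateways' computations side by side. The following Python model is added here and is not part of the original manual or of the FVS114 firmware: it condenses IKEv1 main mode with a pre-shared key and quick mode without PFS to the values each side derives, using the SKEYID and KEYMAT formulas of RFC 2409. It is not the ISAKMP wire format: the Diffie-Hellman group is a toy 127-bit prime chosen for the illustration, the SA proposal is a placeholder byte string, and messages 5 and 6 are not encrypted under SKEYID_e as they would be on the wire. The gateway identities are the VPN Consortium WAN addresses used in this appendix.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only: real IKE uses the
# MODP group selected in the IKE policy (for example group 2, 1024 bits).
DH_P = 2**127 - 1
DH_G = 2
PROTO_IPSEC_ESP = b"\x03"   # ISAKMP DOI protocol identifier for ESP (RFC 2407)

def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Peer:
    def __init__(self, ident, psk):
        self.id_b = ident.encode()                  # IDii_b / IDir_b: the gateway WAN address
        self.psk = psk.encode()
        self.cookie = secrets.token_bytes(8)        # this side's ISAKMP cookie
        self.x = secrets.randbelow(DH_P - 3) + 2    # private DH exponent
        self.gx = pow(DH_G, self.x, DH_P)           # public value g^x
        self.nonce = secrets.token_bytes(16)

    def derive_phase1(self, cky_i, cky_r, ni, nr, peer_gx):
        """SKEYID and its three derivatives, RFC 2409 section 5, pre-shared key method."""
        gxy = i2b(pow(peer_gx, self.x, DH_P))
        self.skeyid = prf(self.psk, ni + nr)
        self.skeyid_d = prf(self.skeyid, gxy + cky_i + cky_r + b"\x00")   # seeds Phase 2 keys
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + cky_i + cky_r + b"\x01")
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + cky_i + cky_r + b"\x02")

def ike_phase1(init, resp, sa_b=b"ESP-3DES-SHA1-G2-PSK"):
    """Main mode condensed to its six payload exchanges. sa_b stands in for the
    initiator's SA payload bytes (constructed placeholder). Returns the transcript."""
    msgs = [("I->R", "SA proposal", init.cookie),
            ("R->I", "SA accepted", resp.cookie),
            ("I->R", "KE + Ni", (init.gx, init.nonce)),
            ("R->I", "KE + Nr", (resp.gx, resp.nonce))]
    init.derive_phase1(init.cookie, resp.cookie, init.nonce, resp.nonce, resp.gx)
    resp.derive_phase1(init.cookie, resp.cookie, init.nonce, resp.nonce, init.gx)
    # Messages 5 and 6 carry identities and authentication hashes (encrypted under
    # SKEYID_e in real IKE; omitted here). Each side recomputes the other's hash.
    def hash_i(p):
        return prf(p.skeyid, i2b(init.gx) + i2b(resp.gx) + init.cookie + resp.cookie + sa_b + init.id_b)
    def hash_r(p):
        return prf(p.skeyid, i2b(resp.gx) + i2b(init.gx) + resp.cookie + init.cookie + sa_b + resp.id_b)
    msgs.append(("I->R", "IDii + HASH_I", hash_i(init)))
    if not hmac.compare_digest(hash_i(init), hash_i(resp)):
        raise ValueError("Phase 1 failed: HASH_I mismatch (pre-shared keys differ?)")
    msgs.append(("R->I", "IDir + HASH_R", hash_r(resp)))
    if not hmac.compare_digest(hash_r(resp), hash_r(init)):
        raise ValueError("Phase 1 failed: HASH_R mismatch")
    return msgs

def ike_phase2(init, resp):
    """Quick mode without PFS: fresh nonces, one SPI per direction,
    KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (RFC 2409 section 5.5)."""
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    spi_i, spi_r = secrets.token_bytes(4), secrets.token_bytes(4)  # each side picks its inbound SPI
    def keymat(p, spi):
        return prf(p.skeyid_d, PROTO_IPSEC_ESP + spi + ni2 + nr2)
    return {"init_out": (spi_r, keymat(init, spi_r)), "resp_in": (spi_r, keymat(resp, spi_r)),
            "resp_out": (spi_i, keymat(resp, spi_i)), "init_in": (spi_i, keymat(init, spi_i))}

def establish_tunnel(psk_a, psk_b):
    """Gateway A initiates to Gateway B; returns per-direction ESP keying material."""
    a, b = Peer("14.15.16.17", psk_a), Peer("22.23.24.25", psk_b)
    ike_phase1(a, b)
    return ike_phase2(a, b)

if __name__ == "__main__":
    keys = establish_tunnel("s3cret", "s3cret")
    print("A->B SPI", keys["init_out"][0].hex(), "keys match:", keys["init_out"] == keys["resp_in"])
```

With matching pre-shared keys both gateways arrive at the same SKEYID_d and therefore the same ESP key for each direction without ever sending a key over the network; with mismatched keys the SKEYIDs differ and Phase I stops at the HASH_I check, which is the "IKE Phase I authentication" failure you see in the log when the pre-shared keys on the two FVS114 units do not agree.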