1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS114
    5. /
  5. 36
Page 176 / 212 Scroll up to view Page 171 - 175
Reference Manual for the ProSafe VPN Firewall FVS114
C-10
Virtual Private Networking
202-10098-01, April 2005
2.
IKE Phase I.
a.
The two parties negotiate the encryption and authentication algorithms to use in the IKE
SAs.
b.
The two parties authenticate each other using a predetermined mechanism, such as
preshared keys or digital certificates.
c.
A shared master key is generated by the Diffie-Hellman Public key algorithm within the
IKE framework for the two parties. The master key is also used in the second phase to
derive IPSec keys for the SAs.
3.
IKE Phase II.
a.
The two parties negotiate the encryption and authentication algorithms to use in the IPSec
SAs.
b.
The master key is used to derive the IPSec keys for the SAs. Once the SA keys are created
and exchanged, the IPSec SAs are ready to protect user data between the two VPN
gateways.
4.
Data transfer.
Data is transferred between IPSec peers based on the IPSec parameters and
keys stored in the SA database.
5.
IPSec tunnel termination.
IPSec SAs terminate through deletion or by timing out.
VPNC IKE Security Parameters
Remember that both gateways must have the identical parameters set for the process to work
correctly. The settings shown below follow the examples given for Scenario 1 of the VPN
Consortium.
VPNC IKE Phase I Parameters
The IKE Phase 1 parameters used:
Main mode
TripleDES
SHA-1
MODP group 1
pre-shared secret of "hr5xb84l6aa9r6"
SA lifetime of 28800 seconds (eight hours)
Page 177 / 212
Reference Manual for the ProSafe VPN Firewall FVS114
Virtual Private Networking
C-11
202-10098-01, April 2005
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES
SHA-1
ESP tunnel mode
MODP group 1
Perfect forward secrecy for rekeying
SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps you can use PCs, located behind each of
the gateways, to ping various addresses on the LAN-side of the other gateway.
You can troubleshoot connections using the VPN status and log details on the Netgear gateway to
determine if IKE negotiation is working. Common problems encountered in setting up VPNs
include:
Parameters may be configured differently on Gateway A and Gateway B.
Two LANs set up with similar or overlapping addressing schemes.
So many required configuration parameters mean errors such as mistyped information or
mismatched parameter selections on either side are more likely to happen.
Additional Reading
Building and Managing Virtual Private Networks
, Dave Kosiur, Wiley & Sons; ISBN:
0471295264
Firewalls and Internet Security: Repelling the Wily Hacker
, William R. Cheswick and Steven
M. Bellovin, Addison-Wesley; ISBN: 0201633574
VPNs A Beginners Guide
, John Mains, McGraw Hill; ISBN: 0072191813
[FF98] Floyd, S., and Fall, K., Promoting the Use of End-to-End Congestion Control in the
Internet. IEEE/ACM Transactions on Networking, August 1999.
Page 178 / 212
Reference Manual for the ProSafe VPN Firewall FVS114
C-12
Virtual Private Networking
202-10098-01, April 2005
Relevant RFCs listed numerically:
[RFC 791]
Internet Protocol DARPA Internet Program Protocol Specification
, Information
Sciences Institute, USC, September 1981.
[RFC 1058]
Routing Information Protocol
, C Hedrick, Rutgers University, June 1988.
[RFC 1483]
Multiprotocol Encapsulation over ATM Adaptation Layer 5
, Juha Heinanen,
Telecom Finland, July 1993.
[RFC 2401] S. Kent, R. Atkinson,
Security Architecture for the Internet Protocol
, RFC 2401,
November 1998.
[RFC 2407] D. Piper,
The Internet IP Security Domain of Interpretation for ISAKMP
,
November 1998.
[RFC 2474] K. Nichols, S. Blake, F. Baker, D. Black,
Definition of the Differentiated Services
Field (DS Field) in the IPv4 and IPv6 Headers
, December 1998.
[RFC 2475] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss,
An
Architecture for Differentiated Services
, December 1998.
[RFC 2481] K. Ramakrishnan, S. Floyd,
A Proposal to Add Explicit Congestion Notification
(ECN) to IP
, January 1999.
[RFC 2408] D. Maughan, M. Schertler, M. Schneider, J. Turner,
Internet Security Association
and Key Management Protocol (ISAKMP)
.
[RFC 2409] D. Harkins, D.Carrel,
Internet Key Exchange
(IKE) protocol.
[RFC 2401] S. Kent, R. Atkinson,
Security Architecture for the Internet Protocol
.
Page 179 / 212
Preparing Your Network
D-1
202-10098-01, April 2005
Appendix D
Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the
FVS114 ProSafe VPN Firewall and how to verify the readiness of broadband Internet service from
an Internet service provider (ISP).
Preparing Your Computers for TCP/IP Networking
Computers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/
Internet Protocol). Each computer on your network must have TCP/IP installed and selected as its
networking protocol. If a Network Interface Card (NIC) is already installed in your PC, then TCP/
IP is probably already installed as well.
Most operating systems include the software components you need for networking with TCP/IP:
Windows
®
95 or later includes the software components for establishing a TCP/IP network.
Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/
IP application package such as NetManage Chameleon.
Macintosh Operating System 7 or later includes the software components for establishing a
TCP/IP network.
All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided
with your operating system or networking software to install TCP/IP on your computer.
Note:
If an ISP technician configured your computer during the installation of a
broadband modem, or if you configured it using instructions provided by your ISP, you
may need to copy the current configuration information for use in the configuration of
your firewall. Write down this information before reconfiguring your computers. Refer
to
“Obtaining ISP Configuration Information for Windows Computers” on page D-19
or
“Obtaining ISP Configuration Information for Macintosh Computers” on page D-20
for further information.
Page 180 / 212
Reference Manual for the ProSafe VPN Firewall FVS114
D-2
Preparing Your Network
202-10098-01, April 2005
In your IP network, each PC and the firewall must be assigned a unique IP addresses. Each PC
must also have certain other IP configuration information such as a subnet mask (netmask), a
domain name server (DNS) address, and a default gateway address. In most cases, you should
install TCP/IP so that the PC obtains its specific network configuration information automatically
from a DHCP server during bootup. For a detailed explanation of the meaning and purpose of
these configuration items, refer to “
Appendix B, “Network, Routing, and Firewall Basics
.”
The FVS114 VPN Firewall is shipped preconfigured as a DHCP server. The firewall assigns the
following TCP/IP configuration information automatically when the PCs are rebooted:
PC or workstation IP addresses—192.168.0.2 through 192.168.0.254
Subnet mask—255.255.255.0
Gateway address (the firewall)—192.168.0.1
These addresses are part of the IETF-designated private address range for use in private networks.
Configuring Windows 95, 98, and Me for TCP/IP Networking
As part of the PC preparation process, you need to manually install and configure TCP/IP on each
networked PC. Before starting, locate your Windows CD; you may need to insert it during the
TCP/IP installation process.
Install or Verify Windows Networking Components
To install or verify the necessary components for IP networking:
1.
On the Windows taskbar, click the
Start
button, point to Settings, and then click
Control
Panel
.
2.
Double-click the
Network
icon.
The Network window opens, which displays a list of installed components:

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top