Virtual Private Networking Using IPSec and L2TP Connections
221
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Complete the settings as explained in the following table:

Table 51. Add IKE Policy screen settings

Mode Config Record

Do you want to use Mode Config Record?
    Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 238. Select one of the following radio buttons:
    - Yes. IP addresses are assigned to remote VPN clients. You need to select a Mode Config record from the drop-down list.
      Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs.
    - No. Disables Mode Config for this IKE policy.
    Note: You can use an IPv6 IKE policy to assign IPv4 addresses to clients through a Mode Config record, but you cannot assign IPv6 addresses to clients.

Select Mode Config Record
    From the drop-down list, select one of the Mode Config records that you defined on the Add Mode Config Record screen (see Configure Mode Config Operation on the Wireless VPN Firewall on page 238).
    Note: Click the View Selected button to open the Selected Mode Config Record Details pop-up screen.

General

Policy Name
    A descriptive name of the IKE policy for identification and management purposes.
    Note: The name is not supplied to the remote VPN endpoint.

Direction / Type
    From the drop-down list, select the connection method for the wireless VPN firewall:
    - Initiator. The wireless VPN firewall initiates the connection to the remote endpoint.
    - Responder. The wireless VPN firewall responds only to an IKE request from the remote endpoint.
    - Both. The wireless VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.

Exchange Mode
    From the drop-down list, select the mode of exchange between the wireless VPN firewall and the remote VPN endpoint:
    - Main. This mode is slower than the Aggressive mode but more secure.
    - Aggressive. This mode is faster than the Main mode but less secure.
    Note: If you specify either an FQDN or a user FQDN name as the local ID or remote ID (see the Identifier sections later in this table), the Aggressive mode is automatically selected.

Local

Identifier
    From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field:
    - Local Wan IP. The WAN IP address of the wireless VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
    - FQDN. The Internet address for the wireless VPN firewall.
    - User FQDN. The email address for a local VPN client or the wireless VPN firewall.
    - DER ASN1 DN. A distinguished name (DN) that identifies the wireless VPN firewall in the DER encoding and ASN.1 format.

Identifier
    Depending on the selection of the Identifier drop-down list, enter the IP address, email address, FQDN, or distinguished name.

Remote

Identifier
    From the drop-down list, select one of the following ISAKMP identifiers to be used by the remote endpoint, and then specify the identifier in the Identifier field:
    - Remote Wan IP. The WAN IP address of the remote endpoint. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
    - FQDN. The FQDN for a remote gateway.
    - User FQDN. The email address for a remote VPN client or gateway.
    - DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.

Identifier
    Depending on the selection of the Identifier drop-down list, enter the IP address, email address, FQDN, or distinguished name.

IKE SA Parameters

Encryption Algorithm
    From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
    - DES. Data Encryption Standard (DES).
    - 3DES. Triple DES. This is the default algorithm.
    - AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    - AES-192. AES with a 192-bit key size.
    - AES-256. AES with a 256-bit key size.

Authentication Algorithm
    From the drop-down list, select one of the following two algorithms to use in the VPN header for the authentication process:
    - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
    - MD5. Hash algorithm that produces a 128-bit digest.

Authentication Method
    Select one of the following radio buttons to specify the authentication method:
    - Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
    - RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 309). The pre-shared key is masked out when you select RSA-Signature.

Pre-shared key
    A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key.

Diffie-Hellman (DH) Group
    The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
    - Group 1 (768 bit).
    - Group 2 (1024 bit). This is the default setting.
    - Group 5 (1536 bit).
    Note: Ensure that the DH Group is configured identically on both sides.

SA-Lifetime (sec)
    The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default is 28800 seconds (8 hours).

Enable Dead Peer Detection
    Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled:
    - Yes. This feature is enabled. When the wireless VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the wireless VPN firewall attempts to reconnect in the Reconnect after failure count field.
    - No. This feature is disabled. This is the default setting.
    Note: See also Configure Keep-Alives and Dead Peer Detection on page 253.

Detection Period
    The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.

Reconnect after failure count
    The maximum number of DPD failures before the wireless VPN firewall tears down the connection and then attempts to reconnect to the peer. The default is 3 failures.
Extended Authentication

XAUTH Configuration
    Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
    - None. XAUTH is disabled. This is the default setting.
    - Edge Device. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
    - IPSec Host. The wireless VPN firewall functions as a VPN client of the remote gateway. In this configuration the wireless VPN firewall is authenticated by a remote gateway with a user name and password combination.
    Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 234.

Authentication Type
    For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
    - User Database. XAUTH occurs through the wireless VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 235).
    - Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the wireless VPN firewall connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 235.
    - Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 235.

Username
    The user name for XAUTH.

Password
    The password for XAUTH.

5. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.

To edit an IKE policy:

1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view (see Figure 137 on page 218).
2. Specify the IP version for which you want to edit an IKE policy:
   - IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   - IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 138 on page 220).
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
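The constraints in Table 51 interact (Mode Config and FQDN identifiers force Aggressive mode, the pre-shared key has length and character rules, DPD needs a period and a failure count, and only DH groups 1, 2 and 5 are offered). The following Python checker, added here as an example and not part of the NETGEAR manual or firmware, applies those rules to a candidate policy before it is entered on the screen; the field names and the list of weak choices it warns about are this example's own assumptions.

```python
from dataclasses import dataclass

# Option sets as listed in Table 51; the WEAK list is this example's own choice.
DH_GROUPS = {1, 2, 5}
FQDN_IDS = {"FQDN", "User FQDN"}
WEAK = [("encryption", "DES"), ("auth_alg", "MD5"), ("dh_group", 1)]

@dataclass
class IkePolicy:  # field names are this example's own, not the firewall's
    name: str
    exchange_mode: str = "Main"           # "Main" or "Aggressive"
    local_id_type: str = "Local Wan IP"   # or "FQDN", "User FQDN", "DER ASN1 DN"
    remote_id_type: str = "Remote Wan IP"
    encryption: str = "3DES"              # screen default
    auth_alg: str = "SHA-1"               # screen default
    auth_method: str = "Pre-shared key"   # or "RSA-Signature"
    psk: str = ""
    dh_group: int = 2                     # screen default
    mode_config: bool = False
    dpd: bool = False
    dpd_period: int = 0                   # seconds between DPD R-U-THERE messages
    dpd_failures: int = 3                 # screen default

def check_policy(p: IkePolicy) -> dict:
    """Return errors (settings the screen rejects or overrides) and warnings (weak but accepted)."""
    errors, warnings = [], []
    if p.dh_group not in DH_GROUPS:
        errors.append(f"DH group {p.dh_group} is not offered (use 1, 2 or 5)")
    both_fqdn = p.local_id_type in FQDN_IDS and p.remote_id_type in FQDN_IDS
    any_fqdn = p.local_id_type in FQDN_IDS or p.remote_id_type in FQDN_IDS
    if p.mode_config and not both_fqdn:
        errors.append("Mode Config requires FQDN identifiers at both endpoints")
    # Mode Config or an FQDN-type ID forces Aggressive mode, whatever was selected.
    aggressive = p.exchange_mode == "Aggressive" or p.mode_config or any_fqdn
    if aggressive and p.exchange_mode != "Aggressive":
        warnings.append("Aggressive mode will be selected automatically (FQDN ID or Mode Config)")
    if aggressive:
        warnings.append("Aggressive mode is less secure than Main mode")
    if p.auth_method == "Pre-shared key":
        if not 8 <= len(p.psk) <= 49:
            errors.append("pre-shared key must be 8 to 49 characters")
        if any(c in p.psk for c in "\"' "):
            errors.append("pre-shared key must not contain quotes or spaces")
    if p.dpd and (p.dpd_period <= 0 or p.dpd_failures <= 0):
        errors.append("DPD needs a positive detection period and failure count")
    for attr, bad in WEAK:
        if getattr(p, attr) == bad:
            warnings.append(f"{attr}={bad!r} is a weak choice; prefer a stronger option")
    return {"errors": errors, "warnings": warnings}
```

Run the same checker against the policy configured on the remote endpoint as well, since the DH group (and the other SA parameters) must match on both sides.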
Manage VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.

- Manual. You manually enter all settings (including the keys) for the VPN tunnel on the wireless VPN firewall and on the remote VPN endpoint. No third-party server or organization is involved.
- Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE (Internet Key Exchange) Protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).

In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates for VPN Connections on page 306). For gateways to use a CA to perform authentication, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner). The receiver then uses its private key to decrypt the data (without the private key, decryption is impossible). The use of certificates for authentication reduces the amount of data entry that is required on each VPN endpoint.

VPN Policies Screen

The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. These are the rules for VPN policy use:

- Traffic covered by a policy is automatically sent through a VPN tunnel.
- When traffic is covered by two or more policies, the first matching policy is used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, then the policy order is not important.)
- The VPN tunnel is created according to the settings in the security association (SA).
- The remote VPN endpoint needs to have a matching SA; otherwise, it refuses the connection.

To access the VPN Policies screen, select VPN > IPSec VPN > VPN Policies. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Policies screen displays the IPv4 settings. (The following figure shows some examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button.