Virtual Private Networking Using IPSec and L2TP Connections
236
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
first against a local user database (if RADIUS-PAP is enabled) and then by relaying the
information to a central authentication server such as a RADIUS server.
Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users.
To configure primary and backup RADIUS servers:

1. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays:

Figure 142.
2. Complete the settings as explained in the following table:

Table 55. RADIUS Client screen settings

Primary RADIUS Server: To enable and configure the primary RADIUS server, select the Yes radio button, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected.

Primary Server IP Address: The IPv4 address of the primary RADIUS server.

Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.

Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
Note: The wireless VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the wireless VPN firewall's IP address might be sufficient as an identifier, or the server might require a name, which you need to enter in this field.

Backup RADIUS Server: To enable and configure the backup RADIUS server, select the Yes radio button, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected.

Backup Server IP Address: The IPv4 address of the backup RADIUS server.

Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase needs to be configured on both the client and the server.

Backup Server NAS Identifier: The backup Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
Note: See the note earlier in this table for the Primary Server NAS Identifier.

Connection Configuration

Time out period: The period in seconds that the wireless VPN firewall waits for a response from a RADIUS server. The default setting is 30 seconds.

Maximum Retry Counts: The maximum number of times that the wireless VPN firewall attempts to connect to a RADIUS server. The default setting is 4 retry counts.

3. Click Apply to save your settings.

Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 234).

Assign IPv4 Addresses to Remote Users (Mode Config)

To simplify the process of connecting remote VPN clients to the wireless VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extensions of the network.

You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.
Mode Config Operation
After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the wireless VPN firewall. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPSec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 144 on page 239).

Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the Wireless VPN Firewall on page 238). You do not need to make changes to any VPN policy.

Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out.
Configure Mode Config Operation on the Wireless VPN Firewall

To configure Mode Config on the wireless VPN firewall, first create a Mode Config record, and then select the Mode Config record for an IKE policy.

To configure Mode Config on the wireless VPN firewall:

1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays:

Figure 143.
Page 239 / 414
Virtual Private Networking Using IPSec and L2TP Connections
239
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:

• For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are shown.
• For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown.

2. Under the List of Mode Config Records table, click the Add table button. The Add Mode Config Record screen displays:

Figure 144.
3. Complete the settings as explained in the following table:

Table 56. Add Mode Config Record screen settings

Client Pool

Record Name: A descriptive name of the Mode Config record for identification and management purposes.

First Pool / Second Pool / Third Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the wireless VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Starting IP field, and enter the ending IP address for the pool in the Ending IP field.
Note: No IP pool should be within the range of the local network IP addresses. Use a different range of private IP addresses such as 172.16.xxx.xx.

WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.

DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.

Traffic Tunnel Security Level

Note: Generally, the default settings work well for a Mode Config configuration.

PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)

SA Lifetime: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default setting is 3600 seconds.
• KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.

Encryption Algorithm: From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
• None. No encryption.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
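The following added example (not NETGEAR's firmware code) models the Mode Config Operation section and the Table 56 pool rules above: addresses are handed out from the First, Second and Third Pool in order, a record is rejected when a pool overlaps the local network or the SA lifetime is below the 300-second minimum, and an address is returned to the pool only when the client is released (graceful disconnect or SA lifetime expiry). The local LAN 192.168.1.0/24 is an assumed, constructed value; the pool ranges in the test are the NA Sales and EMEA Sales examples from the manual.

```python
"""Mode Config address-pool allocation, written as an added example (not NETGEAR code)."""
import ipaddress

# Assumed local LAN behind the firewall (constructed); the manual says no pool may lie inside it.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")

def check_record(pools, sa_lifetime_s=3600, lan=LOCAL_LAN):
    """Return the problems with a Mode Config record; an empty list means it is valid."""
    problems = []
    if not 1 <= len(pools) <= 3:
        problems.append("First Pool is required and at most three pools are allowed")
    if sa_lifetime_s < 300:
        problems.append("SA lifetime in seconds must be at least 300")
    for start, end in pools:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if e < s:
            problems.append(f"pool {start}-{end}: Ending IP is before Starting IP")
        elif s <= lan.broadcast_address and e >= lan.network_address:
            problems.append(f"pool {start}-{end} overlaps the local network {lan}")
    return problems

class ModeConfigRecord:
    """Hands out addresses from the First, Second and Third Pool, in that order."""
    def __init__(self, name, pools, sa_lifetime_s=3600):
        problems = check_record(pools, sa_lifetime_s)
        if problems:
            raise ValueError("; ".join(problems))
        self.name = name
        self.pools = [(ipaddress.ip_address(s), ipaddress.ip_address(e)) for s, e in pools]
        self.sa_lifetime_s = sa_lifetime_s
        self.leases = {}  # allocated address (string) -> client identifier

    def allocate(self, client):
        """Lowest free address across the pools, or None when all pools are exhausted."""
        for start, end in self.pools:
            addr = start
            while addr <= end:
                if str(addr) not in self.leases:
                    self.leases[str(addr)] = client
                    return str(addr)
                addr += 1
        return None

    def release(self, client):
        """Free a client's addresses (graceful disconnect or SA lifetime expiry)."""
        freed = [a for a, c in self.leases.items() if c == client]
        for a in freed:
            del self.leases[a]
        return freed
```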