Virtual Private Networking Using IPSec and L2TP Connections
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 56. Add Mode Config Record screen settings (continued)

Setting / Description

Integrity Algorithm
  From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
  • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
  • MD5. Hash algorithm that produces a 128-bit digest.

Local IP Address
  The local IP address to which remote VPN clients have access. If you do not specify a local IP address, the wireless VPN firewall's default LAN IP address is used (by default, 192.168.1.1).

Local Subnet Mask
  The local subnet mask. Typically, this is 255.255.255.0.
  Note: If you do not specify a local IP address, you do not need to specify a subnet mask either.

4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table.

Continue the Mode Config configuration procedure by configuring an IKE policy.

5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 137 on page 218).

6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays the IPv4 settings (see the next screen).

7. Specify the IP version for which you want to add an IKE policy:
  • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 8.
  • IPv6. Select the IPv6 radio button. The Add IKE Policy screen for IPv6 displays. This screen is identical to the Add IKE Policy screen for IPv4 (see the next screen).
  Note: You can configure an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients.
Figure 145.
8. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 51 on page 221 explains the general IKE policy settings.
Table 57. Add IKE Policy screen settings for a Mode Config configuration

Setting / Description

Mode Config Record

Do you want to use Mode Config Record?
  Select the Yes radio button.
  Note: Because Mode Config functions only in Aggressive mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs.

Select Mode Config Record
  From the drop-down list, select the Mode Config record that you created in Step 4 on page 241. This example uses NA Sales.

General

Policy Name
  A descriptive name of the IKE policy for identification and management purposes. This example uses ModeConfigNA_Sales.
  Note: The name is not supplied to the remote VPN endpoint.

Direction / Type
  Responder is automatically selected when you select the Mode Config record in the Mode Config Record section of the screen. This ensures that the wireless VPN firewall responds to an IKE request from the remote endpoint but does not initiate one.

Exchange Mode
  Aggressive mode is automatically selected when you select the Mode Config record in the Mode Config Record section of the screen.

Local

Identifier Type
  From the drop-down list, select FQDN.
  Note: Mode Config requires that the wireless VPN firewall (that is, the local endpoint) is defined by an FQDN.

Identifier
  Enter an FQDN for the wireless VPN firewall. This example uses router.com.

Remote

Identifier Type
  From the drop-down list, select FQDN.
  Note: Mode Config requires that the remote endpoint is defined by an FQDN.

Identifier
  Enter the FQDN for the remote endpoint. This needs to be an FQDN that is not used in any other IKE policy. This example uses client.com.

IKE SA Parameters
  Note: Generally, the default settings work well for a Mode Config configuration.

Encryption Algorithm
  To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm.

Authentication Algorithm
  From the drop-down list, select the SHA-1 algorithm to be used in the VPN header for the authentication process.

Authentication Method
  Select Pre-shared key as the authentication method, and enter a key in the Pre-shared key field.

Pre-shared key
  A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote ("), single quote ('), or space in the key. This example uses H8!spsf3#JYK2!.

Diffie-Hellman (DH) Group
  The DH Group sets the strength of the algorithm in bits. From the drop-down list, select Group 2 (1024 bit).

SA-Lifetime (sec)
  The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).

Enable Dead Peer Detection
  Note: See also Configure Keep-Alives and Dead Peer Detection on page 253.
  Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled:
  • Yes. This feature is enabled. When the wireless VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the wireless VPN firewall attempts to reconnect in the Reconnect after failure count field.
  • No. This feature is disabled. This is the default setting.

  Detection Period
    The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default setting is 10 seconds. This example uses 30 seconds.

  Reconnect after failure count
    The maximum number of DPD failures before the wireless VPN firewall tears down the connection and then attempts to reconnect to the peer. The default setting is 3 failures.
Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued)

Setting / Description

Extended Authentication

XAUTH Configuration
  Note: For more information about XAUTH and its authentication modes, see Configure XAUTH for VPN Clients on page 234.
  Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
  • None. XAUTH is disabled. This is the default setting.
  • Edge Device. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
  • IPSec Host. The wireless VPN firewall functions as a VPN client of the remote gateway. In this configuration the wireless VPN firewall is authenticated by a remote gateway with a user name and password combination.

  Authentication Type
    For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
    • User Database. XAUTH occurs through the wireless VPN firewall's user database. You can add users on the Add User screen (see User Database Configuration on page 235).
    • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the wireless VPN firewall connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 235.
    • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 235.

  Username
    The user name for XAUTH.

  Password
    The password for XAUTH.

9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.

Configure the ProSafe VPN Client for Mode Config Operation

When the Mode Config feature is enabled, the following information is negotiated between the VPN client and the wireless VPN firewall during the authentication phase:
• Virtual IP address of the VPN client
• DNS server address (optional)
• WINS server address (optional)

The virtual IP address that is issued by the wireless VPN firewall is displayed in the VPN Client Address field on the VPN client's IPSec pane.
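As an added example (not NETGEAR's code and nothing the firewall itself runs), the following Python script encodes the Mode Config requirements and value constraints that Table 57 states, so an IKE policy can be checked before it is typed into the Add IKE Policy screen: FQDN identifiers on both endpoints, a remote FQDN not reused by another policy, Aggressive mode with Responder, the pre-shared key length and forbidden-character rules, positive DPD values when DPD is enabled, and the 3600-second lifetime recommendation. The field names, the FQDN pattern and the warnings about 3DES, MD5, SHA-1 and 1024-bit DH group 2 being weak by current cryptographic guidance are this example's own assumptions and caveats, not statements from the manual.

```python
import re
from dataclasses import dataclass

# Value constraints as stated in Table 57 (Pre-shared key row).
PSK_MIN_LEN = 8
PSK_MAX_LEN = 49
PSK_FORBIDDEN_CHARS = {'"', "'", " "}

# NETGEAR's recommended IKE SA lifetime for a Mode Config configuration (Table 57).
MODE_CONFIG_RECOMMENDED_LIFETIME = 3600

# Algorithm choices the walkthrough selects. Treating them as weak is this
# example's added caveat from current cryptographic guidance, not a statement
# the manual makes.
WEAK_ALGORITHMS = {
    "encryption": {"3DES"},
    "authentication": {"MD5", "SHA-1"},
    "dh_group": {"Group 2 (1024 bit)"},
}

# Loose FQDN shape check (assumption): two or more dot-separated labels.
FQDN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class ModeConfigIkePolicy:
    """One IKE policy as entered on the Add IKE Policy screen.

    Field names are this example's own; they mirror the rows of Table 57,
    not any identifier used by the firewall firmware.
    """
    name: str
    local_id_type: str
    local_id: str
    remote_id_type: str
    remote_id: str
    exchange_mode: str
    direction: str
    encryption: str
    authentication: str
    auth_method: str
    psk: str
    dh_group: str
    sa_lifetime: int
    dpd_enabled: bool
    dpd_period: int = 10
    dpd_failures: int = 3


def check_psk(psk: str) -> list[str]:
    """Return the Table 57 pre-shared key rules that `psk` violates."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"pre-shared key length {len(psk)} is outside {PSK_MIN_LEN}..{PSK_MAX_LEN}")
    bad = sorted(PSK_FORBIDDEN_CHARS.intersection(psk))
    if bad:
        problems.append(f"pre-shared key contains forbidden character(s): {bad!r}")
    return problems


def validate(policy: ModeConfigIkePolicy, other_remote_ids: frozenset[str] = frozenset()) -> tuple[list[str], list[str]]:
    """Check a policy against the Mode Config requirements in Table 57.

    Returns (errors, warnings): errors are rules the table states as
    requirements; warnings are the lifetime recommendation and the added
    algorithm-strength caveats.
    """
    errors: list[str] = []
    warnings: list[str] = []

    # Mode Config requires both endpoints to be identified by FQDN.
    for side, id_type, ident in (("local", policy.local_id_type, policy.local_id),
                                 ("remote", policy.remote_id_type, policy.remote_id)):
        if id_type != "FQDN":
            errors.append(f"{side} identifier type must be FQDN, got {id_type!r}")
        elif not FQDN_RE.match(ident):
            errors.append(f"{side} identifier {ident!r} is not a well-formed FQDN")

    # The remote FQDN must not be used in any other IKE policy.
    if policy.remote_id in other_remote_ids:
        errors.append(f"remote identifier {policy.remote_id!r} is already used by another IKE policy")

    # Selecting a Mode Config record forces Aggressive mode and Responder.
    if policy.exchange_mode != "Aggressive":
        errors.append(f"exchange mode must be Aggressive for Mode Config, got {policy.exchange_mode!r}")
    if policy.direction != "Responder":
        errors.append(f"direction/type must be Responder for Mode Config, got {policy.direction!r}")

    if policy.auth_method == "Pre-shared key":
        errors.extend(check_psk(policy.psk))

    if policy.dpd_enabled and (policy.dpd_period <= 0 or policy.dpd_failures <= 0):
        errors.append("DPD detection period and failure count must be positive when DPD is enabled")

    if policy.sa_lifetime > MODE_CONFIG_RECOMMENDED_LIFETIME:
        warnings.append(f"SA lifetime {policy.sa_lifetime}s exceeds the {MODE_CONFIG_RECOMMENDED_LIFETIME}s NETGEAR recommends for Mode Config")
    for field_name, weak in WEAK_ALGORITHMS.items():
        value = getattr(policy, field_name)
        if value in weak:
            warnings.append(f"{field_name} {value!r} is weak by current guidance; prefer a stronger option if the client supports one")

    return errors, warnings


# The policy exactly as the walkthrough in Table 57 fills it in.
EXAMPLE_POLICY = ModeConfigIkePolicy(
    name="ModeConfigNA_Sales",
    local_id_type="FQDN", local_id="router.com",
    remote_id_type="FQDN", remote_id="client.com",
    exchange_mode="Aggressive", direction="Responder",
    encryption="3DES", authentication="SHA-1",
    auth_method="Pre-shared key", psk="H8!spsf3#JYK2!",
    dh_group="Group 2 (1024 bit)", sa_lifetime=3600,
    dpd_enabled=True, dpd_period=30, dpd_failures=3,
)

if __name__ == "__main__":
    errs, warns = validate(EXAMPLE_POLICY)
    print("errors:", errs)
    print("warnings:", warns)
```

Run against the manual's own example values the script reports no errors and three warnings, one per weak algorithm choice; pass the set of remote FQDNs already used by other policies as `other_remote_ids` to catch the reuse that the Remote Identifier row forbids.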
