1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS328
    5. /
  5. 16
Page 76 / 224 Scroll up to view Page 71 - 75
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-2
Virtual Private Networking
December 2003, M-10041-01
IKE Policies
: Define the authentication scheme and automatically generate the encryption
keys. As an alternative option, to further automate the process, you can create an Internet Key
Exchange
(
IKE) policy which uses a trusted certificate authority to provide the authentication
while the IKE policy still handles the encryption.
VPN Policies
: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you
can create a VPN policy which does not use an IKE policy but in which you manually enter all
the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The
FVS328 also allows you to manually input the authentication scheme and encryption key values.
VPN Manual policies manage the keys according to settings you select and do not use IKE
policies.
In order to establish secure communication over the Internet with the remote site you need to
configure matching VPN parameters on both the local and remote sites. The outbound VPN
parameters on one end must match to the inbound VPN parameters on other end, and vice versa.
When the network traffic enters into the FVS328 from the LAN network interface, if there is no
VPN policy found for a type of network traffic, then that traffic passes through without any
change. However, if the traffic is selected by a VPN policy, then the Internet Protocol security
IPSec authentication and encryption rules will be applied to it as defined in the VPN policy.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy
table. You can change the priority by selecting the VPN policy from the policy table and clicking
Move.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typically, CA authentication is used in large organizations which maintain their
own internal CA server. This requires that each VPN gateway have a certificate and trust
certificate root from the CA. Using CAs reduces the amount of data entry required on each VPN
endpoint.
Page 77 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Virtual Private Networking
7-3
December 2003, M-10041-01
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button
of the IKE Policies screen to display the IKE Policy Configuration menu shown in
Figure 7-2
.
Figure 7-2:
IKE - Policy Configuration Menu
Page 78 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-4
Virtual Private Networking
December 2003, M-10041-01
The IKE Policy Configuration fields are defined in the following table.
Table 7-1.
IKE Policy Configuration Fields
Field
Description
General
These settings identify this policy and determine its major characteristics.
Policy Name
The descriptive name of the IKE policy. Each policy should have a unique
policy name. This name is not supplied to the remote VPN endpoint. It is
only used to help you identify IKE policies.
Direction/Type
This setting is used when determining if the IKE policy matches the current
traffic. The drop-down menu includes the following:
Initiator – Outgoing connections are allowed, but incoming are blocked.
Responder – Incoming connections are allowed, but outgoing are
blocked.
Both Directions – Both outgoing and incoming connections are allowed.
Remote Access – This is to allow only incoming client connections,
where the IP address of the remote client is unknown.
If Remote Access is selected, the “Exchange Mode” MUST be
“Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST
be “Name.” On the matching VPN Policy, the IP address of the remote
VPN endpoint should be set to 0.0.0.0.
Exchange Mode
Main Mode or Aggressive Mode. This setting must match the setting used
on the remote VPN endpoint.
Main Mode is slower but more secure.
Aggressive Mode is faster but less secure.
Local
These parameters apply to the Local FVS328 firewall.
Local Identity Type
Use this field to identify the local FVS328. You can choose one of the
following four options from the drop-down list:
By its Internet (WAN) port IP address.
By its Fully Qualified Domain Name (FQDN) – your domain name.
By a Fully Qualified User Name – your name, E-mail address, or
other ID.
By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER)
encoding of your ASN.1 X.500 Distinguished Name.
Local Identity Data
This field lets you identify the local FVS328 by name.
Remote
These parameters apply to the target remote FVS328 firewall, VPN
gateway, or VPN client.
Page 79 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Virtual Private Networking
7-5
December 2003, M-10041-01
Remote Identity Type
Use this field to identify the remote FVS328. You can choose one of the
following four options from the drop-down list:
By its Internet (WAN) port IP address.
By its Fully Qualified Domain Name (FQDN) – your domain name.
By a Fully Qualified User Name – your name, E-mail address, or
other ID.
By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500
Distinguished Name.
Remote Identity Data
This field lets you identify the target remote FVS328 by name.
IKE SA Parameters
These parameters determine the properties of the IKE Security
Association.
Encryption Algorithm
Choose the encryption algorithm for this IKE policy:
• DES
3DES is more secure and is the default
Authentication Algorithm
If you enable Authentication Headers (AH), this menu lets you select from
these authentication algorithms:
MD5 –- the default
SHA-1 – more secure
Authentication Method
You can select Pre-Shared Key or RSA Signature.
Pre-Shared Key
Specify the key according to the requirements of the Authentication
Algorithm you selected.
For MD5, the key length should be 16 bytes.
For SHA-1, the key length should be 20 bytes.
RSA Signature
RSA Signature requires a certificate.
Diffie-Hellman (DH) Group
The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH
Group setting determines the size of the key used in the key exchange.
This must match the value used on the remote VPN gateway or client.
Select Group 1 (768 bit) or Group 2 (1024 bit).
SA Life Time
The amount of time in seconds before the Security Association expires;
over an hour (3600) is common.
Table 7-1.
IKE Policy Configuration Fields
Field
Description
Page 80 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-6
Virtual Private Networking
December 2003, M-10041-01
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 7-3:
VPN - Auto Policy Menu

Rate

3.5 / 5 based on 2 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top