Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-12
Virtual Private Networking
December 2003, M-10041-01
Table 7-1. VPN Manual Policy Configuration Fields

Field / Description

Authenticating Header (AH) Configuration
    AH specifies the authentication protocol for the VPN header. These settings
    must match the remote VPN endpoint.
    Note: The "Incoming" settings must match the "Outgoing" settings on the
    remote VPN endpoint, and the "Outgoing" settings must match the "Incoming"
    settings on the remote VPN endpoint.

SPI - Incoming
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
    VPN endpoint has the same value in its "Outgoing SPI" field.

SPI - Outgoing
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
    VPN endpoint has the same value in its "Incoming SPI" field.

Enable Authentication
    Use this check box to enable or disable AH. Authentication is often not used,
    so you can leave the check box unselected.

Authentication Algorithm
    If you enable AH, then select the authentication algorithm:
    MD5 - the default
    SHA1 - more secure
    Enter the keys in the fields provided. For MD5, the keys should be 16
    characters. For SHA-1, the keys should be 20 characters.

Key - In
    Enter the keys. For MD5, the keys should be 16 characters. For SHA-1, the
    keys should be 20 characters. Any value is acceptable, provided the remote
    VPN endpoint has the same value in its Authentication Algorithm "Key - Out"
    field.

Key - Out
    Enter the keys in the fields provided. For MD5, the keys should be 16
    characters. For SHA-1, the keys should be 20 characters. Any value is
    acceptable, provided the remote VPN endpoint has the same value in its
    Authentication Algorithm "Key - In" field.

Encapsulated Security Payload (ESP) Configuration
    ESP provides security for the payload (data) sent through the VPN tunnel.
    Generally, you will want to enable both encryption and authentication when
    you use ESP. Two ESP modes are available:
    Plain ESP encryption
    ESP encryption with authentication
    These settings must match the remote VPN endpoint.

SPI - Incoming
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
    VPN endpoint has the same value in its "Outgoing SPI" field.

SPI - Outgoing
    Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote
    VPN endpoint has the same value in its "Incoming SPI" field.

Enable Encryption
    Use this check box to enable or disable ESP Encryption.

Encryption Algorithm
    If you enable ESP Encryption, then select the Encryption Algorithm:
    DES - the default
    3DES - more secure

Key - In
    Enter the key in the fields provided. For DES, the key should be 8
    characters. For 3DES, the key should be 24 characters. Any value is
    acceptable, provided the remote VPN endpoint has the same value in its
    Encryption Algorithm "Key - Out" field.

Key - Out
    Enter the key in the fields provided. For DES, the key should be 8
    characters. For 3DES, the key should be 24 characters. Any value is
    acceptable, provided the remote VPN endpoint has the same value in its
    Encryption Algorithm "Key - In" field.

Enable Authentication
    Use this check box to enable or disable ESP authentication for this VPN
    policy.

Authentication Algorithm
    If you enable authentication, then use this menu to select the algorithm:
    MD5 - the default
    SHA1 - more secure

Key - In
    Enter the key. For MD5, the key should be 16 characters. For SHA-1, the key
    should be 20 characters. Any value is acceptable, provided the remote VPN
    endpoint has the same value in its Authentication Algorithm "Key - Out"
    field.

Key - Out
    Enter the key in the fields provided. For MD5, the key should be 16
    characters. For SHA-1, the key should be 20 characters. Any value is
    acceptable, provided the remote VPN endpoint has the same value in its
    Authentication Algorithm "Key - In" field.

NetBIOS Enable
    Check this if you want NetBIOS traffic to be forwarded over the VPN tunnel.
    The NetBIOS protocol is used by Microsoft Networking for such features as
    Network Neighborhood.
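The rules in Table 7-1 are easy to get wrong by hand: every SPI must be a 3-8 character hex value, each key must have exactly the length its algorithm expects, and every "In" field on one gateway must equal the matching "Out" field on the other. The following Python script is an added example (not part of the manual or NETGEAR's software) that checks one gateway's manual policy against those rules, derives the mirrored policy the remote endpoint must be given, and reports fields on which the two sides disagree. The dictionary layout, field names and sample keys are this example's own constructed placeholders.

```python
import re

# Key lengths (in characters) that Table 7-1 gives per algorithm.
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}
ENC_KEY_LEN = {"DES": 8, "3DES": 24}
# An SPI is a hex value of 3 to 8 characters.
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")

# Every In/Out pair that must be swapped between the two endpoints.
MIRRORED_PAIRS = (
    ("spi_in", "spi_out"),
    ("auth_key_in", "auth_key_out"),
    ("enc_key_in", "enc_key_out"),
)


def _check_keys(policy, enabled_field, alg_field, lengths, key_fields, problems):
    """Check one algorithm block (AH/ESP authentication or ESP encryption)."""
    if not policy.get(enabled_field):
        return
    alg = policy.get(alg_field)
    need = lengths.get(alg)
    if need is None:
        problems.append(f"{alg_field}: unknown algorithm {alg!r}")
        return
    for field in key_fields:
        if len(policy.get(field, "")) != need:
            problems.append(f"{field}: {alg} key must be {need} characters")


def validate_policy(policy):
    """Return a list of problems with one endpoint's manual policy (empty = OK)."""
    problems = []
    for field in ("spi_in", "spi_out"):
        if not SPI_RE.match(policy.get(field, "")):
            problems.append(f"{field}: must be a hex value of 3-8 characters")
    _check_keys(policy, "auth_enabled", "auth_alg", AUTH_KEY_LEN,
                ("auth_key_in", "auth_key_out"), problems)
    _check_keys(policy, "enc_enabled", "enc_alg", ENC_KEY_LEN,
                ("enc_key_in", "enc_key_out"), problems)
    return problems


def mirror_for_peer(policy):
    """Derive the policy the remote endpoint must be given: same algorithms,
    every In/Out field swapped."""
    peer = dict(policy)
    for a, b in MIRRORED_PAIRS:
        if a in policy or b in policy:
            peer[a], peer[b] = policy.get(b), policy.get(a)
    return peer


def mismatches(local, remote):
    """Fields on `remote` that differ from what `local` requires of its peer."""
    expected = mirror_for_peer(local)
    return sorted(k for k in expected if expected[k] != remote.get(k))


# Constructed sample: ESP with 3DES encryption and SHA-1 authentication,
# AH disabled. The keys are placeholders, not real secrets.
GATEWAY_A = {
    "spi_in": "1A2B3C", "spi_out": "4D5E6F",
    "enc_enabled": True, "enc_alg": "3DES",
    "enc_key_in": "abcdefghijklmnopqrstuvwx",   # 24 characters
    "enc_key_out": "ABCDEFGHIJKLMNOPQRSTUVWX",  # 24 characters
    "auth_enabled": True, "auth_alg": "SHA1",
    "auth_key_in": "0123456789abcdefghij",       # 20 characters
    "auth_key_out": "ABCDEFGHIJ0123456789",      # 20 characters
}

if __name__ == "__main__":
    print("Gateway A problems:", validate_policy(GATEWAY_A))
    gateway_b = mirror_for_peer(GATEWAY_A)
    print("Gateway B SPI in/out:", gateway_b["spi_in"], gateway_b["spi_out"])
    # A peer that copied Gateway A's "Incoming SPI" instead of swapping it.
    bad_peer = dict(gateway_b, spi_in="1A2B3C")
    print("Mismatched fields:", mismatches(GATEWAY_A, bad_peer))
```

Running the script reports no problems for Gateway A, prints the swapped SPIs for Gateway B, and flags `spi_in` for the mis-copied peer. The length checks deliberately count characters, as the table does, rather than interpreting the keys as hex.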
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are character strings generated using encryption and authentication schemes that cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities (PCAs), which are in turn certified by the Internet Policy Registration Authority (IPRA). The FVS328 is able to use certificates to authenticate users at the endpoints during the IKE key exchange process.

The certificates can be obtained from a certificate server that an organization maintains internally or from the established public CAs. The certificates are produced by providing the particulars of the user being identified to the CA. The information provided may include the user's name, e-mail ID, domain name, etc.

A CA is part of a trust chain. A CA has a public key which is signed. The combination of the signed public key and the private key enables the CA process to eliminate ‘man in the middle’ security threats. A ‘self’ certificate has your public key and the name of your CA, and relies on the CA’s certificate to authenticate. Each CA has its own certificate. The certificates of a CA are added to the FVS328 and can then be used to form IKE policies for the user. Once a CA certificate is added to the FVS328 and a certificate is created for a user, the corresponding IKE policy is added to the FVS328. Whenever the user tries to send traffic through the FVS328, the certificates are used in place of pre-shared keys during the initial key exchange as the authentication and key generation mechanism. Once the keys are established and the tunnel is set up, the connection proceeds according to the VPN policy.
Certificate Revocation List (CRL)
Each Certification Authority (CA) maintains a list of the certificates it has revoked. This list is known as the Certificate Revocation List (CRL).

Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the CRL on the FVS328 obtained from the corresponding CA. If the certificate is not present in the CRL, the certificate is not revoked and IKE can use it for authentication. If the certificate is present in the CRL, the certificate is revoked and IKE will not authenticate the client.

You must manually update the FVS328 CRL regularly in order for the CA-based authentication process to remain valid.
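The decision just described, in code, as an added example that is not part of the manual or of the FVS328 firmware: the gateway looks up the CRL for the issuer of the peer's certificate, rejects the peer if the certificate's serial number is on the list, and, because the manual requires the CRL to be refreshed manually, also rejects when the loaded CRL is past its next-update date and so can no longer prove anything. The `Certificate` and `CRL` classes, the CA name, serial numbers and dates are constructed for this example; verifying the CA's signature on the certificate and on the CRL is assumed to have happened before this check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    """The parts of a peer certificate this check needs. Signature
    verification against the CA certificate is assumed done beforehand."""
    issuer: str
    serial: int
    subject: str


@dataclass(frozen=True)
class CRL:
    """A CA's revocation list as loaded onto the gateway."""
    issuer: str
    this_update: datetime
    next_update: datetime   # after this date the list is stale and must be re-fetched
    revoked: frozenset      # serial numbers of revoked certificates


def check_peer_certificate(cert, crls, now):
    """Decide whether IKE may use `cert` for authentication.

    `crls` maps an issuer name to the CRL loaded for that CA.
    Returns (accepted, reason).
    """
    crl = crls.get(cert.issuer)
    if crl is None:
        return False, f"no CRL loaded for issuer {cert.issuer!r}"
    if now > crl.next_update:
        # A CRL that was not refreshed in time cannot show that the
        # certificate is still unrevoked, so fail closed.
        return False, f"CRL for {cert.issuer!r} expired on {crl.next_update:%Y-%m-%d}"
    if cert.serial in crl.revoked:
        return False, f"certificate serial {cert.serial} is revoked"
    return True, "certificate not present in CRL"


# Constructed sample data for one CA (names, serials and dates are made up).
CA_NAME = "CN=Example Corp CA"
ISSUED = datetime(2003, 12, 1, tzinfo=timezone.utc)
CRL_STORE = {
    CA_NAME: CRL(
        issuer=CA_NAME,
        this_update=ISSUED,
        next_update=ISSUED + timedelta(days=30),
        revoked=frozenset({1002, 1007}),
    )
}
GOOD_PEER = Certificate(issuer=CA_NAME, serial=1001, subject="CN=gateway-b")
REVOKED_PEER = Certificate(issuer=CA_NAME, serial=1007, subject="CN=old-laptop")
UNKNOWN_CA_PEER = Certificate(issuer="CN=Other CA", serial=5, subject="CN=stranger")
NOW_OK = ISSUED + timedelta(days=10)     # CRL still current
NOW_STALE = ISSUED + timedelta(days=45)  # administrator forgot to refresh the CRL

if __name__ == "__main__":
    for peer in (GOOD_PEER, REVOKED_PEER, UNKNOWN_CA_PEER):
        print(peer.subject, check_peer_certificate(peer, CRL_STORE, NOW_OK))
    print("stale CRL:", check_peer_certificate(GOOD_PEER, CRL_STORE, NOW_STALE))
```

The check is keyed on the issuer name so that a CRL from one CA is never consulted for a certificate issued by another, and a missing CRL is treated the same way as a stale one: the peer is refused until the administrator loads a current list.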
Walk-Through of Configuration Scenarios
There are a variety of configurations you might implement with the FVS328. The scenarios listed below illustrate typical configurations you might use in your organization.

To make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium ( ). The goal is to make it easier to get the systems from different vendors to interoperate. NETGEAR is providing you with both of these scenarios in the following two formats:
VPN Consortium Scenarios without any product implementation details
VPN Consortium Scenarios based on the FVS328 user interface

The purpose of providing these two versions of the same scenarios is to help you determine where the two vendors use different vocabulary. Seeing the examples presented in these different ways will reveal how systems from different vendors do the same thing. See Appendix E, “Virtual Private Networking” for a full discussion of VPN and the configuration templates NETGEAR developed for publishing multi-vendor VPN integration configuration case studies.
VPNC Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 7-5: VPN Consortium Scenario 1
(Diagram labels: Gateway A with LAN 10.5.6.0/24, LAN interface 10.5.6.1 and WAN interface 14.15.16.17; the Internet; Gateway B with WAN interface 22.23.24.25, LAN interface 172.23.9.1 and LAN 172.23.9.0/24.)

Note: See Appendix F, “NETGEAR VPN Configuration FVS318 or FVM318 to FVS328” for a detailed procedure for configuring VPN communications between a NETGEAR FVS318 and a FVS328. NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR Web site at www.netgear.com/docs for more details.
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used
for testing IPsec but is not needed for configuring Gateway A.
Note: The /24 after the IP address refers to the full range of IP addresses. For example, 10.5.6.0/24 refers to IP address 10.5.6.0 with the netmask 255.255.255.0.
The IKE Phase 1 parameters used in Scenario 1 are:
Main mode
TripleDES
SHA-1
MODP group 2 (1024 bits)
pre-shared secret of "hr5xb84l6aa9r6"
SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
TripleDES
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
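Scenario 1 only works if both gateways propose exactly the same Phase 1 and Phase 2 parameters and mirror each other's endpoints and subnets; a single disagreement (a different hash, DH group or lifetime on one side) makes the IKE negotiation fail. The script below is an added example, not part of the manual or of the VPN Consortium's material: it records the scenario's parameters as seen from Gateway A, derives Gateway B's view by swapping local and remote, diffs the two sides the way an administrator would when troubleshooting a failed negotiation, and applies the traffic selectors to sample packets. The dictionary layout and key names are this example's own, not the FVS328 user interface.

```python
import ipaddress

# VPNC Scenario 1 as configured on Gateway A. Key names are this example's own.
GATEWAY_A = {
    "local_wan": "14.15.16.17",
    "remote_wan": "22.23.24.25",
    "local_subnet": "10.5.6.0/24",
    "remote_subnet": "172.23.9.0/24",
    "psk": "hr5xb84l6aa9r6",
    "phase1": {
        "exchange": "main", "enc": "3DES", "hash": "SHA-1", "dh_group": 2,
        "lifetime_s": 28800, "lifetime_kb": None,   # no kbytes rekeying
    },
    "phase2": {
        "protocol": "ESP", "mode": "tunnel", "enc": "3DES", "hash": "SHA-1",
        "pfs_group": 2, "lifetime_s": 3600, "lifetime_kb": None,
        "ip_protocol": "any", "ports": "any",       # selectors: all protocols, all ports
    },
}


def peer_view(cfg):
    """The same scenario as Gateway B must configure it: local and remote swap,
    the IKE proposals and the pre-shared secret stay identical."""
    return dict(cfg,
                local_wan=cfg["remote_wan"], remote_wan=cfg["local_wan"],
                local_subnet=cfg["remote_subnet"], remote_subnet=cfg["local_subnet"])


def negotiation_mismatches(a, b):
    """Return [(section, key, a_value, b_value)] for every parameter on which the
    two gateways disagree; an empty list means the proposals can be accepted.
    The pre-shared secret itself is never written into the report."""
    diffs = []
    for section in ("phase1", "phase2"):
        for key in sorted(set(a[section]) | set(b[section])):
            va, vb = a[section].get(key), b[section].get(key)
            if va != vb:
                diffs.append((section, key, va, vb))
    expected_b = peer_view(a)
    for key in ("local_wan", "remote_wan", "local_subnet", "remote_subnet"):
        if expected_b[key] != b.get(key):
            diffs.append(("endpoints", key, expected_b[key], b.get(key)))
    if a["psk"] != b["psk"]:
        diffs.append(("auth", "psk", "<differs>", "<differs>"))
    return diffs


def selector_matches(cfg, src_ip, dst_ip):
    """True if a packet from the local LAN to the remote LAN falls inside the
    policy's selectors. All protocols and ports are covered, so only the
    source and destination addresses decide."""
    local = ipaddress.ip_network(cfg["local_subnet"])
    remote = ipaddress.ip_network(cfg["remote_subnet"])
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)


if __name__ == "__main__":
    gateway_b = peer_view(GATEWAY_A)
    print("correct peer:", negotiation_mismatches(GATEWAY_A, gateway_b))
    # Gateway B mistakenly set MD5 for the Phase 2 hash.
    wrong_b = dict(gateway_b, phase2=dict(gateway_b["phase2"], hash="MD5"))
    print("wrong peer:", negotiation_mismatches(GATEWAY_A, wrong_b))
    print(selector_matches(GATEWAY_A, "10.5.6.42", "172.23.9.7"),
          selector_matches(GATEWAY_A, "10.5.6.42", "192.0.2.1"))
```

Because the diff is reported per section and key, the output points straight at the field to correct on the peer; the Gateway B view can also be handed to whoever configures the other vendor's device as the parameter list to translate into that product's vocabulary.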