1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS336Gv2
    5. /
  5. 17
Page 81 / 203 Scroll up to view Page 76 - 80
Chapter 5:
Virtual Private Networking Using IPsec
|
81
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Right-click the VPN Client icon in the system tray and select
Log Viewer
.
Figure 5-9
Log Viewer
Right-click the VPN Client icon in the system tray and select
Connection Monitor
.
Figure 5-10
Connection Monitor
The VPN client system tray icon provides status indications, which are listed below.
Table 5-6.
System Tray Icon
Status
The client policy is deactivated.
The client policy is deactivated but not connected.
The client policy is activated and connected.
A flashing vertical bar indicates traffic on the tunnel.
Page 82 / 203
82
|
Chapter 5:
Virtual Private Networking Using IPsec
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
VPN Firewall VPN Connection Status and Logs
To view VPN firewall VPN connection status, go to VPN > Connection Status.
You can set a poll interval (in seconds) to check the connection status of all active IKE
policies to obtain the latest VPN tunnel activity. The
Active IPSec SA(s)
table also lists
current data for each active IPsec SA (security association):
Policy Name
. The name of the VPN policy associated with this SA.
Endpoint
. The IP address on the remote VPN endpoint.
Tx (KBytes)
. The amount of data transmitted over this SA.
Tx (Packets)
. The number of packets transmitted over this SA.
State
. The current state of the SA. Phase 1 is “Authentication phase” and Phase 2 is “Key
Exchange phase”.
Action
. Allows you to terminate or build the SA (connection), if required.
To view VPN firewall VPN logs, select Monitoring > VPN Logs from the menu. The IPSec
VPN Logs screen is displayed.
Page 83 / 203
Chapter 5:
Virtual Private Networking Using IPsec
|
83
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Managing VPN Policies
After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are
stored in separate policy tables. The name you selected as the VPN tunnel connection name
during Wizard setup identifies both the VPN policy and IKE policy.
You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
Note:
You cannot modify an IKE policy that is associated with an enabled
VPN policy. To modify the IKE policy, first disable the VPN policy.
After you have modified and saved the IKE policy, you can then
re-enable the VPN policy.
Configuring IKE Policies
The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN
gateways, and provides automatic management of the keys used in IPsec. It is important to
remember that:
“Auto” generated VPN policies must use the IKE negotiation protocol.
“Manual” generated VPN policies cannot use the IKE negotiation protocol.
IKE policies are activated when the following occur:
1.
The VPN Policy Selector determines that some traffic matches an existing VPN policy. If
the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN
policy are accessed which specify which IKE policy to use.
2.
If the VPN policy is a “Manual” policy, then the Manual Policy Parameters defined in the
VPN policy are accessed and the first matching IKE policy is used to start negotiations
with the remote VPN gateway.
If negotiations fail, the next matching IKE policy is used.
If none of the matching IKE policies are acceptable to the remote VPN gateway, then
a VPN tunnel cannot be established.
3.
An IKE session is established, using the SA (Security Association) parameters specified
in a matching IKE policy:
Keys and other parameters are exchanged.
An IPsec SA (Security Association) is established, using the parameters in the VPN
policy.
The VPN tunnel is then available for data transfer.
Page 84 / 203
84
|
Chapter 5:
Virtual Private Networking Using IPsec
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
The IKE Policies Screen
When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and
populated in the
List of IKE Policies
table on the IKE Policies screen and is given the same
name as the new VPN connection name. You can also edit exiting policies or add new IKE
policies directly on the IKE Policies screen.
Go to VPN > IKE Policies to view the IKE Policies screen. (The example policies that are
listed in the
List of IKE Policies
table do not correspond to the IKE policies that were created
using the VPN Wizard earlier in this chapter.)
Each policy that is listed in the
List of IKE Policies
table contains the following data:
Name
. Uniquely identifies each IKE policy. The name is chosen by you and used for
managing your policies; it is not supplied to the remote VPN endpoint.
Mode
. Two modes are available: either Main or Aggressive.
-
Main Mode is slower but more secure.
-
Aggressive mode is faster but less secure. (If specifying either a FQDN or a User
FQDN name as the Local ID/Remote ID, aggressive mode is automatically selected.)
Local ID
. The IKE/ISAKMP identifier of this device. (The remote VPN must have this
value as their remote ID.)
Remote ID
. The IKE/ISAKMP identifier of the remote VPN gateway. (The remote VPN
must have this value as its Local ID.)
Encr
. Encryption algorithm used for the IKE SA. The default setting using the VPN Wizard
is 3DES. (This setting must match the Remote VPN.)
Auth
. Authentication algorithm used for the IKE SA. The default setting using the VPN
Wizard is SHA1. (This setting must match the remote VPN.)
DH
. The Diffie-Hellman (DH) group used when exchanging keys. The DH group sets the
number of bits. The VPN Wizard default setting is Group 2. (This setting must match the
remote VPN.)
To gain a more complete understanding of the encryption, authentication and DH
algorithm technologies, see
Appendix D
” for a link to the NETGEAR website.
Page 85 / 203
Chapter 5:
Virtual Private Networking Using IPsec
|
85
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Configuring VPN Policies
You can create two types of VPN policies. When using the VPN Wizard to create a VPN
policy, only the Auto method is available.
Manual
. All settings (including the keys) for the VPN tunnel are manually entered at each
end (both VPN Endpoints). No third-party server or organization is involved.
Auto
. Some parameters for the VPN tunnel are generated automatically by using the IKE
(Internet Key Exchange) protocol to perform negotiations between the two VPN
Endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a Certificate Authority (CA) can also be used to perform authentication (see
“Managing Certificates”
on page 124). To use a CA, each VPN gateway must have a
certificate from the CA. For each certificate, there is both a public key and a private key. The
public key is freely distributed, and is used by any sender to encrypt data intended for the
receiver (the key owner). The receiver then uses its private key to decrypt the data (without
the private key, decryption is impossible). The use of certificates for authentication reduces
the amount of data entry required on each VPN endpoint.
The VPN Policies Screen
The VPN Policies screen (see ) allows you to add additional policies—either Auto or
Manual—and to manage the VPN policies already created. You can edit policies, enable or
disable policies, or delete them entirely. The rules for VPN policy use are:
1.
Traffic covered by a policy will automatically be sent via a VPN tunnel.
2.
When traffic is covered by two or more policies, the first matching policy will be used. (In
this situation, the order of the policies is important. However, if you have only one policy
for each remote VPN Endpoint, then the policy order is not important.)
3.
The VPN tunnel is created according to the parameters in the SA (Security Association).
4.
The remote VPN endpoint must have a matching SA, or it will refuse the connection.
Only one client policy may configured at a time (noted by an “*” next to the policy name). The
List of VPN Policies
table contains the following fields:
! (Status)
. Indicates whether the policy is enabled (green circle) or disabled (grey circle).
To Enable or Disable a Policy, check the box adjacent to the circle and click
Enable
or
Disable
, as required.
Name
. Each policy is given a unique name (the Connection Name when using the VPN
Wizard).
Type
. The type is “Auto” or “Manual” as described previously (Auto is used during VPN
Wizard configuration).
Local
. IP address (either a single address, range of address or subnet address) on your
local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The
subnet address is supplied as the default IP address when using the VPN Wizard).
Remote
. IP address or address range of the remote network. Traffic must be to (or from)
these addresses to be covered by this policy. (The VPN Wizard default requires the
remote LAN IP address and subnet mask).

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top