Chapter 5: Virtual Private Networking Using IPsec
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
- Auth. Authentication Algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the remote VPN.)
- Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES. (This setting must match the remote VPN.)
- Action. Allows you to access individual policies to make any changes or modifications.
Configuring Extended Authentication (XAUTH)
When connecting many VPN clients to a VPN firewall, an administrator may want a unique
user authentication method beyond relying on a single common preshared key for all clients.
Although the administrator could configure a unique VPN policy for each user, it is more
convenient for the VPN firewall to authenticate users from a stored list of user accounts.
XAUTH provides the mechanism for requesting individual authentication information from the
user, and a local User Database or an external authentication server, such as a RADIUS
server, provides a method for storing authentication information centrally in the local network.
You can enable XAUTH when adding or editing an IKE Policy. Two types of XAUTH are available:
- Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
- IPsec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local User Database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
Configuring XAUTH for VPN Clients
When XAUTH is enabled, you must establish user accounts in the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy must be disabled before you can modify the IKE policy.
To enable and configure XAUTH:
1. Select VPN > IPsec VPN from the menu.
2. Click the IKE Policies tab. The IKE Policies screen is displayed.
3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
4. In the Extended Authentication section, choose the Authentication Type from the drop-down list that will be used to verify user account information. Select one of the following:
- Edge Device to use this VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways. Specify one of the following authentication types:
  - User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 88).
  - RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the VPN firewall will first check in the user database to see if the user credentials are available. If the user account is not present, the VPN firewall will then connect to the RADIUS server (see “RADIUS Client Configuration” on page 88).
- IPsec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the user name and password associated with the IKE policy for authenticating this gateway (by the remote gateway).
5. Click Apply to save your settings.
User Database Configuration
When XAUTH is enabled as an Edge Device, users must be authenticated either by a local
User Database account or by an external RADIUS server. Whether or not you use a RADIUS
server, you may want some users to be authenticated locally. These users must be added to the List of Users table, as described in “Creating a New User Account” on page 120.
RADIUS Client Configuration
RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing
Authentication, Authorization and Accounting (AAA) of multiple users in a network. A
RADIUS server will store a database of user information, and can validate a user at the
request of a gateway or server in the network when a user requests access to network
resources. During the establishment of a VPN connection, the VPN gateway can interrupt the
process with an XAUTH request. At that point, the remote user must provide authentication
information such as a username/password or some encrypted response using his
username/password information. The gateway will try to verify this information first against a
local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a
central authentication server such as a RADIUS server.
To configure RADIUS servers:
1. Select VPN > IPsec VPN from the menu, and then click the RADIUS Client tab.
2. To activate (enable) the primary RADIUS server, click the Yes radio button. The primary server options become active.
3. Configure the following entries:
- Primary RADIUS Server IP address. The IP address of the RADIUS server.
- Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
- Primary Server NAS Identifier (Network Access Server). This identifier must be present in a RADIUS request. Ensure that the NAS identifier is configured identically on both client and server.
The VPN firewall is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall’s IP address may be sufficient as an identifier, or the server may require a name, which you would enter here. This name would also be configured on the RADIUS server, although in some cases it should be left blank on the RADIUS server.
4. Enable a backup RADIUS server (if required).
5. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server.
6. Set the Maximum Retry Count. This is the number of attempts that the VPN firewall will make to contact the RADIUS server.
7. Click Apply to save the settings.
Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.
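To make the Secret Phrase, NAS Identifier and PAP/CHAP settings above concrete, here is an added Python model of the RADIUS Access-Request exchange (RFC 2865 sections 5.2 and 5.3) between the VPN firewall acting as NAS and the RADIUS server. It is example code, not NETGEAR firmware; the secret phrase, NAS identifier, user name and password are constructed values, and it shows from the server's side why a mismatched Secret Phrase leaves a PAP password unreadable and why the NAS Identifier must match on both ends.

```python
import hashlib
import struct
SECRET = b"example-secret-phrase"  # constructed "Secret Phrase", shared with the server
NAS_ID = b"fvs336g-vpn"            # constructed "Primary Server NAS Identifier"
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IDENTIFIER = 1, 2, 3, 32

def _attr(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value

def _pap_xor(data, authenticator, secret, revealing):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous hidden block or Authenticator)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if revealing else block
    return out

def pap_hide(password, authenticator, secret=SECRET):
    return _pap_xor(password + b"\x00" * (-len(password) % 16), authenticator, secret, False)

def pap_reveal(hidden, authenticator, secret=SECRET):
    return _pap_xor(hidden, authenticator, secret, True).rstrip(b"\x00")

def chap_password(ident, password, challenge):
    # RFC 2865 s5.3: CHAP-Password = ident || MD5(ident || password || challenge)
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_access_request(pkt_id, username, password, mode, authenticator):
    # NAS side; with CHAP and no CHAP-Challenge attribute, the Request Authenticator is the challenge.
    attrs = _attr(USER_NAME, username) + _attr(NAS_IDENTIFIER, NAS_ID)
    if mode == "PAP":
        attrs += _attr(USER_PASSWORD, pap_hide(password, authenticator))
    else:
        attrs += _attr(CHAP_PASSWORD, chap_password(pkt_id, password, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator + attrs

def server_check(packet, expected_password, secret=SECRET):
    # Server side: reject an unknown NAS first, then verify whichever credential was sent.
    code, pkt_id, _ = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    if code != ACCESS_REQUEST or attrs.get(NAS_IDENTIFIER) != NAS_ID:
        return False
    if USER_PASSWORD in attrs:
        return pap_reveal(attrs[USER_PASSWORD], authenticator, secret) == expected_password
    return attrs.get(CHAP_PASSWORD) == chap_password(pkt_id, expected_password, authenticator)
```

A real NAS draws the 16-byte Request Authenticator from a strong random source for every request; the model takes it as a parameter so the exchange is reproducible.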
Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the VPN firewall, you can use the ModeConfig screen to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the VPN firewall. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network.
In the following example, we configured the VPN firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses.
- VPN firewall FVS336Gv2
  - WAN IP address: 172.21.4.1
  - LAN IP address/subnet: 192.168.2.1/255.255.255.0
- ProSafe VPN Client software IP address: 192.168.1.2
Mode Config Operation
After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask and name server addresses. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPsec policy, using the template security proposal information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen).
After configuring a Mode Config record, you must manually configure an IKE policy and select the newly-created Mode Config record from the Select Mode Config Record drop-down list (see “Configuring Mode Config Operation on the VPN Firewall” on page 91). You do not need to make changes to any VPN policy.
Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out.
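As an added illustration of the note above (example code, not part of the manual or the firmware), the following Python model of a Mode Config address pool shows the operational consequence: a client that drops without a graceful disconnect keeps its address out of the pool until its SA lifetime expires, so a small pool can refuse new clients in the meantime. The pool range, subnet mask, name server and SA lifetime are constructed values.

```python
from ipaddress import ip_address

class ModeConfigPool:
    # Constructed model of the Mode Config address pool (example code, not NETGEAR's).
    # A leased address returns to the pool only on graceful disconnect or when the
    # SA lifetime recorded at allocation time has run out.
    def __init__(self, first_ip, last_ip, subnet_mask, dns_servers, sa_lifetime):
        lo, hi = int(ip_address(first_ip)), int(ip_address(last_ip))
        self.free = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.leases = {}  # client_id -> (ip, time at which the SA lifetime expires)
        self.subnet_mask, self.dns_servers, self.sa_lifetime = subnet_mask, dns_servers, sa_lifetime

    def request(self, client_id, now):
        # Called once IKE Phase 1 is complete and the initiator asks for its IP settings.
        self.expire(now)
        if client_id in self.leases:
            ip = self.leases[client_id][0]       # rekey: keep the address, restart the clock
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None                          # pool exhausted
        self.leases[client_id] = (ip, now + self.sa_lifetime)
        return {"ip": ip, "subnet_mask": self.subnet_mask, "dns": self.dns_servers}

    def disconnect(self, client_id):
        # Graceful disconnect: the address is released immediately.
        ip, _ = self.leases.pop(client_id)
        self.free.append(ip)

    def expire(self, now):
        # Ungraceful drop: nothing is released until the SA lifetime times out.
        for cid, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[cid]
                self.free.append(ip)
```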