Chapter 5: Virtual Private Networking Using IPsec | 91
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Configuring Mode Config Operation on the VPN Firewall
Configuring Mode Config operation on the VPN firewall involves two screens: the Mode Config screen, where you define the address pool and the settings handed to clients, and the IKE Policies screen, where you bind that record to an IKE policy.
To configure the Mode Config screen:
1. Select VPN > IPsec VPN from the menu.
2. Click the Mode Config tab. The Mode Config screen is displayed.
3. Click Add. The Add Mode Config Record screen is displayed.
4. Enter a descriptive Record Name such as “Sales”.
5. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool must not overlap your local network (LAN) IP addresses. Use a different range of private IP addresses, such as 172.20.xx.xx.
6. If you have a WINS Server on your local network, enter its IP address.
7. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
8. If you enable Perfect Forward Secrecy (PFS), choose DH Group 1 or 2. This setting must exactly match the configuration of the remote VPN client. (DH Group 1 is 768-bit MODP and is too weak by current standards; use Group 2 whenever the client supports it.)
9. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your VPN firewall’s LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will default to the LAN subnet of the VPN firewall.)
10. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
SA Lifetime: 3600 seconds
Authentication Algorithm: SHA-1
Encryption Algorithm: 3DES
(3DES is deprecated; if both the firewall and the client offer AES, prefer it.)
11. Click Apply. The new record should appear in the List of Mode Config Records table on the Mode Config screen.
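The note in step 5 (pool outside the LAN, drawn from private space) is the kind of thing that is easy to get wrong when the pool is typed as a first/last pair rather than a CIDR block. The following check is an added example, not NETGEAR's code and not part of the manual; it assumes the firewall's own "address/netmask" notation for the LAN subnet and the manual's sample values (LAN 192.168.2.0/24, pool in 172.20.x.x), which are constructed inputs here.

```python
import ipaddress
from typing import List

# RFC 1918 private ranges; the manual says to draw the Mode Config pool from one of these.
RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def parse_subnet(addr_and_mask: str) -> ipaddress.IPv4Network:
    """Parse the firewall UI's 'address/netmask' notation, e.g. '192.168.2.1/255.255.255.0'.

    strict=False accepts a host address (192.168.2.1) in place of the network address.
    """
    return ipaddress.IPv4Network(addr_and_mask, strict=False)


def check_mode_config_pool(first_ip: str, last_ip: str, lan_subnet: str) -> List[str]:
    """Return the problems with a Mode Config IP pool; an empty list means the pool is usable.

    Two things break a Mode Config deployment: a pool that overlaps the firewall's LAN subnet
    (clients are handed addresses that collide with LAN hosts) and a pool that is not RFC 1918
    private space.
    """
    problems: List[str] = []
    first = ipaddress.IPv4Address(first_ip)
    last = ipaddress.IPv4Address(last_ip)
    lan = parse_subnet(lan_subnet)

    if first > last:
        return [f"pool start {first} is after pool end {last}"]

    # A first..last range is rarely a single CIDR block; summarize it and test each block.
    for block in ipaddress.summarize_address_range(first, last):
        if block.overlaps(lan):
            problems.append(f"pool block {block} overlaps the LAN subnet {lan}")
        if not any(block.subnet_of(private) for private in RFC1918):
            problems.append(f"pool block {block} is outside RFC 1918 private space")
    return problems


if __name__ == "__main__":
    # Constructed values from the manual's walkthrough: LAN 192.168.2.0/24, pool in 172.20.x.x.
    lan = "192.168.2.1/255.255.255.0"
    for pool in (("172.20.1.1", "172.20.1.50"), ("192.168.2.100", "192.168.2.150")):
        print(pool, check_mode_config_pool(*pool, lan) or "OK")
```

Run it before clicking Apply; a pool that overlaps the LAN passes the UI but leaves the remote client unable to reach the hosts it collides with.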
Configuring an IKE Policy for Mode Config Operation
Next, you must configure an IKE policy:
1. Select VPN > IPsec VPN from the menu. The IKE Policies screen is displayed, showing the current policies in the List of IKE Policies table.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen is displayed:
3. In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the drop-down list. (To view the parameters of the selected record, click the view selected button.)
Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel are defined by an FQDN. Be aware that in Aggressive Mode the identities travel unencrypted and the pre-shared-key-derived hash can be captured and guessed offline, so use a long, random Pre-Shared Key.
4. In the General section:
Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
Set Direction/Type to Responder.
The Exchange Mode will automatically be set to Aggressive.
5. In the Local section, select FQDN for the Identity Type.
6. In the Local section, choose which WAN port to use as the VPN tunnel end point.
7. In the Remote section, enter an identifier in the Identity Type field that is not used by any other IKE policy. This identifier will be used as part of the local identifier in the VPN client configuration.
8. In the IKE SA Parameters section, specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are:
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Diffie-Hellman: Group 2
SA Lifetime: 3600 seconds
9. Enter a Pre-Shared Key that will also be configured in the VPN client.
10. XAUTH is disabled by default. To enable XAUTH, in the Extended Authentication section, select one of the following:
Edge Device to use this VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying the credentials of the remote VPN gateways.)
IPsec Host if you want the VPN firewall to be authenticated by the remote gateway. Enter a username and password to be associated with the IKE policy. When this option is chosen, you must specify the user name and password the remote gateway will use to authenticate this gateway.
For more information on XAUTH, see “Configuring XAUTH for VPN Clients” on page 86.
11. If Edge Device was enabled, choose the Authentication Type from the pull-down menu that will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “Creating a New User Account” on page 120 or “RADIUS Client Configuration” on page 88).
Note: If RADIUS-PAP is selected, the VPN firewall first checks the User Database to see if the user credentials are available. If the user account is not present, the VPN firewall then connects to the RADIUS server.
12. Click Apply. The new policy will appear in the List of IKE Policies table.
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a. Give the connection a descriptive name such as “modecfg_test”. (This name is only used internally.)
b. In the ID Type field, choose IP Subnet.
c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway).
d. Check the Connect using radio button and choose Secure Gateway Tunnel from the drop-down list.
e. From the ID Type drop-down list, choose Domain Name and enter the FQDN of the VPN firewall; in this example it is “local_id.com”.
f. Choose Gateway IP Address from the second drop-down list and enter the WAN IP address of the VPN firewall; in this example it is “172.21.4.1”.
2. From the left side of the menu, click My Identity and enter the following information:
a. Click Pre-Shared Key and enter the key you configured in the VPN firewall’s Add IKE Policy screen.
b. From the Select Certificate drop-down list, choose None.
c. In the ID Type field, choose Domain Name and create an identifier based on the name of the IKE policy you created; for example “salesperson11.remote_id.com”.
d. From the Virtual Adapter drop-down list, choose Preferred. The Internal Network IP Address should be 0.0.0.0.
Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings and check the box for “Allow to Specify Internal Network Address.”
e. Select your Internet Interface adapter in the Name field.
3. On the left side of the menu, choose Security Policy.
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) box, and choose Diffie-Hellman Group 2 from the PFS Key Group drop-down list.
c. Enable Replay Detection should be checked.
4. Click Authentication (Phase 1) on the left side of the menu and choose Proposal 1. Enter the Authentication values to match the IKE SA Parameters of the VPN firewall’s IKE policy (in this example 3DES, SHA-1, DH Group 2, 3600 seconds).
5. Click Key Exchange (Phase 2) on the left side of the menu and choose Proposal 1. Enter the values to match the VPN policy settings of the VPN firewall’s ModeConfig Record. (The SA Lifetime can be longer, such as 8 hours [28800 seconds].)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
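Every step on both sides says the values "must match", and the identities cross over (the firewall's Local FQDN is the client's remote ID, the firewall's Remote identifier is the client's My Identity), so a mismatch is the usual reason a Mode Config tunnel never comes up. The checker below is an added example written for this page, not NETGEAR's code and not part of the ProSafe client; the two policy dictionaries are constructed from the walkthrough's sample values, the pre-shared key is a placeholder, and the 20-character PSK threshold and the weak-parameter sets are this example's own assumptions.

```python
from typing import Dict, List

# Parameters that are weak by current standards: DH group 1 is 768-bit MODP; DES/3DES and MD5
# are deprecated. The manual's recommended values (3DES, SHA-1, group 2) still negotiate; the
# warnings only say a stronger option should be preferred where both ends offer it.
WEAK_DH_GROUPS = {1}
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5"}
MIN_PSK_CHARS = 20  # assumed threshold for this example, not a vendor figure

# Constructed firewall side: the IKE policy plus the Mode Config record's VPN policy settings.
FIREWALL_POLICY: Dict = {
    "exchange_mode": "Aggressive",
    "local_id": "local_id.com",                   # Local section, Identity Type FQDN
    "remote_id": "salesperson11.remote_id.com",   # Remote section identifier
    "psk": "correct horse battery staple 42",     # placeholder, not a real key
    "ike": {"encryption": "3DES", "auth": "SHA-1", "dh_group": 2, "lifetime": 3600},
    "ipsec": {"encryption": "3DES", "auth": "SHA-1", "pfs_group": 2, "lifetime": 3600},
}

# Constructed client side, as entered in the ProSafe VPN Client policy editor.
CLIENT_POLICY: Dict = {
    "phase1_mode": "Aggressive",
    "remote_id": "local_id.com",                  # connection ID Type: Domain Name
    "my_id": "salesperson11.remote_id.com",       # My Identity, ID Type: Domain Name
    "psk": "correct horse battery staple 42",
    "phase1": {"encryption": "3DES", "auth": "SHA-1", "dh_group": 2, "lifetime": 3600},
    "phase2": {"encryption": "3DES", "auth": "SHA-1", "pfs_group": 2, "lifetime": 28800},
}


def check_mode_config_pair(fw: Dict, client: Dict) -> List[str]:
    """Compare firewall and client settings; return 'ERROR: ...' and 'WARN: ...' findings.

    ERROR means the tunnel will not negotiate; WARN means it will, but with a weak setting.
    An empty list means the two sides are consistent and nothing weak was found.
    """
    findings: List[str] = []

    def err(msg: str) -> None:
        findings.append("ERROR: " + msg)

    def warn(msg: str) -> None:
        findings.append("WARN: " + msg)

    # Mode Config only works in Aggressive Mode, on both ends.
    if fw["exchange_mode"] != "Aggressive" or client["phase1_mode"] != "Aggressive":
        err("Mode Config needs Aggressive Mode on both the firewall and the client")

    # Identities cross over between the two configurations.
    if fw["local_id"] != client["remote_id"]:
        err(f"firewall local ID {fw['local_id']!r} != client remote ID {client['remote_id']!r}")
    if fw["remote_id"] != client["my_id"]:
        err(f"firewall remote ID {fw['remote_id']!r} != client My Identity {client['my_id']!r}")

    if fw["psk"] != client["psk"]:
        err("pre-shared keys differ")
    elif len(fw["psk"]) < MIN_PSK_CHARS:
        warn(f"PSK shorter than {MIN_PSK_CHARS} characters; Aggressive Mode exposes it to offline guessing")

    # Phase 1 (IKE SA) must match field for field, lifetime included, as the manual requires.
    for key in ("encryption", "auth", "dh_group", "lifetime"):
        if fw["ike"][key] != client["phase1"][key]:
            err(f"Phase 1 {key}: firewall {fw['ike'][key]} vs client {client['phase1'][key]}")

    # Phase 2 (IPsec SA): algorithms and PFS group must match; the client's lifetime may differ.
    for key in ("encryption", "auth", "pfs_group"):
        if fw["ipsec"][key] != client["phase2"][key]:
            err(f"Phase 2 {key}: firewall {fw['ipsec'][key]} vs client {client['phase2'][key]}")

    # Strength checks on what the two sides agreed on.
    for phase, params, group_key in (("Phase 1", fw["ike"], "dh_group"),
                                     ("Phase 2", fw["ipsec"], "pfs_group")):
        if params["encryption"] in WEAK_CIPHERS:
            warn(f"{phase} uses {params['encryption']}; prefer AES if both ends offer it")
        if params["auth"] in WEAK_HASHES:
            warn(f"{phase} uses {params['auth']} for authentication")
        if params[group_key] in WEAK_DH_GROUPS:
            warn(f"{phase} uses DH group {params[group_key]} (768-bit MODP)")
    return findings


if __name__ == "__main__":
    for line in check_mode_config_pair(FIREWALL_POLICY, CLIENT_POLICY) or ["consistent"]:
        print(line)
```

With the manual's sample values the only output is the 3DES warning for both phases; swap the two Domain Name identities on the client and the checker reports the ERROR that explains the silent failure you would otherwise see at Connect.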
Testing the Mode Config Connection
To test the connection:
1. Right-click the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click the connection. Within 30 seconds the message “Successfully connected to My Connections\modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
Configuring Keepalives and Dead Peer Detection
In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for
example, when client-server applications over the tunnel cannot tolerate the tunnel
establishment time. If you require your VPN tunnel to remain connected, you can use the
Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force
a reconnection if the tunnel drops for any reason.
For Dead Peer Detection to function, the peer VPN device on the other end of the tunnel
must also support Dead Peer Detection. Keepalive, though less reliable than Dead Peer
Detection, does not require any support from the peer device.
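The keepalive mechanism described here is a ping across the tunnel with a reconnect once enough replies go missing; the design point is to count consecutive misses rather than react to a single lost packet, or the tunnel flaps. The monitor below is an added example written for this page, not the firewall's firmware and not NETGEAR's code; the probed host 192.168.2.10, the threshold of three misses and the scripted reply pattern are constructed for the demonstration, and the live probe shells out to the OS ping command rather than using raw sockets.

```python
import subprocess
import sys
import time
from typing import Callable, List


def icmp_probe(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo request with the OS ping tool; True if a reply came back.

    Uses the platform's own flags (-n/-w on Windows, -c/-W elsewhere), so no raw socket
    privileges are needed.
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                                timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


class KeepaliveMonitor:
    """Probe a host across the tunnel; after failure_threshold consecutive misses, reconnect."""

    def __init__(self, host: str, probe: Callable[[str], bool], failure_threshold: int = 3,
                 on_reconnect: Callable[[], None] = lambda: None) -> None:
        self.host = host
        self.probe = probe
        self.failure_threshold = failure_threshold
        self.on_reconnect = on_reconnect   # hook that actually re-initiates the tunnel
        self.consecutive_failures = 0
        self.reconnects = 0

    def tick(self) -> str:
        """Run one keepalive probe; returns 'ok', 'missed' or 'reconnect'."""
        if self.probe(self.host):
            self.consecutive_failures = 0  # any reply resets the miss counter
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.failure_threshold:
            return "missed"
        # Threshold reached: force a reconnect, then start counting again for the new tunnel.
        self.consecutive_failures = 0
        self.reconnects += 1
        self.on_reconnect()
        return "reconnect"


def monitor_loop(monitor: KeepaliveMonitor, interval_s: float, max_ticks: int) -> List[str]:
    """Probe on a fixed period (the keepalive interval) for max_ticks probes."""
    decisions: List[str] = []
    for _ in range(max_ticks):
        decisions.append(monitor.tick())
        time.sleep(interval_s)
    return decisions


def scripted_probe(replies: List[bool]) -> Callable[[str], bool]:
    """Constructed probe for offline runs: returns the scripted replies in order, then False."""
    queue = iter(replies)
    return lambda host: next(queue, False)


def run_scripted(replies: List[bool], failure_threshold: int = 3) -> List[str]:
    """Feed a scripted reply pattern through the monitor and return the per-tick decisions."""
    monitor = KeepaliveMonitor("192.168.2.10", scripted_probe(replies), failure_threshold)
    return [monitor.tick() for _ in replies]


if __name__ == "__main__":
    # Offline demonstration: isolated losses are tolerated, three in a row force a reconnect.
    print(run_scripted([True, False, True, False, False, False, True]))
    # Live use against a host on the far LAN (assumed address), ten-second keepalive period:
    # live = KeepaliveMonitor("192.168.2.10", icmp_probe, 3, lambda: print("reconnect tunnel"))
    # print(monitor_loop(live, 10, 6))
```

The same counter is what a DPD implementation keeps, with an IKE notify in place of the ping; the reason keepalive is called less reliable is that a lost echo reply can mean the far host is down rather than the tunnel, while DPD only ever asks the peer gateway itself.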
Configuring Keepalives
The keepalive feature maintains the IPsec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keepalive on a configured VPN policy, follow these steps:
1. Select VPN > Policies from the menu.