v1.0, September 2006
Chapter 5
Virtual Private Networking
This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN
firewall. VPN tunnels provide secure, encrypted communications between your local network and
a remote network or computer.
Dual WAN Port Systems
The dual WAN ports in the VPN firewall can be configured for rollover mode for increased system
reliability by specifying the Broadband connection with the Dialup connection as backup. This
WAN mode choice then impacts how the VPN features must be configured.
The use of fully qualified domain names is mandatory when the WAN ports are in rollover mode (see “Configuring the WAN Mode” on page 2-15); FQDNs are also required for the VPN tunnels to fail over. When using rollover mode, you must configure a Dynamic DNS service (see “Configuring Dynamic DNS (If Needed)” on page 2-16 to select and configure the Dynamic DNS service).
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Table 5-1. IP Addressing Requirements for VPN in Dual WAN Port Systems

Configuration                 WAN IP address  Rollover Mode (a)  Dedicated Mode
VPN Road Warrior              Fixed           FQDN required      Allowed (FQDN optional)
(client-to-gateway)           Dynamic         FQDN required      FQDN required
VPN Gateway-to-Gateway        Fixed           FQDN required      Allowed (FQDN optional)
                              Dynamic         FQDN required      FQDN required
VPN Telecommuter              Fixed           FQDN required      Allowed (FQDN optional)
(client-to-gateway through a  Dynamic         FQDN required      FQDN required
NAT router)

a. All tunnels must be re-established after a rollover using the new WAN IP address.
FVS338 ProSafe VPN Firewall 50 Reference Manual
Setting up a VPN Connection using the VPN Wizard
Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the
VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard
can assist in guiding you through the setup procedure by asking you a series of questions that will
determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the
network connection: Security Association, traffic selectors, authentication algorithm, and
encryption. The parameters used by the VPN wizard are based on the VPNC recommendations.
Creating a VPN Tunnel to a Gateway
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. You can also set
up multiple remote VPN Client policies through the VPN Wizard. A remote client policy can
support up to 25 clients.
To create a VPN tunnel gateway policy using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Select Gateway as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client/PC to establish a secure connection to this device.
3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the VPN settings.
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway, or the remote VPN Client. The key must be at least 8 characters long and must not exceed 49 characters. This method does not require using a CA (Certificate Authority).
5. Enter the Remote WAN IP Address or Internet Name of the gateway you want to connect to. Both the remote WAN address and your local WAN address are required. When choosing these addresses, follow the guidelines in Table 5-1 above. The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as set up in a Dynamic DNS service. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible.
6. Enter your Local WAN IP Address or Internet Name.
The Local WAN IP address is the address used in the IKE negotiation phase. The WAN IP address assigned by your ISP may be displayed automatically. You can modify the address to use your FQDN; this is required if the WAN Mode you selected is auto-rollover.
7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect. The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
8. Click Apply to save your settings. The VPN Policies table will display showing your VPN policy. You can click the IKE Policies tab to view the corresponding IKE Policy.
Creating a VPN Tunnel Connection to a VPN Client
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote
VPN Client policies can also be set up through the VPN Wizard by changing the default End Point
Information settings. A remote client policy can support up to 25 clients. The remote clients must
configure the “Local Identity” field in their policy as “PolicyName<X>.fvs_remote.com”, where X stands for a number from 1 to 25.
As an example, if the client-type policy on the router is configured with “home” as the policy
name, and if two users are required to connect using this policy, then the “Local Identity” in their
policy should be configured as “home1.fvs_remote.com” and “home2.fvs_remote.com”,
respectively.
To create a VPN Client Policy using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Select VPN Client as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client/PC to establish a secure connection to this device.
3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the VPN settings.
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway, or the remote VPN Client. The key must be at least 8 characters long and must not exceed 49 characters. This method does not require using a CA (Certificate Authority).
5. The Remote Identifier Information and the Local Identifier Information will display with the default IKE Client Policy values: fvs_remote.com for the remote end point and fvs_local.com for the local end point.
6. Click Apply. The VPN Client screen will display showing that the VPN Client has been enabled. Click the IKE Policies tab to view the corresponding IKE Client Policy.
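The wizard rules above (key length, Table 5-1 addressing, matching endpoint types, non-overlapping LAN ranges, and the PolicyName<X>.fvs_remote.com client identity) can be checked before touching the web UI. This is an added example, not code from the manual or from NETGEAR; the function names and the "rollover"/"dedicated" and "fixed"/"dynamic" labels are this example's own.

```python
import ipaddress

# Added example: a pre-check for the values the VPN Wizard asks for, encoding
# the rules stated in Table 5-1 and in the gateway and client wizard steps.
# Function names and the mode/address-type labels are this example's own;
# the firewall exposes these settings only through its web UI.

def fqdn_required(wan_mode, wan_ip_type):
    """Table 5-1: an FQDN is mandatory in rollover mode and for a dynamic WAN
    address; only a fixed address in dedicated mode may use a plain IP."""
    return wan_mode == "rollover" or wan_ip_type == "dynamic"

def is_ip(endpoint):
    try:
        ipaddress.ip_address(endpoint)
        return True
    except ValueError:
        return False

def check_gateway_policy(psk, local_wan, remote_wan, local_lan, remote_lan,
                         wan_mode="dedicated", wan_ip_type="fixed"):
    """Return the list of wizard rules the inputs break; an empty list means OK."""
    problems = []
    if not 8 <= len(psk) <= 49:
        problems.append("pre-shared key must be 8 to 49 characters")
    if is_ip(local_wan) != is_ip(remote_wan):
        problems.append("both WAN endpoints must be IP addresses or both FQDNs")
    if fqdn_required(wan_mode, wan_ip_type) and is_ip(local_wan):
        problems.append("local WAN endpoint must be an FQDN in this WAN mode")
    local_net = ipaddress.ip_network(local_lan, strict=False)
    remote_net = ipaddress.ip_network(remote_lan, strict=False)
    if local_net.overlaps(remote_net):
        problems.append("remote LAN range must differ from the local LAN range")
    return problems

def check_client_identity(policy_name, local_identity):
    """A remote client's Local Identity must be PolicyName<X>.fvs_remote.com
    with X a number from 1 to 25 (e.g. home1.fvs_remote.com for policy 'home')."""
    suffix = ".fvs_remote.com"
    if not (local_identity.startswith(policy_name) and local_identity.endswith(suffix)):
        return False
    number = local_identity[len(policy_name):-len(suffix)]
    return number.isdigit() and str(int(number)) == number and 1 <= int(number) <= 25

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, not a real site).
    print(check_gateway_policy("s3cretPassw0rd", "203.0.113.1", "198.51.100.7",
                               "192.168.1.0/24", "192.168.2.0/24"))   # []
    print(check_client_identity("home", "home2.fvs_remote.com"))   # True
```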
IKE Policies
The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to remember that:
• “Auto” generated VPN policies must use the IKE negotiation protocol.
• “Manual” generated VPN policies cannot use the IKE negotiation protocol.
IKE Policy Operation
IKE Policies are activated when:
1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN Policy are accessed, which specify which IKE Policy to use.
2. If the VPN Policy is a “Manual” policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
   • If negotiations fail, the next matching IKE Policy is used.
   • If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a VPN tunnel cannot be established.
3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy:
   • Keys and other parameters are exchanged.
   • An IPsec SA (Security Association) is established, using the parameters in the VPN Policy.
   • The VPN tunnel is then available for data transfer.
IKE Policy Table
When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the Policy Table and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the Policy Table screen. Each policy contains the following data:
• Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server. If the Policy is a Client Policy, it will be prepended by an “*”.
• Mode. Two modes are available: either “Main” or “Aggressive”. Main Mode is slower but more secure. Aggressive mode is faster but less secure. (If specifying either a FQDN or a User FQDN name as the Local ID/Remote ID, aggressive mode is automatically selected.)
• Local ID. The IKE/ISAKMP identity of this device. (The remote VPN must have this value as its “Remote ID”.)
• Remote ID. The IKE/ISAKMP identity of the remote VPN Gateway. (The remote VPN must have this value as its “Local ID”.)
• Encr. Encryption Algorithm used for the IKE SA. The default setting using the VPN Wizard is 3DES. (This setting must match the Remote VPN.)
• Auth. Authentication Algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.)
• DH. Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the Remote VPN.)
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix B, “Related Documents”.
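The mirroring and matching rules in the IKE Policy Table fields are a common source of tunnels that never come up, so here they are as a check between this device's policy and the peer gateway's. This is an added example, not the firewall's code or configuration format; the dict layout, field names and the "ip"/"fqdn"/"user_fqdn" ID-type labels are this example's assumptions.

```python
# Added example: consistency check between this device's IKE policy and the
# peer gateway's, following the field rules in the IKE Policy Table section.
# The dict layout and field names are this example's own, not the firewall's.

# Defaults the VPN Wizard writes into a new IKE policy, per the manual.
WIZARD_DEFAULTS = {"encr": "3DES", "auth": "SHA1", "dh": 2}
FQDN_ID_TYPES = {"fqdn", "user_fqdn"}

def ike_mode(local_id_type, remote_id_type):
    """Aggressive mode is selected automatically when either ID is an FQDN or
    User FQDN; otherwise the slower but more secure Main mode is used."""
    if local_id_type in FQDN_ID_TYPES or remote_id_type in FQDN_ID_TYPES:
        return "Aggressive"
    return "Main"

def wizard_policy(name, local_id, remote_id, id_type="ip"):
    """Build the IKE policy the wizard would create with its default algorithms."""
    return {"name": name, "local_id": local_id, "remote_id": remote_id,
            "mode": ike_mode(id_type, id_type), **WIZARD_DEFAULTS}

def check_ike_pair(ours, peer):
    """List every IKE Policy Table rule the two policies violate: IDs must be
    mirrored (our Local ID is the peer's Remote ID and vice versa) and mode,
    Encr, Auth and DH must be identical on both sides."""
    problems = []
    if ours["local_id"] != peer["remote_id"]:
        problems.append("our Local ID must be the peer's Remote ID")
    if ours["remote_id"] != peer["local_id"]:
        problems.append("our Remote ID must be the peer's Local ID")
    for field in ("mode", "encr", "auth", "dh"):
        if ours[field] != peer[field]:
            problems.append(f"{field} mismatch: {ours[field]} vs {peer[field]}")
    return problems

if __name__ == "__main__":
    # Constructed sample: two gateways set up by the wizard with mirrored IDs.
    a = wizard_policy("office", "203.0.113.1", "198.51.100.7")
    b = wizard_policy("office", "198.51.100.7", "203.0.113.1")
    print(check_ike_pair(a, b))   # []
```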
VPN Policies
You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy,
only the Auto method is available.
