FVS338 ProSafe VPN Firewall 50 Reference Manual
5-26
Virtual Private Networking
v1.0, September 2006
ModeConfig Operation
After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP
configuration parameters such as IP address, subnet mask and name server addresses. The
ModeConfig module will allocate an IP address from the configured IP address pool and will
activate a temporary IPSec policy using the template security proposal information configured in
the ModeConfig record.
Setting Up ModeConfig
Two menus must be configured: the ModeConfig menu and the IKE Policies menu.
To configure the ModeConfig menu:
1. Select VPN from the main menu and Mode Config from the submenu. The Mode Config screen will display.
2. Click Add. The Add Mode Config Record screen will display.
3. Enter a descriptive Record Name such as “Remote Users”.
4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
5. If you have a WINS Server on your local network, enter its IP address.
6. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
7. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client.
8. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your router’s LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will default to the LAN subnet of the device.)

Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited.

Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
   SA Lifetime: 3600 seconds
   Authentication Algorithm: SHA-1
   Encryption Algorithm: 3DES
10. Click Apply. The new record should appear in the VPN Remote Host Mode Config Table (a sample record is shown below).

To configure an IKE Policy:
1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table.
Figure 5-19
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.)
   Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN.
4. In the General section:
   a. Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
   b. Set Direction/Type to Responder.
   c. By default, the Exchange Mode is set to Aggressive.
5. For Local information:
   a. Select Fully Qualified Domain Name for the Local Identity Type.
   b. Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies. This identifier will be used as part of the local identifier in the VPN client configuration.
6. Specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are:
   Encryption Algorithm: 3DES
   Authentication Algorithm: SHA-1
   Diffie-Hellman: Group 2
   SA Lifetime: 3600 seconds
7. Enter a Pre-Shared Key that will also be configured in the VPN client.
8. XAUTH is disabled by default. To enable XAUTH, select:
   - the Edge Device radio button to use this router as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.)
   - the IPsec Host radio button if you want this gateway to be authenticated by the remote gateway. Enter a Username and Password to be associated with the IKE policy. When this option is chosen, you will need to specify the user name and password to be used in authenticating this gateway (by the remote gateway).
9. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “User Database Configuration” on page 5-22 or “RADIUS Client Configuration” on page 5-23).
10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below).

Note: If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server.
Figure 5-20
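Two requirements above are easy to get wrong by hand: the IP Pool must not fall inside the local LAN subnet (the Note under the Mode Config steps), and the PFS group, IKE SA and VPN policy settings must match exactly on the gateway and the remote client. The following script is an added example, not part of the NETGEAR manual or its software; it parses the address/netmask form the manual uses for the Local IP Subnet, checks each pool range against it, and lists every parameter that differs between two proposal sets. All sample values (record name, pool, subnet, algorithms, and the client-side settings, one of which is deliberately wrong) are constructed, and the dictionary field names are this example's own.

```python
import ipaddress
from typing import Dict, List

# Constructed gateway-side Mode Config record, following the steps above
# (descriptive record name, a 172.20.x.x pool, the router's LAN subnet, PFS group, VPN policy settings).
GATEWAY_MODE_CONFIG = {
    "record_name": "Remote Users",
    "ip_pools": ["172.20.1.10-172.20.1.50"],
    "local_subnet": "192.168.2.1/255.255.255.0",   # address/netmask form as shown in the manual
    "pfs_dh_group": 2,                             # None would mean PFS disabled
    "sa_lifetime": 3600,
    "auth_alg": "SHA-1",
    "enc_alg": "3DES",
}

# Constructed IKE SA parameters as entered on the gateway (IKE Policy step 6).
GATEWAY_IKE = {"enc_alg": "3DES", "auth_alg": "SHA-1", "dh_group": 2, "sa_lifetime": 3600}

# Constructed client-side settings; the IKE DH group is deliberately wrong to produce a finding.
CLIENT_IKE = {"enc_alg": "3DES", "auth_alg": "SHA-1", "dh_group": 1, "sa_lifetime": 3600}
CLIENT_PHASE2 = {"pfs_dh_group": 2, "sa_lifetime": 3600, "auth_alg": "SHA-1", "enc_alg": "3DES"}


def lan_network(manual_form: str) -> ipaddress.IPv4Network:
    """Parse 'address/netmask' (e.g. 192.168.2.1/255.255.255.0) into its network (192.168.2.0/24)."""
    return ipaddress.ip_network(manual_form, strict=False)


def pool_overlaps(pool: str, lan: ipaddress.IPv4Network) -> bool:
    """True if any address of a 'first-last' pool range lies inside the LAN subnet."""
    first_s, last_s = pool.split("-")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    if first > last:
        raise ValueError(f"pool {pool!r}: first address is above last address")
    # A contiguous range overlaps the subnet unless it lies entirely below or entirely above it.
    return not (last < lan.network_address or first > lan.broadcast_address)


def check_mode_config(record: Dict) -> List[str]:
    """Return findings for a Mode Config record; an empty list means the checks pass."""
    findings: List[str] = []
    lan = lan_network(record["local_subnet"])
    for pool in record["ip_pools"]:
        if pool_overlaps(pool, lan):
            findings.append(f"IP pool {pool} overlaps the local subnet {lan}")
        if not ipaddress.ip_address(pool.split("-")[0].strip()).is_private:
            findings.append(f"IP pool {pool} is not a private address range")
    if record["pfs_dh_group"] not in (None, 1, 2):
        findings.append(f"PFS DH group {record['pfs_dh_group']} is not offered by this router (1 or 2)")
    return findings


def proposal_mismatches(gateway: Dict, client: Dict) -> List[str]:
    """List every parameter whose gateway value differs from the client value."""
    return [
        f"{key}: gateway={gateway[key]} client={client.get(key)}"
        for key in gateway
        if gateway[key] != client.get(key)
    ]


if __name__ == "__main__":
    for finding in check_mode_config(GATEWAY_MODE_CONFIG):
        print("mode-config:", finding)
    for m in proposal_mismatches(GATEWAY_IKE, CLIENT_IKE):
        print("IKE SA mismatch:", m)
    phase2 = {k: GATEWAY_MODE_CONFIG[k] for k in ("pfs_dh_group", "sa_lifetime", "auth_alg", "enc_alg")}
    for m in proposal_mismatches(phase2, CLIENT_PHASE2):
        print("VPN policy mismatch:", m)
```

Run as-is, the pool passes both checks and the only output is the IKE DH group mismatch, which is exactly the kind of discrepancy that makes Phase 1 fail silently on the client. The overlap test treats the pool as a contiguous range, so a pool that straddles the subnet boundary is also caught, not only one fully inside it.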
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN
client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
   a. Give the connection a descriptive name such as “modecfg_test” (this name will only be used internally).
   b. From the ID Type pull-down menu, select IP Subnet.
   c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway).
   d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
   e. From the ID Type pull-down menu, select Domain name and enter the FQDN of the VPN firewall; in this example it is “local_id.com”.
   f. Select Gateway IP Address from the second pull-down menu and enter the WAN IP address of the VPN firewall; in this example it is “172.21.4.1”.
2. From the left side of the menu, click My Identity and enter the following information:
   a. Click Pre-Shared Key and enter the key you configured in the FVS338 IKE menu.
Figure 5-21