FVS338 ProSafe VPN Firewall 50 Reference Manual
Virtual Private Networking
5-31
v1.0, September 2006
b. From the Select Certificate pull-down menu, select None.
c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example, "salesperson11.remote_id.com".
d. From the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
e. Select your Internet interface adapter from the Name pull-down menu.
3. On the left side of the menu, select Security Policy.
a. Under Security Policy, Phase 1 Negotiation Mode, select the Aggressive Mode radio button. (When the peers authenticate with a pre-shared key, aggressive mode transmits the authentication hash before encryption is established, so the key is exposed to offline dictionary attacks; use a long, random pre-shared key.)
b. Check Enable Perfect Forward Secrecy (PFS), and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4. Click Authentication (Phase 1) on the left side of the menu and select Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu.
Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for "Allow to Specify Internal Network Address."
Figure 5-22
5. Click Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
Figure 5-23
Figure 5-24
To test the connection:
1. Right-click the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case, "My Connections\modecfg_test".
2. Click the connection. Within 30 seconds the message "Successfully connected to My Connections\modecfg_test" will display, and the VPN client icon in the toolbar will read "On".
3. From the client PC, ping a computer on the VPN firewall LAN.
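If the connection in step 2 never reports "Successfully connected", the usual cause is a Phase 1 or Phase 2 proposal that differs between the client and the firewall's ModeConfig record. As an added example (not from the manual, the ProSafe client or the firewall firmware), the following Python script encodes the matching rule of steps 4 and 5 above: every Phase 1 and Phase 2 attribute must be identical on both sides, except the SA lifetime, which the client may set longer. The attribute names and the sample cipher values are this example's own assumptions; the page itself only fixes aggressive mode, PFS with Diffie-Hellman group 2 and replay detection.

```python
"""
Compare the VPN client's Phase 1 / Phase 2 proposals with the firewall's
ModeConfig record and report every attribute that would make negotiation
fail.  Added example, not part of the NETGEAR manual: attribute names and
sample values are assumptions chosen to mirror the steps on this page.
"""

# Attributes that must be identical on both peers for a proposal to match.
# The SA lifetime is deliberately excluded: the page notes the client's
# lifetime may be longer, and in IKEv1 the responder can shorten it with a
# RESPONDER-LIFETIME notification (RFC 2407 section 4.5.4), so the shorter
# value wins without breaking the tunnel.
PHASE1_STRICT = ("mode", "auth_method", "encryption", "hash", "dh_group")
PHASE2_STRICT = ("encryption", "hash", "pfs", "pfs_group", "replay_detection")


def compare_phase(client, firewall, strict_keys):
    """Return a list of human-readable mismatches for one IKE phase."""
    problems = []
    for key in strict_keys:
        c, f = client.get(key), firewall.get(key)
        if c != f:
            problems.append(f"{key}: client={c!r} firewall={f!r}")
    # A client lifetime shorter than the firewall's still negotiates, but the
    # tunnel then rekeys sooner than the firewall record suggests, so flag it.
    c_life, f_life = client.get("sa_lifetime_s"), firewall.get("sa_lifetime_s")
    if c_life is not None and f_life is not None and c_life < f_life:
        problems.append(
            f"sa_lifetime_s: client {c_life} shorter than firewall {f_life} "
            f"(tunnel rekeys every {c_life}s)"
        )
    return problems


def check_tunnel(client_policy, firewall_record):
    """Return {'phase1': [...], 'phase2': [...]}; empty lists mean the proposals agree."""
    return {
        "phase1": compare_phase(client_policy["phase1"], firewall_record["phase1"], PHASE1_STRICT),
        "phase2": compare_phase(client_policy["phase2"], firewall_record["phase2"], PHASE2_STRICT),
    }


# Constructed sample: a firewall ModeConfig record mirroring this page
# (aggressive mode, PFS with DH group 2, replay detection on; cipher choices
# are assumed), and a client policy whose Phase 2 lifetime is the 8 hours the
# page allows but whose Phase 2 hash was left at a different value.
FIREWALL_RECORD = {
    "phase1": {"mode": "aggressive", "auth_method": "psk", "encryption": "3des",
               "hash": "sha1", "dh_group": 2, "sa_lifetime_s": 28800},
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs": True, "pfs_group": 2,
               "replay_detection": True, "sa_lifetime_s": 3600},
}
CLIENT_POLICY = {
    "phase1": {"mode": "aggressive", "auth_method": "psk", "encryption": "3des",
               "hash": "sha1", "dh_group": 2, "sa_lifetime_s": 28800},
    "phase2": {"encryption": "3des", "hash": "md5", "pfs": True, "pfs_group": 2,
               "replay_detection": True, "sa_lifetime_s": 28800},
}

if __name__ == "__main__":
    for phase, issues in check_tunnel(CLIENT_POLICY, FIREWALL_RECORD).items():
        print(phase, "OK" if not issues else "; ".join(issues))
```

Run as written, the script reports Phase 1 as matching and Phase 2 as failing on the hash; correcting the client's Phase 2 hash clears the report even though its lifetime is eight times the firewall's.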
Certificates
Digital certificates (also known as X.509 certificates) are used to authenticate the identity of users and systems, and are issued by Certification Authorities (CAs). This router can use digital certificates during the IKE (Internet Key Exchange) authentication phase as an alternative to pre-shared key authentication. Two kinds of certificate are managed on the Certificates screen: Trusted Certificates (the CA certificates used to verify a peer's certificate) and Self Certificates (certificates issued to this router by a CA).
Trusted Certificates (CA Certificates)
Trusted Certificates are the certificates of the CAs themselves. The router uses them to verify that a certificate presented by a peer was issued to that organization and signed by a CA you trust. When a certificate is generated, it is signed by a publicly known authority called the Certificate Authority.
The Trusted Certificates table lists the CA certificates loaded on the router. For each certificate, the following data is listed:
CA Identity (Subject Name). The organization or name to whom the certificate has been issued.
Issuer Name. The name of the CA that issued the certificate.
Expiry Time. The date when the certificate becomes invalid.
New certificates can be uploaded to the router when they are received.
To upload a Trusted Certificate:
1. Select VPN from the main menu and Certificates from the submenu. The Certificates screen will display.
2. Click Browse to locate the trusted certificate on your computer, and then click Upload. The certificate will be stored on the router and will display in the Trusted Certificates table.
Self Certificates
Active Self Certificates are certificates issued to this router by a CA and available for presentation to peer IKE servers. Each active self certificate is listed in the Active Self Certificates table. The data consists of:
Name. A unique name given by you to identify the certificate.
Subject Name. The name which other organizations will see as the Holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.
Serial Number. The serial number assigned by the CA. It is used to identify the certificate within the CA.
Issuer Name. The name of the CA which issued the certificate.
Expiry Time. The date on which the certificate expires. You should renew the certificate before it expires.
To use a certificate, you must first generate a Certificate Signing Request (CSR) on the router that will use the certificate and submit it to the CA, which then issues a certificate for this device. Generating the request on the router keeps the private key on the router; only the request, which contains the public key and the Subject name, leaves the device.
To request a Certificate from the CA:
1. From the main menu under VPN, select the Certificates submenu. The Certificates screen will display.
2. In the Generate Self Certificate Request section, enter the required data:
Figure 5-25
Name – Enter a name that will identify this certificate.
Subject – This is the name which other organizations will see as the Holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name.
This information must be submitted in the following format: C=<country>, ST=<state>, L=<city>, O=<organization>, OU=<department>, CN=<device name>. For example: C=USA, ST=CA, L=Santa Clara, O=NETGEAR, OU=XX, CN=FVS338. (The X.500 countryName attribute is a two-letter ISO 3166 code, so most CAs expect C=US rather than C=USA.)
From the pull-down menus, select the following values:
Hash Algorithm: MD5 or SHA2.
Signature Algorithm: RSA.
Signature Key Length: 512, 1024, 2048. (Larger key sizes improve security but may also impact performance. MD5 is no longer considered secure for certificate signatures and 512-bit RSA keys can be factored with modest resources; choose SHA2 with a 2048-bit key whenever the CA accepts it.)
3. Complete the Optional fields, if desired, with the following information:
IP Address – If you have a fixed IP address, you may enter it here. Otherwise, leave this field blank.
Domain Name – If you have a domain name, you can enter it here. Otherwise, leave this field blank.
E-mail Address – Enter your e-mail address in this field.
4. Click Generate. Your request will display in the Self Certificate Requests table.
5. View the request by clicking View in the Action column. The Self Certificate Request screen will display.
6. The Self Certificate Request screen displays the data required for submission to the CA. Copy the contents of the Data to supply to CA field into a file, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
7. Follow the instructions of the CA to complete the certificate request process.
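As an added example (not from the NETGEAR manual or the router's firmware), the following Python script performs two checks a practitioner would want before sending the request to the CA: it validates the Subject string against the format required in step 2, and it checks that the text copied from the Data to supply to CA field in step 6 is a complete PEM-framed request (five-dash BEGIN/END lines, valid base64, and a DER length that agrees with the bytes present, which catches a truncated copy-and-paste). The function names and the sample data are this example's own; the sample "request" is a minimal DER SEQUENCE constructed for the test, not a real PKCS#10 structure. Only the Python standard library is used.

```python
"""
Checks for the Generate Self Certificate Request procedure.  Added example,
not part of the NETGEAR manual or firmware: the Subject-string rules follow
the format the page specifies, and the CSR check verifies PEM framing and
DER length consistency of what was copied from "Data to supply to CA".
"""
import base64
import re

REQUIRED_DN_KEYS = ("C", "ST", "L", "O", "OU", "CN")


def parse_subject(subject):
    """Parse 'C=US, ST=CA, ..., CN=FVS338' into a dict; raise ValueError if malformed."""
    attrs = {}
    for part in subject.split(","):
        part = part.strip()
        if "=" not in part:
            raise ValueError(f"attribute without '=': {part!r}")
        key, _, value = part.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not value:
            raise ValueError(f"empty value for {key}")
        if key in attrs:
            raise ValueError(f"duplicate attribute {key}")
        attrs[key] = value
    return attrs


def check_subject(subject):
    """Return a list of problems with the Subject string (empty list = acceptable)."""
    try:
        attrs = parse_subject(subject)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {key}=" for key in REQUIRED_DN_KEYS if key not in attrs]
    # X.520 countryName is exactly two letters (ISO 3166-1 alpha-2); the
    # manual's own example "C=USA" is rejected by most CAs.
    country = attrs.get("C")
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append(f"C={country} is not a two-letter ISO 3166 country code")
    return problems


PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END CERTIFICATE REQUEST-----"
)


def der_outer_length(der):
    """Parse the outer DER header; return (header_len, announced_body_len)."""
    if len(der) < 2 or der[0] != 0x30:          # a CSR is always a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2, first
    n = first & 0x7F                             # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_csr_pem(text):
    """Return a list of problems with a pasted CSR (empty list = complete PEM, consistent DER)."""
    m = PEM_RE.search(text)
    if not m:
        return ["BEGIN/END CERTIFICATE REQUEST lines missing or malformed (each needs five dashes)"]
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return ["body is not valid base64"]
    try:
        header_len, announced = der_outer_length(der)
    except ValueError as exc:
        return [str(exc)]
    actual = len(der) - header_len
    if announced != actual:
        return [f"truncated paste: DER announces {announced} bytes but {actual} present"]
    return []


def build_pem(der):
    """Wrap DER bytes in the framing shown in the router's 'Data to supply to CA' field."""
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.b64encode(der).decode() + "\n"
            + "-----END CERTIFICATE REQUEST-----\n")


# Constructed sample: a minimal DER SEQUENCE (not a real PKCS#10 request),
# enough to exercise the framing and length checks.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_CSR = build_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(check_subject("C=USA, ST=CA, L=Santa Clara, O=NETGEAR, OU=XX, CN=FVS338"))
    print(check_csr_pem(SAMPLE_CSR))
    print(check_csr_pem(SAMPLE_CSR.replace("-----", "----")))
```

The DER length check is what distinguishes a complete paste from one cut off at a line boundary: a truncated body may still be valid base64 and start with the SEQUENCE tag, but the length announced in the header no longer matches the bytes that follow.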
