ProSafe VPN Firewall 200 FVX538 Reference Manual
Virtual Private Networking
5-17
v1.0, March 2009
DH. Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the size of the modulus (the number of bits). The VPN Wizard default setting is Group 2, a 1024-bit MODP group that is considered weak by current standards; choose a larger group if both endpoints support one. (This setting must match the Remote VPN.)
Enable Dead Peer Detection. Dead Peer Detection (DPD) is used to detect whether the peer is still alive. If the peer is detected as dead, the IPSec and IKE Security Associations are deleted.
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix D, “Related Documents” for a link to the NETGEAR website.
VPN Policy
You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy,
only the Auto method is available.
Manual. All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN Endpoints). No third party server or organization is involved.
Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN Endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a CA (Certificate Authority) can also be used to perform authentication (see “Certificate Authorities” on page 5-19). To use a CA, each VPN Gateway must have a Certificate from the CA. For each Certificate, there is both a “Public Key” and a “Private Key”. The “Public Key” is freely distributed (it is embedded in the Certificate) and is used to encrypt data; the receiver then uses their “Private Key”, which must never leave the gateway, to decrypt the data (without the Private Key, decryption is impossible). During IKE authentication each endpoint proves its identity by signing with its Private Key, and the peer verifies that signature with the Public Key from the Certificate. CAs can be beneficial since using them reduces the amount of data entry required on each VPN Endpoint.
Managing VPN Policies
The VPN Policies screen allows you to add additional policies—either Auto or Manual—and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy will be used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN Endpoint, then the policy order is not important.)
3. The VPN tunnel is created according to the parameters in the SA (Security Association).
4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection.
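The first-match rule above matters as soon as two policies overlap. The following Python example, added here and not part of the NETGEAR manual or firmware, models the Local/Remote selectors in the three forms the policy table accepts (single address, range, subnet), picks the first enabled matching policy the way rule 2 describes, and lists the pairs of policies whose table order actually changes which tunnel carries the traffic. The policy table it uses is constructed for the example.

```python
"""First-match VPN policy selection and an order-sensitivity audit.
Added example; the policy table below is constructed, not from the manual."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Selector = List[ipaddress.IPv4Network]


def selector(spec: str) -> Selector:
    """Parse the three Local/Remote forms the policy table accepts:
    a single address ("192.168.1.50"), a range ("172.16.10.1-172.16.10.20")
    or a subnet ("10.10.0.0/16"). A range becomes its list of covering subnets."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def covers(sel: Selector, addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in sel)


@dataclass
class VpnPolicy:
    name: str
    enabled: bool
    local: Selector
    remote: Selector

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        # Traffic is covered in either direction: LAN -> remote, or the reply.
        return (covers(self.local, src) and covers(self.remote, dst)) or \
               (covers(self.remote, src) and covers(self.local, dst))


def select_policy(policies: List[VpnPolicy], src: str, dst: str) -> Optional[VpnPolicy]:
    """Rule 2: the first enabled policy that covers the traffic wins,
    so table order decides whenever selectors overlap."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in policies:
        if policy.enabled and policy.matches(s, d):
            return policy
    return None


def _overlaps(a: Selector, b: Selector) -> bool:
    return any(x.overlaps(y) for x in a for y in b)


def overlapping_pairs(policies: List[VpnPolicy]) -> List[Tuple[str, str]]:
    """Audit helper: pairs of policies whose Local and Remote selectors both
    overlap. Only for these pairs does the position in the table matter."""
    pairs = []
    for i, p in enumerate(policies):
        for q in policies[i + 1:]:
            if _overlaps(p.local, q.local) and _overlaps(p.remote, q.remote):
                pairs.append((p.name, q.name))
    return pairs


# Constructed sample table. The second policy is a more specific tunnel to a
# single host that also lies inside the first policy's remote subnet.
POLICIES = [
    VpnPolicy("Branch-A", True, selector("192.168.1.0/24"), selector("10.10.0.0/16")),
    VpnPolicy("Branch-A-Server", True, selector("192.168.1.0/24"), selector("10.10.5.7")),
    VpnPolicy("Partner", False, selector("192.168.1.50"), selector("172.16.10.1-172.16.10.20")),
]

if __name__ == "__main__":
    hit = select_policy(POLICIES, "192.168.1.10", "10.10.5.7")
    print("192.168.1.10 -> 10.10.5.7 uses:", hit.name if hit else None)
    hit = select_policy(list(reversed(POLICIES)), "192.168.1.10", "10.10.5.7")
    print("same traffic with the table reversed:", hit.name if hit else None)
    print("order-sensitive pairs:", overlapping_pairs(POLICIES))
```

With the table as listed, traffic to 10.10.5.7 takes the broad Branch-A tunnel even though a host-specific policy exists further down; moving Branch-A-Server above Branch-A is what makes the specific tunnel win. Disabled policies never match, which is why the Partner traffic falls through with no tunnel at all.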
VPN Policy Table
Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields:
! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard).
Type. The Type is “Auto” or “Manual” as described previously (Auto is used during VPN Wizard configuration).
Keep alive. Periodically sends ping packets to a host on the peer side of the tunnel to keep the tunnel up. Its sub-fields are:
Enable Keep alive: check to enable.
Ping IP Address: the IP address to which the ping packets are sent.
Detection period: the interval, specified by the user, at which the router sends the ping packets.
Reconnect after failure count: a fresh negotiation starts when no reply is received for this number of consecutive ping packets.
Local. IP address (either a single address, a range of addresses or a subnet) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The LAN subnet address is supplied as the default when using the VPN Wizard.)
Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. (The VPN Wizard requires the remote LAN IP address and subnet mask.)
AH. Authentication Header. This specifies the authentication protocol for the VPN header (VPN Wizard default is disabled). AH also authenticates the outer IP header, so it does not pass through NAT; ESP with an authentication algorithm already protects the integrity of the payload, which is why AH is normally left disabled.
ESP. Encapsulating Security Payload. This specifies the encryption protocol used for the VPN data (VPN Wizard default is enabled).
Action. Allows you to access individual policies to make any changes or modifications.
Certificate Authorities
Digital Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). The FVX538 uses Digital Certificates (also known as X.509 Certificates) during the Internet Key Exchange (IKE) authentication phase as an alternative authentication method, to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. The same Digital Certificates are also used for secure web access via SSL VPN connections over HTTPS.
Digital Certificates can be either self signed or issued by a Certification Authority (CA), such as an in-house Windows server or an external organization such as Verisign or Thawte.
However, if a Digital Certificate contains the extKeyUsage extension, the certificate may only be used for the purposes listed in that extension. For example, if the extKeyUsage of a Digital Certificate names only SNMPv2, that certificate cannot be used for secure web management. The extKeyUsage therefore governs whether the FVX538 accepts a certificate for secure web management.
When a digital certificate is uploaded to the FVX538, it is checked for validity and its purpose is verified against the intended use, which must be SSL (HTTPS) and/or VPN. The certificate is accepted only if it passes the validity test and its purpose matches that use. If the purpose covers both VPN and HTTPS, the certificate is stored in both the HTTPS certificate repository and the VPN certificate repository. If the purpose covers only VPN, it is stored only in the VPN certificate repository. Thus, the certificates used by HTTPS and IPSec will differ unless a single certificate's purpose covers both VPN and HTTPS.
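The following Python example, added here and not NETGEAR code, reproduces the purpose check described above: it decodes an X.509 extKeyUsage extension (with a small hand-written DER codec, so it runs without third-party packages) and reports whether the certificate qualifies for the VPN repository, the HTTPS repository, or both. The extKeyUsage OIDs are the standard ones from RFC 5280 and RFC 4945; which of them the FVX538 actually maps to VPN and HTTPS, and the treatment of a certificate with no extKeyUsage as unrestricted, are assumptions of the example. The sample extensions are constructed inline.

```python
"""Decide from an extKeyUsage (EKU) extension which repositories a certificate
may be loaded into: VPN (IKE), HTTPS (web management), or both.
Added example, not NETGEAR code. The OID-to-repository mapping is assumed."""
from typing import List, Optional, Set

# Standard EKU object identifiers (RFC 5280, RFC 4945).
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: HTTPS web management
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
OID_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"    # id-kp-ipsecIKE
OID_ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

# Assumed mapping from EKU purposes to the router's two repositories.
HTTPS_OIDS = {OID_SERVER_AUTH, OID_ANY_EKU}
VPN_OIDS = {OID_IPSEC_IKE, OID_CLIENT_AUTH, OID_ANY_EKU}


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at data[pos]."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + encode_length(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    # The first-octet split is exact for arcs 0.x, 1.x and 2.x with x < 40,
    # which covers every OID used here.
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_eku(oids: List[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (the extension's inner value)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + encode_length(len(body)) + body


def decode_eku(der: bytes) -> List[str]:
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def repositories_for(eku_der: Optional[bytes]) -> Set[str]:
    """Repositories the certificate qualifies for. A certificate without
    extKeyUsage is treated as unrestricted (an assumption), so it gets both."""
    if eku_der is None:
        return {"VPN", "HTTPS"}
    purposes = set(decode_eku(eku_der))
    repos = set()
    if purposes & VPN_OIDS:
        repos.add("VPN")
    if purposes & HTTPS_OIDS:
        repos.add("HTTPS")
    return repos


if __name__ == "__main__":
    # Constructed extensions standing in for uploaded certificates.
    for label, eku in [("VPN+HTTPS", encode_eku([OID_SERVER_AUTH, OID_IPSEC_IKE])),
                       ("VPN only", encode_eku([OID_IPSEC_IKE])),
                       ("no EKU", None)]:
        print(f"{label:10s} -> {sorted(repositories_for(eku))}")
```

A certificate whose extKeyUsage lists only an unrelated purpose (the manual's SNMPv2 example, or code signing) ends up with an empty set and would be rejected for both uses, which is the behaviour the paragraph above describes.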
Each CA also issues a CA Identity certificate, shown in the Trusted Certificates (CA Certificates) table. This Certificate is required in order to validate the certificates issued by that CA. Obtaining a certificate is a three-step process. First, you generate a Self Certificate request on the router; then, when the CA grants the request, you upload the issued Self Certificate (shown in the Active Self Certificates table); and finally you upload the CA Identity certificate (shown in the Trusted Certificates table).
The Trusted Certificates table lists the certificates generated and signed by a publicly known organization or authority called the Certificate Authority. The table lists the certificate of each CA and contains the following data:
CA Identity (Subject Name). The organization or person to whom the certificate is issued.
Issuer Name. The name of the CA that issued the certificate.
Expiry Time. The date after which the certificate becomes invalid.
The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities) and available for use. For each Certificate, the following data is listed:
Name. The name you used to identify this Certificate.
Subject Name. This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
Serial Number. A serial number maintained by the CA, used to identify the certificate within the CA.
Issuer Name. The name of the CA which issued the Certificate.
Expiry Time. The date on which the Certificate expires. You should renew the Certificate before it expires.
Generating a Self Certificate Request
To use a Certificate, you must first request the certificate from the CA, then download and activate the certificate on your system.
To request a Certificate from the CA:
1. From the main menu under VPN, select the Certificates submenu. The Certificates screen will display.
2. In the Generate Self Certificate Request section, enter the required data:
Name – Enter a name that will identify this Certificate.
Subject – This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Name field would be useful.)
From the pull-down menus, select the following values:
Hash Algorithm: MD5 or SHA2. Choose SHA2; MD5 is no longer collision resistant, and public CAs will not sign an MD5 request.
Signature Algorithm: RSA.
Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance. 512-bit RSA is breakable and 1024-bit RSA is considered weak by current standards; use 2048.)
3. Complete the Optional fields, if desired, with the following information:
IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
Domain Name – If you have a Domain name, you can enter it here. Otherwise, you should leave this field blank.
E-mail Address – Enter your e-mail address in this field.
4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.
5. Click View under the Action column to view the request.
Figure 5-20
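The following Python example, added here and not NETGEAR code, produces the same kind of request the form above describes, using the `cryptography` package (pip install cryptography) with the strong choices (SHA2 as SHA-256, 2048-bit RSA) and the optional IP address, domain name and e-mail address. How the router encodes those optional fields is not stated in the manual; the example assumes they become Subject Alternative Names, and the Name field is treated as the router's local label that does not enter the request. The subject and addresses are constructed sample values.

```python
"""Build a certificate request like the FVX538 form does, with sound options.
Added example, not NETGEAR code. Assumes: Subject -> CN; IP Address, Domain
Name and E-mail Address -> Subject Alternative Names."""
import ipaddress
from typing import Dict, List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# The form offers MD5 or SHA2 and 512/1024/2048-bit keys; flag the weak ones.
WEAK_HASHES = {"MD5"}
WEAK_KEY_LENGTHS = {512, 1024}


def check_request_options(hash_name: str, key_length: int) -> List[str]:
    """Warnings for the weak choices the form still allows."""
    warnings = []
    if hash_name.upper() in WEAK_HASHES:
        warnings.append("MD5 signatures are forgeable via collisions; choose SHA2")
    if key_length in WEAK_KEY_LENGTHS:
        warnings.append(f"{key_length}-bit RSA is below the 2048-bit minimum")
    return warnings


def build_csr(subject: str, key_length: int = 2048, ip: Optional[str] = None,
              domain: Optional[str] = None, email: Optional[str] = None):
    """Generate an RSA key and a SHA-256-signed CSR for `subject`.
    Returns (private_key, csr); the key must stay on the router."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_length)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
    sans = []
    if ip:
        sans.append(x509.IPAddress(ipaddress.ip_address(ip)))
    if domain:
        sans.append(x509.DNSName(domain))
    if email:
        sans.append(x509.RFC822Name(email))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return key, csr


def summarize_csr(csr: x509.CertificateSigningRequest) -> Dict[str, object]:
    """What the CA (and a reviewer) will see in the request."""
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = [str(n.value) for n in san]
    except x509.ExtensionNotFound:
        names = []
    return {
        "subject_cn": cn,
        "hash": csr.signature_hash_algorithm.name,
        "key_bits": csr.public_key().key_size,
        "san": names,
        "signature_valid": csr.is_signature_valid,
    }


if __name__ == "__main__":
    print("form warnings for MD5/512:", check_request_options("MD5", 512))
    key, csr = build_csr("Example Corp", ip="203.0.113.10",
                         domain="vpn.example.com", email="admin@example.com")
    print(summarize_csr(csr))
    # PEM to submit to the CA; the private key never leaves the device.
    print(csr.public_bytes(serialization.Encoding.PEM).decode())
```

The PEM printed at the end is what you would hand to the CA; the certificate it returns is then uploaded as the Self Certificate, and the CA's own certificate as the CA Identity certificate, as described under Certificate Authorities.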
