ProSafe VPN Firewall 200 FVX538 Reference Manual
Virtual Private Networking
5-27
v1.0, March 2009
To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings, or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.
RADIUS Client Configuration
RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization and Accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when that user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. At that point, the remote user must provide authentication information such as a username/password pair or an encrypted response derived from the username and password. The gateway first tries to verify this information against the local User Database (if RADIUS-PAP is enabled) and then relays it to a central authentication server such as a RADIUS server.
To configure the Primary RADIUS Server:

1. Select VPN from the main menu, VPN Client from the submenu and then select the RADIUS Client tab. The RADIUS Client screen will display.
2. Enable the Primary RADIUS server by checking the Yes radio box.
3. Enter the Primary RADIUS Server IP address.
4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. Choose a long, random phrase: RADIUS hides the user's password and authenticates the server's reply using only MD5 keyed with this secret, so a guessable phrase lets anyone who can capture the traffic recover user passwords offline.
5. Enter the Primary Server NAS Identifier (Network Access Server). This identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured identically on both client and server.
   The FVX538 acts as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the router's IP address may be sufficient as an identifier, or the server may require a name, which you would enter here. This name would also be configured on the RADIUS server, although in some cases it should be left blank on the RADIUS server.
6. Enable a Backup RADIUS Server (if required) by following steps 2 through 5.
7. Set the Time Out Period, in seconds, that the router should wait for a response from the RADIUS server.
8. Set the Maximum Retry Count. This is the number of tries the router will make to the RADIUS server before giving up.
Figure 5-24
9. Click Reset to cancel any changes and revert to the previous settings.
10. Click Apply to save the settings.
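The following is an added example, not code from this manual or from NETGEAR. It shows what the Secret Phrase and NAS Identifier configured above do on the wire in an RFC 2865 RADIUS/PAP exchange: the shared secret hides the user's password inside the Access-Request and authenticates the server's Access-Accept or Access-Reject, and the NAS-Identifier attribute is how the server recognises the router. Both the NAS side (what the FVX538 sends and checks) and the server side run in-process; the secret, the user database, the NAS name and the addresses are constructed for the example.

```python
"""Minimal RFC 2865 RADIUS/PAP exchange between a NAS and a RADIUS server.

Added example, not code from the FVX538 manual or from NETGEAR. Both sides run
in-process; user names, passwords, secrets and addresses are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1, includes the header) Value."""
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2:                      # malformed length: stop rather than loop forever
            break
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def _packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each chunk with a chained MD5 stream."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator          # b1 = MD5(S + RA), b2 = MD5(S + c1), ...
    for i in range(0, n, 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side of hide_password; strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user, password, secret, nas_id, nas_ip, ident=1):
    """What the router (the NAS) sends once XAUTH has collected a username/password."""
    request_auth = os.urandom(16)
    attrs = [_attr(USER_NAME, user),
             _attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
             _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             _attr(NAS_IDENTIFIER, nas_id)]
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, length, request_auth, body, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request, secret, users, expected_nas_id):
    """Server: check the NAS-Identifier, recover the password, sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = (code == ACCESS_REQUEST
          and attrs.get(NAS_IDENTIFIER) == expected_nas_id
          and attrs.get(USER_NAME) in users
          and hmac.compare_digest(users[attrs[USER_NAME]], password))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(rcode, ident, 20, request_auth, b"", secret)
    return _packet(rcode, ident, auth, [])


def client_verify(request, response, secret):
    """NAS: accept only a reply whose Response Authenticator matches our secret and request."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


def demo():
    secret = b"long-random-secret-phrase-7f3a"      # constructed; configured on router and server
    users = {b"alice": b"Pa55word!"}                 # constructed server-side user database
    nas = dict(nas_id=b"fvx538-hq", nas_ip="192.168.2.1")
    good = build_access_request(b"alice", b"Pa55word!", secret, **nas)
    accepted = client_verify(good, server_handle(good, secret, users, b"fvx538-hq"), secret)
    bad = build_access_request(b"alice", b"wrong", secret, **nas)
    wrong_pw = client_verify(bad, server_handle(bad, secret, users, b"fvx538-hq"), secret)
    # Router and server hold different Secret Phrases: the server unhides garbage and
    # signs its reply with a key the router does not have, so the router rejects it.
    mismatch = client_verify(good, server_handle(good, b"other-secret", users, b"fvx538-hq"), secret)
    # NAS Identifier configured differently on router and server.
    wrong_nas = client_verify(good, server_handle(good, secret, users, b"fvx538-branch"), secret)
    return accepted, wrong_pw, mismatch, wrong_nas
```

Calling demo() returns (True, False, False, False): only the request with the right password, the same secret on both sides and the expected NAS identifier is accepted. The mismatch case is the one to remember when the router logs RADIUS failures after a server change: with different secrets the server never sees the real password and the router can never validate the reply, so the symptom is identical to a wrong password.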
Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the FVX538, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses, from the router. Remote users are given IP addresses in the secured network space so that they appear as seamless extensions of the network.

In the following example, we configured the VPN firewall using ModeConfig and then configured a PC running ProSafe VPN Client software using these IP addresses:

NETGEAR ProSafe VPN Firewall 200
  WAN IP address: 172.21.4.1
  LAN IP address/subnet: 192.168.2.1/255.255.255.0
NETGEAR ProSafe VPN Client software IP address: 192.168.1.2
Mode Config Operation
After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode Config module allocates an IP address from the configured IP address pool and activates a temporary IPSec policy using the template security proposal information configured in the Mode Config record.

Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.

Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited.
Configuring the VPN Firewall
Two menus must be configured—the Mode Config menu and the IKE Policies menu.
To configure the Mode Config menu:

1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
2. Click Add. The Add Mode Config Record screen will display.
3. Enter a descriptive Record Name such as "Sales".
4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
5. If you have a WINS Server on your local network, enter its IP address.
6. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
7. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must exactly match the configuration of the remote VPN client.
8. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your router's LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will default to the LAN subnet of the router.)
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
   SA Lifetime: 3600 seconds
   Authentication Algorithm: SHA-1
   Encryption Algorithm: 3DES
   These were the recommended settings for the clients of the time; DH groups 1 and 2, 3DES and SHA-1 are considered weak today, so prefer stronger options wherever the client and the firmware offer them.
10. Click Apply. The new record should appear in the VPN Remote Host Mode Config Table (a sample record is shown below).

Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
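The following is an added example, not code from this manual or from NETGEAR. It models the two rules the Mode Config procedure above relies on: the IP pool must lie outside the router's LAN subnet (the note), and each client that completes IKE Phase 1 is handed one address from the pool together with the DNS servers (step 6) and the Local IP Subnet it may reach, defaulting to the LAN subnet (step 8). The record name, the 172.20.1.x pool and the DNS server address are constructed; the 192.168.2.0/24 LAN is the manual's example. The subnet mask and WINS server the real record also hands out are left out.

```python
"""Mode Config address pool for remote VPN clients.

Added example, not code from the FVX538 manual or from NETGEAR. Record names,
pool ranges and DNS addresses below are constructed.
"""
import ipaddress


def pool_overlaps_lan(first, last, lan):
    """True if any address of first..last falls inside the LAN subnet."""
    # Starts inside, ends inside, or spans the whole LAN from outside.
    return first in lan or last in lan or (first < lan[0] <= last)


def pool_is_valid(pool_first, pool_last, lan_subnet):
    """The check behind the manual's note: ordered range, not within the LAN."""
    first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    # strict=False accepts the manual's host/mask form, e.g. 192.168.2.1/255.255.255.0
    lan = ipaddress.IPv4Network(lan_subnet, strict=False)
    return first <= last and not pool_overlaps_lan(first, last, lan)


class ModeConfigRecord:
    def __init__(self, name, pool_first, pool_last, lan_subnet, dns_servers, local_subnet=None):
        if not pool_is_valid(pool_first, pool_last, lan_subnet):
            raise ValueError(f"{name}: pool {pool_first}-{pool_last} is reversed or overlaps LAN {lan_subnet}")
        self.name = name
        self.first = ipaddress.IPv4Address(pool_first)
        self.last = ipaddress.IPv4Address(pool_last)
        self.lan = ipaddress.IPv4Network(lan_subnet, strict=False)
        # Step 8: Local IP Subnet defaults to the router's LAN subnet when not given.
        self.local_subnet = ipaddress.IPv4Network(local_subnet, strict=False) if local_subnet else self.lan
        self.dns_servers = [ipaddress.IPv4Address(d) for d in dns_servers]
        self._leases = {}

    def allocate(self, client_id):
        """Return the IP configuration for a client that has completed IKE Phase 1."""
        if client_id in self._leases:          # a re-negotiating client keeps its address
            return self._leases[client_id]
        taken = {lease["address"] for lease in self._leases.values()}
        addr = self.first
        while addr <= self.last:
            if addr not in taken:
                self._leases[client_id] = {
                    "address": addr,
                    "dns": self.dns_servers,
                    "local_subnet": self.local_subnet,   # what the temporary IPsec policy protects
                }
                return self._leases[client_id]
            addr += 1
        raise RuntimeError(f"{self.name}: Mode Config pool exhausted")

    def release(self, client_id):
        """Return the address to the pool when the tunnel is torn down."""
        self._leases.pop(client_id, None)

    def in_use(self):
        return len(self._leases)


def demo():
    lan = "192.168.2.1/255.255.255.0"                      # the manual's example LAN
    sales = ModeConfigRecord("Sales", "172.20.1.1", "172.20.1.3", lan, ["192.168.2.10"])
    a = sales.allocate("client-A")
    b = sales.allocate("client-B")
    sales.release("client-A")
    c = sales.allocate("client-C")                         # reuses the released address
    try:
        ModeConfigRecord("Bad", "192.168.2.100", "192.168.2.150", lan, [])
        rejected = False
    except ValueError:
        rejected = True                                    # pool inside the LAN is refused
    return str(a["address"]), str(b["address"]), str(c["address"]), rejected
```

demo() returns ("172.20.1.1", "172.20.1.2", "172.20.1.1", True). The overlap check also catches the less obvious case of a pool that starts below the LAN and ends above it, which a simple "first address in LAN?" test would miss; a pool that overlaps the LAN makes a remote client's address collide with a local host, and the router can no longer tell tunnel traffic from LAN traffic for that address.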
To configure an IKE Policy:

1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies table.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.)
   Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN. Note that with a pre-shared key, Aggressive Mode sends the key-derived hash unencrypted in the exchange, so the key can be brute-forced offline from a captured handshake; use a long, random pre-shared key, or certificate authentication where the policy allows it.
Figure 5-25